lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1015093749-1324625691-cardhu_decombobulator_blackberry.rim.net-221893219-@b25.c20.bise7.blackberry>
Date: Fri, 23 Dec 2011 07:34:51 +0000
From: james@...o-internet.org.uk
To: "Lamar Spells" <lamar.spells@...il.com>,
	full-disclosure-bounces@...ts.grok.org.uk,
	"Nikolay Kichukov" <hijacker@...um.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: New awstats.pl vulnerability?

>>From analysis on compromised sites I've been receiving abuse messages for at $day_job they're launched from irc bots on compromised servers, mainly cpanel- cpanel is cool for novices but skimps on security out of the box.

Will dig out some signatures when I get into the office.

Sent from my BlackBerry® wireless device

-----Original Message-----
From: Lamar Spells <lamar.spells@...il.com>
Sender: full-disclosure-bounces@...ts.grok.org.uk
Date: Thu, 22 Dec 2011 23:23:11 
To: Nikolay Kichukov<hijacker@...um.net>
Cc: <full-disclosure@...ts.grok.org.uk>
Subject: Re: [Full-disclosure] New awstats.pl vulnerability?

Here is an update on this:

Over the past week, we have seen the awstats activity continue, but
morph to include other vulnerabilities.  Details of this are at
http://foxtrot7security.blogspot.com/2011/12/attacks-against-awstats-also-includes.html
-- but the summary is that we have seen activity change to include
Local File Inclusion and command injection in phpAlbum and other
components written in PHP.

We started seeing today some activity related to phpthumb and
CVE-2010-1598...  Details of this are at
http://foxtrot7security.blogspot.com/2011/12/new-attempts-to-exploit-old-phpthumb.html

I am really curious as to the motivation of the parties deploying
these types of scans.  I understand that they would like to find
vulnerable systems to compromise... but for what purpose?  Sending
spam?  So far, based on what I am seeing, it looks like they are
compromising systems just to have those systems look for more systems
to compromise.  At this point, I have to assume that they are still in
the construction and building phase...

On Fri, Dec 16, 2011 at 2:43 PM, Lamar Spells <lamar.spells@...il.com> wrote:
> Here are some additional IPs and some analysis of the IPs in question.
>  Looks like very few of the scanning IPs are running awstats, but many
> are legitimate business running old apache versions.  I am guessing
> they didn't self install an awstats scanner...
>
> http://foxtrot7security.blogspot.com/2011/12/importance-of-patching.html
>
>
> On Tue, Dec 13, 2011 at 7:51 AM, Lamar Spells <lamar.spells@...il.com> wrote:
>> Today we are also seeing requests like this one which is looking to
>> exploit CVE-2008-3922:
>>
>> GET /awstatstotals/awstatstotals.php ?
>> sort={${passthru(chr(105).chr(100))}}{${exit()}}
>>
>>
>>
>> On Tue, Dec 13, 2011 at 2:17 AM, Nikolay Kichukov <hijacker@...um.net> wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Same here, I even tried to notify a bunch of the ISP registrators of the IP address range those originated from.
>>>
>>> - -Nik
>>>
>>>
>>>
>>> On 12/13/2011 07:30 AM, Bruce Ediger wrote:
>>>> On Mon, 12 Dec 2011, Lamar Spells wrote:
>>>>
>>>>> For the past several days, I have been seeing thousands of requests
>>>>> looking for awstats.pl like this one:
>>>>
>>>> Yeah, me too.  They just started up.  I haven't seen any awstats.pl
>>>> requests since 2010-05-18, and now I've gotten batches of them, since
>>>> about 2011-11-22, but heavier since the start of December.
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1.4.11 (GNU/Linux)
>>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>>
>>> iQEcBAEBAgAGBQJO5vwQAAoJEDFLYVOGGjgX8oEH/i3kjBAtJcT1DJvJVcRX4O+9
>>> t2UcvehxpyjalhCttTmQrE8EcLrtGS62K0ZziNQPvXirOtJ0ERcaARsQFiTT7fCi
>>> YyEuNDa15nx+wS2dgnKWEyCjz356RobtXgFflrbfHNPmBCRGd/qM3VzquUDYRdef
>>> E+JtU0J3RgilXxMFLrZK5GHwZOUKNebv/T6bRPescMzRsX/DO89Csv0kWJM9xvyI
>>> kd0El+/thw8aj9/21dB/JWhdbiBozuKd2MG1hTog/xKFVzVqdTzkNoZ7Ok15n91v
>>> LoAx7cLqDInmx1syDLOSMhzRoyqGAA9Uq/WuTpDqTDcHjVwjGJPeYjc97dIJWdY=
>>> =0+7+
>>> -----END PGP SIGNATURE-----
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ