[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CALCvwp703MF71t1J9w_-fZpkwPZ8EuhxY_uFCe=hx_4FrnWMaw@mail.gmail.com>
Date: Fri, 23 Dec 2011 19:21:33 +1100
From: xD 0x41 <secn3t@...il.com>
To: james@...o-internet.org.uk
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: New awstats.pl vulnerability?
I am really curious as to the motivation of the parties deploying
these types of scans. I understand that they would like to find
vulnerable systems to compromise... but for what purpose? S
dor what ?
Mainly the smarter ones, are, not malign, non botters, and dont use
these shit systems to make money but, many poorer countries, this can
make even, a small amount, with rooted boxes also, you have the power
to charge a sip call for example...to an isp...and they would, as
usually..bill it... but, it seems, anything thats new/big, is being
scanned, its simple..one engine, MANY addons :P
siimple formula, to exploit tonnes, of thousdands, of hosts...and, i
have seen many public lists ranging upto 50-100megs of ips all
vuln...fullnily, most of amazon aws 50. range is pwned...phpmyadmini
believe..hehe....wen will ppl learn...security is a MUST, not an item
to be glanced at and, presumed over for 100days..it has to be
fast,responsive,and knows what todo..so,.. buy into immunity :P~~
lol... i know many others are using this to fuzz...great fopr mass
fuzzing to i hear...altho then. acutenix could be obtained freely,
and, made to look pro...so i guess..is lesser of the evils...ones 20
grand with a few addons, ones free... ill take both :P
On 23 December 2011 18:34, <james@...o-internet.org.uk> wrote:
> >From analysis on compromised sites I've been receiving abuse messages for at $day_job they're launched from irc bots on compromised servers, mainly cpanel- cpanel is cool for novices but skimps on security out of the box.
>
> Will dig out some signatures when I get into the office.
>
> Sent from my BlackBerry® wireless device
>
> -----Original Message-----
> From: Lamar Spells <lamar.spells@...il.com>
> Sender: full-disclosure-bounces@...ts.grok.org.uk
> Date: Thu, 22 Dec 2011 23:23:11
> To: Nikolay Kichukov<hijacker@...um.net>
> Cc: <full-disclosure@...ts.grok.org.uk>
> Subject: Re: [Full-disclosure] New awstats.pl vulnerability?
>
> Here is an update on this:
>
> Over the past week, we have seen the awstats activity continue, but
> morph to include other vulnerabilities. Details of this are at
> http://foxtrot7security.blogspot.com/2011/12/attacks-against-awstats-also-includes.html
> -- but the summary is that we have seen activity change to include
> Local File Inclusion and command injection in phpAlbum and other
> components written in PHP.
>
> We started seeing today some activity related to phpthumb and
> CVE-2010-1598... Details of this are at
> http://foxtrot7security.blogspot.com/2011/12/new-attempts-to-exploit-old-phpthumb.html
>
> I am really curious as to the motivation of the parties deploying
> these types of scans. I understand that they would like to find
> vulnerable systems to compromise... but for what purpose? Sending
> spam? So far, based on what I am seeing, it looks like they are
> compromising systems just to have those systems look for more systems
> to compromise. At this point, I have to assume that they are still in
> the construction and building phase...
>
> On Fri, Dec 16, 2011 at 2:43 PM, Lamar Spells <lamar.spells@...il.com> wrote:
>> Here are some additional IPs and some analysis of the IPs in question.
>> Looks like very few of the scanning IPs are running awstats, but many
>> are legitimate business running old apache versions. I am guessing
>> they didn't self install an awstats scanner...
>>
>> http://foxtrot7security.blogspot.com/2011/12/importance-of-patching.html
>>
>>
>> On Tue, Dec 13, 2011 at 7:51 AM, Lamar Spells <lamar.spells@...il.com> wrote:
>>> Today we are also seeing requests like this one which is looking to
>>> exploit CVE-2008-3922:
>>>
>>> GET /awstatstotals/awstatstotals.php ?
>>> sort={${passthru(chr(105).chr(100))}}{${exit()}}
>>>
>>>
>>>
>>> On Tue, Dec 13, 2011 at 2:17 AM, Nikolay Kichukov <hijacker@...um.net> wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Same here, I even tried to notify a bunch of the ISP registrators of the IP address range those originated from.
>>>>
>>>> - -Nik
>>>>
>>>>
>>>>
>>>> On 12/13/2011 07:30 AM, Bruce Ediger wrote:
>>>>> On Mon, 12 Dec 2011, Lamar Spells wrote:
>>>>>
>>>>>> For the past several days, I have been seeing thousands of requests
>>>>>> looking for awstats.pl like this one:
>>>>>
>>>>> Yeah, me too. They just started up. I haven't seen any awstats.pl
>>>>> requests since 2010-05-18, and now I've gotten batches of them, since
>>>>> about 2011-11-22, but heavier since the start of December.
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG v1.4.11 (GNU/Linux)
>>>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>>>
>>>> iQEcBAEBAgAGBQJO5vwQAAoJEDFLYVOGGjgX8oEH/i3kjBAtJcT1DJvJVcRX4O+9
>>>> t2UcvehxpyjalhCttTmQrE8EcLrtGS62K0ZziNQPvXirOtJ0ERcaARsQFiTT7fCi
>>>> YyEuNDa15nx+wS2dgnKWEyCjz356RobtXgFflrbfHNPmBCRGd/qM3VzquUDYRdef
>>>> E+JtU0J3RgilXxMFLrZK5GHwZOUKNebv/T6bRPescMzRsX/DO89Csv0kWJM9xvyI
>>>> kd0El+/thw8aj9/21dB/JWhdbiBozuKd2MG1hTog/xKFVzVqdTzkNoZ7Ok15n91v
>>>> LoAx7cLqDInmx1syDLOSMhzRoyqGAA9Uq/WuTpDqTDcHjVwjGJPeYjc97dIJWdY=
>>>> =0+7+
>>>> -----END PGP SIGNATURE-----
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists