PUT requests and Using Web Server Logs, trillian exploit, sudo exploit.

Published: 2004-09-21
Last Updated: 2004-09-22 02:22:16 UTC
by Cory Altheide (Version: 1)
0 comment(s)
"PUT" Followup

The 'PUT' requests we posted about yesterday have now been linked
to a defacement crew. As mentioned yesterday, make sure you disable
'PUT', or if you use it, secure it sufficiently.

Web Server Error Log Patterns

Based on our note about web site defacement attempts using 'PUT'
requests, we received a couple of reports about various odd web server
log entries. Monitoring these entries is important, and a web server
log can provide much of the information traditionally provided by an
intrusion detection system. While incomplete, here are a couple of common
patterns:

(a) spam relays.

There are a number of commonly installed CGI scripts that can be used
to relay spam. Among others, these are formmail.pl, rt_response.cgi,
friends.cgi, backcon_sales.cgi, mt-send-entry.cgi (there are many more).

(b) Unicode exploits.
Old versions of IIS do not decode Unicode correctly. As a result, a
suitably crafted URL may allow traversal of your system files and execution
of commands via the 'script' URL. Most commonly, these requests are caused
by the Nimda worm. A typical request:
/_vti_cnf/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe

(c) Buffer overflows.
Various web servers can be tricked into executing arbitrary code by
triggering buffer overflows. Typically, the requests stick out because
they use long URLs in various shapes to trigger the overflow. As a
sample, the famous Code Red request:

GET /default.ida?NNNNNNN...NNNNNNNN%u9090%u6858

or, more recently, the WebDAV 'SEARCH' exploit:
SEARCH /AAAAAAAAAAAAAAAANNNNNNNNNNNN....

(both log entries abbreviated)

(d) SQL injection / script exploits

SQL injection typically attempts to insert quotes to terminate the
SQL statement and start a new (malicious) command. For example:
GET somescript.php?param=test'%20or%201=1

(e) Cross Site Scripting

In its simplest form, you will see the string '<script>' included
in the URL. However, this may be obfuscated using URL encoding. Again,
overly long (and just plain weird looking) URLs will show what's going
on. Since XSS is usually used against a valid URL, you will not see
an entry in your error log, and even if you are not vulnerable, you
will see a '200' code or similar.

Lesson of the day:

Most of these exploit attempts are 'harmless' for a well-maintained web
site; they attempt to exploit older faults in standardized scripts.
In order to detect more targeted attacks, consider the following:

Many times, as part of standard reconnaissance prior to an attack, the
attacker will download the 'robots.txt' file to look for URLs that
should not be indexed by search engines. Inexperienced sysadmins will
use this technique to 'hide' administrator pages. The attacker will
then use the 'robots.txt' file as a guide to launch their attack.

Add a fake "admin page" to your robots.txt "disallow" section. If you
are using a web scripting language like PHP, have it send you an e-mail
whenever this fake admin page is accessed. This will provide an instant
IDS to alert you to anyone poking around in areas they shouldn't.
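The following is an added example, not part of the diary: a small Python log scanner that applies the patterns (a) through (e) above to access-log lines, plus the robots.txt honeytoken idea from the lesson of the day. The honeytoken path "/secret-admin/", the length threshold and the sample log lines are all assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

FAKE_ADMIN_PATH = "/secret-admin/"  # hypothetical honeytoken: under "Disallow:" in robots.txt, never linked
SPAM_RELAY_SCRIPTS = {"formmail.pl", "rt_response.cgi", "friends.cgi", "backcon_sales.cgi", "mt-send-entry.cgi"}
LONG_URL = 200  # assumed threshold: overflow attempts are far longer than any real URL on the site
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')  # Apache common log format

def classify(method, url):
    """Return the set of pattern tags (a)-(e) plus 'honeytoken' matching one request."""
    path = url.split("?", 1)[0]
    decoded = unquote(unquote(url)).lower()  # decode twice to see through double encoding
    tags = set()
    if path.rsplit("/", 1)[-1] in SPAM_RELAY_SCRIPTS:
        tags.add("spam-relay")  # (a) known relay-able CGI script requested
    if re.search(r"\.\.[\\/]", decoded) or "cmd.exe" in decoded:
        tags.add("unicode-traversal")  # (b) %5c-style traversal towards cmd.exe (Nimda)
    if len(url) > LONG_URL or re.search(r"(.)\1{15,}", url):
        tags.add("overflow")  # (c) very long URL or long run of one byte (Code Red, WebDAV SEARCH)
    if re.search(r"'\s*(?:or|and|union)\b|'\s*(?:--|;)", decoded):
        tags.add("sql-injection")  # (d) quote closing the statement, followed by a new clause
    if "<script" in decoded or "javascript:" in decoded:
        tags.add("xss")  # (e) appears in the access log with a 200, never in the error log
    if path.startswith(FAKE_ADMIN_PATH):
        tags.add("honeytoken")  # only someone who read robots.txt would request this
    return tags

def scan(log_text):
    """Map each client IP to the union of pattern tags seen in its requests."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, url, _status = m.groups()
        tags = classify(method, url)
        if tags:
            hits.setdefault(ip, set()).update(tags)
    return hits

# Constructed sample log lines (not from the diary); the Code Red URL is padded programmatically.
SAMPLE_LOG = "\n".join([
    '10.0.0.1 - - [21/Sep/2004:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.2 - - [21/Sep/2004:10:00:01 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 88',
    '10.0.0.3 - - [21/Sep/2004:10:00:02 +0000] "GET /_vti_cnf/..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0',
    '10.0.0.4 - - [21/Sep/2004:10:00:03 +0000] "GET /default.ida?' + "N" * 240 + '%u9090%u6858 HTTP/1.0" 400 0',
    '10.0.0.5 - - [21/Sep/2004:10:00:04 +0000] "GET /somescript.php?param=test\'%20or%201=1 HTTP/1.1" 200 1024',
    '10.0.0.6 - - [21/Sep/2004:10:00:05 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048',
    '10.0.0.7 - - [21/Sep/2004:10:00:06 +0000] "GET /secret-admin/ HTTP/1.1" 404 0',
])
```

Run scan(SAMPLE_LOG) to get one entry per offending client IP; a real deployment would feed it the live access log and page on the honeytoken tag regardless of the status code.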

Trillian Exploit

An exploit has been released against the popular instant messenger client
'Trillian'. It is written to exploit the MSN module vulnerability in Trillian version 0.74i.

sudo vulnerability

sudo version 1.6.8 may provide a local attacker with super user (root) access to files.

----------

Johannes Ullrich, jullrich'&at&sans.org (filling in for Cory today)
