AWStats Exploits, Port 7162/TCP and 24212/TCP traffic, spamvertised site redirected to Al'Jazeera

Published: 2005-01-31
Last Updated: 2005-01-31 22:09:43 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

AWStats Exploits



A couple days ago, an advisory (e.g. see ) detailed a vulnerability in the popular web statistics package 'AWStats'.
We got a note from Ryan Barnet earlier, who detected an exploit attempt for this vulnerability. The traffic was flagged using mod_security.
The following mod_security rule was used to detect the attempt:


SecFilter "\;id"


This rule will 'trigger' on all requests that contain the string ';id'. 'id' is a command frequently executed by attackers, as it is ubiquitous across various Unix versions, and it will return details about the user executing the command. This is helpful to find out if commands are executed as 'nobody', 'apache' or maybe even 'root' and allow the attacker to adjust a follow-up attack.
Another reader reported an incident where this attack was succesful. The
attacker defaced the respective website by replacing various 'index' files.
(index.htm, index.html, index.php). The web hosting company attacked informed
its clients.
This rule was derived from the following snort rule (line wrapped):


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
(msg:"WEB-ATTACKS id command attempt"; flags:A+; content:"\;id";nocase;
sid:1333; rev:1; classtype:web-application-attack;)

And the captured request data (I removed some lines that may reveal too much about the attacked system):

HTTP_ACCEPT = image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
HTTP_ACCEPT_LANGUAGE = en-us
HTTP_HOST = www.foo.com
HTTP_MOD_SECURITY_ACTION = 403
HTTP_MOD_SECURITY_MESSAGE = Access denied with code 403. Pattern match "\;id" at THE_REQUEST
HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)
PATH = /usr/sbin:/usr/bin
QUERY_STRING =
REDIRECT_QUERY_STRING = configdir=|echo%20;echo%20;id;echo%20;echo|?configdir=|echo%20;echo%20;id;
echo%20;echo|
REDIRECT_REQUEST_METHOD = GET
REDIRECT_SCRIPT_URI =
http://www.foo.com/awstats/awstats.pl
REDIRECT_SCRIPT_URL = /awstats/awstats.pl
REDIRECT_STATUS = 403
REDIRECT_URL = /awstats/awstats.pl
REDIRECT_mod_security_relevant = 1
REMOTE_ADDR = 200.203.166.61
REMOTE_PORT = 33165
REQUEST_METHOD = GET
REQUEST_URI = /awstats/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo|
?configdir=|echo%20;echo%20;id;echo%20;echo|
SCRIPT_NAME = /cgi-bin/403.cgi
SCRIPT_URI = http://www.foo.com/awstats/awstats.pl
SCRIPT_URL = /awstats/awstats.pl
SERVER_ADDR = 192.168.1.100
SERVER_ADMIN = webmaster@foo.com
SERVER_NAME = www.foo.com
SERVER_PORT = 80
SERVER_PROTOCOL = HTTP/1.0
SERVER_SIGNATURE =
TZ = US/Eastern


Port 7162/tcp



Eric Hughes submitted a packet he captured on port 7162. The content looks
IMHO suspiciously like a P2P application, but we would like to know if anybody
else sees it and what application uses this port. Sample content captured:

GET sha1:3vIubshl4KdNlGzXw//cbRN6dsU= http/1.1
User-Agent: W rez.2.4.0.2948
X-My-Nick: tj
X-B6MI: j0OfdLQkO69V8F/S
X-MyLIP: 0A010109
X-B6St: sg10Hu0BaYbhwVbXs40IS8bJltFOWbw=
Range: bytes=0-2097151


Similar traffic was reports in May of 2004 (on port 32624) and interpreted
as P2P afterglow from a P2P application called 'Ares' (see the DShield
mailing list archive here:

http://lists.sans.org/pipermail/list/2004-May/048210.html
To double check, I downloaded the latest version of Ares ('regular' version) and ran it for a short time. But the above pattern never came up. I did start
the download for one random file. The packet dump captured during this test can be found here: http://isc.sans.org/images/ares.dump.zip . The application does communicate on numerous tcp ports. I didn't see it talk on port 7162.

Port 24212/tcp



Another user reports that his router is rejecting port 23212 traffic. The
log excerpt he sent shows a few hits each minute from very different
sources. Anybody got any idea what 23212/tcp could be used for? Maybe a recent
virus backdoor?
BTW: As seen in the port 7162 example above, it is very helpful to get a bit
of payload from mystery traffic like this. TCP traffic blocked at a firewall will typically not include any payload as all you should see is the SYN packet. To find out more, 'netcat' can be used to setup a quick listener. Just run netcat -p 24212 -l (or replace 24212 with the port number of interest). Of course, for this to work you need to open the firewall for this traffic.

Spamvertised site redirected to Al'Jazeera



Sadie Brinham notified us that the spamverised site 'www.levitra.get.to' redirects
users to the Al'Jazeera news site. The pharmacy scam site opens two frames. One fo the advertisement and one with content from the Al'Jazeera news site. We don't really know why this is happening. It could be a cause of vigilante defacement, or maybe someones attempt to use anti-spam DDOS tools to DDOS the news site.
Initially, we didn't see any malware installed by this site. But now (thanks Deb!), it appears to install some spyware.
-------

Johannes Ullrich, jullrich@';/bin/sh rm -rf *;'sans.org

Keywords:
0 comment(s)

Comments


Diary Archives