There's a guy comes around periodically and fiddles with my webserver.
He's definitely up to no good, because he tools around until he finds a
CGI program and tries injecting URLs to scripts on Russian (or Taiwanese) servers into the argument list of such CGIs.
The server alerts me whenever he appears. Generally speaking, I just let him enjoy himself, since he's not getting anywhere.
But one thing I can't quite figure is why he's doing it. He keeps trying to view/execute the object '&' in various directories. So I keep getting
"File does not exist" errors in all the various directories on the site. Sort of like:
File does not exist: /var/www/htdocs/this/directory/&
File does not exist: /var/www/htdocs/that/directory/&
File does not exist: /var/www/htdocs/some/other/directory/&
Anybody recognise this? I suspect that he is attempting to drop something on my server named '&' by way of a broken CGI script, and then execute it. He's tried injecting several URLs, some of which are 404 but the rest all return this script:
<?php echo md5("just_a_test");?>
Obviously, if this works, the real payload will follow. It strikes me
that I should deliberately insert this test script in a few directories, name it '&' and wait for him to try again in a few days, or weeks. When
he gets back his expected response, he will then try with the URL to the *real* exploit, and maybe we can get a copy of that!
Wotcha think?
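An added detection example, not code from the thread: a small scanner over Apache access-log lines that flags the two behaviours described above, a remote URL injected into a CGI query parameter (the remote-include probe) and a request for an object literally named '&'. The log lines, client addresses and hostnames below are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Apache combined format). Addresses,
# hosts and paths are made up for this example, not taken from real logs.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jan/2008:05:41:00 +0000] "GET /cgi-bin/view.cgi?page=http://example.invalid/t.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Jan/2008:05:41:02 +0000] "GET /this/directory/& HTTP/1.1" 404 289 "-" "Mozilla/4.0"
198.51.100.3 - - [24/Jan/2008:06:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A query value that is itself a URL to another host is the remote-include signature.
REMOTE_SCHEME = re.compile(r'^(?:https?|ftps?)://', re.IGNORECASE)


def classify_request(line):
    """Return a list of finding strings for one access-log line (empty if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsable"]
    findings = []
    parts = urlsplit(m.group("target"))
    # The '&' probe: the last path segment of the request is literally '&'.
    if parts.path.rstrip("/").endswith("/&"):
        findings.append("ampersand-probe")
    # Remote-include attempt: a parameter whose value points at another host.
    # The trailing '?' the probe carries makes the victim's own parameters
    # become part of the remote request, so it is kept in the value.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if REMOTE_SCHEME.match(value):
            findings.append(f"rfi-attempt:{name}={urlsplit(value).netloc}")
    return findings


def scan_log(text):
    """Map each client IP with suspicious requests to its findings across the log."""
    hits = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        found = classify_request(line)
        if found and m:
            hits.setdefault(m.group("ip"), []).extend(found)
    return hits
```

Feeding the real access log through scan_log() groups the probes by source address, which is what you want for an alert or a block rule.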
Hell, Angus, go for it. Apparently whoever is doing this isn't smart
enough to do it on his own anyhow, and if it "worked", he would
probably shit himself.. ;o)
See, even if he *could* dump some PHP exploit code on my system in a file named '&', how does he expect to get it executed? The PHP interpreter
isn't going to RUN the script unless it is named with a .php extension, is it? All that would happen is that the server sends him his own exploit script back again!
Re: Re: Exploit?
By: Tracker1 to Angus McLeod on Thu Jan 24 2008 05:41:00
I'm guessing that the script is looking for some other exploit to be in place or a flaw in apache or an asapi module... you don't seem to be affected by this, but it's always an interesting curiosity that follows... I don't check my logs nearly as often as I should.. usually see tons of tests for exploits in older versions of IIS on this end... not sure how many people are running old versions of IIS3-5 on unpatched nt4/win2000 boxes though...
So what I could do is execute his exploit test, capture the output, and
serve it when he requests the "&" file. He ought to be getting back
exactly what he would expect if the code ran. That should trigger his attempt to drop a real payload on the box, which would let me retrieve his exploit package and, uh, exploit it?
To go along with the '&' file, just make it a text file with
just_a_test in it and name it '&', and stick it out in a directory. It should fool them into thinking their test *worked*. Should be funny to
see what happens then.