SUC016 : RCE & SQL injection attempts on xmlrpc.php

  • Use Case Reference : SUC016
  • Use Case Title : RCE & SQL injection attempts on xmlrpc.php
  • Use Case Detection : IDS / Web logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : No, but User-Agent Mozilla/5.0
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP
Possible(s) correlation(s) :
  • Joomla XML-RPC vulnerability
  • Multi functions Web scanner (RFI, LFI, XMLRPC, etc.)

Source(s) :

Since one week, we have detect some increasing RCE (Remote Code Execution) and SQL injection attempts on xmlrpc.php. These attempts are detected by ET rule 2002158, with last modification on the rule the 2009-03-13.

You can find here under the payload how is called by the attempts.

test.method’,”));echo ‘XxXDIOCANEXxX’;exit;/*

Despite the source IPs are completely random, the User Agent is still Mozilla/5.0 and the payload is all the time the same. These attempts seems to be generated by a tool using some Google dorking capabilities. Also the source IPs are also involved in other exploits attempts, members of RFI or LFI botnets.

24 hours SIG 2002158 events activities
24 hours SIG 2002158 events activities
1 week SIG 2002158 events activities
1 week SIG 2002158 events activities
1 Month SIG 2002158 events activities
1 Month SIG 2002158 events activities
One year SIG 2002158 events activities
One year SIG 2002158 events activities
1 Month TOP 10 source IPs for SIG 2002158
1 Month TOP 10 source IPs for SIG 2002158