Surely, during your daily HTTP log check, you have detected these kinds of patterns.
...
208.109.154.147 - - [25/May/2010:01:20:15 +0200] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:15 +0200] "GET /e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:16 +0200] "GET /db/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:17 +0200] "GET /e107/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:18 +0200] "GET /site/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:18 +0200] "GET /web/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:19 +0200] "GET /forum/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
...
These patterns are related to Toata Scanner, a Web scanner specialized in Web application discovery. Originally this Web scanner was targeting Roundcube Webmail installation files in order to exploit CVE-2008-5619. You can see from these log samples that Toata is no longer targeting only Roundcube, but is also used to detect installations of e107, for example. We published a security alert regarding e107 yesterday (24 May 2010); Toata is surely using a Google dorking feature to find its targets.
These scans are detected by Emerging Threats Snort rules, more precisely rule 2009159 “SCAN Toata Scanner User-Agent Detected”.
Below you can find the latest statistics for Toata scanner activity.
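The same User-Agent match can be run directly over the Apache access log to see which install prefixes a source guessed. This is an added example, not part of the original post; the function names and the last sample line (a constructed browser request from 192.0.2.44) are assumptions.

```python
import re
from collections import defaultdict

# Apache combined log format; the request field is captured whole because
# the scanner also sends malformed request lines (first sample line).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
TOATA_UA = "Toata dragostea mea pentru diavola"
# Lines copied from the excerpt above, plus one constructed browser request.
SAMPLE = '''\
208.109.154.147 - - [25/May/2010:01:20:15 +0200] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:15 +0200] "GET /e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:16 +0200] "GET /db/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:17 +0200] "GET /e107/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:18 +0200] "GET /site/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:18 +0200] "GET /web/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:19 +0200] "GET /forum/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
192.0.2.44 - - [25/May/2010:01:21:02 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''

def common_suffix(paths):
    """Longest run of trailing path segments shared by every path."""
    segs = [p.strip("/").split("/") for p in paths]
    suffix = []
    for col in zip(*(reversed(s) for s in segs)):
        if len(set(col)) != 1:
            break
        suffix.append(col[0])
    return "/".join(reversed(suffix))

def summarize_toata(lines):
    """Per source IP: hit count, malformed requests, probed file, guessed prefixes."""
    per_ip = defaultdict(lambda: {"hits": 0, "malformed": 0, "paths": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["ua"] != TOATA_UA:
            continue
        rec = per_ip[m["ip"]]
        rec["hits"] += 1
        parts = m["req"].split()
        # A well-formed request line is: METHOD /path HTTP/x.y
        if len(parts) == 3 and parts[1].startswith("/"):
            rec["paths"].append(parts[1])
        else:
            rec["malformed"] += 1
    for rec in per_ip.values():
        rec["target"] = common_suffix(rec["paths"])
        rec["prefixes"] = [p[: len(p) - len(rec["target"])].rstrip("/") or "/" for p in rec["paths"]]
    return dict(per_ip)
```

Calling `summarize_toata(SAMPLE.splitlines())` reports one source that probed the same file under six different directory prefixes, which is the discovery behaviour described above.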
1 Month SIG 2009159 events activities
One year SIG 2009159 events activities
1 Month TOP 10 source IPs for SIG 2009159
TOP 20 source countries for SIG 2009159
On 14 April 2010, Antisecurity released a Joomla wgPicasa Component Local File Inclusion (LFI) exploit, published on Exploit Database as EDB-ID 12230. To attract the “bad guys” who will use this exploit, we published a news item on 15 April containing, in its URL and content, some keywords to make it as attractive as possible 🙂 Most LFI scanners use Google dorking methods to find potentially vulnerable targets. So let's get a good position in the Google ranking.
Since 15 April, we can see that this particular exploit is targeted more than other Local File Inclusion exploits, and the number of events is still increasing even though we are now one month past the exploit publication.
Joomla wgPicasa SIG 2011067 events for current month
Also, we have some source IPs that are really trying to get in 🙂
TOP 10 source IPs exploiting Joomla wgPicasa SIG 2011067 during current month
TOP 20 source countries exploiting Joomla wgPicasa SIG 2011067
So, in a word: Joomla wgPicasa is in the hype, and really, if you use Joomla, shut down your server 🙂
We see some targeted Blind SQL Injection attempts focusing on random URLs, always with the same three parameters. We have currently compiled a list of different IP addresses, all located in China (hn.kd.ny.adsl), and more particularly in Henan province. All these source IP addresses generate 30 distinct events. The 22/04/2010 events are not related to this use case.
These Blind SQL Injection scans are detected by Emerging Threats Snort rules, more precisely rule 2011040 “WEB_SERVER Possible Usage of MYSQL Comments in URI for SQL Injection”, and also by rule 2006446 “ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT”.
1 Month TOP 10 source IPs for SID 2011040
1 Month TOP 10 source IPs for SID 2006446
TOP 20 source countries for SID 2011040
TOP 20 source countries for SID 2006446
When the Blind SQL Injection scan starts, the source port stays static for 26 of the 30 events; the last 4 events also share a static source port, but one different from that of the initial 26 events. We have also seen some source IPs that test with only 10 events, all ten with the same static source port.
For example:
115.52.225.227 – hn.kd.ny.adsl – Beijing – China – User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
source port : 60865 (26 events)
source port : 61446 (4 events)
1 week 115.52.225.227 SIG 2011040 events
123.161.77.52 – Beijing – China – User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
source port : 21703 (26 events)
source port : 22035 (4 events)
1 week 123.161.77.52 SIG 2011040 events
115.52.227.129 – hn.kd.ny.adsl – Beijing – China – User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
source port : 24431 (26 events)
source port : 25206 (4 events)
1 month 115.52.227.129 SIG 2011040 events
hn.kd.ny.adsl is well known on the Internet for malware, spam, etc. activities.
The 3 source IP addresses replay exactly the same HTTP Blind SQL Injection sequences; you can find them below. This Blind SQL Injection tool may have a Google dorking capability.
These patterns are related to Revolt Scanner, a Web scanner specialized in phpMyAdmin installation discovery. Once the scanner is started, the source port stays static during the complete brute forcing of web directories. Also, this scanner only targets the IN A IP address of the domain it is requesting.
These scans are detected by Emerging Threats Snort rules, more precisely rule 2009288 “WEB_SERVER Attack Tool Revolt Scanner”.
You can find here the typical list of directories that are scanned by Revolt.
Below you can find the latest statistics for Revolt Agent activity.
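The static source port described here for Revolt, and the 26 + 4 (or 10) event split described earlier for the Blind SQL Injection tool, can both be checked from IDS alert data by counting consecutive events that share a source port. This is an added example, not part of the original post; the event tuple layout, the function names and every address except 115.52.225.227 are constructed.

```python
from itertools import groupby

SQLI_SID, REVOLT_SID = 2011040, 2009288  # Snort SIDs named in the text

def sample_events():
    """Constructed (sid, src_ip, src_port) alerts in arrival order."""
    ev = [(SQLI_SID, "115.52.225.227", 60865)] * 26    # IP and ports from the text
    ev += [(SQLI_SID, "115.52.225.227", 61446)] * 4
    ev += [(SQLI_SID, "192.0.2.20", 41000)] * 10       # constructed: 10-event variant
    ev += [(SQLI_SID, "198.51.100.7", 50000 + i) for i in range(6)]  # constructed: port changes
    ev += [(REVOLT_SID, "192.0.2.10", 40222)] * 35     # constructed Revolt source
    return ev

def port_runs(events):
    """Map (sid, ip) -> lengths of consecutive event runs sharing one source port."""
    ports = {}
    for sid, ip, port in events:
        ports.setdefault((sid, ip), []).append(port)
    return {k: [len(list(g)) for _, g in groupby(v)] for k, v in ports.items()}

def fingerprint(sid, runs):
    """Label one source using the source port behaviour described in the text."""
    if sid == SQLI_SID and runs in ([26, 4], [10]):
        return "blind-sqli-tool"
    if sid == REVOLT_SID and len(runs) == 1 and runs[0] > 1:
        return "revolt-static-port"
    return "no-fingerprint"

def label_sources(events):
    """Return {(sid, ip): label} for every alerting source."""
    return {k: fingerprint(k[0], r) for k, r in port_runs(events).items()}
```

A source that triggers rule 2011040 with a different source port on every request, like the constructed 198.51.100.7, gets no label, which separates the tool's replayed sequence from unrelated hits on the same rule.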
1 Month SIG 2009288 events activities
One year SIG 2009288 events activities
1 Month TOP 10 source IPs for SIG 2009288
TOP 20 source countries for SIG 2009288