SUC016 : User-Agent “Toata dragostea mea pentru diavola” scanner

  • Use Case Reference : SUC016
  • Use Case Title : User-Agent “Toata dragostea mea pentru diavola” Scanner
  • Use Case Detection : HTTP Logs / IDS
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : Toata Scanner
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP
Possible(s) correlation(s) :
  • Toata scanner

Source(s) :

Surely during your daily HTTP log check, you have detect theses kind of patterns.

...
208.109.154.147 - - [25/May/2010:01:20:15 +0200] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:15 +0200] "GET /e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:16 +0200] "GET /db/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:17 +0200] "GET /e107/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:18 +0200] "GET /site/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:18 +0200] "GET /web/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:19 +0200] "GET /forum/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
...

Theses patterns are related to Toata Scanner, an Web scanner specialized in Web applications discovery. Originally this Web scanner was targeting Roundcube Webmail installation files in order to exploit CVE-2008-5619. You can see with theses logs samples that Toata is no more only targeting Roundcube, but is also used to detect installation of e107, for example. We have publish yesterday (24 Mai 2010) an security alert regarding e107, toata is surely using a google dorking feature to find his target.

Theses scans are detected by Emerging Threats Snort rules, more precisely the 2009159SCAN Toata Scanner User-Agent Detected“.

Here under you can find the latest statistics for Toata scanner activities.

1 Month SIG 2009159 events activities
1 Month SIG 2009159 events activities
One year SIG 2009159 events activities
One year SIG 2009159 events activities
1 Month TOP 10 source IPs for SIG 2009159
1 Month TOP 10 source IPs for SIG 2009159
TOP 20 source countries for SIG 2009159
TOP 20 source countries for SIG 2009159

Joomla wgPicasa component Local File Inclusion is in the hype

The 14 April 2010, Antisecurity has release a Joomla wgPicasa Component Local File Inclusion (LFI) exploit, published on Exploit Database as EDB-ID 12230. To attract the “bad guys” how will use this exploit, we published the 15 April a news containing, in the URL and the content of the news, some keywords to be the more attractive as possible 🙂 Most of the LFI scanners are using Google dorking methods to find a potential vulnerable target. So let get a good position in Google ranking.

Since the 15 April, we can see that this particular exploit is more targeted than other Local File Inclusion exploits, and the number of events are still increasing until we are one month after the exploit publication.

Joomla wgPicasa SIG 2011067 events for current month
Joomla wgPicasa SIG 2011067 events for current month

Also, we have some source IP how are really trying to get in 🙂

TOP 10 source IPs exploiting Joomla wgPicasa SIG 2011067 during current month
TOP 10 source IPs exploiting Joomla wgPicasa SIG 2011067 during current month
TOP 20 source countries exploiting Joomla wgPicasa SIG 2011067
TOP 20 source countries exploiting Joomla wgPicasa SIG 2011067

So, just one word, Joomla wgPicasa is in the hype, and really if you use Joomla, shutdown your server 🙂

SUC012 : Chinese Blind SQL Injection – hn.kd.ny.adsl

  • Use Case Reference : SUC012
  • Use Case Title : Chinese Blind SQL Injection
  • Use Case Detection : IDS / HTTP logs / SQL logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : No
  • Source IP(s) : Most of 115.48.0.0/12 and ChinaNet
  • Source Countries : China
  • Source Port(s) : Random, but static source port when scan is initiated
  • Destination Port(s) : 80/TCP
Possible(s) correlation(s) :
  • Random SQL Injection Tool with some Google dorking capabilities

Source(s) :

We have some targeted Blind SQL Injection focusing on some randoms URLs, and all the time the same three parameters. We have actually make a list of different IP addresses, all located in China (hn.kd.ny.adsl), and more particular from the Henan province. All theses source IP addresses generating 30 distinct events. The 22/04/2010 events are not related with this Use Case.

1 month SID 2011040 IDS Events
1 month SID 2011040 IDS Events
One month SID 2006446 activity
One month SID 2006446 activity

Theses Blind SQL Injection scans are detected by Emerging Threats Snort rules, more precisely the 2011040WEB_SERVER Possible Usage of MYSQL Comments in URI for SQL Injection“, and also by the rule 2006446ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT“.

1 Month TOP 10 source IPs for SID 2011040
1 Month TOP 10 source IPs for SID 2011040
1 Month TOP 10 source IPs for SID 2006446
1 Month TOP 10 source IPs for SID 2006446
TOP 20 source countries for SID 2011040
TOP 20 source countries for SID 2011040
TOP 20 source countries for SID 2006446
TOP 20 source countries for SID 2006446

When starting the Blind SQL Injection scan, the source port stay static during 26 of 30 events and the last 4 events are have also a static source port, but different from the initial 26 events. We have also seen that some source IP only test doing 10 events, all these teen events with the same static source port.

For examples :

115.52.225.227 – hn.kd.ny.adsl – Beijing – China – User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

  • source port : 60865 (26 events)
  • source port : 61446 (4 events)
1 week 115.52.225.227 SIG 2011040 events
1 week 115.52.225.227 SIG 2011040 events

123.161.77.52 – Beijing – China – User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

  • source port : 21703 (26 events)
  • source port : 22035 (4 events)
1 week 123.161.77.52 SIG 2011040 events
1 week 123.161.77.52 SIG 2011040 events

115.52.227.129 – hn.kd.ny.adsl – Beijing – China – User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

  • source port : 24431 (26 events)
  • source port : 25206 (4 events)
1 month 115.52.227.129 SIG 2011040 events
1 month 115.52.227.129 SIG 2011040 events

hn.kd.ny.adsl is well know on Internet for malware, spam, etc. activities.

The 3 source IP addresses replay exactly the same HTTP Blind SQL Injection sequences, you can find them here under. This Blind SQL Injection Tool has maybe an Google Dorking capability.

/forum/index.php?autocom=blog&blogid=1&showentry=46/**/aND/**/8%3D8
/forum/index.php?autocom=blog&blogid=1&showentry=46/**/aND/**/8%3D3
/forum/index.php?autocom=blog&blogid=1&showentry=46%27/**/aND/**/%278%27%3D%278
/forum/index.php?autocom=blog&blogid=1&showentry=46%27/**/aND/**/%278%27%3D%273
/forum/index.php?autocom=blog&blogid=1&showentry=46%25%27/**/aND/**/%278%27%3D%278
/forum/index.php?autocom=blog&blogid=1&showentry=46%25%27/**/aND/**/%278%25%27%3D%273
/forum/index.php?autocom=blog&blogid=1&showentry=46/**/XoR/**/8%3D3
/forum/index.php?autocom=blog&blogid=1&showentry=46/**/XoR/**/8%3D8
/forum/index.php?autocom=blog&blogid=1&showentry=46%27/**/XoR/**/%278%27%3D%273
/forum/index.php?autocom=blog&blogid=1&showentry=46%27/**/XoR/**/%278%27%3D%278

/forum/index.php?showentry=46&autocom=blog&blogid=1/**/aND/**/8%3D8
/forum/index.php?showentry=46&autocom=blog&blogid=1/**/aND/**/8%3D3
/forum/index.php?showentry=46&autocom=blog&blogid=1%27/**/aND/**/%278%27%3D%278
/forum/index.php?showentry=46&autocom=blog&blogid=1%27/**/aND/**/%278%27%3D%273
/forum/index.php?showentry=46&autocom=blog&blogid=1%25%27/**/aND/**/%278%27%3D%278
/forum/index.php?showentry=46&autocom=blog&blogid=1%25%27/**/aND/**/%278%25%27%3D%273
/forum/index.php?showentry=46&autocom=blog&blogid=1/**/XoR/**/8%3D3
/forum/index.php?showentry=46&autocom=blog&blogid=1/**/XoR/**/8%3D8
/forum/index.php?showentry=46&autocom=blog&blogid=1%27/**/XoR/**/%278%27%3D%273
/forum/index.php?showentry=46&autocom=blog&blogid=1%27/**/XoR/**/%278%27%3D%278

/forum/index.php?blogid=1&showentry=46&autocom=blog/**/aND/**/8%3D8
/forum/index.php?blogid=1&showentry=46&autocom=blog/**/aND/**/8%3D3
/forum/index.php?blogid=1&showentry=46&autocom=blog%27/**/aND/**/%278%27%3D%278
/forum/index.php?blogid=1&showentry=46&autocom=blog%27/**/aND/**/%278%27%3D%273
/forum/index.php?blogid=1&showentry=46&autocom=blog%25%27/**/aND/**/%278%27%3D%278
/forum/index.php?blogid=1&showentry=46&autocom=blog%25%27/**/aND/**/%278%25%27%3D%273
/forum/index.php?blogid=1&showentry=46&autocom=blog/**/XoR/**/8%3D3
/forum/index.php?blogid=1&showentry=46&autocom=blog/**/XoR/**/8%3D8
/forum/index.php?blogid=1&showentry=46&autocom=blog%27/**/XoR/**/%278%27%3D%273
/forum/index.php?blogid=1&showentry=46&autocom=blog%27/**/XoR/**/%278%27%3D%278

Other SQL injection fingerprints

'%20and%205=6%20union%20select%200x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E%20--%20And%20'6'='6

If you have any informations around theses SQL injections and more in particular the used tool, please contact me on Twitter or comment this post.

SUC004 : phpMyAdmin User-Agent Revolt Scanner

  • Use Case Reference : SUC004
  • Use Case Title : phpMyAdmin User-Agent Revolt Scanner
  • Use Case Detection : HTTP Logs / IDS
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : Revolt Scanner
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random port, but static source port when scan is initiated
  • Destination Port(s) : 80/TCP, 443/TCP
Possible(s) correlation(s) :
  • phpMyAdmin scanner

Source(s) :

Surely during your daily HTTP log check, you have detect theses kind of patterns.

...
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/mysql/sqlmanager/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/mysql/mysqlmanager/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmyadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpMyadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpMyAdmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmyAdmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmyadmin2/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/2phpmyadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmy/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phppma/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/myadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/MyAdmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/program/ HTTP/1.1" 301 - "-" "revolt"
...

Theses patterns are related to Revolt Scanner, an Web scanner specialized in phpMyAdmin installation discovery. When the scanner is started the source port will stay static during the complete web directory discovery brute forcing. Also, this scanner is only targeting the IN A IP address of the domain he is asking.

Theses scans are detected by Emerging Threats Snort rules, more precisely the 2009288WEB_SERVER Attack Tool Revolt Scanner“.

You can find here, the typical list of directories how are scanned by revolt.

Here under you can find the latest statistics for Revolt Agent activities.

1 Month SIG 2009288 events activities
1 Month SIG 2009288 events activities
One year SIG 2009288 events activities
One year SIG 2009288 events activities
1 Month TOP 10 source IPs for SIG 2009288
1 Month TOP 10 source IPs for SIG 2009288
TOP 20 source countries for SIG 2009288
TOP 20 source countries for SIG 2009288