Tag Archives: Scanner

SUC025 : ZmEu exploit scanner

  • Use Case Reference : SUC025
  • Use Case Title : ZmEu exploit scanner
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : ZmEu bot
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

  • phpMyAdmin scanner

Source(s) :

Emerging Threats SIG 2010715 triggers are :

  • The HTTP header should contain “Made by ZmEu” User-Agent string. Example : “User-Agent: Made by ZmEu @ WhiteHat Team – www.whitehat.ro
  • The source port could be any FROM EXTERNAL_NET in destination of an HOME_NET HTTP_PORTS.
SIG 2010715 1 Week events activity
SIG 2010715 1 Week events activity
SIG 2010715 1 month events activity
SIG 2010715 1 month events activity
1 Month TOP 10 source IPs for SIG 2010715
1 Month TOP 10 source IPs for SIG 2010715

Increasing WEB Proxy CONNECT Request from China

Since 28 August we have detect some increasing Web Proxy CONNECT Request from China. All the source IPs are different and most of these source IPs are only trying one or two connections.

Here under a live graph on the “Web Proxy Connect Request”. An Afterglow visualization, all datas (timestamps, source IPs, source IPs countries, source IPs ASN) are available by clicking on the following link.

1 month SIG 2001675 IDS Events
1 month SIG 2001675 IDS Events

Local File Inclusion attempts on the rise

They’re is no new day without a Joomla Local File Inclusion (LFI) vulnerability. Just take a look at Exploit-DB, Inj3ct0r or Hack0wn and you will find thousands of Joomla components vulnerable to this vulnerability.

Since many years, security researcher have write studies on this vulnerability, and describe the different way to exploit them. You can find some good papers about LFI exploitations on Exploit-DB. But since 2010, LFI are coming back in force.

LFI vulnerability doesn’t look like to be dangerous in a first manner, but maybe we have to make a quick recap on the potential impacts to be vulnerable :

  • Exposure of sensitive informations (clear or hashed password, source code, documents leakage, etc.)
  • Exposure of system informations (system informations, users list, runtime informations, etc.)
  • Security bypass (normally inaccessible informations could be acceded…)
  • System access (malicious users could gain access to the system and compromise him)
  • Be involved in a botnet without knowing it
  • etc.

Why Local File Inclusion (LFI) attemps are on the rise ? The answer is very simple, cause Remote File Inclusion (RFI) are stagnating or even declining. Just do a simple research on Exploit-DB for RFI, you will directly see the difference with the LFI search. RFI vulnerabilities are very simple to exploit unlike LFI vulnerabilities. To argument, I propose you to visit our one year RFI HoneyNet statistics, you will see the increasing activity of RFI botnets. But the number of RFI exploits are decreasing continuously since the hype of 2006 and 2007. Compromised hosts by LFI are integrated into RFI botnets.

Despite LFI exploitation fail in 90% of cases (due to the OS, web server or PHP default hardening), if you scan 1000 hosts you can finally compromise 100 of them. LFI compromised hosts are compensating the decrease of RFI compromised hosts by RFI exploits. In such manner, we can see since 2010 apparition of dedicated Joomla LFI dork lists and mutation of traditional RFI scanners to LFI/RFI scanners (LRFI). The 2010 mutation of all traditional RFI scanner is also now to integrate XML RPC and SQL injection scanners, with nice updated dork lists.

We provide you a list of all unique LFI attempts on our HoneyNet for the latest 24 hours. This list will be updated daily and will permit you to follow the new vulnerable web applications.

So just a final word, take care on your /proc/self/environ, and special dedication to Indonesia 🙂 If you are curious, take a look to the Indonesian scene.