Posts tagged Scanner
- Use Case Reference : SUC025
- Use Case Title : ZmEu exploit scanner
- Use Case Detection : IDS / HTTP logs
- Attacker Class : Opportunists
- Attack Sophistication : Unsophisticated
- Identified tool(s) : ZmEu bot
- Source IP(s) : Random
- Source Countries : Random
- Source Port(s) : Random
- Destination Port(s) : 80/TCP, 443/TCP
Possible correlation(s):
- phpMyAdmin scanner
Emerging Threats SIG 2010715 triggers on:
- An HTTP request whose User-Agent header contains the string “Made by ZmEu”. Example: “User-Agent: Made by ZmEu @ WhiteHat Team – www.whitehat.ro”
- Any source port, from EXTERNAL_NET to HOME_NET on HTTP_PORTS.
Since 28 August we have detected an increasing number of Web Proxy CONNECT requests from China. All the source IPs are different, and most of them only attempt one or two connections.
Below is a live graph of the “Web Proxy CONNECT Request” activity, an AfterGlow visualization. All data (timestamps, source IPs, source IP countries, source IP ASNs) are available by clicking on the following link.
Since 24 July, our HoneyNet has revealed increasing SSH brute force attempts. These scans are similar to the previous increasing SSH brute force attempts alert. The source IP addresses are only targeting the root user.
You can follow the SSH brute force attempts in our Use Case SUC015 with real-time live data.
There is no day without a new Joomla Local File Inclusion (LFI) vulnerability. Just take a look at Exploit-DB, Inj3ct0r or Hack0wn and you will find thousands of Joomla components affected by this vulnerability.
For many years, security researchers have written studies on this vulnerability class and described the different ways to exploit it. You can find some good papers about LFI exploitation on Exploit-DB. But since 2010, LFI has been coming back in force.
An LFI vulnerability may not look dangerous at first glance, so here is a quick recap of the potential impacts of being vulnerable:
- Exposure of sensitive information (clear-text or hashed passwords, source code, document leakage, etc.)
- Exposure of system information (system details, user list, runtime information, etc.)
- Security bypass (normally inaccessible information can be accessed)
- System access (malicious users can gain access to the system and compromise it)
- Becoming part of a botnet without knowing it
Why are Local File Inclusion (LFI) attempts on the rise? The answer is very simple: Remote File Inclusion (RFI) is stagnating or even declining. Just do a simple search on Exploit-DB for RFI and you will directly see the difference from the LFI search. RFI vulnerabilities are very simple to exploit, unlike LFI vulnerabilities. To support this, I invite you to visit our one-year RFI HoneyNet statistics, where you will see the increasing activity of RFI botnets. But the number of RFI exploits has been decreasing continuously since the hype of 2006 and 2007. Hosts compromised through LFI are integrated into RFI botnets.
Although LFI exploitation fails in 90% of cases (due to OS, web server or PHP default hardening), if you scan 1000 hosts you can still compromise 100 of them. Hosts compromised through LFI compensate for the decrease in hosts compromised through RFI exploits. Accordingly, since 2010 we have seen the appearance of dedicated Joomla LFI dork lists and the mutation of traditional RFI scanners into LFI/RFI scanners (LRFI). The 2010 mutation of traditional RFI scanners also integrates XML-RPC and SQL injection scanners, with nicely updated dork lists.
We provide a list of all unique LFI attempts seen on our HoneyNet during the last 24 hours. This list is updated daily and lets you follow the newly targeted vulnerable web applications.
So just a final word: take care of your /proc/self/environ, and a special dedication to Indonesia 🙂 If you are curious, take a look at the Indonesian scene.
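To tie together the ZmEu User-Agent trigger of SIG 2010715 and the /proc/self/environ LFI pattern discussed above, here is an added example (not code from this blog or from Emerging Threats) that applies both checks to Apache combined-format access log lines; the sample lines, the log regex and the LFI indicator list are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (assumed; not real honeynet data).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Aug/2010:10:01:02 +0200] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 512 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
198.51.100.9 - - [28/Aug/2010:10:02:11 +0200] "GET /index.php?option=com_example&controller=..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron%00 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.33 - - [28/Aug/2010:10:03:15 +0200] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux)"
"""

# Combined log format: ip ident user [ts] "method uri proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Same User-Agent test as ET SIG 2010715: the string "Made by ZmEu" in the UA header.
ZMEU_UA = re.compile(r"Made by ZmEu", re.IGNORECASE)
# LFI indicators checked on the decoded request URI: directory traversal or the
# /proc/self/environ target named in the post (this indicator list is an assumption).
LFI_URI = re.compile(r"\.\./|/proc/self/environ", re.IGNORECASE)


def classify(line):
    """Return a dict describing one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = []
    if ZMEU_UA.search(m["ua"]):
        hits.append("zmeu-scanner")
    # Decode twice so double-encoded traversal (%252E%252E%252F) is still caught.
    decoded = unquote(unquote(m["uri"]))
    if LFI_URI.search(decoded):
        hits.append("lfi-attempt")
    return {"ip": m["ip"], "ts": m["ts"], "uri": m["uri"], "status": m["status"], "hits": hits}


def scan(log_text):
    """Return only the parsed lines that matched at least one indicator."""
    parsed = (classify(line) for line in log_text.splitlines())
    return [r for r in parsed if r and r["hits"]]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["ip"], alert["hits"], alert["uri"])
```

Feed real access logs through scan() to get the same two classes of alert the honeynet reports; the status field lets you separate 404s from requests that actually hit an existing script.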