Since one week, we have detect some increasing RCE (Remote Code Execution) and SQL injection attempts on xmlrpc.php. These attempts are detected by ET rule 2002158, with last modification on the rule the 2009-03-13.
You can find here under the payload how is called by the attempts.
test.method’,”));echo ‘XxXDIOCANEXxX’;exit;/*
Despite the source IPs are completely random, the User Agent is still Mozilla/5.0 and the payload is all the time the same. These attempts seems to be generated by a tool using some Google dorking capabilities. Also the source IPs are also involved in other exploits attempts, members of RFI or LFI botnets.
24 hours SIG 2002158 events activities1 week SIG 2002158 events activities1 Month SIG 2002158 events activitiesOne year SIG 2002158 events activities1 Month TOP 10 source IPs for SIG 2002158
After the discovery of a new car license plate type, created to fight, with SQL injection method, the unpopular fixed radar system, mikkohypponen a security specialist has report a funny method to SQL inject services fingerprinting.
The concerned service is the HTTP service of www.reddit.comwebsite. Normally the HTTP service should return things like “Apache” or “ISS”, but here you can find a dedicated fingerprint.
SQL injection against fixed radar systems
SQL injection against services fingerprinting
Most of time, fingerprinting method are done with nmap like tools, and the results could be stored into a database. ERIPP is also well know to create a database of 4 Billion routable IP addresses with the associated most common services fingerprints. SHODAN is also a similar database type than ERIPP, how is a computer search engine permitting to find computers running certain software (HTTP, FTP, etc). Imagine that the crawler code has some sql injection flaw… oups your database has gone cause the fingerprint contains some sql injection code 🙂
For Reddit, we have search the “CREATE TABLE servertypes” on Google, and find one services fingerprinting crawler using a database called “servertypes” and targeting Reddit 🙂
banthar gist HTTP service fingerprinting crawler
Is Reddit protecting him self against information gathering or just an sysadmin funny joke.
We have some targeted Blind SQL Injection focusing on some randoms URLs, and all the time the same three parameters. We have actually make a list of different IP addresses, all located in China (hn.kd.ny.adsl), and more particular from the Henan province. All theses source IP addresses generating 30 distinct events. The 22/04/2010 events are not related with this Use Case.
Theses Blind SQL Injection scans are detected by Emerging Threats Snort rules, more precisely the 2011040 “WEB_SERVER Possible Usage of MYSQL Comments in URI for SQL Injection“, and also by the rule 2006446 “ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT“.
1 Month TOP 10 source IPs for SID 20110401 Month TOP 10 source IPs for SID 2006446TOP 20 source countries for SID 2011040TOP 20 source countries for SID 2006446
When starting the Blind SQL Injection scan, the source port stay static during 26 of 30 events and the last 4 events are have also a static source port, but different from the initial 26 events. We have also seen that some source IP only test doing 10 events, all these teen events with the same static source port.
For examples :
115.52.225.227 – hn.kd.ny.adsl – Beijing – China – User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
source port : 60865 (26 events)
source port : 61446 (4 events)
1 week 115.52.225.227 SIG 2011040 events
123.161.77.52 – Beijing – China – User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
source port : 21703 (26 events)
source port : 22035 (4 events)
1 week 123.161.77.52 SIG 2011040 events
115.52.227.129 – hn.kd.ny.adsl – Beijing – China – User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
source port : 24431 (26 events)
source port : 25206 (4 events)
1 month 115.52.227.129 SIG 2011040 events
hn.kd.ny.adsl is well know on Internet for malware, spam, etc. activities.
The 3 source IP addresses replay exactly the same HTTP Blind SQL Injection sequences, you can find them here under. This Blind SQL Injection Tool has maybe an Google Dorking capability.
