“Toata dragostea mea pentru” Vulnerability Scanners

Posted 2009-01-16 in Spam by Johann.

I have many visits from people who are interested in vulnerability scanners, whether libwww-perl or the “Toata dragostea mea pentru diavola” scanners.

Requests

Here are all requests made by them. They have since changed their user agent to something cloaked – their latest one is

62.75.224.201 … "GET /roundcubemail-0.1/bin/msgimport HTTP/1.1" 403 4131 "-" "Toata dragostea mea pentru god    (god     is a girl and this is not a pbot or a browser)"

I wonder what they were smoking…

  • /bin/configure?action=image
  • /bin/msgimport
  • /bt/login_page.php
  • /bug/login_page.php
  • /bugs/login_page.php
  • /bugtrack/login_page.php
  • /bugtracker/login_page.php
  • /cgi-bin/configure?action=image
  • /cube/bin/msgimport
  • /domain_default_page/index.html
  • /email/program/js/list.js
  • /issue/login_page.php
  • /issuetracker/login_page.php
  • /login_page.php
  • /mail/bin/msgimport
  • /mail/program/js/list.js
  • /mail/roundcube/bin/msgimport
  • /mantis/login_page.php
  • /mantisbt/login_page.php
  • /msgimport
  • /portal/login_page.php
  • /program/js/list.js
  • /projects/login_page.php
  • /rc/bin/msgimport
  • /rc/program/js/list.js
  • /round/bin/msgimport
  • /roundcube-0.1/bin/msgimport
  • /roundcube//bin/msgimport
  • /roundcube/bin/msgimport
  • /roundcube/program/js/list.js
  • /roundcubemail-0.1/bin/msgimport
  • /roundcubemail-0.2/bin/msgimport
  • /roundcubemail/bin/msgimport
  • /roundcubemail/program/js/list.js
  • /roundcubewebmail/bin/msgimport
  • /support/login_page.php
  • /tag/configure?action=image
  • /tracker/login_page.php
  • /twiki/bin/configure?action=image
  • /vhcs/domain_default_page/index.html
  • /vhcs2/domain_default_page/index.html
  • /webmail/bin/msgimport
  • /webmail/program/js/list.js
  • /webmail/roundcube/bin/msgimport
  • /wiki/bin/configure?action=image
  • /wiki/cgi-bin/configure?action=image
  • /wiki/cgi/configure?action=image
  • /wikis/bin/configure?action=image
  • HTTP/1.1

The last line is not a mistake – their code just makes malformed HTTP requests. They also do not send any host headers with the requests. In other words, they do not have a list of domains they’re scanning, just IP addresses. Maybe not even that.

Targets

Just by going through the list of requests, we can see

  • webmail systems,
  • bug tracking software,
  • Wikis and
  • unspecified login pages.

Tips

How can you harden your web server against these attacks?

  • No default paths. Never install web applications in default paths suggested by installation instructions.
  • Remove footprints. Most web applications leave notes in the HTML. “Powered by WordPress” is a very common one. Make sure you remove the most obvious hints.
  • No default web sites. Make sure a host header is required. Try wget -d http://<your IP address>. You should not get your home page back.
  • Have a strategy for other types of web abuse. Spamtraps, the ability to block by IP netblock and user agent, firewalls.
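The log line quoted above carries three tells that a defender can key on: the scanner's user-agent prefix, the bare "HTTP/1.1" request line, and the probe paths from the list. The following is an added example (not code from the original post) that applies those checks to Apache combined-format log lines; the sample lines are constructed for this example, with only the IP address and user agent taken from the post, and the path suffixes taken from the request list above.

```python
import re
from typing import List, Optional, Tuple

# Apache "combined" log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# User-agent prefix quoted in the post; the part after it changed between runs.
AGENT_PREFIX = "Toata dragostea mea pentru"

# Path suffixes taken from the request list (roundcube, mantis, twiki, vhcs probes).
PROBE_SUFFIXES = (
    "/bin/msgimport",
    "/login_page.php",
    "/configure?action=image",
    "/program/js/list.js",
    "/domain_default_page/index.html",
)

# Constructed sample log: IP and user agent from the post, all other fields made up.
SAMPLE_LOG = [
    '62.75.224.201 - - [16/Jan/2009:10:00:00 +0100] "GET /roundcubemail-0.1/bin/msgimport HTTP/1.1" 403 4131 "-" "Toata dragostea mea pentru god    (god     is a girl and this is not a pbot or a browser)"',
    '62.75.224.201 - - [16/Jan/2009:10:00:01 +0100] "HTTP/1.1" 400 226 "-" "-"',
    '10.0.0.7 - - [16/Jan/2009:10:00:02 +0100] "GET /mantis/login_page.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [16/Jan/2009:10:00:03 +0100] "GET /index.html HTTP/1.1" 200 1024 "http://example.com/" "Mozilla/5.0"',
]

def classify(line: str) -> Optional[str]:
    """Return why a log line looks like this scanner, or None if it looks ordinary."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if m.group("agent").startswith(AGENT_PREFIX):
        return "agent"
    parts = m.group("request").split()
    # A well-formed request line is "METHOD PATH HTTP/x.y"; the scanner also sends a bare "HTTP/1.1".
    if len(parts) != 3:
        return "malformed-request"
    if any(parts[1].endswith(suffix) for suffix in PROBE_SUFFIXES):
        return "probe-path"
    return None

def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client IP, reason) for every flagged line, in log order."""
    hits = []
    for line in lines:
        reason = classify(line)
        if reason:
            hits.append((LOG_RE.match(line).group("ip"), reason))
    return hits
```

The returned IPs are what you would feed into the netblock blocking mentioned in the last tip; the "probe-path" check works even after the scanner changes its user agent again.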

11 comments

#1 2009-02-26 by baffled

Mine is checking for the Coppermine photo gallery and similar software or varied paths to photo galleries. Thanks for all the hints. Without them, here and anywhere else, I would not even have been able to set up my .htaccess file. I still hope my hosting provider will do the rest.

#2 2009-02-26 by Johann

baffled,

thanks for your comment. Good to see you're blocking this.

#3 2009-03-13 by Dan

One of my servers got scanned, but as I had mod_security installed and configured, all requests got a 400 error... and not only this kind of scan got blocked. Rules can be easily understood and customised by any server administrator.

#4 2009-03-13 by Johann

Dan,

I've heard about mod_security before. Do you find it useful? How much abuse does it stop? Just scanning and exploits or also comment spam?

#5 2009-03-13 by Dan

Hello Johann,

ModSecurity core rules can do many things, like blocking/logging protocol violations and anomalies, setting request limits, blocking bad robots (like email harvesters), blocking generic attacks (e.g. SQL injection and XSS), blocking backdoor access, and blocking information leakage.
And it also has rules to block SPAM comments.
It is also possible to make Apache scan all uploaded files using antivirus software (e.g. amavis).
Separately, there is a ModSecurity Console (screenshot http://img27.imageshack.us/img27/3900/picture3avh.png) that can be used to analyse the problems that occurred. Personally I love it :)
Another screenshot: http://img149.imageshack.us/img149/5052/86495002.jpg

#6 2009-03-14 by Dan

I just remembered something, as I said you can make Apache scan all files with an antivirus using mod_security, a file on Yahoo's Geocities... http://br.geocities.com/thalesnn/r57.txt
I found this file some days ago... and it is still there... I wonder what the hell Yahoo works on that is so important that their servers are used to exploit other servers' security issues...
So, I recommend again using mod_security (as it is free and easy to install) just to not go like Yahoo...

#7 2009-03-18 by Johann

Dan,

that's a well-known backdoor that is used by vulnerability scanners as payload.

They're hosted here and there, some hosts remove them, some don't.

#8 2009-03-23 by Dan

Yes Johann, but as a server admin you must take care of your security, and also prevent the use of your server for this kind of thing... At least that's my point of view...

#9 2009-04-02 by Johann

Dan,

I agree but as you can see, some people don't care.

#10 2010-01-05 by Nico

My home server was also scanned by this thing. But I don't know which pages were checked (my software does not link pages with browsers). The name it used was: "Toata dragostea mea pentru diavola". What's the reason for these things?

#11 2010-01-07 by Johann

Nico,

these people are looking for bugs in software that you have installed on your software. More specifically, they're looking for bugs that let them abuse your server to host their material or send email spam.
