Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers – is the security community’s go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Joomla 0-Day Exploited In the Wild (CVE-2015-8562)

A recent new 0-day in Joomla discovered by Sucuri (Sucuri Blog) has drawn a lot of attention from the Joomla community, as well as attackers. Using knowledge gained from our recent research on Joomla (CVE-2015-7857, SpiderLabs Blog Post) and information...

OWASP/WASC Distributed Web Honeypots Project Re-Launch - Seeking Participants

The SpiderLabs Research Team is proud to announce that we are officially re-launching the Distributed Web Honeypots Project under the new joint OWASP/WASC project home! For those SpiderLabs Blog readers who follow our "Honeypot Alert" series, you may be interested...

Shellshock a Week Later: What We Have Seen

Trustwave, like most other information security firms, has been busy investigating the ShellShock vulnerability and subsequent scanning and exploit attempts. The SpiderLabs team at Truswave wanted to give the community some feedback on what we are seeing happening "in the...

[Honeypot Alert] New Bot Malware (BoSSaBoTv2) Attacking Web Servers Discovered

Our web honeypots picked up some interesting attack traffic. The initial web application attack vector (PHP-CGI vulnerability) is not new, the malware payload is. We wanted to get this information out to the community quickly due to the following combined...

[Honeypot Alert] Wordpress XML-RPC Brute Force Scanning

There are news reports of new Wordpress XML-PRC brute force attacks being seen in the wild. The SANS Internet Storm Center also has a Diary entry showing similar data. We have captured similar attacks in our web honeypots so we...

[Honeypot Alert] Open Flash Charts File Upload Attacks

Our web honeypots picked up some increased scanning/exploit activity for the following file upload vulnerability in Open Flash Charts - The following screenshot shows the contents of the vulnerable ofc_upload_image.php file: As you can see from this simple code, there...

[Honeypot Alert] JCE Joomla Extension Attacks

Our web honeypots picked up some increased exploit attempts for an old Joomla Content Editor (JCE) Extension vulnerability. Although this vulnerability is a few years old, botnet owners are heavily scanning for sites that are vulnerable and attempting to exploit...

[Honeypot Alert] More PHP-CGI Scanning (apache-magika.c)

In the past 24 hours, one of the WASC Distributed Web Honeypot participant's sensors picked up continued scanning for CVE-2012-1823 which is a vulnerability within PHP-CGI. Here is a screenshot taken from the ModSecurity WAF alert data: PHP-CGI Attack The...

[Honeypot Alert] Probes for Apache Struts 2.X OGNL Vulnerability

Today our web honeypot sensors picked up probes for the recent Apache Struts 2.X OGNL vulnerability (CVE-2013-2251): 222.136.0.151 - - [16/Aug/2013:09:25:21 +0200] "GET /index.action? redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest' ),%23p%3d(%23req.getRealPath(%22/%22)%2b%22inback.jsp%22).replaceAll(\"\\\\\\\\\",%20\"/\" ),new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c %22)).close()}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull) (new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%2 2f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e HTTP/1.1" 404 291 "-" "Sturt2" Struts users are strongly encouraged...

[Honeypot Alert] Inside the Attacker's Toolbox: Webshell Usage Logging

In a previous blog post, we discussed the common lifecycle of web server botnet recruitment. While installing perl IRC botnet scripts is a common tactic for post-exploitation, it is by no means the only method used to interact with or...

[Honeypot Alert] Active Exploits Attempts for Plesk Vulnerability

Last week, hacker "kingcope" provided PoC expliot code for a Plesk 0-day on the Full Disclosure public mail-list. Our web honeypot systems received some exploit attempts so we wanted to share with the community. Here is an example request taken...

The Life Cycle of Web Server Botnet Recruitment

This blog post is an excerpt taken from the recently released Global Security Report (GSR) for 2013. Over the course of the past year, my team has monitored and analyzed vast amounts of data within our Web honeypots and shared...

[Honeypot Alert] User-Agent Field PHP Injection Attacks

In a previous Honeypot Alert blog post, I showed an example of attackers using LFI attacks to access /proc/self/environ to execute code within the User-Agent field. Our web honeypots have identified more probes of this type. Here is an example...

[Honeypot Alert] Active Probes for Ruby on Rails XML Vulns

In a previous blog post, I outlined some ModSecurity defenses to help protect Ruby on Rails users from the XML parsing vulnerabilities. Hopefully you have had a chance to update RoR for your site. If not, you might want to...

[Honeypot Alert] Turning Local File Inclusion into Reflected Code Execution

Which web application attack type is more severe: Local File Inclusion (LFI) or Code Excution? Most people would say the latter as the majority of threat modeling excercises assign LFI attacks/vulnerabilities a lower severity rating. Successful LFI attacks normally result...

[Honeypot Alert] SQL Injection Scanning Targeting Joomla Plugins

The following SQL Injection attack payloads targeting Joomla components were identified in our web honeypot sensor logs: 91.213.96.32 - - [28/Nov/2012:11:31:04 +0100] "GET /index.php?option=com_joomgalaxy&view=categorylist&type=thumbnail&lang=en&catid=100000001-100000001=0 union (select 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9,10,11,12,13+from+jos_users) HTTP/1.1" 400 299 "-" "-" 92.38.226.14 - - [28/Nov/2012:11:31:42 +0100] "GET /index.php?option=com_spidercalendar&date=999999.9' union...

Stay Connected


Subscribe

Sign up to receive the latest security news and trends from Trustwave.

No spam, unsubscribe at any time.


Trending Topics