[WsIRT#1186] OS Disclosure, RFI Scanner Public, Simple PHP I

 CastleCops -> WsIRT Reports
Author: Paul PostPosted: Mon Dec 24, 2007 5:24 am    Post subject: [WsIRT#1186] OS Disclosure, RFI Scanner Public, Simple PHP I
Attack Alert
 
 Full Report: CastleCops Link/OS_Disclosure_RFI_Scanner_Public_Simple_PHP_Injection_id_Disclosure_attack1186.html
 
 mic.txt, if successfully injected into a susceptible web server, will attempt to download an RFI Scanner:

############################################################################
# RFI Scanner
# Public Version Pitbull Smile
#
# This one contains the following engines :
# Google, UOL, Libero, MSN, AllTheWeb, ASK, AOL, UOL, Lycos, FireBall, Yahoo
#
# Yahoo is Fixxed Wink
#
############################################################################

Found at http://www.pcr.ac.id/~rina/includes/file/x.txt
If x.txt is successfully downloaded and executed, there are a couple variables pointing to:

http://www.lasiestamadrid.com//portal/images/zoom/PEASCH/sample.jpg?
http://trimedia-online.net/ihmank/id.txt?

There is also a server connection to lelakibiasa.indoirc.net on port 6667 using the nick "PcrX- followed by a random number.
channel and hacked by karawanghack (karawanghackerlink)

Simple PHP Injection - *nix & *BSD OnLy
Consumed following related reports:

[1032] http://www.pcr.ac.id/~rina/includes/file/37.txt??
[1121] http://www.pcr.ac.id/~rina/includes/db/mc2.txt??
[1187] http://www.pcr.ac.id/~rina/includes/file/all.txt??
[1188] http://www.pcr.ac.id/~rina/includes/db/mix.txt??
[1189] http://www.pcr.ac.id/~rina/includes/db/max.txt??
[1190] http://www.pcr.ac.id/~rina/includes/db/gb.txt??
[1191] http://www.pcr.ac.id/~rina/includes/db/gab.txt??
[1192] http://www.pcr.ac.id/~rina/includes/db/gab.txt?
[1193] http://www.pcr.ac.id/~rina/includes/db/37.txt??
http://www.pcr.ac.id/~rina/includes/file/37.txt?? attempts to download http://www.pcr.ac.id/~rina/includes/file/xx.txt which is the rfi scanner. In it is a URL: http://www.pcr.ac.id/~rina/includes/file/37.txt?
http://www.pcr.ac.id/~rina/includes/db/mc2.txt?? calls http://www.pcr.ac.id/~rina/includes/db/x.txt

http://www.pcr.ac.id/~rina/includes/file/all.txt?? calls http://www.pcr.ac.id/~rina/includes/file/x.txt

http://www.pcr.ac.id/~rina/includes/db/gab.txt? calls http://www.pcr.ac.id/~rina/includes/db/z.txt
Changed status to confirmed attack.
All these files found in this report are setup to permit attackers compromise of remote webservers by injecting them. Please remove them immediately.
IP Converted: 89.248.100.178

dword = 1509450930
hex1 = 0x59f864b2
hex2 = 0x59.0xf8.0x64.0xb2
oct = 0131.0370.0144.0262
IP Converted: 71.18.186.181

dword = 1192409781
hex1 = 0x4712bab5
hex2 = 0x47.0x12.0xba.0xb5
oct = 0107.022.0272.0265
View CIDR AS42237 Report: http://www.cidr-report.org/cgi-bin/as-report?as=42237

"42237 | ES | ripencc | 2007-01-23 | INTERDOMINIOS Grupo Interdominios S.A."<br />
Extended information for AS42237:
State/Province:
Country:
Responsible Domain: interdominios.com
Abuse Email: admin@interdominios.com
IP Converted: 124.81.214.3

dword = 2085737987
hex1 = 0x7c51d603
hex2 = 0x7c.0x51.0xd6.0x3
oct = 0174.0121.0326.03
View CIDR AS32392 Report: http://www.cidr-report.org/cgi-bin/as-report?as=32392

"32392 | US | arin | 2004-04-26 | OPENTRANSFER-ECOMMERCE - Ecommerce Corporation"<br />
Extended information for AS32392:
State/Province: ky
Country: us
Responsible Domain: ecommerce.com
Abuse Email: abuse@ecommerce.com
View CIDR AS4795 Report: http://www.cidr-report.org/cgi-bin/as-report?as=4795

"4795 | ID | apnic | 1996-10-30 | INDOSAT2-ID INDOSATM2 ASN"<br />
Extended information for AS4795:
State/Province:
Country: id
Responsible Domain: indosat.net.id
Abuse Email: abuse@indosat.net.id
Quote:
http://www.pcr.ac.id/~rina/includes/file/mic.txt?
CastleCops -> WsIRT Reports

All times are GMT

Page 1 of 1


Powered by phpBB © 2001 phpBB Group