Paul
CastleCops Founder
Joined: Feb 22, 2002
Posts: 27351
|
 Posted: Sat Dec 01, 2007 7:17 pm Post subject: [WsIRT#94] OS Disclosure, Qe3shell, id Disclosure @AS30340 |
|
|
Attack Alert
Full Report:  /OS_Disclosure_Qe3shell_id_Disclosure_attack94.html
Changed status to confirmed attack.
IP Converted: 65.61.123.60
dword = 1094548284
hex1 = 0x413d7b3c
hex2 = 0x41.0x3d.0x7b.0x3c
oct = 0101.075.0173.074
View CIDR AS30340 Report: http://www.cidr-report.org/cgi-bin/as-report?as=30340
"30340 | US | arin | 2003-09-12 | AS-TIER - Tierpoint, LLC"<br />
Extended information for AS30340:
State/Province: wa
Country: us
Responsible Domain: llix.net
Abuse Email: postmaster@llix.net
The 1.jpg file for download upon inspection reveals a <title>#ulil security tester on dalnet Qe3</title> name.
The Qe3Shell not only permits access to the exploited web server, but it also established sql database connections. It is claimed By * Ulil Hacker Security Tester* * http://ulga.by.ru in the source.
One of the commands the Qe3shell executes is:
("insert into Qe3_temp_table EXEC master.dbo.xp_cmdshell '".$_POST['test4_file']."'",$db)
Another one of the many things it attempts is:
readfile(\"/etc/passwd\");
There is also a reference to:
o---[ HDTEAM shell Ulga/Ulil | http://ulil.xlphp.net
We have found attackers attempting to inject the 3.jpg script to exploitable web servers. While investigating we found files 2.jpg and 1.jpg which are also nefarious in nature. All scripts, if successfully injected into a remote web server, permits criminals to gather intelligence on those systems, and even take control via the Qe3shell. Please remove these immediately.
| Quote: | | http://www.zbazaar.com/.ssh/3.jpg?? |
|
|
Forum FAQ
Search
Usergroups
Profile
Login to check your private messages
Login
