I am really curious as to the motivation of the parties deploying these types of scans. I understand that they would like to find vulnerable systems to compromise... but for what purpose? S
dor what ? Mainly the smarter ones, are, not malign, non botters, and dont use these shit systems to make money but, many poorer countries, this can make even, a small amount, with rooted boxes also, you have the power to charge a sip call for example...to an isp...and they would, as usually..bill it... but, it seems, anything thats new/big, is being scanned, its simple..one engine, MANY addons :P siimple formula, to exploit tonnes, of thousdands, of hosts...and, i have seen many public lists ranging upto 50-100megs of ips all vuln...fullnily, most of amazon aws 50. range is pwned...phpmyadmini believe..hehe....wen will ppl learn...security is a MUST, not an item to be glanced at and, presumed over for 100days..it has to be fast,responsive,and knows what todo..so,.. buy into immunity :P~~ lol... i know many others are using this to fuzz...great fopr mass fuzzing to i hear...altho then. acutenix could be obtained freely, and, made to look pro...so i guess..is lesser of the evils...ones 20 grand with a few addons, ones free... ill take both :P On 23 December 2011 18:34, <[email protected]> wrote: > >From analysis on compromised sites I've been receiving abuse messages for at > >$day_job they're launched from irc bots on compromised servers, mainly > >cpanel- cpanel is cool for novices but skimps on security out of the box. > > Will dig out some signatures when I get into the office. > > Sent from my BlackBerry® wireless device > > -----Original Message----- > From: Lamar Spells <[email protected]> > Sender: [email protected] > Date: Thu, 22 Dec 2011 23:23:11 > To: Nikolay Kichukov<[email protected]> > Cc: <[email protected]> > Subject: Re: [Full-disclosure] New awstats.pl vulnerability? > > Here is an update on this: > > Over the past week, we have seen the awstats activity continue, but > morph to include other vulnerabilities. Details of this are at > http://foxtrot7security.blogspot.com/2011/12/attacks-against-awstats-also-includes.html > -- but the summary is that we have seen activity change to include > Local File Inclusion and command injection in phpAlbum and other > components written in PHP. > > We started seeing today some activity related to phpthumb and > CVE-2010-1598... Details of this are at > http://foxtrot7security.blogspot.com/2011/12/new-attempts-to-exploit-old-phpthumb.html > > I am really curious as to the motivation of the parties deploying > these types of scans. I understand that they would like to find > vulnerable systems to compromise... but for what purpose? Sending > spam? So far, based on what I am seeing, it looks like they are > compromising systems just to have those systems look for more systems > to compromise. At this point, I have to assume that they are still in > the construction and building phase... > > On Fri, Dec 16, 2011 at 2:43 PM, Lamar Spells <[email protected]> wrote: >> Here are some additional IPs and some analysis of the IPs in question. >> Looks like very few of the scanning IPs are running awstats, but many >> are legitimate business running old apache versions. I am guessing >> they didn't self install an awstats scanner... >> >> http://foxtrot7security.blogspot.com/2011/12/importance-of-patching.html >> >> >> On Tue, Dec 13, 2011 at 7:51 AM, Lamar Spells <[email protected]> wrote: >>> Today we are also seeing requests like this one which is looking to >>> exploit CVE-2008-3922: >>> >>> GET /awstatstotals/awstatstotals.php ? >>> sort={${passthru(chr(105).chr(100))}}{${exit()}} >>> >>> >>> >>> On Tue, Dec 13, 2011 at 2:17 AM, Nikolay Kichukov <[email protected]> >>> wrote: >>>> -----BEGIN PGP SIGNED MESSAGE----- >>>> Hash: SHA1 >>>> >>>> Same here, I even tried to notify a bunch of the ISP registrators of the >>>> IP address range those originated from. >>>> >>>> - -Nik >>>> >>>> >>>> >>>> On 12/13/2011 07:30 AM, Bruce Ediger wrote: >>>>> On Mon, 12 Dec 2011, Lamar Spells wrote: >>>>> >>>>>> For the past several days, I have been seeing thousands of requests >>>>>> looking for awstats.pl like this one: >>>>> >>>>> Yeah, me too. They just started up. I haven't seen any awstats.pl >>>>> requests since 2010-05-18, and now I've gotten batches of them, since >>>>> about 2011-11-22, but heavier since the start of December. >>>>> >>>>> _______________________________________________ >>>>> Full-Disclosure - We believe in it. >>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>> -----BEGIN PGP SIGNATURE----- >>>> Version: GnuPG v1.4.11 (GNU/Linux) >>>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ >>>> >>>> iQEcBAEBAgAGBQJO5vwQAAoJEDFLYVOGGjgX8oEH/i3kjBAtJcT1DJvJVcRX4O+9 >>>> t2UcvehxpyjalhCttTmQrE8EcLrtGS62K0ZziNQPvXirOtJ0ERcaARsQFiTT7fCi >>>> YyEuNDa15nx+wS2dgnKWEyCjz356RobtXgFflrbfHNPmBCRGd/qM3VzquUDYRdef >>>> E+JtU0J3RgilXxMFLrZK5GHwZOUKNebv/T6bRPescMzRsX/DO89Csv0kWJM9xvyI >>>> kd0El+/thw8aj9/21dB/JWhdbiBozuKd2MG1hTog/xKFVzVqdTzkNoZ7Ok15n91v >>>> LoAx7cLqDInmx1syDLOSMhzRoyqGAA9Uq/WuTpDqTDcHjVwjGJPeYjc97dIJWdY= >>>> =0+7+ >>>> -----END PGP SIGNATURE----- >>>> >>>> _______________________________________________ >>>> Full-Disclosure - We believe in it. >>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>> Hosted and sponsored by Secunia - http://secunia.com/ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
