Comments on: libwww-perl and exploits http://spamhuntress.com/2007/11/09/libwww-perl-and-exploits/ Just another WordPress weblog Tue, 02 Dec 2008 15:01:35 +0000 http://wordpress.org/?v=2.0.7 by: admin http://spamhuntress.com/2007/11/09/libwww-perl-and-exploits/#comment-293097 Tue, 04 Dec 2007 15:04:11 +0000 http://spamhuntress.com/2007/11/09/libwww-perl-and-exploits/#comment-293097 Lemat tried to post this, but it didn't make it past the filters: This is Mic22 type PHP injection script (also known as Remote File Include), it is used by the hackers to determine if the scanned website is vulnerable or not. There are few types of script-kiddies: 1) Lame: using c99, r57 type script to manually search and hack webservers, they try to use proxy to hide their IPs and free hostings to store their tools - sometimes along with website "I'm the supermastahacker". User Agent is usually a real browser - Firefox, Opera and IE (!). Not a real threat. 2) Advanced: using Mic22 type, and Perl backdoor used to connect hacked webserver to the IRC server, where hacker can run commands from remote. Usually attacking IP is Brazillian 200.0.0.0/7, 189.0.0.0/8. They store their tools on free hostings (like geocities) and previously hacked webservers. User Agent is usually "Indy Library" - they run Deplhi-made crawlers on their home computers (Windows). IRC servers are: irc.indoirc.net, bots.crewchat.org, brasilcrew and many more. Major threat due to amount of people. They usually "own" ~10-30 hacked webservers each. 3) Pro: they run crawlers on hacked webservers - User Agent string is "libwww". A major thread due to amount of parallel Internet sweeps. 4) Pro+: there is a service on previously hacked webserver, usually listening at port 9991 instead (or parallel to) IRC server. I have seen hacker named xeQt in February 2007 with ~100 webservers hacked during weekend (2 days). Currently this is a rare species. There is lots of Brazillians and Indonesians, few Italians, French, 3 were from Poland (yes, past tense). If you list channels on IRC server take a look at "scan! bug dork" descriptions. Lemat tried to post this, but it didn’t make it past the filters:

This is Mic22 type PHP injection script (also known as Remote File
Include), it is used by the hackers to determine if the scanned website is
vulnerable or not. There are few types of script-kiddies:

1) Lame: using c99, r57 type script to manually search and hack
webservers, they try to use proxy to hide their IPs and free hostings to
store their tools - sometimes along with website “I’m the
supermastahacker”. User Agent is usually a real browser - Firefox, Opera
and IE (!). Not a real threat. 2) Advanced: using Mic22 type, and Perl
backdoor used to connect hacked webserver to the IRC server, where hacker
can run commands from remote. Usually attacking IP is Brazillian
200.0.0.0/7, 189.0.0.0/8. They store their tools on free hostings (like
geocities) and previously hacked webservers. User Agent is usually “Indy
Library” - they run Deplhi-made crawlers on their home computers
(Windows). IRC servers are: irc.indoirc.net, bots.crewchat.org, brasilcrew
and many more. Major threat due to amount of people. They usually “own”
~10-30 hacked webservers each. 3) Pro: they run crawlers on hacked
webservers - User Agent string is “libwww”. A major thread due to amount
of parallel Internet sweeps. 4) Pro+: there is a service on previously
hacked webserver, usually listening at port 9991 instead (or parallel to)
IRC server. I have seen hacker named xeQt in February 2007 with ~100
webservers hacked during weekend (2 days). Currently this is a rare
species.

There is lots of Brazillians and Indonesians, few Italians, French, 3 were
from Poland (yes, past tense). If you list channels on IRC server take a
look at “scan! bug dork” descriptions.

]]> by: Igor Berger http://spamhuntress.com/2007/11/09/libwww-perl-and-exploits/#comment-291829 Fri, 30 Nov 2007 21:20:34 +0000 http://spamhuntress.com/2007/11/09/libwww-perl-and-exploits/#comment-291829 SpamHuntress, I always have an issue with how wordpress handles url rewrites. http://spamhuntress.com/?igor-the-troll This should not work but it does! Not only it can be a Google duplication penalty for lower trust sites, but a public relationship exploit for a brand if targated by gorilla warfare SEOs. SpamHuntress, I always have an issue with how wordpress handles url rewrites.
http://spamhuntress.com/?igor-the-troll

This should not work but it does! Not only it can be a Google duplication penalty for lower trust sites, but a public relationship exploit for a brand if targated by gorilla warfare SEOs.

]]> by: David Clarke http://spamhuntress.com/2007/11/09/libwww-perl-and-exploits/#comment-283004 Thu, 15 Nov 2007 17:52:38 +0000 http://spamhuntress.com/2007/11/09/libwww-perl-and-exploits/#comment-283004 The scripts are served as text/plain, but in vulnerable configurations, they use a PHP Include() command to be incorporated. I've been noticing quite a few of these for some time - and reporting them to the site owners, most of whom have been co-operative. I've described some of this Script Kiddie activity on my blog at http://www.dragonthoughts.com The scripts are served as text/plain, but in vulnerable configurations, they use a PHP Include() command to be incorporated.

I’ve been noticing quite a few of these for some time - and reporting them to the site owners, most of whom have been co-operative.

I’ve described some of this Script Kiddie activity on my blog at http://www.dragonthoughts.com

]]> by: Roland http://spamhuntress.com/2007/11/09/libwww-perl-and-exploits/#comment-281512 Tue, 13 Nov 2007 10:11:56 +0000 http://spamhuntress.com/2007/11/09/libwww-perl-and-exploits/#comment-281512 It's a so called "PHP shell" where you can enter Linux commands and then they will be executed on the targeted server. Damn script-kiddies... :( It’s a so called “PHP shell” where you can enter Linux commands and then they will be executed on the targeted server. Damn script-kiddies… :(

]]> by: Alden http://spamhuntress.com/2007/11/09/libwww-perl-and-exploits/#comment-279559 Sat, 10 Nov 2007 00:03:13 +0000 http://spamhuntress.com/2007/11/09/libwww-perl-and-exploits/#comment-279559 I've been getting a lot of those type of hits, and have been trying, where I can, to inform the owners of the sites that they appear to have been hacked. Obviously the hackers aren't monitoring the responses from the target servers, because all they've been getting from my sites are 404s. :P I’ve been getting a lot of those type of hits, and have been trying, where I can, to inform the owners of the sites that they appear to have been hacked. Obviously the hackers aren’t monitoring the responses from the target servers, because all they’ve been getting from my sites are 404s. :P

]]>