WebProWorld - Internet Security Discussion Forum
This forum is for the discussion of security related issues. If you find a new Phishing scheme, spyware, virus or malicious site - let us know about it. If any of the above found you... here's where you ask for help.
#1 | 01-17-2006, 10:10 AM | Faglork (WebProWorld Veteran; Forchheim, Germany)
Urgent warning - obviously new exploit

Hello,

a warning for all: We are seeing right now numerous attempts to access files associated with various well-known and widely used programs. Obviously some exploits exist, notably around the XML-RPC interface. I suggest you visit the homepage/support forums of these programs to find out whether you need to take precautions. The files in question are:


Code:
[Mon Jan 16 21:34:58 2006] [error] [xxx] File does not exist: /web/awstats/awstats.pl.
[Mon Jan 16 21:34:59 2006] [error] [xxx] script not found or unable to stat: /u/httpd/cgi-bin/awstats.pl.
[Mon Jan 16 21:35:00 2006] [error] [xxx] script not found or unable to stat: /u/httpd/cgi-bin/awstats.
[Mon Jan 16 21:35:03 2006] [error] [xxx] File does not exist: /web/blog/xmlrpc.php.
[Mon Jan 16 21:35:04 2006] [error] [xxx] File does not exist: /web/blog/xmlsrv/xmlrpc.php.
[Mon Jan 16 21:35:05 2006] [error] [xxx] File does not exist: /web/blogs/xmlsrv/xmlrpc.php.
[Mon Jan 16 21:35:06 2006] [error] [xxx] File does not exist: /web/drupal/xmlrpc.php.
[Mon Jan 16 21:35:07 2006] [error] [xxx] File does not exist: /web/phpgroupware/xmlrpc.php.
[Mon Jan 16 21:35:08 2006] [error] [xxx] File does not exist: /web/wordpress/xmlrpc.php.
[Mon Jan 16 21:35:11 2006] [error] [xxx] File does not exist: /web/xmlrpc/xmlrpc.php.
[Mon Jan 16 21:35:12 2006] [error] [xxx] File does not exist: /web/xmlsrv/xmlrpc.php
hth,
faglork
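As an added example (not from the thread or from any of the posters), the script below parses Apache error-log lines like the ones quoted above, keeps only requests for the file names the thread identifies as scan targets (xmlrpc.php, awstats.pl, awstats) and flags a client that walks several of those paths within a short window, which is the burst pattern visible in the timestamps. The sample log, the client addresses (RFC 5737 documentation ranges) and the thresholds are constructed for the example; the redacted [xxx] field in faglork's log is assumed to be Apache's [client <ip>] field.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache 1.3/2.0-style error-log line. The thread's lines have the client
# field redacted as [xxx]; a real log carries "[client <ip>]" there, which is
# what this pattern expects (assumption). The trailing "." after the path in
# the quoted lines is tolerated as optional.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]]+)\] "
    r"(?P<msg>File does not exist|script not found or unable to stat): "
    r"(?P<path>\S+?)\.?$"
)

# Basenames that the thread identifies as the targets of this scan.
PROBE_TARGETS = {"xmlrpc.php", "awstats.pl", "awstats"}

# Constructed sample log (not from the page): one client walks the thread's
# path list in a 14-second burst, one touches a single xmlrpc.php path, and one
# produces an unrelated 404. IPs are documentation addresses (RFC 5737).
SAMPLE_LOG = """\
[Mon Jan 16 21:34:58 2006] [error] [client 192.0.2.10] File does not exist: /web/awstats/awstats.pl.
[Mon Jan 16 21:34:59 2006] [error] [client 192.0.2.10] script not found or unable to stat: /u/httpd/cgi-bin/awstats.pl.
[Mon Jan 16 21:35:00 2006] [error] [client 192.0.2.10] script not found or unable to stat: /u/httpd/cgi-bin/awstats.
[Mon Jan 16 21:35:03 2006] [error] [client 192.0.2.10] File does not exist: /web/blog/xmlrpc.php.
[Mon Jan 16 21:35:06 2006] [error] [client 192.0.2.10] File does not exist: /web/drupal/xmlrpc.php.
[Mon Jan 16 21:35:08 2006] [error] [client 192.0.2.10] File does not exist: /web/wordpress/xmlrpc.php.
[Mon Jan 16 21:35:12 2006] [error] [client 192.0.2.10] File does not exist: /web/xmlsrv/xmlrpc.php
[Mon Jan 16 21:40:00 2006] [error] [client 198.51.100.7] File does not exist: /web/favicon.ico
[Mon Jan 16 22:05:30 2006] [error] [client 203.0.113.5] File does not exist: /web/blog/xmlrpc.php
this line is not an error-log entry at all
"""


def parse_line(line):
    """Return a dict with ts/ip/path for a recognised line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
        "ip": m["ip"],
        "path": m["path"],
    }


def is_probe(path):
    """True when the requested file is one of the known scan targets."""
    return path.rsplit("/", 1)[-1] in PROBE_TARGETS


def summarize(log_text, min_paths=3, window_seconds=60):
    """Group probe hits by client and flag clients that walk several distinct
    target paths within a short window (the burst pattern in the thread).
    Returns {ip: {"paths": [...], "span_seconds": float, "scanner": bool}}."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and is_probe(ev["path"]):
            by_ip[ev["ip"]].append(ev)

    report = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        paths = sorted({e["path"] for e in events})
        span = (events[-1]["ts"] - events[0]["ts"]).total_seconds()
        report[ip] = {
            "paths": paths,
            "span_seconds": span,
            "scanner": len(paths) >= min_paths and span <= window_seconds,
        }
    return report


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        tag = "SCANNER" if info["scanner"] else "single hit"
        print(f"{ip}: {tag}, {len(info['paths'])} target path(s) in {info['span_seconds']:.0f}s")
        for p in info["paths"]:
            print("   ", p)
```

Run it against a real error_log with `summarize(open("error_log").read())`. The single-hit client is reported but not flagged, so a legitimate visitor mistyping a URL does not trip the rule; the thresholds (three distinct target paths inside sixty seconds) are a starting point to tune against your own traffic.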
#2 | 01-17-2006, 04:55 PM | ADAM Web Design (WebProWorld 1,000+ Club; Toronto, Ontario, Canada)

Good post (as always!)

This one oughta be stickied.
#3 | 01-17-2006, 11:32 PM | Syspira (WebProWorld New Member; Toronto)

I checked WordPress's site, since I have WP blogs on several of my own and my clients' sites. Any version prior to 1.5 is vulnerable, so people running WP should check what version they have and upgrade if necessary.
#4 | 01-18-2006, 10:19 AM | google junky (WebProWorld Veteran; Indiana)
Default

I have my site set up to email me if ever a visitor hits a 404 page.
I get requests for those files showing up almost every day now.
#5 | 01-18-2006, 10:50 AM | Faglork (WebProWorld Veteran; Forchheim, Germany)

See
http://www.hardened-php.net/advisory_142005.66.html
http://isc.sans.org/diary.php?storyid=823
http://www.gulftech.org/?node=resear...00088-07022005
for details.

Obviously, the vulnerability has been known for some time.

faglork
#6 | 01-18-2006, 11:42 AM | google junky (WebProWorld Veteran; Indiana)

I also get the info of where it comes from when I get the emails about the requested pages and where they are coming from.

Not sure if I'm allowed to post this. If a mod sees a problem with it then delete my post.

Quote:
Time of the error:

browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
Page Requested: xxx.xx.xxx.xx/blog/xmlsrv/xmlrpc.php

Referer:
IP Address: 216.127.92.9
Hostname: onicrom.com

Quote:
Time of the error:

browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
Page Requested: xxx.xx.xxx.xx/xmlrpc.php

Referer:
IP Address: 62.154.176.138
Hostname: mail.icongmbh.de

That's just 2 of many requests for pages from these sites.
I have tried to send these sites an email about their site requesting these pages. I never get a reply.
#7 | 01-30-2006, 07:32 AM | sunnet (WebProWorld New Member; Adelaide, Australia)
Known, Historical Web Attacks

The entries being seen in the logs correspond to known attacks for known vulnerabilities in the AwStats perl Website Statistics software, and in the XML-RPC library included with PHP.

If you are not running a site which uses AwStats, and are not running a site which makes use of PHP's XML-RPC functionality at all (many CMS and blogging tools use it), then you have nothing to fear from these attacks.

If you do run a site which uses either of these features, then you should really consider moving the applications to non-standard installation points (i.e. changing the directories they live in from a default installation), and update to the latest versions of all your software (most packages which were vulnerable to these attacks have been updated for a while).
#8 | 01-30-2006, 11:28 AM | bodgekaloopie (WebProWorld Member; Michigan, USA)

Upon reading this post I promptly consulted with our hosting tech and was informed that the AWStats security holes apply to copies of AWStats that are installed as CGI scripts.

AWStats installations that are HTML based (which we use) are apparently not vulnerable to this threat.
#9 | 01-30-2006, 12:31 PM | Faglork (WebProWorld Veteran; Forchheim, Germany)

Quote:
Originally Posted by bodgekaloopie
Upon reading this post I promptly consulted with our hosting tech and was informed that the AWStats security holes apply to copies of AWStats that are installed as CGI scripts.

AWStats installations that are HTML based (which we use) are apparently not vulnerable to this threat.
HTML "based" ...? *something* has to do the work ;-)

Most likely it is command-line driven and run by a cron job, so you get only the generated HTML reports. Most stats packages are configured this way, since it makes no sense to let the users play around with the cgi interface ... too much server load.

Just wanted to clarify this.

A somewhat longer list of xml-rpc "victims" can be found at
http://secunia.com/search/?search=xml-rpc+php

Note that PHPAdsNew is in the list - it is a widely used adserver.

faglork
#10 | 01-30-2006, 09:32 PM | bodgekaloopie (WebProWorld Member; Michigan, USA)

The impression I got from our tech was that there are two versions, and what I posted ("HTML based") was quoted directly from him, but what you say makes absolute sense. Thanks for clarifying.