Fingerprint: Attacks on Port#80 (Part 1)

Below are examples of URL lists that an attacker might use against port 80.

        The text has deliberately been left untranslated into Indonesian, to avoid introducing ambiguity of meaning.

" * " Requests

        The asterisk is often used by attackers as an argument to a system command.

Below is an example.

* http://host/index.asp?something=..\..\..\..\WINNT\system32\cmd.exe?/c+DIR+e:\WINNT\*.txt

        This request asks for all text files within the e:\WINNT directory to be listed. Requests like these are often used to gather a list of log files, along with other important files. Few web applications use this character in a valid request, so an asterisk stands out in logs.

* http://host/blah.pl?somethingelse=ls%20*.pl

        This request asks a Unix system for a directory listing of all Perl scripts ending in .pl.

" ~ " Requests

        The ~ character is sometimes used by attackers to determine which usernames are valid on your system.

Below is an example.

* http://host/~joe

        This request is looking for a user named "joe" on the remote system. Users often have web space, and if the attacker manages to visit a web page, or receives a 403 (Forbidden) error, then the user exists. Once an attacker has a valid username, they may try guessing passwords, or brute forcing, until they obtain a valid password. There are other ways of finding out who is a valid user, but since this is a port 80 request I figured I'd mention it. (This is a well-known method.) It can easily be misidentified as a valid request in IDS logs, depending on whether the system serves user pages in this format.

" ' " Requests

        If this particular character shows up in your logs, there is a possibility that someone is attempting a SQL injection attack against your software. Programs are often written poorly and may allow an attacker to insert SQL commands into the script. If it is possible to execute system commands, an attacker may be able to gain administrative access to your system. (Sometimes administrators run SQL as root on Unix, and if you run MS-SQL it already runs with administrative privileges.)

Below is an example.

* http://host/cgi-bin/lame.asp?name=john`;EXEC master.dbo.xp_cmdshell'cmd.exe dir c:'--

        This request executes the cmd.exe shell on a Windows NT machine. From here an attacker has free rein on the remote machine, with access to add users, upload trojans, and steal the SAM password file.

        For more information on SQL attacks visit http://www.cgisecurity.com/lib/ and check out a few papers we've collected from various sites on the subject. Also check out http://www.webappsec.org for further examples of SQL Injection.

" #, {} , ^ , and [] " Requests

        These particular characters may show up in your logs if an attacker is echoing the source code of a Perl or C program into a file. Once the file is created and compiled or interpreted, the attacker could bind a shell to a port, giving themselves easy access.

        I won't show a complete example of this, because in order to do so I'd have to paste a bindshell program. This paper wasn't written to give people easy-to-follow examples of how to use trojans, so I have decided not to include one. [ and ] may also be used as a command argument on Unix, for commands like ls -al [a-f]*. This would list all the files starting with characters between a and f. # may show up if an attacker is uploading a Perl script backdoor (e.g. #!/usr/bin/perl at the top of the file).

Below is an example using #.

* http://host/dont.pl?ask=/bin/echo%20"#!/usr/bin/perl%20stuff-that-binds-a-backdoor"%20>/tmp/back.pl;/usr/bin /perl%20/tmp/back.pl%20-p1099

" ( and ) " Requests

        These characters are often used in cross-site scripting attacks. Cross-site scripting has received a lot of attention lately, and many large sites still suffer from this type of attack.

Below is an example.

* http://host/index.php?stupid=

        The request above is sent to index.php, which returns an output page containing the JavaScript supplied in the request. Your browser then executes that JavaScript and displays a popup window. Cross-site scripting is considered a low-to-medium threat, but it can allow an attacker to steal your cookies. An obvious way to prevent this is to make sure the output does not contain the < and > characters, so that the JavaScript is not executed.

" + " Request

        Sometimes the + is used as a blank space, similar to "%20", as mentioned in my previous paper. When used in an attack, this value is often seen with hosts backdoored through cmd.exe. Often an attacker or worm will copy cmd.exe to a file inside the webroot; once this file is copied, the attacker has full control over your Windows machine and uses the + character to pass arguments to the script. If this character comes up in your logs, don't freak out: it is widely used by web applications and can easily be misidentified. If it does show up, you may want to double-check the logs, but there is no reason to panic.

Below is an example.

* http://site/scripts/root.exe?/c+dir+c:\

        This particular example shows a request to a backdoor called root.exe. This backdoor is installed by the sadmind/IIS worm, Code Red, and Nimda after a host is compromised. The + character is often used with Windows backdoors that involve copies of cmd.exe.
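As an added, defender-side example (not part of the original paper or of cgisecurity.com), the script below parses constructed Apache-style access log lines, URL-decodes each request and flags the characters discussed in the sections above, ranking + and ~ lowest because the paper notes they are easily misidentified. The sample log, the severities and the function names are my own assumptions.

```python
import re
from urllib.parse import unquote

# Signatures from the sections above: (label, pattern, meaning, severity).
# '+' and '~' appear in plenty of legitimate requests, so they rank lowest.
SIGNATURES = [
    ("*",      re.compile(r"\*"),          "wildcard passed to a system command", 2),
    ("~",      re.compile(r"/~\w+"),       "user enumeration via ~user pages",    1),
    ("'",      re.compile(r"'"),           "possible SQL injection",              3),
    ("#{}^[]", re.compile(r"[#{}^\[\]]"),  "source code echoed into a file",      2),
    ("()",     re.compile(r"[()]"),        "possible cross-site scripting",       2),
    ("+",      re.compile(r"\+"),          "argument passing to cmd.exe copies",  1),
]

# Apache common log format: client, ident, user, date, request line, status, bytes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample log (not real traffic); the URLs mirror the paper's examples.
SAMPLE_LOG = r'''
10.0.0.5 - - [01/Jan/2002:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043
10.0.0.6 - - [01/Jan/2002:10:00:02 +0000] "GET /index.asp?something=..\..\..\..\WINNT\system32\cmd.exe?/c+DIR+e:\WINNT\*.txt HTTP/1.0" 200 512
10.0.0.7 - - [01/Jan/2002:10:00:03 +0000] "GET /~joe HTTP/1.0" 403 294
10.0.0.8 - - [01/Jan/2002:10:00:04 +0000] "GET /search.cgi?q=hello+world HTTP/1.0" 200 2048
10.0.0.9 - - [01/Jan/2002:10:00:05 +0000] "GET /blah.pl?somethingelse=ls%20%2A.pl HTTP/1.0" 200 77
'''

def scan_request(target):
    """Return (severity, [labels]) for one URL; (0, []) when nothing matched."""
    decoded = unquote(target)  # %2A, %27 ... become the literal characters
    hits = [(sev, label) for label, pat, _, sev in SIGNATURES if pat.search(decoded)]
    return (max(s for s, _ in hits) if hits else 0, [l for _, l in hits])

def scan_log(text):
    """Parse each log line; return findings as (client, target, status, severity, labels)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or malformed line
        client, _ts, _method, target, status = m.groups()
        severity, labels = scan_request(target)
        if severity:
            findings.append((client, target, int(status), severity, labels))
    return findings

if __name__ == "__main__":
    for client, target, status, severity, labels in scan_log(SAMPLE_LOG):
        note = " (403 on a ~user page: user likely exists)" if status == 403 and "~" in labels else ""
        print(f"sev={severity} {client} {status} {target} {labels}{note}")
```

The benign search.cgi request is reported only at the lowest severity, which is the point of the paper's caveat about +: review it, but don't panic.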

Additional Worm Information
http://www.cert.org/incident_notes/IN-2001-09.html


Source: http://www.cgisecurity.com