All about current Attacks by the underground

How cz32ts determines if your site is vulnerable to SQL Injection

2010-01-07T07:05:00.001-08:00

How cz32ts determines if your site is vulnerable to SQL Injection

Thanks to following site for info: http://wirewatcher.wordpress.com/2009/11/17/how-cz32ts-determines-if-your-site-is-vulnerable-to-sql-injection/

cz32ts will append some SQL to a URL given to it by its C&C server at 205.209.143.94, and will fetch the results. It then phones home the results of its mischief like this:

C&C: +OK LINK-SERVER READY
cz32ts: CMD PUTLINK http://some.victim.url?sql=goes&after=this InjectAsp:YES
C&C: Finished.

It’s the InjectAsp:YES that denotes a successful SQL Injection vulnerability assessment. Given the appended SQL described in this post, cz32ts is looking simply for:

|number|

…in the page handed back by the server under test. If this pattern appears anywhere on the page, it will report InjectAsp:YES to the C&C server. Even error reports are sufficient, because they indicate that the injected SQL was executed and that the server is ripe for exploitation:

[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the varchar value ‘|98|’ to data type int.

If you’ve been paid a visit by cz32ts, it’s probably a good idea to replay its requests (based upon the parameter string in your web server’s logfiles) and check the responses for the pattern |number| – if it’s there, you’ve got a vulnerability that needs addressing. A vulnerability that the bad guys know about already!

writt3n by: Jared Braverman
SECNAP Network Security Corp.
www.secnap.com

CZ32ts - Auto SQL Injection attacks, and a Sig to catch it

2010-01-04T07:24:00.000-08:00

As many people hosting websites have noticed attack traffic in their logs from what appears to be an automated SQL Injection attack from a botnet that has a user agent of 'NV32ts' in recent months, a Snort signature was created to detect this activity, and there is now what appears to be a botnet using a user agent string of 'CZ32ts', and this is the signature created to detect it.

Just search for 'CZ32ts' and you will see plenty of people talking about it already, but here's a specific link to a discussion about CZ32ts:

http://www.webmasterworld.com/search_engine_spiders/4025814.htm

and here's a discussion on NV32ts:

http://stackoverflow.com/questions/436715/what-is-nv32ts-and-its-sql-injection-attack-trying-to-do

Here's the signature I just created to catch CZ32ts (things like the version number and sig id will be changed in the future, but this is what I have for now):

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection Attempt (Agent CZ32ts)"; flow:to_server,established; content:"|0d 0a|User-Agent: CZ32ts|0d 0a|"; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009029; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:2010621; rev:1;)

Revolt Web PHPmyAdmin Security scanner

2009-04-21T12:11:00.001-07:00

revolt

writt3n by: Jared Braverman
SECNAP Network Security Corp.
www.secnap.com

revolt is a scanner for phpMyAdmin installations. I don’t know what vulnerable servers are “used” for though.

… "HEAD http://…:80/phpmy/ HTTP/1.1" 403 0 "-" "revolt"

… "HEAD http://…:80/phppma/ HTTP/1.1" 403 0 "-" "revolt"

… "HEAD http://…:80/myadmin/ HTTP/1.1" 403 0 "-" "revolt"

revolt tries a large number of possible URIs – almost 100 variations in one scan. revolt also doesn’t seem to know any host names of the IP address.

THIS IS THE SIGNATURE THAT WAS CREATED TO DETECT REVOLT
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB PHP Attack Tool Revolt Scanner"; flow:established,to_server; content:"User-Agent: revolt "; nocase; reference:url,www. Whitehatsecurityresponse.blogspot.com; classtype:web-application-attack; sid:2009300; rev:1;)

THANKS TO:
http://johannburkard.de/blog/www/spam/morfeus-fucking-scanner-revolt-other-vulnerability-scanners.html

screenshot of the Payload - Public IP obfuscated for confidentiality