ISC Stormcast For Friday, April 5th 2019 https://isc.sans.edu/podcastdetail.html?id=6442

New Waves of Scans Detected by an Old Rule

Published: 2019-04-04
Last Updated: 2019-04-04 07:13:15 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

Who remembers the famous ShellShock (CVE-2014-6271)? This bug affected the bash shell in 2014 and was critical due to the facts that it was easy to exploit and that bash is a widespread shell used in many tools/applications. So, at this time, I created an OSSEC alerts to report ShellShock exploitation attempts against my servers. Still today, I'm getting a hit on this rule from time to time.

But, for 15 days, I started to get more alerts like this one:

Received From: (xxxx) x.x.x.x->/www/log/xxxxxxx.access
Rule: 100705 fired (level 10) -> "Shellshock Attempt"
Src IP: x.x.x.x
Portion of the log(s):

x.x.x.x - - [04/Apr/2019:07:31:19 +0200] "GET /type.php?template=tag_(){};@unlink(_FILE_);assert($_POST[T00ls]);{//../rss HTTP/1.1" 301 604 "http://xxxxxxx" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html\xa3\xa9"

This rule fired 34 times since mid-March and I'm still getting, at least, one per day. This query is related to CVE-2018-19127 which affects phpcms[1]. By exploiting the vulnerability, the attackers get a webshell on the server (details are available on a Github page[2]). Some details about the hits I found:

Three different User-Agents have been used:

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)                                            24
Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html\xa3\xa9    2
python-requests/2.21.0                                                                        8

Scan sources are clearly identifiable: 

The scan in itself is not critical (except if you're still running a vulnerable version of phpcms of course) but what's interesting here? An alert created in your SIEM or log management solution a long time ago can still be relevant!

[1] http://www.cmsmatrix.org/matrix/cms-matrix/phpcms#
[2] https://github.com/ab1gale/phpcms-2008-CVE-2018-19127

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

0 comment(s)
ISC Stormcast For Thursday, April 4th 2019 https://isc.sans.edu/podcastdetail.html?id=6440

Comments

cwqwqwq
eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>
WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]
dwqqqwqwq mashood
[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)
[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]
What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/

Diary Archives