So, on a sunday morning, I was watching some hacker activities.
These hackers were doing the following pattern:
- Using bots based on Perl
- Querying Google for parts of the urls that may identify some applications, using the "inurl:" parameter.
- Scanning the Google results sites for vulnerable applications
- Exploit those applications in a way to run remote commands on the machine, giving orders like download additional software to the machine, like the same perl bot.
As the "plat du jour" , the following services/applications were being scanned, using google:
- modules/tinycontent
- flashchat
- /xgallery/
- webcalendar
So, if you use any application that contains these strings in the url that makes easy for them to find your site, beware and check for additional updates on these applications!
---------------------------------------------------------------------------------------
Pedro Bueno < pbueno //&&// isc. sans. org >
