If an Attack Doesn't Work the First Time ... (TinyCMS exploit)
Posted by Hans de Ruiter
... then why would it work the second time, or the third, or the fourth, etc. Yesterday I discussed a TinyCMS exploit that someone attempted to use on this website, in order to steal passwords. Fortunately, this website does not use TinyCMS, so it failed. However, skimming through today's log demonstrates that this exploit is truly out in the wild. A single IP address has basically been hammering the server non-stop from 5:30 A.M. through to 8:30 A.M. this morning, with what are essentially the same two requests:
217.20.127.17 - - [24/Aug/2008:05:32:06 -0400] "GET /someone-tried-to-steal-some-passwords//modules/ZZ_Templater/templater.php?config[template]=../../../../../../../../../../../../../etc/passwd HTTP/1.1" 404 21427 "-" "libwww-perl/5.64"
217.20.127.17 - - [24/Aug/2008:05:32:08 -0400] "GET //modules/ZZ_Templater/templater.php?config[template]=../../../../../../../../../../../../../etc/passwd HTTP/1.1" 404 8497 "-" "libwww-perl/5.64"
What a pointless waste of bandwidth. The 404 errors received the first time round should have made it clear that the attack failed. Webservers are very deterministic so the same request will return exactly the same error. One can only conclude that, not only is this a malicious hacking attempt, it is also a poorly written script.
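A log check for exactly this pattern, as an added example that is not part of the original post: it groups traversal-style requests by client IP and records whether any of them got something other than an error back. The function name, the threshold of three hits and the sample lines (documentation-range IP addresses) are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined Log Format, as in the two log lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
# Two or more consecutive ../ (or ..\) segments anywhere in the request target.
TRAVERSAL_RE = re.compile(r'(?:\.\.[/\\]){2,}')

# Constructed sample: documentation-range IPs, request shape taken from the post.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Aug/2008:05:32:06 -0400] "GET /blog//modules/ZZ_Templater/templater.php?config[template]=../../../etc/passwd HTTP/1.1" 404 21427 "-" "libwww-perl/5.64"',
    '192.0.2.10 - - [24/Aug/2008:05:32:08 -0400] "GET //modules/ZZ_Templater/templater.php?config[template]=../../../etc/passwd HTTP/1.1" 404 8497 "-" "libwww-perl/5.64"',
    '192.0.2.10 - - [24/Aug/2008:05:32:10 -0400] "GET //modules/ZZ_Templater/templater.php?config[template]=../../../etc/passwd HTTP/1.1" 404 8497 "-" "libwww-perl/5.64"',
    '198.51.100.7 - - [24/Aug/2008:05:33:00 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def find_repeat_probes(lines, min_hits=3):
    """Summarise clients that send min_hits or more traversal-style requests."""
    seen = defaultdict(lambda: {"hits": 0, "statuses": set(), "agents": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # Decode percent-encoding first so encoded dots and slashes match too.
        if not TRAVERSAL_RE.search(unquote(m["target"])):
            continue
        entry = seen[m["ip"]]
        entry["hits"] += 1
        entry["statuses"].add(int(m["status"]))
        entry["agents"].add(m["agent"])
    report = {}
    for ip, entry in seen.items():
        if entry["hits"] >= min_hits:
            # Any 2xx/3xx answer means a probe did not simply bounce off a 404.
            entry["any_success"] = any(s < 400 for s in entry["statuses"])
            report[ip] = entry
    return report

if __name__ == "__main__":
    for ip, entry in find_repeat_probes(SAMPLE_LOG).items():
        print(ip, entry)
```

An entry with `any_success` set to true is the one worth reading first, since every request in this post's log came back 404.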
A reverse DNS lookup on 217.20.127.17 reveals that it comes from the internetserviceteam.com domain. However, internetserviceteam.com does not even have a proper website. Performing a whois lookup on this domain reveals that it is registered to someone in Frankfurt. Unfortunately this does little to narrow down who is responsible. Internetserviceteam.com could be anything; it could even be a compromised server that has been previously hacked.
Once again, if anyone reading this knows of an organization that is tasked with tracking these people down, please leave a comment.