[WEB SECURITY] Frontpage Exploit - Strange POST Payload
anvil at jumperz.net
Wed Jun 22 08:03:03 EDT 2005
> http://10.10.2.2:191/lsd. Has anyone else seen this before?
Yes. I uploaded some of them. (I don't hide source IP addresses :p)
The result of 'strings' is as follows.
- About the IP address
As you can see, both private and global addresses are used.
When a global address is used, that address is the same as the source
address (the address of the affected host).
- About the port number
Port 191 and other ports are used.
> 1) This appears to be an attempt to have my vulnerable server download
> something from a remote website. If this is so, why the use of the
> non-routable IP address (10.10.X.X)? My server wouldn't be able to
> get to the attacker's site...
I think in this case (when a private address is used) the affected host
is behind a router and has a private address.
> 2) What about the use of port 191? This port seems to be related to
> the propero service (by Cliff Neuman). Does anyone know of any
> trojans that use this port?
I think that 'port 191' has no special meaning.
> 3) I am assuming that "/lsd" URI is a file for some form of malware.
I think it may be the worm itself.
Thanks and sorry for my bad English.
Kanatoko<anvil at jumperz.net>
Open Source WebAppFirewall
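The triage Kanatoko describes (running 'strings' over the captured POST bodies, then checking whether the embedded http://host:port/path points at a private or a global address, whether it equals the request's source address, and which ports are used) can be scripted. The following is an added example written for this page, not code from the original post, from the worm, or from the WebAppFirewall project. The payload bodies and source addresses are constructed (documentation ranges 198.51.100.0/24 and 203.0.113.0/24 stand in for real global sources); "private" is checked against the RFC 1918 ranges explicitly rather than Python's broader ipaddress.is_private, which also counts the documentation ranges as private.

```python
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# RFC 1918 ranges only: the sense of "private address" used in the post.
RFC1918_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Matches http(s)://<dotted-quad>[:port][/path] embedded in binary data,
# the same kind of string that `strings` surfaces from a captured body.
# The path stops at whitespace, control bytes, quotes and angle brackets.
URL_RE = re.compile(
    rb"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(/[^\x00-\x20\x7f-\xff\"'<>]*)?"
)


@dataclass(frozen=True)
class EmbeddedUrl:
    host: str
    port: int
    path: str
    is_private: bool      # host falls in an RFC 1918 range
    matches_source: bool  # host equals the POST's source address


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918_NETS)


def extract_urls(payload: bytes, source_ip: str) -> list[EmbeddedUrl]:
    """Pull dotted-quad URLs out of a raw POST body and classify each host."""
    src = ipaddress.ip_address(source_ip)
    found: list[EmbeddedUrl] = []
    for m in URL_RE.finditer(payload):
        try:
            host = ipaddress.ip_address(m.group(1).decode())
        except ValueError:
            continue  # octet out of range (e.g. 999.1.1.1); not a real address
        port = int(m.group(2)) if m.group(2) else 80
        if not 0 < port < 65536:
            continue
        path = m.group(3).decode() if m.group(3) else "/"
        found.append(EmbeddedUrl(str(host), port, path, is_rfc1918(host), host == src))
    return found


def summarize(samples: list[tuple[str, bytes]]) -> dict:
    """Tally ports, paths and private/global hosts over (source_ip, body) pairs."""
    ports: Counter = Counter()
    paths: Counter = Counter()
    private = global_ = global_matching_source = 0
    for source_ip, body in samples:
        for u in extract_urls(body, source_ip):
            ports[u.port] += 1
            paths[u.path] += 1
            if u.is_private:
                private += 1
            else:
                global_ += 1
                if u.matches_source:
                    global_matching_source += 1
    return {
        "ports": dict(ports),
        "paths": dict(paths),
        "private": private,
        "global": global_,
        "global_matching_source": global_matching_source,
    }


# Constructed captures: (source IP of the POST, raw body bytes). Not real data.
SAMPLES: list[tuple[str, bytes]] = [
    ("203.0.113.5",  b"POST /x HTTP/1.1\r\n\r\n\x00\x01cmd=http://10.10.2.2:191/lsd\x00\x90"),
    ("198.51.100.7", b"\x90\x90\x90http://198.51.100.7:191/lsd\x00\xcc"),
    ("198.51.100.9", b"\x00\x00http://198.51.100.9:8080/lsd\x00"),
    ("203.0.113.44", b"\x41\x41http://192.168.1.20:191/lsd\x00"),
    ("203.0.113.8",  b"username=alice&password=hunter2"),  # ordinary form POST, no URL
]

if __name__ == "__main__":
    for source_ip, body in SAMPLES:
        for u in extract_urls(body, source_ip):
            print(f"{source_ip} -> {u}")
    print(summarize(SAMPLES))
```

For the constructed samples the summary matches what the post reports: port 191 dominates but is not the only port, the two private hosts are inside RFC 1918 space, and every global host is the same address the POST came from.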
The Web Security Mailing List