[WEB SECURITY] Frontpage Exploit - Strange POST Payload

Kanatoko anvil at jumperz.net
Wed Jun 22 08:03:03 EDT 2005


> http://10.10.2.2:191/lsd.  Has anyone else seen this before? 

Yes. I uploaded some of them. (I don't hide source IP addresses :p)

The result of 'strings' is as follows.

Ehttp://150.161.187.152:191/lsd
Ehttp://168.188.52.102:191/lsd
Ehttp://200.142.96.26:36642/lsd
Ehttp://192.168.0.55:63658/lsd
Ehttp://192.168.254.1:37917/lsd
Ehttp://203.252.86.31:60894/lsd
Ehttp://10.160.5.151:191/lsd
Ehttp://211.212.152.228:37010/lsd
Ehttp://211.234.100.33:5165/lsd
Ehttp://211.43.15.21:39133/lsd

- About IP address
As you can see, both private and global addresses are used.
When a global address is used, it is the same as the source
address (the address of the affected host).

- About port number
Port 191 and other ports are used.


> 1) This appears to be an attempt to have my vulnerable server download
> something from a remote website.  If this is so, why the use of the
> non-routable IP address (10.10.X.X)?  My server wouldn't be able to
> get to the attacker's site...

I think in this case (when a private address is used) the affected host
is behind a router and has a private address.


> 2) What about the use of port 191?  This port seems to be related to
> the propero service (by Cliff Neuman).  Does anyone know of any
> trojans that use this port?

I think that 'port 191' does not have any special meaning.


> 3) I am assuming that "/lsd" URI is a file for some form of malware.

I think it may be the worm itself.


Thanks and sorry for my bad English.

-- 
Kanatoko <anvil at jumperz.net>
Open Source WebAppFirewall
http://guardian.jumperz.net/
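As an added example (not part of Kanatoko's post or the Guardian project), here is a small Python triage script that pulls the embedded `http://IP:port/lsd` callback string out of a captured POST body and classifies it the way the post does: a private address (affected host behind a router), an address equal to the POST's source address, or something else. The payload bytes are constructed placeholders modelled on the quoted 'strings' output, not the real exploit buffer.

```python
import ipaddress
import re

# Constructed samples: (source IP of the POST, raw POST body). The bytes around
# the URL are placeholders; only the embedded URL string mirrors the 'strings'
# output quoted in the post.
SAMPLES = [
    ("150.161.187.152", b"\x00\x01Ehttp://150.161.187.152:191/lsd\x00"),
    ("200.67.80.254", b"\x90\x90Ehttp://192.168.254.1:37917/lsd\x00"),
    ("211.234.100.33", b"\xccEhttp://211.234.100.33:5165/lsd\x00"),
]

# Matches the callback URL form seen in every sample: http://<IPv4>:<port>/lsd
URL_RE = re.compile(rb"http://(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})/lsd")


def extract_callbacks(payload: bytes):
    """Return (ip, port) for every embedded http://IP:PORT/lsd string."""
    found = []
    for m in URL_RE.finditer(payload):
        found.append((m.group(1).decode(), int(m.group(2))))
    return found


def classify(source_ip: str, payload: bytes):
    """Describe each callback URL relative to the address the POST came from."""
    results = []
    for ip, port in extract_callbacks(payload):
        addr = ipaddress.ip_address(ip)
        if addr.is_private:
            # RFC 1918 address: the infected host sits behind a router and is
            # advertising an address our server cannot reach.
            kind = "private"
        elif ip == source_ip:
            # Infected host advertising its own global address.
            kind = "same-as-source"
        else:
            kind = "third-party"
        results.append({"ip": ip, "port": port, "kind": kind})
    return results


if __name__ == "__main__":
    for src, body in SAMPLES:
        print(src, classify(src, body))
```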


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
