
Need help understanding attack log


12 replies to this topic

#1 Usko_Detra (Members, 37 posts)

Posted 09 July 2013 - 01:44 AM

Hi,

So earlier today I got an attack, and I was trying to figure the logs out, but it's over my head, so I was wondering if someone can help.

To start off, I'm using Norton Internet Security. The alert name is Web Attack: Plesk Command Injection (what exactly is this?), then further down it lists the attacking computer's address, then directly below that it lists the Attacker URL; the first numbers are my own URL address: xxx.xxx.xxx.xx/phppath/php?-d+allow_url_include=on+d+safe_mode=off+d+sulhosin simulation=on+d+disable functions=""+d+open_basedir=none+d+auto-prepend_file=php://input+-n

Then below that it lists destination address, followed by source address, followed by traffic description. Under it all, it states: Network Traffic from xxx.xxx.xxx.xx/phppath/php?-d+allow_url_include=on+d+safe_mode=off+d+sulhosin simulation=on+d+disable functions=""+d+open_basedir=none+d+auto-prepend_file=php://input+-n matches the signature of a known attack. The attack resulted from \device\harddiskvolume1\program files(x86)\skype\phone\skype.exe.

So, my questions are: What is a Plesk command injection, why is my URL listed in the Attacker URL, what does the URL mean, and what does it mean by "the attack resulted from Skype.exe"? Can anyone explain all this to me? Thanks in advance!


Edited by Usko_Detra, 09 July 2013 - 01:47 AM.



#2 noknojon (Banned, 10,871 posts)

Posted 09 July 2013 - 02:09 AM

Web Attack: Plesk Command Injection: Attack Signature - see the Norton page.

Thanks -



#3 quietman7 (Bleepin' Janitor, Global Moderator, 51,769 posts, Virginia, USA)

Posted 09 July 2013 - 10:01 AM

Sounds like Skype is attempting to connect to an address on an Apache Server Norton does not like.

There have been several reports in recent weeks of a Plesk command injection vulnerability which is currently being exploited in the wild and is infecting web servers.

Security firms are tracking ongoing attacks targeting a vulnerability in a hosting control panel behind thousands of websites that could be used by cybercriminals to gain access to sensitive files or compromise site visitors.

Attacks Target Plesk Flaw Impacting Some Apache Servers
IRC Botnet Leveraging Unpatched Plesk Vulnerability
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 Didier Stevens (BC Advisor, 2,719 posts)

Posted 10 July 2013 - 12:16 PM

Plesk is a web hosting control panel. You install it on a server to remotely manage this server. cPanel is another example.

Plesk command injection is an attack for Plesk installations. It exploits vulnerabilities in Plesk to execute commands on the server without requiring proper credentials. E.g., it allows one to take over a server without knowing the password.

It could be that your machine is infected, and that it is used to attack servers with Plesk. But I don't have enough information to be sure that this is the case.

So I have some questions.

xxx.xxx.xxx.xx/phppath -> is xxx.xxx.xxx.xx an IP address?

Is it the IP address of your machine?

Is it a private IP address or a public IP address?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
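Didier's description of the attack can be turned into a detection check. The Attacker URL quoted in the first post is a php-cgi argument-injection string: the query string is handed to the PHP CGI binary as command-line switches, and each -d forces a php.ini directive that switches a protection off or makes PHP execute the request body. The Python below is an added example, not code from anyone in this thread or from Norton; it parses a request target the way a log-analysis rule would and reports which of those directives it carries. The function names and the directive list are my own choices, and the first sample request is constructed to have the shape of the URL in the first post, with the hyphen in "-d" and the dot in "suhosin.simulation" restored where the Norton log rendered them as a bare "d" and a space.

```python
"""Flag php-cgi argument-injection requests such as the 'Plesk Command
Injection' signature quoted in this thread. Added example; the function
names and the directive list are my own choices."""
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# php.ini directives which, when forced through php-cgi's -d switch, turn off
# protections or make PHP execute the request body. Any of them appearing in
# a query string is enough to classify the request as this attack pattern.
SUSPICIOUS_DIRECTIVES = {
    "allow_url_include",
    "safe_mode",
    "suhosin.simulation",
    "disable_functions",
    "open_basedir",
    "auto_prepend_file",
}


def cgi_argv_from_query(query: str) -> List[str]:
    """Split a query string the way a CGI binary receiving it as argv would:
    '+' separates arguments and percent-escapes are decoded afterwards."""
    return [unquote(part) for part in query.split("+") if part]


def forced_directives(argv: List[str]) -> Dict[str, str]:
    """Collect key=value pairs that directly follow a -d switch. A bare 'd'
    is accepted too, because the Norton log in the first post rendered the
    switch without its hyphen."""
    found: Dict[str, str] = {}
    for i in range(len(argv) - 1):
        if argv[i].lstrip("-") == "d":
            key, _, value = argv[i + 1].partition("=")
            found[key.strip().lower()] = value.strip().strip('"')
    return found


def classify_request(request_target: str) -> Dict[str, object]:
    """Verdict for one request target (path plus query) taken from a log."""
    parts = urlsplit(request_target)
    directives = forced_directives(cgi_argv_from_query(parts.query))
    hits = sorted(k for k in directives if k in SUSPICIOUS_DIRECTIVES)
    prepend = directives.get("auto_prepend_file", "")
    return {
        "path": parts.path,
        "forced_directives": directives,
        "suspicious": hits,
        # php://input means "run whatever is in the POST body as PHP"
        "executes_request_body": prepend.startswith("php://"),
        "verdict": "php-cgi argument injection" if hits else "benign",
    }


# Constructed sample log entries: the first has the shape of the Attacker URL
# in the first post; the others are ordinary requests to show no false hits.
SAMPLE_REQUESTS = [
    "/phppath/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on"
    '+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-n',
    "/index.php?page=about&lang=en",
    "/search?q=php+-d+flag",
]

if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        result = classify_request(target)
        print(f"{result['verdict']:28} {target}")
        for name in result["suspicious"]:
            print(f"    forced {name} = {result['forced_directives'][name]!r}")
```

The third sample contains a literal "-d" token but no php.ini directive after it, so it stays benign; the check keys on the directive names, not on the switch alone, which keeps ordinary search queries from tripping it.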


#5 Usko_Detra (Topic Starter, Members, 37 posts)

Posted 10 July 2013 - 01:54 PM

xxx.xxx.xxx.xx/phppath -> is xxx.xxx.xxx.xx an IP address?

Is it the IP address of your machine?

Is it a private IP address or a public IP address?

Correct, the X's are my IP address of my machine, and as far as I know, it's a private IP. The odd thing is, Skype just started doing this on its own 2 days ago. I never downloaded anything, I never went to different websites than what I usually visit, I never accepted any shared files, or added anyone unknown to Skype. I got another attack report last night around the same time the first one was flagged. I also ran scans with Norton and MalwareBytes, and they never found anything.

 

Thanks for the help with this, it's interesting information.


Edited by Usko_Detra, 10 July 2013 - 01:55 PM.


#6 Didier Stevens (BC Advisor, 2,719 posts)

Posted 10 July 2013 - 02:01 PM

And the source IP address? Is that your IP too, or is it a public address?




#7 Usko_Detra (Topic Starter, Members, 37 posts)

Posted 10 July 2013 - 02:04 PM

The source address isn't Mine. Each attack the address was different, the first address I tracked to Spain, the second I tracked to France.



#8 Didier Stevens (BC Advisor, 2,719 posts)

Posted 10 July 2013 - 02:20 PM

Then your machine is the target of the attack, and it is not infected and attacking.

But since you have no Plesk or PHP running on your machine, these attacks cannot exploit your machine.

But what puzzles me is that these connections end up on your machine. Since you have a private IP address, these requests should not get past your network device that connects you to the Internet.

To be 100% sure that you have a private IP address, can you confirm that it is in one of these three IP ranges:

192.168.0.0 - 192.168.255.255
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255

And if it is, can you give me a short description of your network setup? How do you connect to the Internet?


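The three ranges Didier lists are the RFC 1918 private blocks, and his reasoning in the posts that follow hinges on whether the local side of the alert is in one of them. The Python below is an added example, not anything posted in the thread: it classifies the addresses from a firewall alert and applies that reasoning. The function names are mine, as are the sample addresses: 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for the Spanish and French sources, and 209.0.2.7 is a constructed stand-in for the poster's public DSL address.

```python
"""Classify the addresses in a firewall alert: is the local side in one of
the RFC 1918 private ranges Didier lists, and are the sources external?
Added example; function names and sample addresses are my own."""
import ipaddress
from typing import Dict, List

# The three private ranges quoted in the post above, in CIDR form.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),      # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),  # 192.168.0.0 - 192.168.255.255
]


def classify_address(address: str) -> str:
    """'rfc1918', 'loopback', 'link-local' or 'public' for one IPv4 address."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "public"


def assess_alert(local_address: str, source_addresses: List[str]) -> Dict[str, object]:
    """Apply the thread's reasoning to one alert: a private local address
    should only see Internet traffic the router explicitly forwards, while a
    public one is reachable on every port something is listening on."""
    local_kind = classify_address(local_address)
    external = [s for s in source_addresses if classify_address(s) == "public"]
    if local_kind == "rfc1918":
        path = "router must be forwarding a port to this machine"
    elif local_kind == "public":
        path = "machine is directly reachable; every listening port is exposed"
    else:
        path = "not reachable from the Internet"
    return {
        "local_kind": local_kind,
        "external_sources": external,
        "inbound_path": path,
        "looks_like_inbound_scan": bool(external),
    }


if __name__ == "__main__":
    # Constructed addresses: 203.0.113.0/24 and 198.51.100.0/24 are the
    # documentation ranges, used here as stand-ins for the Spanish and French
    # sources; 209.0.2.7 stands in for the poster's public DSL address.
    for local in ("192.168.1.20", "209.0.2.7"):
        print(local, assess_alert(local, ["203.0.113.45", "198.51.100.9"]))
```

Run with the two local addresses above, the first case reports that a port forward on the router would be needed for the traffic to arrive at all, which is exactly the puzzle Didier raises; the second reports direct exposure, which is the situation the poster turns out to be in.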


#9 Usko_Detra (Topic Starter, Members, 37 posts)

Posted 10 July 2013 - 02:34 PM

The first 3 digits are 209, so I guess it might not be private. I connect through the phone lines; I think it's called DSL. It's not dial-up. There is another computer that connects via the same line, but it can't be online at the same time this one is.


Edited by Usko_Detra, 10 July 2013 - 02:36 PM.


#10 Didier Stevens (BC Advisor, 2,719 posts)

Posted 10 July 2013 - 02:57 PM

Yes, an address that starts with 209 is definitely a public IP address. So now your logs make sense to me.

What is probably happening is that these connections (with the HTTP requests that try to attack Plesk) connect to a port that is open on your machine.

That port is probably opened by Skype, and that is why Norton is reporting Skype in the attack log.

If there are ports open, you should use the firewall in Norton to hide these from the Internet, unless there are specific applications on your machine that require ports open to the Internet.

Since I'm not familiar with Norton, I'm not going to tell you how to configure it.

Wait to see if somebody else steps in to help you in this post; otherwise start a new post requesting help to configure your Norton firewall.

Success.




#11 Usko_Detra (Topic Starter, Members, 37 posts)

Posted 10 July 2013 - 03:06 PM

Awesome, thanks for clearing that up, it makes better sense now.



#12 Didier Stevens (BC Advisor, 2,719 posts)

Posted 10 July 2013 - 03:07 PM

You're welcome.




#13 Didier Stevens (BC Advisor, 2,719 posts)

Posted 10 July 2013 - 03:23 PM

Forgot to add: you can visit Shields Up to have an idea of open ports on your machine.

https://www.grc.com/shieldsup

But don't get freaked out by the amount of reporting and advice ;-)






