Skipfish Web application vulnerability scanner



It appears that someone’s been targeting my website again, looking for application vulnerabilities. Here’s just a small sample of the attack as recorded in my stats:

20140815 08:05:14 lm_absolute_path=
20140815 08:04:54 mosConfig_live_site=
20140815 08:04:10 CONFIG_EXT[ADMIN_PATH]=
20140815 08:04:00 cropimagedir=
20140815 08:03:50 mosConfig_live_site=
20140815 08:03:05 INC=
20140815 08:03:03 INC=
20140815 08:03:02 path[docroot]=
20140815 08:02:57 cfgProgDir=
20140815 08:02:56 language=
20140815 08:02:52 init_path=
20140815 08:02:53 config[installdir]=
20140815 08:02:39 dir=
20140815 08:02:37 config[installdir]=
20140815 08:02:34 language=
20140815 08:02:35 GLOBALS[PT_Config][dir][data]=
20140815 08:02:28 GLOBALS[CLASS_PATH]=
20140815 08:02:24 xtrphome=
20140815 08:02:16 level=
20140815 08:02:17 bypass_installed=1&secure_page_path=
20140815 08:02:11 mod_root=
20140815 08:02:08 commonIncludePath=
20140815 08:02:04 format_menue=
20140815 08:02:00 loadadminpage=
20140815 08:01:57 config[installdir]=
20140815 08:01:52 lm_absolute_path=../../../&install_dir=
20140815 08:01:49 config[installdir]=

As you can see, the attack was fairly constant. It had been going on for about 1-2hrs before I spotted it and blocked the relevant IP address from the site, but in the space of 2hrs they’d made about 2500+ attempts to find the Humans.txt.

The following website, Akamai Blog, gives a few more details about Skipfish; you can also find some more info here.

Here’s the basics from the Akamai blog about what Skipfish attempts to do:

Skipfish will test for an RFI injection point by sending the string or to the site’s pages. It is a normal practice for sites to contain a humans.txt file, telling visitors about the people who created the site.

If an RFI attempt is successful, the content of the included page (in this instance, the quoted Google text above) will be displayed in the targeted website. The included string and the user-agent are both configurable by the attacker running Skipfish.
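To show how the probing described above looks from the site owner's side, here is an added detection example (not code from the original post or from the Skipfish project). It flags query-parameter values that look like remote-include or directory-traversal payloads and counts how many such requests each client sends inside a short window; the log lines, client IPs and URL values are constructed to mirror the shape of the stats excerpt above.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines (not from the original post): the timestamp
# layout copies the stats excerpt, while the client IPs and the parameter
# values are invented to illustrate the probing pattern.
SAMPLE_LOG = """\
20140815 08:01:49 203.0.113.7 /index.php?config[installdir]=http://remote.example/humans.txt
20140815 08:01:52 203.0.113.7 /index.php?lm_absolute_path=../../../&install_dir=http://remote.example/humans.txt
20140815 08:01:57 203.0.113.7 /index.php?config[installdir]=http://remote.example/humans.txt
20140815 08:02:00 203.0.113.7 /index.php?loadadminpage=http://remote.example/humans.txt
20140815 08:02:04 203.0.113.7 /index.php?format_menue=http://remote.example/humans.txt
20140815 08:02:08 198.51.100.9 /index.php?page=about
20140815 08:02:11 203.0.113.7 /index.php?mod_root=http://remote.example/humans.txt
"""

LINE_RE = re.compile(r"^(\d{8} \d{2}:\d{2}:\d{2}) (\S+) (\S+)$")

def is_inclusion_probe(value: str) -> bool:
    """True if a parameter value carries a URL scheme (remote include) or traversal."""
    return bool(re.match(r"^[a-z][a-z0-9+.-]*://", value, re.I)) or "../" in value

def parse_line(line: str):
    """Split one log line into (timestamp, client IP, [(param, value), ...])."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y%m%d %H:%M:%S")
    params = parse_qsl(urlsplit(m.group(3)).query, keep_blank_values=True)
    return ts, m.group(2), params

def find_scanners(log_text: str, threshold: int = 3, window_seconds: int = 60) -> dict:
    """Return {ip: total_probes} for clients sending >= threshold probes within a window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, params = parsed
        if any(is_inclusion_probe(v) for _, v in params):
            hits[ip].append(ts)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Running `find_scanners(SAMPLE_LOG)` on the constructed lines flags only 203.0.113.7, which sent six probe requests inside 60 seconds; the ordinary page request from the other client is ignored.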

Anyway, I’ve now blocked this IP address and made an Abuse Report against it, hoping that this will at least prevent that IP from being used again.
