Skipfish Web application vulnerability scanner

It appears that someone's been targeting my website again, looking for application vulnerabilities. Here's just a small sample of the attack, as detailed in my stats:

20140815 08:05:14 128.199.246.204 lm_absolute_path=http://www.google.com/humans.txt?
20140815 08:04:54 128.199.246.204 mosConfig_live_site=http://www.google.com/humans.txt?
20140815 08:04:10 128.199.246.204 CONFIG_EXT[ADMIN_PATH]=http://www.google.com/humans.txt?
20140815 08:04:00 128.199.246.204 cropimagedir=http://www.google.com/humans.txt?
20140815 08:03:50 128.199.246.204 mosConfig_live_site=http://www.google.com/humans.txt?
20140815 08:03:05 128.199.246.204 INC=http://www.google.com/humans.txt?
20140815 08:03:03 128.199.246.204 INC=http://www.google.com/humans.txt?
20140815 08:03:02 128.199.246.204 path[docroot]=http://www.google.com/humans.txt?
20140815 08:02:57 128.199.246.204 cfgProgDir=http://www.google.com/humans.txt?
20140815 08:02:56 128.199.246.204 language=http://www.google.com/humans.txt?
20140815 08:02:52 128.199.246.204 init_path=http://www.google.com/humans.txt?&
20140815 08:02:53 128.199.246.204 config[installdir]=http://www.google.com/humans.txt?
20140815 08:02:39 128.199.246.204 dir=http://www.google.com/humans.txt?
20140815 08:02:37 128.199.246.204 config[installdir]=http://www.google.com/humans.txt?
20140815 08:02:34 128.199.246.204 language=http://www.google.com/humans.txt?
20140815 08:02:35 128.199.246.204 GLOBALS[PT_Config][dir][data]=http://www.google.com/humans.txt?
20140815 08:02:28 128.199.246.204 GLOBALS[CLASS_PATH]=http://www.google.com/humans.txt?
20140815 08:02:24 128.199.246.204 xtrphome=http://www.google.com/humans.txt?
20140815 08:02:16 128.199.246.204 level=http://www.google.com/humans.txt?
20140815 08:02:17 128.199.246.204 bypass_installed=1&secure_page_path=http://www.google.com/humans.txt?%00
20140815 08:02:11 128.199.246.204 mod_root=http://www.google.com/humans.txt?
20140815 08:02:08 128.199.246.204 commonIncludePath=http://www.google.com/humans.txt?
20140815 08:02:04 128.199.246.204 format_menue=http://www.google.com/humans.txt?
20140815 08:02:00 128.199.246.204 loadadminpage=http://www.google.com/humans.txt?
20140815 08:01:57 128.199.246.204 config[installdir]=http://www.google.com/humans.txt?
20140815 08:01:52 128.199.246.204 lm_absolute_path=../../../&install_dir=http://www.google.com/humans.txt?
20140815 08:01:49 128.199.246.204 config[installdir]=http://www.google.com/humans.txt?

As you can see, the attack was fairly constant. It had been going on for about 1-2 hours before I spotted it and blocked the relevant IP address from the site, but in the space of those 2 hours they'd made about 2,500+ attempts to find the humans.txt.
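The pattern in the stats above is easy to detect mechanically: every probe puts an absolute URL on a remote host into a query-string parameter, sometimes with a trailing %00. The following is an added example, not code from the original post or from Skipfish; it parses constructed log lines in the same "date time ip query-string" layout as the stats shown above (the sample lines are made up for this example, including the second source IP and the unrelated target host), flags any parameter whose value is a remote http(s) URL, notes whether the null-byte variant was used, and counts hits per source IP so you can decide what to block.

```python
"""Flag remote-file-inclusion probes in simple access-log lines.

Added example, not from the original post. The log layout mirrors the
stats lines quoted above: "YYYYMMDD HH:MM:SS <ip> <query-string>".
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample, not real traffic: three probes from one IP (one of
# them the %00 variant), one benign request, and one probe from a second
# IP pointing at a different remote host.
SAMPLE_LOG = """\
20140815 08:02:17 128.199.246.204 bypass_installed=1&secure_page_path=http://www.google.com/humans.txt?%00
20140815 08:02:28 128.199.246.204 GLOBALS[CLASS_PATH]=http://www.google.com/humans.txt?
20140815 08:02:39 128.199.246.204 dir=http://www.google.com/humans.txt?
20140815 08:03:00 203.0.113.7 page=about&lang=en
20140815 08:03:05 198.51.100.9 INC=https://example.org/shell.txt?
"""

LINE_RE = re.compile(r"^(\d{8}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def is_remote_url(value):
    """True if a parameter value is an absolute http(s) URL with a host."""
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def rfi_probes(log_text):
    """Return one record per parameter whose value points at a remote host.

    parse_qsl percent-decodes the values, so the %00 marker from the log
    shows up as a literal NUL byte, which is what the null_byte flag tests.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        date, time, ip, query = m.groups()
        for param, value in parse_qsl(query, keep_blank_values=True):
            if not is_remote_url(value):
                continue  # ordinary value such as "about" or "en"
            hits.append({
                "date": date,
                "time": time,
                "ip": ip,
                "param": param,
                "host": urlsplit(value).netloc,
                "null_byte": "\x00" in value,
            })
    return hits


def probes_per_ip(log_text):
    """Count flagged probes by source IP: the list you would block or report."""
    return Counter(h["ip"] for h in rfi_probes(log_text))


if __name__ == "__main__":
    for hit in rfi_probes(SAMPLE_LOG):
        print(hit)
    print(probes_per_ip(SAMPLE_LOG))
```

Checking for a remote scheme and host, rather than for the string "humans.txt", is deliberate: the payload and the user-agent are configurable, so a scanner run with a different include target would still be caught.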

The Akamai Blog gives a few more details about Skipfish; you can also find some more info here.

Here are the basics, from the Akamai blog, of what Skipfish attempts to do:

Skipfish will test for an RFI injection point by sending the string www.google.com/humans.txt or www.google.com/humans.txt%00 to the site’s pages. It is a normal practice for sites to contain a humans.txt file, telling visitors about the people who created the site.

If an RFI attempt is successful, the content of the included page (in this instance, the quoted Google text above) will be displayed in the targeted website. The included string and the user-agent are both configurable by the attacker running Skipfish.
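The trailing "?" and the "%00" in the probes are the part worth understanding. The classic remote-inclusion bug is an include that appends a fixed suffix to user input, in PHP terms something like include($_GET['dir'] . '/footer.php'); a bare URL would then fetch humans.txt/footer.php and fail, but with a "?" the appended suffix becomes the remote URL's query string and Google still serves humans.txt, and on old PHP builds a null byte cuts the suffix off entirely. The following is an added example, not code from the post, from Skipfish or from any PHP project: it models that vulnerable pattern in Python (the "/footer.php" suffix and the pre-PHP-5.3.4 null-byte truncation are assumptions for the demonstration) to show what the server would actually fetch for each payload variant, and beside it an allow-list lookup that never builds a path from user input at all.

```python
"""Why Skipfish's RFI payload ends in '?' or '%00'.

Added example. Simulates a naive  include(user_value . SUFFIX)  pattern
to show which resource each payload makes the server fetch, then shows
the safe alternative. Assumed for the demo: the app appends "/footer.php"
and (optionally) truncates at a NUL byte like very old PHP did.
"""
from urllib.parse import unquote, urlsplit

SUFFIX = "/footer.php"  # assumed fixed tail the vulnerable app appends

# Assumed allow-list for the hardened version: user input selects a key,
# and only these files can ever be included.
ALLOWED_PAGES = {
    "home": "pages/home.php",
    "about": "pages/about.php",
}


def vulnerable_include_target(param, null_byte_truncates=True):
    """Return (is_remote, resource) for the path a naive include builds.

    `param` is the raw query-string value as the scanner sends it; the
    unquote step mirrors the web server's automatic %-decoding. For a
    remote URL, `resource` is host + path, i.e. what the remote server
    is actually asked for once the appended suffix has fallen into the
    query string (after '?') or been cut off (at NUL).
    """
    value = unquote(param)
    built = value + SUFFIX
    if null_byte_truncates and "\x00" in built:
        built = built.split("\x00", 1)[0]  # C-string style truncation
    parts = urlsplit(built)
    if parts.scheme in ("http", "https") and parts.netloc:
        return True, parts.netloc + parts.path
    return False, built  # a local path relative to the web root


def safe_include_target(param):
    """Allow-list lookup: returns a fixed filename or None, never a built path."""
    return ALLOWED_PAGES.get(unquote(param))


if __name__ == "__main__":
    for payload in (
        "http://www.google.com/humans.txt",      # no '?': suffix breaks the URL
        "http://www.google.com/humans.txt?",     # suffix becomes the query string
        "http://www.google.com/humans.txt?%00",  # suffix cut off by NUL on old PHP
        "about",                                 # ordinary local page
    ):
        print(payload, "->", vulnerable_include_target(payload),
              "| safe:", safe_include_target(payload))
```

The first payload shows why the "?" is there at all: without it the remote server is asked for humans.txt/footer.php and the probe produces no tell-tale content. The allow-list version returns None for every remote URL, which is the behaviour a fix should have; checking that the value "looks local" with a blacklist of schemes is the weaker alternative and is what the %00 variant was designed to slip past.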

Anyway, I've now blocked this IP address and made an abuse report against it, hoping that this will at least prevent that IP from being used again.
