Closed bond-alexander closed 5 years ago
I was reviewing some TimThumb exploit attempts in the Glastopf MySQL database. Consistently, Glastopf appears to be dropping the payload from the log. Examples:
| 168385 | 2015-06-07 21:06:49 | 178.43.73.64:12689 | /wp-content/themes/vilisya/appserv/comments&%3Bsa%3DU&%3Bei%3DYVH1U_b_LZf-yQTvnYKYAQ&%3Bved%3D0CDUQFjAGOFA&%3Busg%3DAFQjCNF39rGx4ckxh4GIJxH6AMz6bw3G7A/wp-content/themes/vilisya/timthumb.php?src | GET /wp-content/themes/vilisya/appserv/comments&%3Bsa%3DU&%3Bei%3DYVH1U_b_LZf-yQTvnYKYAQ&%3Bved%3D0CDUQFjAGOFA&%3Busg%3DAFQjCNF39rGx4ckxh4GIJxH6AMz6bw3G7A/wp-content/themes/vilisya/timthumb.php?src HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Connection: keep-alive Host: XXXXXX Keep-Alive: 115 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13 | comments | NULL |
| 168384 | 2015-06-07 21:05:29 | 79.141.173.52:10358 | /wp-content/themes/vilisya/appserv/comments&%3Bsa%3DU&%3Bei%3Df1T1U5HICtKLyASb3IKICw&%3Bved%3D0COEBEBYwKTge&%3Busg%3DAFQjCNGo3WvJEi06b0JVTjfUx9HsBIM-BQ/wp-content/themes/vilisya/timthumb.php?src' | GET /wp-content/themes/vilisya/appserv/comments&%3Bsa%3DU&%3Bei%3Df1T1U5HICtKLyASb3IKICw&%3Bved%3D0COEBEBYwKTge&%3Busg%3DAFQjCNGo3WvJEi06b0JVTjfUx9HsBIM-BQ/wp-content/themes/vilisya/timthumb.php?src' HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: identity Host: XXXXXX User-Agent: Mozilla/3.0 (compatible; Indy Library) | comments | NULL |
| 168383 | 2015-06-07 20:59:14 | 180.76.15.32:47914 | /wp-content/themes/vilisya/appserv/comments&%3Bsa%3DU&%3Bei%3DmlT1U4e5A5KLyATIsIHIDg&%3Bved%3D0CMkCEBYwPTgK&%3Busg%3DAFQjCNGt4fBWiDItCQlyviLtYqd1fiitIA/wp-content/themes/vilisya/wp-content/themes/vilisya/timthumb.php?src | GET /wp-content/themes/vilisya/appserv/comments&%3Bsa%3DU&%3Bei%3DmlT1U4e5A5KLyATIsIHIDg&%3Bved%3D0CMkCEBYwPTgK&%3Busg%3DAFQjCNGt4fBWiDItCQlyviLtYqd1fiitIA/wp-content/themes/vilisya/wp-content/themes/vilisya/timthumb.php?src HTTP/1.1 Accept: */* Accept-Encoding: gzip Accept-Language: en-US Connection: close Host: XXXXXX User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html) | comments | NULL |
The payload should follow after src, but it's not appearing there.
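A defender-side check, added here as an example and not part of the issue or of Glastopf's own code, that parses logged request lines and reports what was captured for the `src` parameter of a `timthumb.php` request. The three request lines are copied from the rows quoted in the issue (headers and the redacted Host value dropped); the fourth is constructed, with a placeholder host, so the check has a non-empty `src` value to find. It distinguishes three cases a reviewer of these rows cares about: no `src` parameter at all, `src` present with an empty value, and `src` carrying a value.

```python
from urllib.parse import parse_qsl, urlsplit

# Request lines copied from the three events quoted in the issue (only the
# request line is used; the headers and the redacted Host value are dropped).
LOGGED_REQUEST_LINES = [
    "GET /wp-content/themes/vilisya/appserv/comments&%3Bsa%3DU&%3Bei%3DYVH1U_b_LZf-yQTvnYKYAQ&%3Bved%3D0CDUQFjAGOFA&%3Busg%3DAFQjCNF39rGx4ckxh4GIJxH6AMz6bw3G7A/wp-content/themes/vilisya/timthumb.php?src HTTP/1.1",
    "GET /wp-content/themes/vilisya/appserv/comments&%3Bsa%3DU&%3Bei%3Df1T1U5HICtKLyASb3IKICw&%3Bved%3D0COEBEBYwKTge&%3Busg%3DAFQjCNGo3WvJEi06b0JVTjfUx9HsBIM-BQ/wp-content/themes/vilisya/timthumb.php?src' HTTP/1.1",
    "GET /wp-content/themes/vilisya/appserv/comments&%3Bsa%3DU&%3Bei%3DmlT1U4e5A5KLyATIsIHIDg&%3Bved%3D0CMkCEBYwPTgK&%3Busg%3DAFQjCNGt4fBWiDItCQlyviLtYqd1fiitIA/wp-content/themes/vilisya/wp-content/themes/vilisya/timthumb.php?src HTTP/1.1",
]

# Constructed request line (not from the issue) in which src does carry a
# value, with a placeholder host, so the check has something to report.
CONSTRUCTED_WITH_VALUE = (
    "GET /wp-content/themes/vilisya/timthumb.php"
    "?src=http%3A%2F%2Fexample.invalid%2Fimage.jpg&w=100 HTTP/1.1"
)


def parse_request_line(line):
    """Split an HTTP request line into (method, target, version)."""
    parts = line.strip().split(" ")
    if len(parts) != 3:
        raise ValueError("not an HTTP request line: %r" % line)
    return parts[0], parts[1], parts[2]


def inspect_timthumb_request(line):
    """Describe a logged request: is it aimed at timthumb.php, and what was
    captured for its src parameter?

    src_value is None when there is no src parameter, '' when the name is
    present without a value, and otherwise the percent-decoded value."""
    method, target, _version = parse_request_line(line)
    parts = urlsplit(target)
    result = {
        "method": method,
        "path": parts.path,
        "timthumb": parts.path.endswith("/timthumb.php"),
        "src_value": None,
    }
    # keep_blank_values=True is what makes a bare "?src" show up at all;
    # parse_qsl also percent-decodes the value for us.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # The second logged row carries a stray quote after the name ("src'");
        # strip surrounding quotes so that variant is still recognised as src.
        if key.rstrip("'\"") == "src":
            result["src_value"] = value
            break
    return result


def has_src_value(line):
    """True only when the logged request targets timthumb.php and its src
    parameter carries a non-empty value."""
    info = inspect_timthumb_request(line)
    return info["timthumb"] and bool(info["src_value"])


if __name__ == "__main__":
    for line in LOGGED_REQUEST_LINES + [CONSTRUCTED_WITH_VALUE]:
        info = inspect_timthumb_request(line)
        print("timthumb=%s src=%r path=%s"
              % (info["timthumb"], info["src_value"], info["path"]))
```

Run against the rows above, the check reports `src` present with an empty value for all three logged lines and a decoded value only for the constructed one, which is a quick way to tell, row by row, whether the request line Glastopf stored contains a `src` value at all before looking for it elsewhere in the record.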