Monday, June 6, 2016

Scans for Risky Web Folders

If you review your website, firewall, or IDS logs you may see scanners out on the Internet looking for the folders below. They probe for them because, if these folders are publicly exposed, they contain juicy information that could help an attacker take over your website.

http://www.mysite.com/_vti_cnf
http://www.mysite.com/_passwords/
http://www.mysite.com/passwords/
http://www.mysite.com/iisadmin/
http://www.mysite.com/~root
http://www.mysite.com/dmsdump/
http://www.mysite.com/oprocmgr-status/
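To spot this kind of scanning in your own web server logs, here is an added example (my code, not part of the original post) that parses Apache/NCSA combined-format access log lines, flags requests for the folders listed above, and tells you which source IPs look like scanners and whether any of the risky paths actually returned 200. The sample log lines are constructed for the demonstration; the per-path descriptions and the three-path scanner threshold are my own assumptions.

```python
import re
from collections import defaultdict

# The folders from the post, each with a short reason it is interesting to an
# attacker (assumption: these one-liners summarise the post's explanations).
RISKY_PATHS = {
    "/_vti_cnf": "FrontPage extensions: lists files in the real directory",
    "/_passwords": "likely a password file or directory",
    "/passwords": "likely a password file or directory",
    "/iisadmin": "old IIS web-based remote administration",
    "/~root": "root's home folder mapped into the web root",
    "/dmsdump": "Oracle Dynamic Monitoring Service dump",
    "/oprocmgr-status": "Oracle Process Manager status page",
}

# Apache/NCSA combined log format: ip ident user [ts] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def normalize(path):
    """Drop the query string, trailing slash and case so /Passwords/?x=1 matches /passwords."""
    path = path.split("?", 1)[0]
    if len(path) > 1:
        path = path.rstrip("/")
    return path.lower()


def classify(path):
    """Return the risky folder a request path falls under, or None."""
    p = normalize(path)
    for risky in RISKY_PATHS:
        if p == risky or p.startswith(risky + "/"):
            return risky
    return None


def scan_log(lines):
    """Return ({ip: {risky_path: [status, ...]}}, number of unparseable lines)."""
    hits = defaultdict(lambda: defaultdict(list))
    skipped = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            skipped += 1  # not combined format (or a truncated line); don't crash the run
            continue
        risky = classify(m.group("path"))
        if risky:
            hits[m.group("ip")][risky].append(int(m.group("status")))
    return hits, skipped


def scanners(hits, threshold=3):
    """IPs that probed at least `threshold` distinct risky folders (assumed heuristic)."""
    return sorted(ip for ip, paths in hits.items() if len(paths) >= threshold)


def report(hits):
    """One line per (ip, folder); EXPOSED means the server answered 200 at least once."""
    out = []
    for ip, paths in sorted(hits.items()):
        for risky, statuses in sorted(paths.items()):
            flag = "EXPOSED" if 200 in statuses else "blocked/missing"
            out.append(f"{ip} {risky} {len(statuses)} hit(s) {flag}: {RISKY_PATHS[risky]}")
    return out


# Constructed sample log: one IP walking the whole list (all 404), one IP that
# actually fetched something out of _vti_cnf (200), one benign request, one garbage line.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Jun/2016:10:01:12 -0500] "GET /_vti_cnf/ HTTP/1.1" 404 219 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jun/2016:10:01:13 -0500] "GET /_passwords/ HTTP/1.1" 404 219 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jun/2016:10:01:13 -0500] "GET /passwords/ HTTP/1.1" 404 219 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jun/2016:10:01:14 -0500] "GET /iisadmin/ HTTP/1.1" 404 219 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jun/2016:10:01:14 -0500] "GET /~root HTTP/1.1" 404 219 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jun/2016:10:01:15 -0500] "GET /dmsdump/ HTTP/1.1" 404 219 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jun/2016:10:01:15 -0500] "GET /oprocmgr-status/ HTTP/1.1" 404 219 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [06/Jun/2016:11:22:03 -0500] "GET /_vti_cnf/index.html HTTP/1.1" 200 4120 "-" "curl/7.47.0"',
    '192.0.2.44 - - [06/Jun/2016:11:30:00 -0500] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    "garbage line that is not in combined format",
]

if __name__ == "__main__":
    hits, skipped = scan_log(SAMPLE_LOG)
    print("\n".join(report(hits)))
    print("likely scanners:", ", ".join(scanners(hits)))
    print("unparseable lines:", skipped)
```

Run it against a real file with `scan_log(open("access_log"))`. A 404 on every one of these paths is the good outcome; the line to worry about is any risky path with a 200, which is what the EXPOSED flag calls out. If your logs are in a different format (IIS W3C, for instance), only `LOG_RE` needs to change.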


I thought I'd take a second and explain a few of them.

For _vti_cnf: if you go to a site that has FrontPage extensions enabled, this folder gives you a complete listing of all the files in the real directory, and with that information you could snatch useful files that were not meant to be exposed publicly.

I'm going to guess the next two folder names give you access somehow to a passwords file or something similar that, again, isn't supposed to be exposed publicly.

The iisadmin folder belongs to older versions of IIS that allowed remote administration through the web server itself, which can be a very bad thing on a public-facing site.

The ~root folder likely refers to a Linux web server (such as Apache with mod_userdir) that has been improperly configured to map ~user URLs to home folders, including the root account's home folder.

The dmsdump folder refers to Oracle's Dynamic Monitoring Service. Many of Oracle's services in older versions were accessible remotely by anonymous users by default, which is bad, as it can give attackers remote access to administer your server. The same goes for the Oracle Process Manager status page (oprocmgr-status).

If you have any of these folders exposed publicly on your site you've possibly already been compromised; if not, go take those folders down (or restrict them in httpd.conf, .htaccess, or similar) so they're no longer accessible to the bad guys. In many cases, if these folders exist, you're also running a very old, unpatched version of the software, so you're going to need to do some major upgrades as well to fix all your issues.
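As an added example (my code, not from the original post), here is a small audit script you can run on the server to answer the "do I have any of these folders?" question directly: it walks your document root for the folder names above and reports each one as missing, denied (a .htaccess in it carries an Apache deny-all directive) or EXPOSED. The document root it builds is constructed for the demonstration; ~root is left out because it is produced by the user-directory mapping, not by a folder under the document root.

```python
import os
import tempfile

# Folder names from the post, relative to the document root (~root excluded: it
# comes from mod_userdir mapping, not from a directory under the docroot).
RISKY_DIRS = ["_vti_cnf", "_passwords", "passwords", "iisadmin", "dmsdump", "oprocmgr-status"]

# Deny-all directives: "Require all denied" is Apache 2.4 syntax, "Deny from all" is 2.2.
DENY_DIRECTIVES = ("require all denied", "deny from all")


def htaccess_denies(dirpath):
    """True if dirpath/.htaccess contains a deny-all directive (comments ignored)."""
    path = os.path.join(dirpath, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            stripped = " ".join(line.split()).lower()  # collapse whitespace
            if not stripped or stripped.startswith("#"):
                continue
            if stripped in DENY_DIRECTIVES:
                return True
    return False


def audit_docroot(docroot):
    """Return {folder: 'missing' | 'denied' | 'EXPOSED'} for every risky folder."""
    result = {}
    for name in RISKY_DIRS:
        full = os.path.join(docroot, name)
        if not os.path.isdir(full):
            result[name] = "missing"
        elif htaccess_denies(full):
            result[name] = "denied"
        else:
            result[name] = "EXPOSED"
    return result


def build_sample_docroot():
    """Constructed docroot: _vti_cnf blocked by .htaccess, passwords wide open, rest absent."""
    root = tempfile.mkdtemp(prefix="docroot_")
    os.makedirs(os.path.join(root, "_vti_cnf"))
    with open(os.path.join(root, "_vti_cnf", ".htaccess"), "w") as fh:
        fh.write("# added after reviewing the logs\nRequire all denied\n")
    os.makedirs(os.path.join(root, "passwords"))
    with open(os.path.join(root, "passwords", "service.txt"), "w") as fh:
        fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    docroot = build_sample_docroot()  # replace with your real DocumentRoot, e.g. /var/www/html
    for name, state in audit_docroot(docroot).items():
        print(f"{name:17s} {state}")
```

Two caveats when you act on the output. A .htaccess deny only works if the enclosing `<Directory>` in httpd.conf has `AllowOverride` set to permit it (`Limit` or `All`); the more reliable fix is the same `Require all denied` line inside a `<Directory>` block for that folder in httpd.conf, or simply deleting the folder. And "denied" here means the folder is no longer served over the web, not that the software that created it is patched; if the folder came from FrontPage extensions, old IIS, or an old Oracle install, the upgrade still needs to happen.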


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
