revolt
written by: Jared Braverman, SECNAP Network Security Corp.
www.secnap.com
revolt is a scanner for phpMyAdmin installations. I don’t know what vulnerable servers are “used” for though.
… "HEAD http://…:80/phpmy/ HTTP/1.1" 403 0 "-" "revolt"
… "HEAD http://…:80/phppma/ HTTP/1.1" 403 0 "-" "revolt"
… "HEAD http://…:80/myadmin/ HTTP/1.1" 403 0 "-" "revolt"
revolt tries a large number of possible URIs – almost 100 variations in one scan. revolt also doesn’t seem to know any host names for the IP address it scans.
THIS IS THE SIGNATURE THAT WAS CREATED TO DETECT REVOLT
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB PHP Attack Tool Revolt Scanner"; flow:established,to_server; content:"User-Agent: revolt"; nocase; reference:url,www.Whitehatsecurityresponse.blogspot.com; classtype:web-application-attack; sid:2009300; rev:1;)
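The same traits can be checked after the fact in web server access logs. The following is an added example, not code from the original post: it flags clients by the "revolt" User-Agent and, independently, by the behaviour described above (many distinct HEAD probes sent with an absolute URI), so a scan with a changed User-Agent is still caught. The Apache combined log layout, the function names, the sample lines and the min_paths threshold are assumptions.

```python
import re
from collections import defaultdict

# Assumed layout: Apache combined log format (the page elides the leading fields).
LOG_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges), not taken from the page.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2009:00:00:01 +0000] "HEAD http://203.0.113.10:80/phpmy/ HTTP/1.1" 403 0 "-" "revolt"',
    '198.51.100.7 - - [01/Jan/2009:00:00:01 +0000] "HEAD http://203.0.113.10:80/phppma/ HTTP/1.1" 403 0 "-" "revolt"',
    '198.51.100.7 - - [01/Jan/2009:00:00:02 +0000] "HEAD http://203.0.113.10:80/myadmin/ HTTP/1.1" 403 0 "-" "revolt"',
    '198.51.100.8 - - [01/Jan/2009:00:05:01 +0000] "HEAD http://203.0.113.10:80/phpmy/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [01/Jan/2009:00:05:01 +0000] "HEAD http://203.0.113.10:80/phppma/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [01/Jan/2009:00:05:02 +0000] "HEAD http://203.0.113.10:80/myadmin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jan/2009:00:06:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.45 - - [01/Jan/2009:00:07:00 +0000] "HEAD /favicon.ico HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

def path_of(target):
    """Strip scheme and authority from an absolute-form request target."""
    m = re.match(r'^[a-z][a-z0-9+.-]*://[^/]*(/.*)?$', target, re.I)
    return (m.group(1) or "/") if m else target

def find_scanners(lines, min_paths=3):
    """Map client -> reason, using the User-Agent and the probing behaviour."""
    ua_hit, probes = set(), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if m["ua"].strip().lower() == "revolt":
            ua_hit.add(m["client"])
        # Absolute-form HEAD targets mirror the requests in the log excerpt.
        if m["method"] == "HEAD" and "://" in m["target"]:
            probes[m["client"]].add(path_of(m["target"]).lower())
    flagged = {c: "user-agent" for c in ua_hit}
    for client, paths in probes.items():
        if len(paths) >= min_paths:  # assumed threshold; tune per site
            flagged[client] = "user-agent+behaviour" if client in ua_hit else "behaviour"
    return flagged

if __name__ == "__main__":
    for client, reason in sorted(find_scanners(SAMPLE).items()):
        print(client, reason)
```

With a real scan of almost 100 URIs, min_paths can be raised well above 3 to avoid flagging monitoring tools that send a handful of HEAD requests.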
THANKS TO:
http://johannburkard.de/blog/www/spam/morfeus-fucking-scanner-revolt-other-vulnerability-scanners.html
