Friday, January 28, 2011

Can you assign the same IP address to two interfaces?

On Cisco, if the interface type is point-to-point, we don't need to assign an IP address, per RFC 1812 section 2.2.7.
Related to this, if the interface type is point-to-point, we can assign the same IP address to two interfaces.

Serial1/0 192.168.1.1 YES manual up up
Serial1/1 192.168.1.1 YES manual up up


OK, if I ping 192.168.1.2, where will it go? Let's explore.

Basic diagram

R2 (s1/0)--<(s1/1) R1 (s1/0)>--(s1/0) R3 -- LO 192.168.6.1/32


R1#show ip route 192.168.1.2
Routing entry for 192.168.1.0/30
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via Serial1/0
Route metric is 0, traffic share count is 1
directly connected, via Serial1/1
Route metric is 0, traffic share count is 1

So basically load sharing :)
Furthermore,

R1#show ip cef 192.168.6.1
192.168.6.1/32
nexthop 192.168.1.2 Serial1/0
nexthop 192.168.1.2 Serial1/1


If I enable debug ip icmp and change the interface load-sharing mode to per-packet:

R1#ping 192.168.6.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.6.1, timeout is 2 seconds:
U!
*Jan 28 22:24:25.455: ICMP: dst (192.168.1.1) host unreachable rcv from 192.168.1.2
*Jan 28 22:24:25.555: ICMP: echo reply rcvd, src 192.168.6.1, dst 192.168.1.1.!U
Success rate is 40 percent (2/5), round-trip min/avg/max = 76/88/100 ms
R1#
*Jan 28 22:24:27.635: ICMP: echo reply rcvd, src 192.168.6.1, dst 192.168.1.1
*Jan 28 22:24:27.743: ICMP: dst (192.168.1.1) host unreachable rcv from 192.168.1.2


So we can assign the same IP address, but only if both interfaces connect to the same device is there no issue; otherwise there will be a problem.

XAMPP WebDAV Vulnerability

With this vulnerability, WebDAV can be accessed like an FTP server by anyone who knows the username and password. XAMPP ships with a default username and password, so if the user doesn't restrict access to the XAMPP directory after installation, attackers can place their own files there and execute them remotely. They can then use your PC to DDoS their targets.


Quite strange: my machine was generating 80 Mbps of traffic towards one host.
As usual, I searched with Process Explorer (Sysinternals) for any unwanted processes and TCP connections. Nothing suspicious. But the anti-virus logs point to httpd.exe trying to access IRC ports; httpd.exe is the XAMPP Apache server process.

1/21/2011 10:02:23 AM Blocked by port blocking rule X:\xampplite\apache\bin\httpd.exe Anti-virus Standard Protection:Prevent IRC communication 173.192.66.130:6666
1/21/2011 10:35:45 AM Blocked by port blocking rule X:\xampplite\apache\bin\httpd.exe Anti-virus Standard Protection:Prevent IRC communication 199.27.134.100:6668
1/21/2011 10:37:04 AM Blocked by port blocking rule X:\xampplite\apache\bin\httpd.exe Anti-virus Standard Protection:Prevent IRC communication 199.27.134.100:6666
1/21/2011 10:39:36 AM Blocked by port blocking rule X:\xampplite\apache\bin\httpd.exe Anti-virus Standard Protection:Prevent IRC communication 74.53.201.162:6668

So I was suspicious of XAMPP and started to google for XAMPP vulnerabilities, and found that XAMPP WebDAV has a default password; anybody can access it and place files in the folder. Through that they can access the whole server's content.
Next step: the Apache logs.
The access log points to that too (watch the PUT):


50.22.21.218 - - [18/Jan/2011:14:02:34 +0530] "GET /webdav/ HTTP/1.1" 200 313 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12"
50.22.21.218 - - [18/Jan/2011:14:02:34 +0530] "PROPFIND /webdav/ HTTP/1.1" 401 1369 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:34 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 2397 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:35 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 2397 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:35 +0530] "PUT /webdav/info.php HTTP/1.1" 201 332 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:36 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 3174 "-" "WEBDAV Client"
50.22.21.218 - - [18/Jan/2011:14:02:41 +0530] "GET /webdav/info.php HTTP/1.1" 200 105 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12"
50.22.21.218 - wampp [18/Jan/2011:14:02:49 +0530] "DELETE /webdav/info.php HTTP/1.1" 204 - "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:49 +0530] "PUT /webdav/x32.php HTTP/1.1" 201 331 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:50 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 3174 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:50 +0530] "PUT /webdav/servconfig.php HTTP/1.1" 201 338 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:52 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 3958 "-" "WEBDAV Client"

Three files were placed by the attackers: leaf.php, servconfig.php and x32.php (no idea what leaf.php is; does anybody have any idea?). I've attached the PHP files here:

01/22/2011 03:03 AM 1,107 leaf.php
01/21/2011 08:56 PM 3,775 servconfig.php
12/20/2009 12:00 AM 277 webdav.txt
01/18/2011 02:02 PM 1,975 x32.php

RAR file:
http://hotfile.com/dl/100076218/c618307/webdav.rar.html

x32.php gives a basic interface where you can enter the host and time duration for the attack. Sample attack requests (these may vary depending on the PHP/active content the attacker places):

91.121.2.103 - - [27/Jan/2011:15:09:14 +0530] "GET /webdav/x32.php?act=phptools&host=76.105.134.136&time=120&port=3074 HTTP/1.1" 200 1133 "-" "-"
91.121.2.103 - - [27/Jan/2011:15:10:14 +0530] "GET /webdav/x32.php?act=phptools&host=76.105.134.136&time=120&port=3074 HTTP/1.1" 200 1134 "-" "-"
91.121.2.103 - - [27/Jan/2011:15:10:51 +0530] "GET /webdav/x32.php?act=phptools&host=76.105.134.136&time=120&port=3074 HTTP/1.1" 200 1133 "-" "-"
91.121.2.103 - - [27/Jan/2011:15:13:48 +0530] "GET /webdav/x32.php?act=phptools&host=76.105.134.136&time=120&port=3074 HTTP/1.1" 200 1134 "-" "-"

Workaround:
Change the default username and password on the webdav folder that XAMPP sets up:
X:/xampp/security/webdav.htpasswd

Delete the webdav folder / search Google for "XAMPP WebDAV vulnerability".
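
To check an Apache access log for the pattern seen in the logs above (a script written with a WebDAV PUT, then requested over plain HTTP), the following scan can be used. It is an added example, not part of the original post; the function name, the extension list and the default /webdav/ prefix are assumptions, and the sample lines are copied from the access logs on this page.

```python
import re
from collections import defaultdict

# Apache combined format: host ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
SCRIPT_EXT = (".php", ".phtml", ".asp", ".aspx", ".jsp", ".cgi")  # assumed list

def find_webdav_abuse(lines, dav_prefix="/webdav/"):
    """Map each script path written by WebDAV PUT to its uploads and to the
    later successful GET/POST requests for it (likely execution)."""
    findings = defaultdict(lambda: {"uploads": [], "executions": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        path, _, query = m["path"].partition("?")
        low = path.lower()
        if not (low.startswith(dav_prefix) and low.endswith(SCRIPT_EXT)):
            continue
        event = (m["ip"], m["user"], m["ts"], query)
        if m["method"] == "PUT" and m["status"] in ("201", "204"):
            findings[path]["uploads"].append(event)
        # Only paths already seen uploaded in this log are counted as executed.
        elif m["method"] in ("GET", "POST") and m["status"] == "200" and path in findings:
            findings[path]["executions"].append(event)
    return dict(findings)

# Lines copied from the access logs on this page.
SAMPLE_LOG = [
    '50.22.21.218 - - [18/Jan/2011:14:02:34 +0530] "PROPFIND /webdav/ HTTP/1.1" 401 1369 "-" "WEBDAV Client"',
    '50.22.21.218 - wampp [18/Jan/2011:14:02:35 +0530] "PUT /webdav/info.php HTTP/1.1" 201 332 "-" "WEBDAV Client"',
    '50.22.21.218 - - [18/Jan/2011:14:02:41 +0530] "GET /webdav/info.php HTTP/1.1" 200 105 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12"',
    '50.22.21.218 - wampp [18/Jan/2011:14:02:49 +0530] "DELETE /webdav/info.php HTTP/1.1" 204 - "-" "WEBDAV Client"',
    '50.22.21.218 - wampp [18/Jan/2011:14:02:49 +0530] "PUT /webdav/x32.php HTTP/1.1" 201 331 "-" "WEBDAV Client"',
    '50.22.21.218 - wampp [18/Jan/2011:14:02:50 +0530] "PUT /webdav/servconfig.php HTTP/1.1" 201 338 "-" "WEBDAV Client"',
    '91.121.2.103 - - [27/Jan/2011:15:09:14 +0530] "GET /webdav/x32.php?act=phptools&host=76.105.134.136&time=120&port=3074 HTTP/1.1" 200 1133 "-" "-"',
]

if __name__ == "__main__":
    for path, hit in find_webdav_abuse(SAMPLE_LOG).items():
        users = sorted({u for _, u, _, _ in hit["uploads"]})
        callers = sorted({ip for ip, _, _, _ in hit["executions"]})
        print(f"{path}: uploaded as {users}, requested by {callers or 'nobody yet'}")
```

A script that was uploaded before the log window starts will not appear here, so run it over rotated logs as well.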