Top 10 exploits used by hackers to easily take control of servers

Every week, multiple security vulnerabilities are reported across all kinds of technology products. According to cloud security course specialists, it is critical to detect and correct these flaws before threat actors manage to develop an exploit for them, even though preventing 100% of attacks is not possible.

Exploitation is usually carried out with automated software that scans for and detects vulnerable devices and other vulnerable deployments on the network. To investigate this malicious activity, multiple cybersecurity firms deploy sensors and honeypots that run various services to attract the attention of bots and hackers, generating millions of events daily.

Based on a thorough analysis of that data, Radware’s cloud security course specialists have drawn up a list of the ten exploits most used by threat actors. These attacks primarily target known vulnerabilities in popular server software.

/TP/public/index.php

This exploit abuses CVE-2018-20062, a remote code execution vulnerability in NoneCMS ThinkPHP. ThinkPHP is a PHP-based web application development framework widely used in enterprise environments. The vulnerability was discovered in December 2018 and affects NoneCMS ThinkPHP 5.x releases earlier than v5.0.23 and v5.1.31.

Other Uniform Resource Identifiers (URIs) related to the same vulnerability:

  • /TP/index.php
  • /thinkphp/html/public/index.php
  • /thinkphp/public/index.php
  • /TP/html/public/index.php
  • /html/public/index.php

This exploit was used in 25% of reported server attacks over the past year.

/wp-config.php

This is a very important configuration file for WordPress. A threat actor with access to ‘wp-config.php’ could trigger a sensitive file exposure vulnerability in the Content Management System (CMS). This vulnerability was exploited in 14% of server attacks, cloud security course specialists say.

/ctrlt/DeviceUpgrade_1

The Huawei HG532 router is widely used in homes and small businesses. A couple of years ago, the company issued a security alert about a Remote Code Execution (RCE) vulnerability identified as CVE-2017-17215. By sending malicious requests to port 37215, a threat actor could execute arbitrary code without authenticating to the user interface.

This attack represents 11% of total attacks on servers reported last year.

/nice%20ports%2C/Tri%6Eity.txt%2ebak

Nmap is a widely used network scanner, and this request is one of its probes. The path is percent-encoded (ASCII escape characters) and deliberately nonexistent, so it provokes an HTTP 404 error response, which Nmap parses to fingerprint the web server. A successful scan could reveal important information about the web server; 9% of server attacks are associated with this probe.

/phpMyAdmin/scripts/setup.php

phpMyAdmin is a free and open source management tool for MySQL and MariaDB. The remote code execution vulnerability identified as CVE-2009-1151 allows a remote attacker to inject arbitrary PHP code into a configuration file through the setup script's save action, compromising the target system. This exploit was used in 9% of server attacks.

/wls-wsat/CoordinatorPortType11

The CVE-2017-10271 vulnerability could be exploited by unauthenticated remote hackers using a malicious HTML request to take control of an Oracle WebLogic server deployment. 7% of server attacks are associated with this exploit.

/editBlackAndWhiteList

In April 2018, Shenzhen TVT released a critical warning and firmware update to fix a remote code execution vulnerability in NVMS-9000 Digital Video Recorder. An unauthenticated remote attacker could have used the encoded administrator credentials to run their code on the victim’s machine. The exploit was identified in 5% of server attacks, cloud security course experts mentioned.

/HNAP1

HNAP is a network device management protocol patented by Pure Networks and later acquired by Cisco; it enables advanced programmatic configuration and management of devices by remote entities. The CVE-2014-8244 vulnerability allows attackers to abuse multiple HNAP devices, such as D-Link and Linksys routers.

/_async/AsyncResponseService

This exploit allowed hackers to abuse CVE-2019-2725, a remote code execution vulnerability affecting Oracle WebLogic components that do not adequately validate deserialized input data; 1% of server attacks are related to this flaw.

/GponForm/diag_Form?images/

Vulnerabilities CVE-2018-10561 and CVE-2018-1056 allowed multiple threat actors to execute arbitrary commands on affected versions of GPON routers. This attack is associated with 1% of reported incidents over the past year.
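The ten request paths above are easy to hunt for in ordinary web server access logs. The following added example (not from Radware or the original article) normalizes each logged request target by URL-decoding it, dropping the query string and lower-casing the path, then matches it against the paths listed on this page; the log lines and client addresses are constructed for the demonstration.

```python
import re
from urllib.parse import unquote, urlsplit

# Request paths named in the article, lower-cased so matching is case-insensitive,
# each mapped to the issue a hit indicates.
THINKPHP = "ThinkPHP RCE (CVE-2018-20062)"
SIGNATURES = {
    "/tp/public/index.php": THINKPHP, "/tp/index.php": THINKPHP,
    "/thinkphp/html/public/index.php": THINKPHP, "/thinkphp/public/index.php": THINKPHP,
    "/tp/html/public/index.php": THINKPHP, "/html/public/index.php": THINKPHP,
    "/wp-config.php": "WordPress wp-config.php exposure attempt",
    "/ctrlt/deviceupgrade_1": "Huawei HG532 RCE (CVE-2017-17215)",
    "/nice ports,/trinity.txt.bak": "Nmap HTTP fingerprint probe",
    "/phpmyadmin/scripts/setup.php": "phpMyAdmin setup.php RCE (CVE-2009-1151)",
    "/wls-wsat/coordinatorporttype11": "WebLogic wls-wsat RCE (CVE-2017-10271)",
    "/editblackandwhitelist": "TVT NVMS-9000 RCE",
    "/hnap1": "HNAP device abuse (CVE-2014-8244)",
    "/_async/asyncresponseservice": "WebLogic async RCE (CVE-2019-2725)",
    "/gponform/diag_form": "GPON router RCE (CVE-2018-10561)",
}
# Common log format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def normalize_path(target):
    """Decode and lower-case the path of a request target; the query string is dropped."""
    path = unquote(unquote(urlsplit(target).path))  # two passes also catch double-encoding
    return path.rstrip("/").lower() or "/"

def classify_request(target):
    """Return the signature label for a request target, or None if it matches nothing."""
    return SIGNATURES.get(normalize_path(target))

def scan_log(lines):
    """Return (client_ip, status, label, raw_target) for every log line hitting a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (label := classify_request(m.group("target"))):
            hits.append((m.group("ip"), m.group("status"), label, m.group("target")))
    return hits

# Constructed sample log lines (not real traffic); the fourth is a benign request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /TP/public/index.php HTTP/1.1" 404 162',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.1" 404 162',
    '198.51.100.2 - - [10/Oct/2023:13:57:12 +0000] "GET /GponForm/diag_Form?images/ HTTP/1.1" 404 162',
    '198.51.100.7 - - [10/Oct/2023:13:58:40 +0000] "GET /index.html HTTP/1.1" 200 1043',
]
```

Because matching happens on the decoded, case-folded path, the Nmap probe and upper-cased or percent-encoded variants of the other paths are caught by the same table; a hit with a 200 status rather than a 404 is the case worth escalating, since it means the targeted resource actually exists.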

The International Institute of Cyber Security (IICS) recommends visiting the official platforms of technology companies for more details on these attacks and the vulnerabilities exploited by hackers.