At Defcon 2012 a new Tool/Exploit hit the world: HTExploit v0.7 (link here: http://www.mkit.com.ar/labs/htexploit/) which be put some websites at risk. In short it bypasses .htaccess protected Websites by using PHP. It cant download the PHP-Source, but it can download the protected files as if they were to be displayed in your browser (html-code). Pretty neat tool!
In its current release it uses a POTATO request (instead of GET/POST/..) and the Python default User-Agent (e.g. “Python-urllib/2.6”). If you see something in the lines of this in your Logs:
example.com:80 8.8.8.8 – – [02/Aug/2012:13:51:45 +0200] “POTATO /mytest/xml.php HTTP/1.1” 404 3 “-” “Python-urllib/2.6”
example.com:80 8.8.8.8 – – [02/Aug/2012:13:51:45 +0200] “POTATO /mytest/xml.php HTTP/1.1” 404 3 “-” “Python-urllib/2.6”
example.com:80 8.8.8.8 – – [02/Aug/2012:13:51:46 +0200] “POTATO /mytest/xmlelement.php HTTP/1.1” 404 3 “-” “Python-urllib/2.6”
example.com:80 8.8.8.8 – – [02/Aug/2012:13:51:46 +0200] “POTATO /mytest/xmlelement.php HTTP/1.1” 404 3 “-” “Python-urllib/2.6”
example.com:80 8.8.8.8 – – [02/Aug/2012:13:51:46 +0200] “POTATO /mytest/xmlrpc.php HTTP/1.1” 404 3 “-” “Python-urllib/2.6”
example.com:80 8.8.8.8 – – [02/Aug/2012:13:51:46 +0200] “POTATO /mytest/xmlrpc.php HTTP/1.1” 404 3 “-” “Python-urllib/2.6”
example.com:80 8.8.8.8 – – [02/Aug/2012:13:51:46 +0200] “POTATO /mytest/zip.php HTTP/1.1” 404 3 “-” “Python-urllib/2.6”
example.com:80 8.8.8.8 – – [02/Aug/2012:13:51:46 +0200] “POTATO /mytest/zip.php HTTP/1.1” 404 3 “-” “Python-urllib/2.6”
example.com:80 8.8.8.8 – – [02/Aug/2012:13:51:46 +0200] “POTATO /mytest/zipndownload.php HTTP/1.1” 404 3 “-” “Python-urllib/2.6”
example.com:80 8.8.8.8 – – [02/Aug/2012:13:51:46 +0200] “POTATO /mytest/zipndownload.php HTTP/1.1” 404 3 “-” “Python-urllib/2.6”
Someone has tried to access your .htaccess protected Website using this little tool!