Comments on: Strange web exploit attempt (?) http://www.megginson.com/blogs/quoderat/2008/02/04/strange-web-exploit-attempt/ XML and the Web. Fri, 29 Aug 2008 08:47:11 +0000 http://wordpress.org/?v=2.5.1 By: Rob Kaper http://www.megginson.com/blogs/quoderat/2008/02/04/strange-web-exploit-attempt/#comment-36172 Rob Kaper Mon, 14 Jul 2008 14:00:28 +0000 http://www.megginson.com/blogs/quoderat/2008/02/04/strange-web-exploit-attempt/#comment-36172 That's an odd attack.. It certainly does not look like an SQL injection, those are targetted and would involve SQL control characters.. MD5 strings would really not help an attacker here. Then again, it also doesn't look like a 'require/include' attack. Those tend to exploit known problems of software (you'd see a lot of /someforumsoftware/?root_dir= requests), they really don't perform queries from random forms on web sites. Then again, I've had spam containing nothing but illegible text. And I've have had spam bot registration attempts on my personal site which runs a home-grown CMS.. seriously a waste of time for spammers but hey, whatever keeps them happy. That’s an odd attack..

It certainly does not look like an SQL injection, those are targetted and would involve SQL control characters.. MD5 strings would really not help an attacker here.

Then again, it also doesn’t look like a ‘require/include’ attack. Those tend to exploit known problems of software (you’d see a lot of /someforumsoftware/?root_dir= requests), they really don’t perform queries from random forms on web sites.

Then again, I’ve had spam containing nothing but illegible text. And I’ve have had spam bot registration attempts on my personal site which runs a home-grown CMS.. seriously a waste of time for spammers but hey, whatever keeps them happy.

]]> By: ideastofightglobalterrorism.blogspot.com http://www.megginson.com/blogs/quoderat/2008/02/04/strange-web-exploit-attempt/#comment-35642 ideastofightglobalterrorism.blogspot.com Thu, 26 Jun 2008 05:22:47 +0000 http://www.megginson.com/blogs/quoderat/2008/02/04/strange-web-exploit-attempt/#comment-35642 Follow up: see http://ideastofightglobalterrorism.blogspot.com Follow up: see http://ideastofightglobalterrorism.blogspot.com

]]> By: ideastofightglobalterrorism.blogspot.com http://www.megginson.com/blogs/quoderat/2008/02/04/strange-web-exploit-attempt/#comment-35641 ideastofightglobalterrorism.blogspot.com Thu, 26 Jun 2008 05:21:46 +0000 http://www.megginson.com/blogs/quoderat/2008/02/04/strange-web-exploit-attempt/#comment-35641 Frankly I would be VERY attentive as your Server is a victim of a http-Inject attack. It is a test to see if one can send your scripts and next step will be http-request with PHP code that may infect Your Server. What to do ? If you do not use 'http:' within your URL's Query_String you may simply add the following code at the beginning of all of your PHP-Files: As long as the above code is on the FIRST Line, there is no way your script is able to load external pages, it just gives back an empty Page As an alternative, if you are able to change your .htaccess file, you may create a rewrite rule 403 FORBIDDEN there: RewriteEngine on RewriteCond %{QUERY_STRING} http[:%] [NC] RewriteRule .* /------------http----------- [F,NC] RewriteRule http: /---------http----------- [F,NC] This is the fastest way and works for all files and all CMS Systems Source: http://www.whyron.com/http.htm Frankly I would be VERY attentive as your Server is a victim of a http-Inject attack.
It is a test to see if one can send your scripts and next step will be http-request with
PHP code that may infect Your Server.

What to do ?
If you do not use ‘http:’ within your URL’s
Query_String you may simply add the following code
at the beginning of all of your PHP-Files:

As long as the above code is on the FIRST Line, there is no way
your script is able to load external pages, it just gives back an empty Page

As an alternative, if you are able to change
your .htaccess file, you may create
a rewrite rule 403 FORBIDDEN there:

RewriteEngine on
RewriteCond %{QUERY_STRING} http[:%] [NC]
RewriteRule .* /————http———– [F,NC]
RewriteRule http: /———http———– [F,NC]

This is the fastest way and works for all files and all CMS Systems
Source: http://www.whyron.com/http.htm

]]> By: Aristotle Pagaltzis http://www.megginson.com/blogs/quoderat/2008/02/04/strange-web-exploit-attempt/#comment-33496 Aristotle Pagaltzis Mon, 04 Feb 2008 15:16:39 +0000 http://www.megginson.com/blogs/quoderat/2008/02/04/strange-web-exploit-attempt/#comment-33496 They’re probably trying to see if they can get a URL passed to [`require`](http://php.net/require),, if they were successful, that PHP code would execute on your server. If I conjecture correctly, then yes, you are supposed to see PHP code verbatim, since it’s supposed to be interpreted on your server, not theirs. They’re probably trying to see if they can get a URL passed to [`require`](http://php.net/require),, if they were successful, that PHP code would execute on your server. If I conjecture correctly, then yes, you are supposed to see PHP code verbatim, since it’s supposed to be interpreted on your server, not theirs.

]]>