Web server logs containing RS=^ ?

Published: 2014-03-13
Last Updated: 2014-03-13 09:55:17 UTC
by Daniel Wesemann (Version: 1)
4 comment(s)

A SANS ISC reader sent us the following Apache log snippet earlier today

108.178.x.x - [11/Mar/2014:04:21:14 +0100] "GET /index.shtml/RK=0/RS=o_wLEbyzxJDMeXhdrhZU9KN7uD4- HTTP/1.0" 302 206
196.196.x.x - [11/Mar/2014:07:43:19 +0100] "GET /index.shtml/RS=^ADAY1N1JxWPFnnOEW3FpVC1g.n4rec- HTTP/1.0" 302 206
88.80.x.x   - [11/Mar/2014:15:02:01 +0100] "GET /index.shtml/RS=^ADAw5eOsxy0br6iGm1BZPRs2wtnyAE- HTTP/1.1" 302 206

index.shtml exists on the reader's server, but the RS= / RK= stuff is bogus. The RS= looks like it could be a regular expression for a pattern match of sorts, since it is starting with an anchor "^", but that's guessing. We don't really know. Googling for the pattern shows that this sort of thing has been around for a while, but I didn't find any definite explanation about which software or toolkit these requests are attempting to exploit, if any. If you have information on what this is, please share in the comments below, or via our contact form.


 

Keywords: apache Log Analysis
4 comment(s)

Comments

There is SSI injection with the header.
see: http://www.cgisecurity.com/papers/header-based-exploitation.txt
it emerged in some web server logs, + someone?
+1 ; lots of similar entries similar, not for index.shtml but for other resources
'GET //RK=0/RS=rgzp9...'

Searching for the other resources that were accessed by the same IP, around the same time, I saw requests for
GET /wp-login.php?action=register
POST /xmlrpc.php

Not all IPs doing a GET for RK=/RS= were accessing the Wordpress resources but I did noticed that they seemed to share the same browser ID ""Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
Isn't that a syntax for requests against wordpress pages? Where RS= is a hash of something? I know i have seen that syntax associated with queries against a content manager but can't remember which one.

If you google for URI's like that your will find thousands of websites that have URI's formatted like that. Just didn't have the time to dig through them to figure out which content management system they were using.

Google on:

allinurl: RS "RK=0"

Diary Archives