| www.example.com/directory/////file.html?
Suddenly getting weird referrers |
NGene
msg:894641 | 2:10 pm on May 11, 2003 (gmt 0) |
I suddenly noticed a huge amount of weird referrers in my logs. Suppose I have directories called /directory, /directory2 and /directory3 in my site. Yesterday, when I peeked at my logs, everything was normal. Today I saw about 100 referrers in form of /directory///file.html
/directory/////////file.html
/directory2////////file2.html
/directory3////////file3.html and so on. When I looked at my 404 errors, I noticed the same trend: /directory//////////directory2/
/directory//////////directory3/ and so on. I've never seen anything like this in my logs before, and all these entries have occurred in a short period of time. What's going on?
|
jdMorgan
msg:894642 | 10:13 pm on May 13, 2003 (gmt 0) |
NGene, Could be a human probing your site, or more likely a badly-written robot. Block the IP address or IP address range just in case it's malicious. Jim
|
mischief
msg:894643 | 5:28 am on May 14, 2003 (gmt 0) |
There's been a few exploits in various web servers that take advantage of bugs in the server's directory handling abilities by confusing it into showing what it shouldn't. eg, going to "http://www.example.com/../../../../etc/" might possibly reveal the contents of a machine's "etc" directory and allow someone to steal a passwd file or something. Maybe some new kiddie scanning tool has come out that looks for something similar and leaves those weird referrers behind?
|
pawel
msg:894644 | 11:00 am on May 13, 2003 (gmt 0) |
Exactly,
typing URLs like this is the first thing a wanna-be hacker does, though a character sequence like ///// looks rather weird (or, more likely, I haven't heard of it yet), but /../../../../ can get you to the top of the directory structure and then straight to /etc/passwd, or, say, /winnnt/system32/cmd.exe.
|
|
|
