
Is it a possible XSS attack or crawler leftovers?


phparion

1:28 pm on Jan 30, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I am not sure if this is the correct forum to ask this question, but anyway, recently I noticed 3 hits on my website with very strange URLs, which are as follows:

/'+AFv_tag.AF+'templates/'+AFv_tag.VRS+'?tag='+AFv_tag.SN+'&sip='+AFv_tag.IP+'&cnl='+AFv_tag.CH+'&aftid=18&type=c&w='+w+'&h='+h+'&cat='+AFv_tag.CT+'&apr='+AFv_tag.APR+'

/'+AFv_tag.AFR+AFf_T()+


/'+AFv_tag.AF+'images/closeX.gif

I get no clue from these links, as there is no such URL pattern on my website. Secondly, I do not have any TEMPLATE folder, as used in the first URL. I do have an IMAGES folder, as used in the third URL, but there is NO closeX.gif image in it.

I am lost as to what kind of hits those were. Any idea?

thank you

httpwebwitch

2:19 pm on Feb 8, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



They're not XSS; there is no JavaScript payload in them.

Someone is probing your site. They're using a scraper/probing tool to look for installed CGIs and scripts that have known security vulnerabilities. Ultimately, they're looking for an opening to get shell access or SQL injection.

But the hacker is using it wrong, and the "AFv_" variable names are being sent in the request rather than being replaced by values. Used successfully, their requests would not stand out like that; they'd just be unusual 404s.

Sometimes you see these kinds of URLs prefaced with "/../../../../../../../../", which means they're also sniffing for path traversal vulnerabilities.

Definitely malicious.
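An added example, not part of the thread, of the detection logic the reply above implies: scanning an access log for the two probe shapes it describes, JavaScript template fragments sent literally (the `'+AFv_tag.X+'` pattern) and repeated `../` traversal prefixes, and counting tagged requests per source address. The log lines are constructed for this example in Apache/nginx combined format; the three AFv_tag paths are the ones phparion quoted, the other lines are made up.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample log (combined format). The three AFv_tag paths are the
# ones quoted in the post; the traversal and normal lines are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jan/2009:13:01:12 +0000] "GET /'+AFv_tag.AF+'templates/'+AFv_tag.VRS+'?tag='+AFv_tag.SN+'&sip='+AFv_tag.IP+'&cnl='+AFv_tag.CH+'&aftid=18&type=c&w='+w+'&h='+h+'&cat='+AFv_tag.CT+'&apr='+AFv_tag.APR+' HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [30/Jan/2009:13:01:13 +0000] "GET /'+AFv_tag.AFR+AFf_T()+ HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [30/Jan/2009:13:01:13 +0000] "GET /'+AFv_tag.AF+'images/closeX.gif HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.9 - - [30/Jan/2009:13:05:40 +0000] "GET /../../../../../../../../etc/passwd HTTP/1.0" 404 512 "-" "-"
192.0.2.55 - - [30/Jan/2009:13:06:01 +0000] "GET /index.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
192.0.2.55 - - [30/Jan/2009:13:06:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Combined-format prefix: client, ident, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)

# Signatures for the two probe shapes discussed in the thread.
SIGNATURES = {
    # JavaScript string-concatenation fragments ('+var+', +func()+) sent
    # literally: the probing tool failed to substitute its template variables.
    "unexpanded_template": re.compile(r"'\+|\+'|\+\w+\(\)\+"),
    # Two or more dot-dot-slash segments, raw or URL-encoded: traversal probing.
    "path_traversal": re.compile(r"(?:\.\./|%2e%2e%2f){2,}", re.IGNORECASE),
}


def classify_path(path: str) -> List[str]:
    """Return the names of every signature that matches the request path."""
    return [name for name, rx in SIGNATURES.items() if rx.search(path)]


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse each log line and attach the matching signature tags."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess at fields
        findings.append({
            "ip": m.group("ip"),
            "path": m.group("path"),
            "status": int(m.group("status")),
            "tags": classify_path(m.group("path")),
        })
    return findings


def suspicious_ips(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count tagged (probe-like) requests per source address."""
    return dict(Counter(f["ip"] for f in findings if f["tags"]))


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        if f["tags"]:
            print(f["ip"], f["status"], ",".join(f["tags"]), f["path"])
    print(suspicious_ips(results))
```

The point of tagging rather than just grepping for 404s is the one the reply makes: a probe that had substituted its variables correctly would look like an ordinary missing-file request, so the signatures target the shape of the probing, not the status code. A real deployment would feed the per-IP counts into whatever blocks or alerts.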

phparion

3:06 pm on Feb 8, 2009 (gmt 0)




Thank you for your reply. My code base is very solid and I take care of all the SQL injection etc. stuff. What else can I do to make sure such attacks never hurt my applications?

httpwebwitch

4:51 am on Feb 9, 2009 (gmt 0)




Make sure all your errors (4xx-5xx statuses) are handled in a way that reveals nothing useful to the agent. Set your error reporting to its tightest setting, review your folder permissions and database permissions, and don't put anything secret on the server!

They're probing... just make sure there's nothing to find ;)

phparion

9:47 am on Feb 9, 2009 (gmt 0)




Thank you, I am going through the application to double-check the security measures.

By the way, I have installed the CSF firewall on my Linux server, have blocked direct root access, changed the default SSH port, and the firewall blocks the user in case of brute forcing. Would that be of any use in preventing these attacks?

httpwebwitch

2:43 pm on Feb 12, 2009 (gmt 0)




It depends what they find.

Throttling/rate limiting can stop brute-force enumeration or authentication attacks, like someone trying every combination of A-Z0-9 to guess your admin password. But if there's a gaping hole in your code, a good attacker can DROP an entire database with one cleverly crafted HTTP request. Ka-BAM!

They could be sniffing for a loosely coupled MAIL function that accepts a TO parameter, so they might use your server to send spam. Or they may be looking for the fingerprint of an old version of WordPress, an outdated Joomla, or a dusty copy of some archaic function from Matt's Script Archive. Who knows.

I don't know whether ports and firewalls are effective against malicious attacks which are otherwise just normal HTTP requests. But it can't hurt. There's peace of mind in having your outward-facing servers locked down and buttoned up tight.

Ultimately it's loose code that lets attackers in.
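An added example, not part of the thread, of the point in the last reply that rate limiting does nothing against a single well-formed request: a lookup built by string concatenation beside its parameterised form, run against a constructed in-memory SQLite table. Only the `find_user_vulnerable` and `run_report_stacked` functions are deliberately unsafe; `run_report_stacked` uses `sqlite3`'s `executescript` purely to stand in for a driver that permits stacked statements (an assumption made for the demonstration, since plain `execute` in `sqlite3` refuses a second statement).

```python
import sqlite3
from typing import List, Tuple


def setup_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"),
         ("bob", "bob@example.invalid"),
         ("carol", "carol@example.invalid")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # DELIBERATELY VULNERABLE: the request parameter becomes part of the SQL
    # text, so a quote in it ends the literal and the rest is parsed as SQL.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # Parameterised: the driver sends the value separately from the query text,
    # so the same payload is matched literally against the column and finds nothing.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def run_report_stacked(conn: sqlite3.Connection, name: str) -> None:
    # DELIBERATELY VULNERABLE. Assumption for this demo: executescript stands in
    # for a driver/configuration that runs several ';'-separated statements
    # from one query string, which is what makes "DROP with one request" possible.
    conn.executescript("SELECT name FROM users WHERE name = '" + name + "';")


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    """Check the catalogue so the effect of the stacked payload is observable."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


# Payloads as they would arrive in a single HTTP parameter (constructed).
PAYLOAD_BYPASS = "' OR '1'='1"            # turns WHERE into a tautology
PAYLOAD_DROP = "x'; DROP TABLE users; --"  # closes the literal, stacks DROP, comments the tail


if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable, normal input:", find_user_vulnerable(conn, "alice"))
    print("vulnerable, bypass payload:", find_user_vulnerable(conn, PAYLOAD_BYPASS))
    print("safe, bypass payload:", find_user_safe(conn, PAYLOAD_BYPASS))
    run_report_stacked(conn, PAYLOAD_DROP)
    print("users table still exists:", table_exists(conn, "users"))
```

The request count is one in every case, which is why throttling at the firewall never sees anything to throttle; the only fix is on the query-building side, and the parameterised function shows that it costs nothing in code.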