What is this apparent attack trying to do - Webmaster General forum at WebmasterWorld - WebmasterWorld

Forum Moderators: phranque

Message Too Old, No Replies

What is this apparent attack trying to do

Cannot decode these

graeme_p

7:02 pm on Aug 2, 2019 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

This is what my (nginx) access log looks like:

5.122.140.143 - - [02/Aug/2019:17:56:52 +0000] "\x5CP\xFE\xC5\x97\x9D\x9DA\x19c\x9011ms\xCB\xCFI\x8E\x08\xD7R\x1Cf\x1Cr\xD9\x11_\xE9\x7F\x0F\x86\x18\xB5\xDC\xAB\xA0\xAF\x103o\x22\x97\x12GC\xE8\x9E(e\x06\x0Fk\xB2\x94 \xDA\x7F\x14$|q\xA6\xE2\xDBT&\xAC\xDB\xB5\xB6}\xB2\xE0\x9F\xD4\x96?\xA2\x0C,V\xD7\xB8.u\xBD\x0CG\xA2zs=C)\xC87=|\xC2_7\x13\xB6\xB3GF\xCF&\x5C\x02rp\xA9Q\xC7.\xFC0*9\xEA\x80Z\x18\x99\xFF\x1E\xA9w1;\x10I\x9Dc7\x02<\x82\xD0\x12\x93\xC0\xD0D\xB9\x1Fh\xE7<^\xD0\x12\xDA\x08H\x8A=w1\x12\xCF<n\xDE\x93\x9D\xF8#\xDE\x89Nq\x0F\x1CO\xC7{\xFF\xCBt\x8A\xB3OpCe\xD9\x0CEt#L\x93N\xC5\xDC\xDAM\xA2\xCD\xC9\xFB\xA5\xDC\xC9_j\x01\xBD\xD6D\xCF+\xC9V-\xF9K*\x05\xF6*\xEE\x14?\x08N^-\xB2\xFF\xE3\x9D\xD9<XI\xF9\xDE\xA2\x9D`\x9Ei\xDA\xE4\xBE7\x13Z\x9E\x1B\x1F\x82\xADJ\xA8\xB5\x14G\xD6\xAC\x883\x1CF\x91\x22\x8C\xEC@" 400 173 "-" "-"
5.252.196.173 - - [02/Aug/2019:17:56:52 +0000] "o\xE4\xCE\xC63svz\x07m\xAF\xBB\x1A\x1E\xA3Y3\xAB\xE4\x91\xDDL\x07B\xF1\xE8\xFA" 400 173 "-" "-"

and lots more

I am also getting

SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long)

from some of the same client IPs.

Does anyone know what this is trying to do?

tangor

8:59 pm on Aug 2, 2019 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Most likely up to no good ... check the IP and it resolves to a known bad actor nation state.

lucy24

9:07 pm on Aug 2, 2019 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Does anyone know what this is trying to do?

Something evil--but the 400 response in logs suggests that not only is it not succeeding, it's not even formulating the attempt correctly. (Notice how the request jumps right in without specifying a method, unless you cut that part.)

In general, the \x blabla represents obfuscated text--but in this case, the bits after the \x read like pure gibberish. I suspect a second- or third-hand script that's been encoded and disencoded too many times ever to make sense.

graeme_p

9:09 pm on Aug 2, 2019 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Good suggestion @tangor. All IPs checked so far are Iranian. Site is hosted in the UK so, given recent events probably a random attack on UK IPs.

Site is for internal use so have shut it down for the night.

graeme_p

9:13 pm on Aug 2, 2019 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

@lucy, that would explain why my attempts to decode it have failed.

Dimitri

9:39 pm on Aug 2, 2019 (gmt 0)

WebmasterWorld Senior Member

Top Contributors Of The Month

Attempt of buffer overflow exploit.

tangor

10:03 pm on Aug 2, 2019 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Good suggestion @tangor

These days my USA sites have been hammered by Chinese and Russian Federation states. Consequently I have embarked on complete country denials, EXCEPT for those IPS I know to be good (or clients).

We live in interesting times.

graeme_p

2:53 pm on Aug 3, 2019 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

I was thinking of doing a country whitelist. I will probably have to move to a blacklist later, but at the moment a whitelist will do. An IP white list would almost do except for dynamic (especially mobile network) IPs.

That is not done yet. As a stopgap I have added a fail2ban filter and jail using the nginx access log (I had to write them but really just adapted it from existing filters)

graeme_p

3:22 pm on Aug 3, 2019 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

I am getting ssh brute force attacks from China. Again, using fail2ban for know, will probably use port knocking in the future.

lucy24

4:41 pm on Aug 3, 2019 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

I was able to reduce my Deny list by about half simply by excluding one Accept-Language header. (The obvious one.) Some day, robots will get smart and start lying plausibly--in the same way that everyone now claims to be Mozilla--but so far they don't. Mwa ha ha.

TorontoBoy

4:57 pm on Aug 4, 2019 (gmt 0)

Top Contributors Of The Month

I do agree with Lucy. The Accept Language has done wonders for me, and hope that this will continue. I continue to seek any and all silver bullets, as you can't have too many. There are some legit bots that are a bit sloppy, so I poke holes for them, if they are nice, well behaved and useful.

As I am fluent in Chinese and welcome Chinese search engines I have an interest in learning about Chinese bots, their activity and tactics. Alas, my learnings are scant. Some Chinese bots use romanized Chinese words such as "Huang" or emperor, for example, but these are rare.

tangor

3:20 am on Aug 5, 2019 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

The number of truly beneficial bots can be counted on one hand these days. Even so, I do make an attempt to see if there is any value before I nuke 'em. :)

More concerned with the hackers and hijackers ... and in the regard is just makes more sense to take out geo locations as few (as Dire Straits once sang "speaka my language") would have any interest in the content of the site ... seeking a blast/spam thing instead.

JS_Harris

4:27 am on Aug 18, 2019 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

You can toughen up .htaccess, generic example...


### MALFORMED PARAMETERS
RewriteCond %{QUERY_STRING} base64_(en|de)code [OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* - [F]