
Forum Moderators: phranque

What is this apparent attack trying to do

Cannot decode these

     
7:02 pm on Aug 2, 2019 (gmt 0)

graeme_p, Senior Member from GB


This is what my (nginx) access log looks like:

5.122.140.143 - - [02/Aug/2019:17:56:52 +0000] "\x5CP\xFE\xC5\x97\x9D\x9DA\x19c\x9011ms\xCB\xCFI\x8E\x08\xD7R\x1Cf\x1Cr\xD9\x11_\xE9\x7F\x0F\x86\x18\xB5\xDC\xAB\xA0\xAF\x103o\x22\x97\x12GC\xE8\x9E(e\x06\x0Fk\xB2\x94 \xDA\x7F\x14$|q\xA6\xE2\xDBT&\xAC\xDB\xB5\xB6}\xB2\xE0\x9F\xD4\x96?\xA2\x0C,V\xD7\xB8.u\xBD\x0CG\xA2zs=C)\xC87=|\xC2_7\x13\xB6\xB3GF\xCF&\x5C\x02rp\xA9Q\xC7.\xFC0*9\xEA\x80Z\x18\x99\xFF\x1E\xA9w1;\x10I\x9Dc7\x02<\x82\xD0\x12\x93\xC0\xD0D\xB9\x1Fh\xE7<^\xD0\x12\xDA\x08H\x8A=w1\x12\xCF<n\xDE\x93\x9D\xF8#\xDE\x89Nq\x0F\x1CO\xC7{\xFF\xCBt\x8A\xB3OpCe\xD9\x0CEt#L\x93N\xC5\xDC\xDAM\xA2\xCD\xC9\xFB\xA5\xDC\xC9_j\x01\xBD\xD6D\xCF+\xC9V-\xF9K*\x05\xF6*\xEE\x14?\x08N^-\xB2\xFF\xE3\x9D\xD9<XI\xF9\xDE\xA2\x9D`\x9Ei\xDA\xE4\xBE7\x13Z\x9E\x1B\x1F\x82\xADJ\xA8\xB5\x14G\xD6\xAC\x883\x1CF\x91\x22\x8C\xEC@" 400 173 "-" "-"
5.252.196.173 - - [02/Aug/2019:17:56:52 +0000] "o\xE4\xCE\xC63svz\x07m\xAF\xBB\x1A\x1E\xA3Y3\xAB\xE4\x91\xDDL\x07B\xF1\xE8\xFA" 400 173 "-" "-"


and lots more

I am also getting

SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long)


from some of the same client IPs.

Does anyone know what this is trying to do?
8:59 pm on Aug 2, 2019 (gmt 0)

tangor, Senior Member from US


Most likely up to no good ... check the IP and it resolves to a known bad actor nation state.
9:07 pm on Aug 2, 2019 (gmt 0)

lucy24, Senior Member from US


Does anyone know what this is trying to do?
Something evil--but the 400 response in logs suggests that not only is it not succeeding, it's not even formulating the attempt correctly. (Notice how the request jumps right in without specifying a method, unless you cut that part.)

In general, the \x blabla represents obfuscated text--but in this case, the bits after the \x read like pure gibberish. I suspect a second- or third-hand script that's been encoded and disencoded too many times ever to make sense.
9:09 pm on Aug 2, 2019 (gmt 0)

graeme_p, Senior Member from GB


Good suggestion @tangor. All IPs checked so far are Iranian. Site is hosted in the UK so, given recent events, probably a random attack on UK IPs.

Site is for internal use so have shut it down for the night.
9:13 pm on Aug 2, 2019 (gmt 0)

graeme_p, Senior Member from GB


@lucy, that would explain why my attempts to decode it have failed.
9:39 pm on Aug 2, 2019 (gmt 0)

Senior Member


Attempt of buffer overflow exploit.
10:03 pm on Aug 2, 2019 (gmt 0)

tangor, Senior Member from US


Good suggestion @tangor


These days my USA sites have been hammered by Chinese and Russian Federation states. Consequently I have embarked on complete country denials, EXCEPT for those IPs I know to be good (or clients).

We live in interesting times.
2:53 pm on Aug 3, 2019 (gmt 0)

graeme_p, Senior Member from GB


I was thinking of doing a country whitelist. I will probably have to move to a blacklist later, but at the moment a whitelist will do. An IP whitelist would almost do except for dynamic (especially mobile network) IPs.

That is not done yet. As a stopgap I have added a fail2ban filter and jail using the nginx access log (I had to write them, but really just adapted them from existing filters).
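One way to do the decoding lucy24 describes and to feed a fail2ban-style ban list from the nginx access log, added here as an example (it is not graeme_p's filter or anything posted in the thread): it undoes nginx's \xNN log escaping, checks whether the request line begins with an HTTP method or with a TLS record header, and counts per-IP 400s whose request line was not HTTP. The sample log lines are constructed: the two IPs from the thread with shortened stand-ins for their payloads, plus two made-up lines from documentation address ranges for contrast.

```python
import re
from collections import Counter

# Constructed sample in nginx "combined" format: the two thread IPs with
# shortened stand-ins for their payloads, plus two lines made up for contrast.
SAMPLE_LOG = r'''
5.122.140.143 - - [02/Aug/2019:17:56:52 +0000] "\x5CP\xFE\xC5\x97\x9D\x9DA\x19c" 400 173 "-" "-"
5.252.196.173 - - [02/Aug/2019:17:56:52 +0000] "o\xE4\xCE\xC63svz\x07m\xAF" 400 173 "-" "-"
203.0.113.9 - - [02/Aug/2019:17:57:01 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03" 400 173 "-" "-"
198.51.100.7 - - [02/Aug/2019:17:57:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
'''.strip().splitlines()

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
METHODS = {b'GET', b'HEAD', b'POST', b'PUT', b'DELETE', b'OPTIONS', b'PATCH', b'CONNECT', b'TRACE'}

def unescape(req: str) -> bytes:
    r"""Undo nginx's \xNN log escaping of non-printable bytes, quotes and backslashes."""
    return re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), req).encode('latin-1')

def classify(raw: bytes) -> str:
    """Label what a rejected request line actually was, after unescaping."""
    if raw.split(b' ', 1)[0] in METHODS:
        return 'http'
    if raw[:2] == b'\x16\x03':          # TLS record header: handshake type, SSL3/TLS major version
        return 'tls-on-plain-port'      # a client spoke TLS to the plaintext listener
    printable = sum(32 <= b < 127 for b in raw)
    if raw and printable / len(raw) < 0.6:
        return 'binary-junk'            # no method, mostly non-ASCII: nothing to decode
    return 'unknown'

def classify_line(line: str) -> str:
    m = LINE_RE.match(line)
    return classify(unescape(m['req'])) if m else 'unparsed'

def triage(lines, threshold: int = 1) -> dict:
    """Per-IP count of 400s whose request line was not HTTP; input for a ban list."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m['status'] == '400' and classify(unescape(m['req'])) != 'http':
            hits[m['ip']] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

if __name__ == '__main__':
    for line in SAMPLE_LOG:
        print(classify_line(line), line[:60])
    print(triage(SAMPLE_LOG))
```

The 0.6 printable-ratio cutoff and the ban threshold are assumptions to tune against your own log; on the full lines from the thread the ratio is far lower.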
3:22 pm on Aug 3, 2019 (gmt 0)

graeme_p, Senior Member from GB


I am getting ssh brute force attacks from China. Again, using fail2ban for now, will probably use port knocking in the future.
4:41 pm on Aug 3, 2019 (gmt 0)

lucy24, Senior Member from US


I was able to reduce my Deny list by about half simply by excluding one Accept-Language header. (The obvious one.) Some day, robots will get smart and start lying plausibly--in the same way that everyone now claims to be Mozilla--but so far they don't. Mwa ha ha.
4:57 pm on Aug 4, 2019 (gmt 0)

Preferred Member from CA


I do agree with Lucy. The Accept-Language has done wonders for me, and hope that this will continue. I continue to seek any and all silver bullets, as you can't have too many. There are some legit bots that are a bit sloppy, so I poke holes for them, if they are nice, well behaved and useful.

As I am fluent in Chinese and welcome Chinese search engines I have an interest in learning about Chinese bots, their activity and tactics. Alas, my learnings are scant. Some Chinese bots use romanized Chinese words such as "Huang" or emperor, for example, but these are rare.
3:20 am on Aug 5, 2019 (gmt 0)

tangor, Senior Member from US


The number of truly beneficial bots can be counted on one hand these days. Even so, I do make an attempt to see if there is any value before I nuke 'em. :)

More concerned with the hackers and hijackers ... and in that regard it just makes more sense to take out geo locations as few (as Dire Straits once sang "speaka my language") would have any interest in the content of the site ... seeking a blast/spam thing instead.
4:27 am on Aug 18, 2019 (gmt 0)

Senior Member


You can toughen up .htaccess, generic example...

### MALFORMED PARAMETERS
RewriteCond %{QUERY_STRING} base64_(en|de)code [OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* - [F]