November 21st, 2005 10:59 PM
Odd Defacement attempts
When my honeypots are compromised, this command is frequently run:
Always piped into a jsp, then it's attempted to put it into .php, html (because it fails initially, obviously)...
echo "ÕÙ»½" > index.jsp;
Which is odd, because it doesn't do anything special in browsers. Those characters aren't google friendly either, making it hard to see what's been discussed about it.
Any ideas why this is so frequently attempted? Why are many different attackers using it, and why don't they choose an alternative such as "d3f4c3d by 50d4p0p1n5ky"
I'm assuming the attackers dont' know either... they're just picking it up somewhere. That's how the logs read too.
November 21st, 2005 11:03 PM
To make you ask questions.
November 21st, 2005 11:10 PM
Motives for attack:
- To gain reputation
- To earn money
- To protest (hacktivism)
- To satisfy curiosity
- To spread mass Confusion???
What is this, Project Mayhem???
But seriously, wtf?
November 21st, 2005 11:18 PM
Possibly different character sets ? From a US computer or no ? If it was from somewhere else, you might try looking in their character set and you might also try looking before/after they do it for references to see if that sheds a little more info into it...
Anyway, tried converting them to unicode: "%D5%D9%BB%BD" to make it a little more search friendly, but google is converting the '%' as well so I am not sure ... Hex didn't work either ...
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
November 21st, 2005 11:22 PM
Each IP resolved to Asia. Will look into into that, thanks!
November 21st, 2005 11:26 PM
you know, there is major money here, preventing such attacks. well for the other people causing all this, eventually get caught, if they get too far.
you are entering the vicinity of an area adjecent to the location.
November 21st, 2005 11:32 PM
Preventing such attacks is only part of the answer... response is the other part:
Organically Assured and Survivable Information System (OASIS) http://www.tolerantsystems.org/ (only the bottom set of links are public)
November 22nd, 2005 08:31 AM
My chinese/japanese (it's kanji after all) is not really
fluent ( ), but it is a formal way to express "call someone"
(hence nebulus200 was right I assume) )
Google translates it as "Summoning/consuming?".
Maybe the attacker would have modified the file after
that by hand to add more context?
/edit: create a html-file and load the simplified chinese character set (kanji,
in japanese language):
The characters will result in google's language tool as
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=gb2312">
chinese: summons (noun). haven't seen this before
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)