
Thread: Odd Defacement attempts

  1. #1

    Odd Defacement attempts

    When my honeypots are compromised, this command is frequently run:
    Code:
    echo "ÕÙ»½" > index.jsp;
    Always piped into a jsp, then it's attempted to put it into .php, html (because it fails initially, obviously)...

    Which is odd, because it doesn't do anything special in browsers. Those characters aren't google friendly either, making it hard to see what's been discussed about it.

    Any ideas why this is so frequently attempted? Why are many different attackers using it, and why don't they choose an alternative such as "d3f4c3d by 50d4p0p1n5ky"

    I'm assuming the attackers don't know either... they're just picking it up somewhere. That's how the logs read too.

  2. #2
    Banned
    Join Date
    May 2003
    Posts
    1,004
    To make you ask questions.

    cheers,

    catch

  3. #3
    Motives for attack:
    • To gain reputation
    • To earn money
    • To protest (hacktivism)
    • To satisfy curiosity
    • To spread mass Confusion???


    What is this, Project Mayhem???

    But seriously, wtf?

  4. #4
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Possibly different character sets? From a US computer or no? If it was from somewhere else, you might try looking in their character set and you might also try looking before/after they do it for references to see if that sheds a little more info into it...

    Anyway, tried converting them to unicode: "%D5%D9%BB%BD" to make it a little more search friendly, but google is converting the '%' as well so I am not sure ... Hex didn't work either ...
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  5. #5
    Each IP resolved to Asia. Will look into that, thanks!

  6. #6
    Senior Member
    Join Date
    Nov 2005
    Posts
    316
    You know, there is major money here, preventing such attacks. Well, for the other people causing all this, eventually get caught, if they get too far.
    you are entering the vicinity of an area adjacent to the location.

  7. #7
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Preventing such attacks is only part of the answer... response is the other part:

    Organically Assured and Survivable Information System (OASIS) http://www.tolerantsystems.org/ (only the bottom set of links are public)

    cheers,

    catch

  8. #8
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    My Chinese/Japanese (it's kanji after all) is not really
    fluent, but it is a formal way to express "call someone"
    (hence nebulus200 was right, I assume)

    Google translates it as "Summoning/consuming?".

    Nothing spectacular
    Maybe the attacker would have modified the file after
    that by hand to add more context?


    Cheers


    /edit: create an HTML file and load the Simplified Chinese character set (kanji,
    in Japanese language):

    Code:
    <META HTTP-EQUIV="Content-Type" Content="text/html; charset=gb2312">
    
    <h1>ÕÙ»½</h1>
    The characters will result in Google's language tool as
    Japanese: Summoning/consuming?
    Chinese: summons (noun). Haven't seen this before



    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)
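
The byte-level check that posts #4 and #8 arrive at, written out as an added example (not code from any poster in this thread): it recovers the raw bytes from the Latin-1 rendering or the percent-encoded form seen in a log, then tries legacy CJK encodings and keeps those that yield only ideographs. The candidate encoding list and the function names are assumptions.

```python
import re
import unicodedata
from urllib.parse import unquote_to_bytes

# Legacy CJK encodings to try; this list is an assumption, extend as needed.
CANDIDATES = ["gb2312", "big5", "euc_jp", "shift_jis", "euc_kr"]

# The string from post #1 as it appears in a Latin-1 log view.
SAMPLE = "\u00d5\u00d9\u00bb\u00bd"

PERCENT_FORM = re.compile(r"(?:%[0-9A-Fa-f]{2})+")


def to_bytes(sample: str) -> bytes:
    """Recover raw bytes from a percent-encoded or Latin-1-rendered string."""
    if PERCENT_FORM.fullmatch(sample):
        return unquote_to_bytes(sample)
    try:
        return sample.encode("latin-1")
    except UnicodeEncodeError:
        # Windows tools often render 0x80-0x9F through cp1252 instead.
        return sample.encode("cp1252")


def is_ideograph(ch: str) -> bool:
    return unicodedata.name(ch, "").startswith("CJK UNIFIED IDEOGRAPH")


def candidate_decodings(sample: str) -> dict:
    """Map encoding name -> decoded text for every clean, all-ideograph decode."""
    data = to_bytes(sample)
    hits = {}
    for enc in CANDIDATES:
        try:
            text = data.decode(enc)
        except UnicodeDecodeError:
            continue  # bytes are not valid in this encoding
        if text and all(is_ideograph(c) for c in text):
            hits[enc] = text
    return hits


if __name__ == "__main__":
    print("raw bytes:", to_bytes(SAMPLE).hex())
    for enc, text in candidate_decodings(SAMPLE).items():
        print(enc, text, [f"U+{ord(c):04X}" for c in text])
```

Several encodings can decode the same bytes into valid ideographs, so the output is a shortlist to weigh against other evidence, such as where the source IPs resolve.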
