
Thread: Weird Entry In Web Logs

  1. #1
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897

    Weird Entry In Web Logs

    Hi all, I'm getting some weird lines in my weblogs:

    222.110.47.149 - - [01/Mar/2006:11:00:39 -0800] "GET /\x1f\xdc.\xa0\xa2\x1f\x0f\xe80?c\xe0P\xfa`\xf2]\x1eO\xd6\xb3\xf1W\xd5\x97Ue\xc0\xd0\xbe\xfe\x17+\xff\x95\xab\x8a\xbfU\x17(\x03\xea\xe7\xad\xf2\xa5<\xf0\xf7\xedyM\xe7\xb5\xb3\x01\xcf__\x12\x87\xfe\xf0\x1f\xf8\xf8\xbe*\xd9\x07\xb5W\xe7\xb7\xea\xa1\x7f\xa2\x9c\xcd\xf9u\x85\xf22\xaa\xcf\x9a\xddV$\x17\xaa\x03\xe0s\xf6\x17}Z\xaf\xab\x1e\x17\xcf\x02\x8b\xfeU\xf07\xef_e/.\x96+\x9e\xff\x80\xfa\xa9\xffK\xf8\xef\xff\xf0\xe7\xaf\xafw\xe1\bIT\xaf\xc3\xe5bP\xfdQz\xbc\x1e\x17|\xb9_\x95\xfdMQ\xe5\x1e\xb3n\xdeLn\x9c\xdd\x1f\x89\xc4\xa0<\x07\xf9K\xfd\xff\xa8\xec\xff\x94c\xf1%22\xf9\\\xb2g\xe2\xb1+\xfcH\xce\xc7\x7f\xff\x87=}|%20\xa0\x1f\xf0\x18\x10R\xfe\xcb`\x1c\xffg\x8b\xa0\x97\xfb8\xd4\x12\xbf\xe1\xfd\xac\x17~+\x11\xa9\xfe\x18%\x0f\xe9u\x12\xe0\xf8\xbe\x89^\xb9\xf1\xfcU\xf0=\xeb\xceUx\xa2Q\xdf\xb9\xac\xc2\x7f\xff\xf0\xe7\xaf\xafh|\x10\x07\xe2Z\xa1$\xbc\xbb\xd6\xf8%20\x17\x01\xf2\xfe~\xf1L\xf3\x12\xf7\xb4\xbf\xb8%22\xe2\xff\x83D HTTP/1.0" 503 316 "http://www.irongeek.com/videos/ettercapfiltervid1.swf" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
    222.110.47.149 - - [01/Mar/2006:11:00:39 -0800] "GET /\x828\xea\x83?\xf9\x9a\x01\xea\x87\xc5\xd4|\bP\xbf\xcaD\x85E\xea\xd5\x17\xab\xf1}UK\xf7\xea\x80\xef\x8b\x87\xde\xb3\xe2E\x12\x87\xe20\xe8z\xa2\x8e\xe5\x8e\xd4\x1f\x89%20~yT..\x12\x8b\x95_\xfe\x17\x17\x01\xfc\x1e\xabQ\x15\xab\xd1\xf9x\xfd^\xfe\x17\x17L\x1e\xa8\x03\x9c\xf4\xb7\xf5\xfbC\xf2\xfa%\x97\xfc\xbf\xf9\x14\xd1\x1b\xc22\xa8%22*U:\xa0\xb8\xbb\xd8\xa8\xbb\xc2%22\xa9<c\xff\xff\xe8\x04/\x17+\xfa\x85j\x87\xe5\xf6\x88\xca\x8b\x8b\xcb\x84\xa5\xea\xb2\xf5bYz\xa2\xf8\xab\xc5\xd2m\xd5J\x14)/V?.\x85\xc0\xd0\xbe\xe0A\xf0%20\x17?>?\xa2H\x92>V\x01\xe2X\x90\xa9X\x91|%P<$\x02\x82\x82\x84x?.\x1f\xa9\xa5\xfe\x12e\xf1u\xa3\xe1\xe2\x8c\xaa\xea\x90h?\xf4\x04\xa0\x86\x0f\x17\xaa HTTP/1.0" 503 316 "http://www.irongeek.com/videos/slack1.swf" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
    222.110.47.149 - - [01/Mar/2006:11:00:39 -0800] "GET /\x1f\xdc.\xa0\xa2\x1f\x0f\xe80?c\xe0P\xfa`\xf2]\x1eO\xd6\xb3\xf1W\xd5\x97Ue\xc0\xd0\xbe\xfe\x17+\xff\x95\xab\x8a\xbfU\x17(\x03\xea\xe7\xad\xf2\xa5<\xf0\xf7\xedyM\xe7\xb5\xb3\x01\xcf__\x12\x87\xfe\xf0\x1f\xf8\xf8\xbe*\xd9\x07\xb5W\xe7\xb7\xea\xa1\x7f\xa2\x9c\xcd\xf9u\x85\xf22\xaa\xcf\x9a\xddV$\x17\xaa\x03\xe0s\xf6\x17}Z\xaf\xab\x1e\x17\xcf\x02\x8b\xfeU\xf07\xef_e/.\x96+\x9e\xff\x80\xfa\xa9\xffK\xf8\xef\xff\xf0\xe7\xaf\xafw\xe1\bIT\xaf\xc3\xe5bP\xfdQz\xbc\x1e\x17|\xb9_\x95\xfdMQ\xe5\x1e\xb3n\xdeLn\x9c\xdd\x1f\x89\xc4\xa0<\x07\xf9K\xfd\xff\xa8\xec\xff\x94c\xf1%22\xf9\\\xb2g\xe2\xb1+\xfcH\xce\xc7\x7f\xff\x87=}|%20\xa0\x1f\xf0\x18\x10R\xfe\xcb`\x1c\xffg\x8b\xa0\x97\xfb8\xd4\x12\xbf\xe1\xfd\xac\x17~+\x11\xa9\xfe\x18%\x0f\xe9u\x12\xe0\xf8\xbe\x89^\xb9\xf1\xfcU\xf0=\xeb\xceUx\xa2Q\xdf\xb9\xac\xc2\x7f\xff\xf0\xe7\xaf\xafh|\x10\x07\xe2Z\xa1$\xbc\xbb\xd6\xf8%20\x17\x01\xf2\xfe~\xf1L\xf3\x12\xf7\xb4\xbf\xb8%22\xe2\xff\x83D HTTP/1.0" 503 316 "http://www.irongeek.com/videos/ettercapfiltervid1.swf" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
    222.110.47.149 - - [01/Mar/2006:11:00:39 -0800] "GET /\x828\xea\x83?\xf9\x9a\x01\xea\x87\xc5\xd4|\bP\xbf\xcaD\x85E\xea\xd5\x17\xab\xf1}UK\xf7\xea\x80\xef\x8b\x87\xde\xb3\xe2E\x12\x87\xe20\xe8z\xa2\x8e\xe5\x8e\xd4\x1f\x89%20~yT..\x12\x8b\x95_\xfe\x17\x17\x01\xfc\x1e\xabQ\x15\xab\xd1\xf9x\xfd^\xfe\x17\x17L\x1e\xa8\x03\x9c\xf4\xb7\xf5\xfbC\xf2\xfa%\x97\xfc\xbf\xf9\x14\xd1\x1b\xc22\xa8%22*U:\xa0\xb8\xbb\xd8\xa8\xbb\xc2%22\xa9<c\xff\xff\xe8\x04/\x17+\xfa\x85j\x87\xe5\xf6\x88\xca\x8b\x8b\xcb\x84\xa5\xea\xb2\xf5bYz\xa2\xf8\xab\xc5\xd2m\xd5J\x14)/V?.\x85\xc0\xd0\xbe\xe0A\xf0%20\x17?>?\xa2H\x92>V\x01\xe2X\x90\xa9X\x91|%P<$\x02\x82\x82\x84x?.\x1f\xa9\xa5\xfe\x12e\xf1u\xa3\xe1\xe2\x8c\xaa\xea\x90h?\xf4\x04\xa0\x86\x0f\x17\xaa HTTP/1.0" 503 316 "http://www.irongeek.com/videos/slack1.swf" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
    Does anyone recognize this as some sort of attack? Here is some info on the host:

    x:~# whois 222.110.47.149
    Çѱ¹ÀÎÅͳÝÁøÈï¿ø(NIDA)ÀÇ ÀÎÅͳÝÁ¤º¸¼¾ÅÍ(KRNIC)°¡ Á¦°øÇÏ´Â Whois ¼_ºñ½º ÀÔ´Ï´Ù.

    query: 222.110.47.149

    # KOREAN

    Á¶È¸°á°ú´Â ¾Æ·¡¿Í °°À¸¸ç, ½ÇÁ¦ Á¤º¸¿Í »óÀÌÇÒ ¼ö ÀÖ½À´Ï´Ù.

    IPv4 ÁÖ¼Ò : 222.110.47.128-222.110.47.255
    ³×Æ®¿öÅ© À̸§ : KORNET-INFRA000001
    ¿¬°á ISP¸* : KORNET
    ÇÒ´çÁ¤º¸°ø°³¿©ºÎ : N

    [ IPv4 »ç¿ë ±â°ü Á¤º¸ ]
    ±â°ü°*À¯¹øÈ£ : ORG1600
    ±â°ü¸* : Çѱ¹Åë½Å
    ÁÖ¼Ò : ¼º³²½Ã ºÐ´ç±¸ Á¤ÀÚµ¿ 206 Çѱ¹Åë½Å e-Bizº»ºÎ ±âȹÆÀ
    ¿ìÆ* ¹øÈ£ : 463-711

    [ ³×Æ®¿öÅ© ´ã´çÀÚ Àι° Á¤º¸ ]
    ±â°ü¸* : Çѱ¹Åë½Å
    ÁÖ¼Ò : ¼º³²½Ã ºÐ´ç±¸ Á¤ÀÚµ¿ 206 Çѱ¹Åë½Å e-Bizº»ºÎ ±âȹÆÀ
    ¿ìÆ* ¹øÈ£ : 463-711
    ÀüÀÚ ¿ìÆ* : ip@ns.kornet.net

    --------------------------------------------------------------------------------

    ¸¸¾* À§ÀÇ IPv4ÁÖ¼Ò »ç¿ë±â°ü Á¤º¸°¡ ¿Ã¹Ù¸£Áö ¾ÊÀ» °æ¿ì
    ¾Æ·¡ÀÇ ÇØ´ç ¿¬°á ISP ´ç´çÀÚ¿¡°Ô ¹®ÀÇÇϽñ⠹ٶø´Ï´Ù.

    [ ¿¬°áISPÀÇ IPv4ÁÖ¼Ò Ã¥ÀÓÀÚ Á¤º¸ ]
    À̸§ : IPÁÖ¼Ò°ü¸®ÀÚ
    ÀüÈ_ ¹øÈ£ : +82-2-3674-5708
    ÀüÀÚ ¿ìÆ* : ip@ns.kornet.net

    [ ¿¬°áISPÀÇ IPv4ÁÖ¼Ò °ü¸®ÀÚ Á¤º¸ ]
    À̸§ : IPÁÖ¼Ò´ã´çÀÚ
    ÀüÈ_ ¹øÈ£ : +82-2-3674-5708
    ÀüÀÚ ¿ìÆ* : ip@ns.kornet.net

    [ ¿¬°áISPÀÇ Network Abuse ´ã´çÀÚ Á¤º¸ ]
    À̸§ : ½ºÆÔ/ÇØÅ·´ã´ç
    ÀüÈ_ ¹øÈ£ : 080-223-5577
    ÀüÀÚ ¿ìÆ* : abuse@kornet.net

    # ENGLISH

    KRNIC is not an ISP but a National Internet Registry similar to APNIC.
    The followings is organization information that is using the IPv4 address.

    IPv4 Address : 222.110.47.128-222.110.47.255
    Network Name : KORNET-INFRA000001
    Connect ISP Name : KORNET
    Publishes : N

    [ Organization Information ]
    Organization ID : ORG1600
    Org Name : Korea Telecom
    Address : GYUNGGI
    Zip Code : 463-711

    [ Technical Contact Information ]
    Org Name : Korea Telecom
    Address : 206, Jungja-dong, Bundang-gu, Sungnam-ci
    Zip Code : 463-711
    E-Mail : ip@ns.kornet.net

    --------------------------------------------------------------------------------

    If the above contacts are not reachable, please contact following ISP
    for further information.

    [ ISP IPv4 Admin Contact Information ]
    Name : IP Administrator
    Phone : +82-2-3674-5708
    E-Mail : ip@ns.kornet.net

    [ ISP IPv4 Tech Contact Information ]
    Name : IP Manager
    Phone : +82-2-3674-5708
    E-Mail : ip@ns.kornet.net

    [ ISP Network Abuse Contact Information ]
    Name : Network Abuse
    Phone : 080-223-5577
    E-Mail : abuse@kornet.net


    x:~# nmap -P0 -A 222.110.47.149

    Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-03-02 01:57 CET
    Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
    Interesting ports on 222.110.47.149:
    (The 1671 ports scanned but not shown below are in state: filtered)
    PORT STATE SERVICE VERSION
    8080/tcp open http Linksys WRT54G wireless-G router http config
    Device type: router|broadband router|general purpose
    Running: Cisco IOS 12.X, Conexant embedded, Draytek embedded, FreeSCO Linux 2.0.X, Linksys embedded, Linux 2.4.X|2.5.X, D-Link embedded, Siemens embedded
    Too many fingerprints match this host to give specific OS details
    Uptime 0.111 days (since Wed Mar 1 23:20:26 2006)
    Service Info: Device: router

    Nmap finished: 1 IP address (1 host up) scanned in 177.791 seconds

  2. #2
    have you tried translation to hex, or even octal? looks like tetris to me...


  3. #3
    Yeah, that's an attempt to bust into your web site using one of the various buffer overflow attacks. Fortunately, you're responding with a 503, not a 200. Looks like some of the older nimda and CodeRed stuff, expanded. If you are not running IIS, this shouldn't be too much of a concern. If you are, you may want to look at how well your site is locked down, just for grins and giggles.


  4. #4
    King Tutorial-ankhamun
    It's Apache. It's just annoying having my log files filled with junk when I'm trying to look at recent visitors.

  5. #5
    Do you have a way of filtering this type of incoming at a firewall or application firewall? That will help keep it out of your site logs.

  6. #6
    King Tutorial-ankhamun
    Nope, it's not my box and my hosting provider does not seem to have an option for that.

  7. #7
    If they are a commercial hosting service, you'd think they would have a perimeter filter in place. That would prevent most of this kind of thing. Granted, it doesn't directly attack your Apache installation at this time, but ...

    'Course, it does just look like recon. Someone trying to find the odd vulnerable web server.

  8. #8
    Hmm, I did find this, and I quote:
    "If you see these characters in any log file there is a good chance an attacker
    is trying to mask his requests, or even trying to get around an IDS product.

    Encoded characters mentioned in last paper/this paper.

    %2e = . (Example: .. requests)
    %3e = > (Example: Html/Javascript/SSI insertion. Mentioned in last paper)
    %3c = < (Example: Html/Javascript/SSI insertion. Mentioned in last paper)
    %2a = * (Examples Listed in chapter 2 of this paper)
    %2b = + (Example: cmd.exe backdoor request. Also used as space)
    %60 = ` (Examples Command execution. Mentioned in last paper)
    %21 = ! (Example: SSI insertion. Mentioned in last paper)
    %7c = | (Example: Command execution. Mentioned in last paper)
    %3b = ; (Example: Command execution. Mentioned in last paper)
    %7e = ~ (Examples Listed in chapter2 of this paper)
    %3f = ? (Example: Php/Mentioned in last paper)
    %5c = \ (Example: Possible Encoded Windows Directory Traversal Attempt)
    %2f = / (Example: Possible Encoded Unix Directory Traversal Attempt)
    %7b = { (Example: Possible trojan/backdoor upload attempt, possible command argument)
    %7d = } (Example: Possible trojan/backdoor upload attempt, possible command argument)
    %28 = ( (Example: Possible Cross Site Scripting attempt)
    %29 = ) (Example: Possible Cross Site Scripting attempt)
    %5b = [ (Example: Possible trojan/backdoor upload attempt, possible command argument)
    %5d = ] (Example: Possible trojan/backdoor upload attempt, possible command argument)
    %5e = ^ (Example: Possible trojan/backdoor upload attempt, possible command argument)


    For a complete list of characters in Unix type "man ascii" and a list will be provided.
    Below is an example of what a directory traversal would look like while trying to fetch
    the server's password file.


    Example 1 :

    h t t p:// host/ script.ext?template=%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 <----- edited so this wouldn't turn into a url

    This looks similar, info is at http://www.cgisecurity.com/papers/fi...nting-2.html#1

    I'm going back to lurking now
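As an added example (not code from this thread or from any of its posters), here is a small Python log-triage script that applies the observations from posts #3 and #8 to Apache logs like the ones in the first post: it parses combined-format lines, reverses Apache's `\xNN` log escaping to recover the bytes the client actually sent, percent-decodes the request target, and flags three things a defender wants to see: a request that is mostly non-printable bytes (the overflow-style probes shown above, which are not URLs at all), a decoded `../` traversal, and percent-encoded metacharacters from the cgisecurity list that a browser would never need to encode. The sample log lines, the 30% non-printable threshold and the set of "suspicious" encodings are constructed assumptions, not something the thread specifies.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log lines (not taken from the original post): an ordinary
# request, a percent-encoded traversal attempt of the kind quoted from the
# cgisecurity paper, and a request whose path Apache wrote out as \xNN escapes.
SAMPLE_LOG = r'''
10.0.0.5 - - [01/Mar/2006:11:00:10 -0800] "GET /videos/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.6 - - [01/Mar/2006:11:00:20 -0800] "GET /script.ext?template=%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 HTTP/1.0" 404 280 "-" "Mozilla/4.0"
10.0.0.7 - - [01/Mar/2006:11:00:39 -0800] "GET /\x1f\xdc.\xa0\xa2\x1f\x0f\xe80?c\xe0P\xfa`\xf2]\x1eO\xd6 HTTP/1.0" 503 316 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
'''.strip().splitlines()

# Apache "combined" log format; quoted fields may contain \" escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<ref>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Apache escapes control and non-ASCII bytes in log fields as \xNN, and a few
# characters C-style; undo that to recover the bytes the client sent.
_C_ESCAPES = {'b': 0x08, 't': 0x09, 'n': 0x0a, 'v': 0x0b, 'r': 0x0d, '\\': 0x5c, '"': 0x22}


def unescape_apache(field: str) -> bytes:
    out = bytearray()
    i = 0
    while i < len(field):
        if field[i] == '\\' and i + 1 < len(field):
            nxt = field[i + 1]
            if nxt == 'x' and re.fullmatch(r'[0-9A-Fa-f]{2}', field[i + 2:i + 4]):
                out.append(int(field[i + 2:i + 4], 16))
                i += 4
                continue
            if nxt in _C_ESCAPES:
                out.append(_C_ESCAPES[nxt])
                i += 2
                continue
        out += field[i].encode('latin-1', 'replace')
        i += 1
    return bytes(out)


# Percent-encodings a browser has no reason to send in a path: the characters
# from the cgisecurity list quoted in the thread, plus an encoded NUL (assumed list).
SUSPICIOUS_ENCODED = {'%2e', '%2f', '%5c', '%3c', '%3e', '%60', '%7c', '%3b',
                      '%21', '%2a', '%7e', '%00'}


def analyze_target(raw_target: str) -> dict:
    """Decode one request target and return what a reviewer would want flagged."""
    sent = unescape_apache(raw_target)        # bytes as they reached the server
    decoded = unquote_to_bytes(sent)          # after one round of %XX decoding
    nonprintable = sum(1 for b in decoded if b < 0x20 or b > 0x7e)
    ratio = nonprintable / max(len(decoded), 1)
    findings = []
    if ratio > 0.3:                           # assumed threshold: a URL is mostly printable
        findings.append('binary-payload')     # overflow-style probe, not a real request
    if b'../' in decoded or b'..\\' in decoded:
        findings.append('directory-traversal')
    encoded = sorted({m.lower() for m in re.findall(r'%[0-9A-Fa-f]{2}', sent.decode('latin-1'))
                      if m.lower() in SUSPICIOUS_ENCODED})
    if encoded:
        findings.append('masked-chars:' + ','.join(encoded))
    return {'decoded': decoded, 'nonprintable_ratio': round(ratio, 2), 'findings': findings}


def scan_log(lines) -> list:
    """Return one record per suspicious line: ip, status, decoded target, findings."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # malformed line: skip rather than crash
        req = m.group('req')
        _method, _, rest = req.partition(' ')
        target, _, _version = rest.rpartition(' ')
        if not target:                        # request line without an HTTP version
            target = rest
        result = analyze_target(target)
        if result['findings']:
            hits.append({'ip': m.group('ip'), 'status': int(m.group('status')),
                         'target': result['decoded'], 'findings': result['findings']})
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit['ip'], hit['status'], hit['findings'], hit['target'][:40])
```

Run against a real access log with `scan_log(open('access.log').read().splitlines())`. The point of decoding before matching is the one the quoted paper makes: a signature that looks for `../` in the raw log line misses `%2e%2e%2f`, and a signature that looks for `/etc/passwd` misses `%65%74%63...`. The status code stays in each record because, as post #3 notes, a 503 or 404 against a probe is the outcome you want; a 200 is the one worth following up.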

  9. #9
    King Tutorial-ankhamun
    Thanks, I'd give you antipoints but it says I have to spread them around.

  10. #10
    Looks like they're trying to dig into directories that are deeper than most Windows computers allow. What they're trying to find, I don't know. Normally a hacked FTP server will have seemingly bottomless directories so that the person administering the FTP server can't easily delete them. The IP that did that is still online as I type this though.
