Weird Entry In Web Logs

  1. #1
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897

    Weird Entry In Web Logs

    Hi all, I'm getting some weird lines in my weblogs:

    222.110.47.149 - - [01/Mar/2006:11:00:39 -0800] "GET /\x1f\xdc.\xa0\xa2\x1f\x0f\xe80?c\xe0P\xfa`\xf2]\x1eO\xd6\xb3\xf1W\xd5\x97Ue\xc0\xd0\xbe\xfe\x17+\xff\x95\xab\x8a\xbfU\x17(\x03\xea\xe7\xad\xf2\xa5<\xf0\xf7\xedyM\xe7\xb5\xb3\x01\xcf__\x12\x87\xfe\xf0\x1f\xf8\xf8\xbe*\xd9\x07\xb5W\xe7\xb7\xea\xa1\x7f\xa2\x9c\xcd\xf9u\x85\xf22\xaa\xcf\x9a\xddV$\x17\xaa\x03\xe0s\xf6\x17}Z\xaf\xab\x1e\x17\xcf\x02\x8b\xfeU\xf07\xef_e/.\x96+\x9e\xff\x80\xfa\xa9\xffK\xf8\xef\xff\xf0\xe7\xaf\xafw\xe1\bIT\xaf\xc3\xe5bP\xfdQz\xbc\x1e\x17|\xb9_\x95\xfdMQ\xe5\x1e\xb3n\xdeLn\x9c\xdd\x1f\x89\xc4\xa0<\x07\xf9K\xfd\xff\xa8\xec\xff\x94c\xf1%22\xf9\\\xb2g\xe2\xb1+\xfcH\xce\xc7\x7f\xff\x87=}|%20\xa0\x1f\xf0\x18\x10R\xfe\xcb`\x1c\xffg\x8b\xa0\x97\xfb8\xd4\x12\xbf\xe1\xfd\xac\x17~+\x11\xa9\xfe\x18%\x0f\xe9u\x12\xe0\xf8\xbe\x89^\xb9\xf1\xfcU\xf0=\xeb\xceUx\xa2Q\xdf\xb9\xac\xc2\x7f\xff\xf0\xe7\xaf\xafh|\x10\x07\xe2Z\xa1$\xbc\xbb\xd6\xf8%20\x17\x01\xf2\xfe~\xf1L\xf3\x12\xf7\xb4\xbf\xb8%22\xe2\xff\x83D HTTP/1.0" 503 316 "http://www.irongeek.com/videos/ettercapfiltervid1.swf" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
    222.110.47.149 - - [01/Mar/2006:11:00:39 -0800] "GET /\x828\xea\x83?\xf9\x9a\x01\xea\x87\xc5\xd4|\bP\xbf\xcaD\x85E\xea\xd5\x17\xab\xf1}UK\xf7\xea\x80\xef\x8b\x87\xde\xb3\xe2E\x12\x87\xe20\xe8z\xa2\x8e\xe5\x8e\xd4\x1f\x89%20~yT..\x12\x8b\x95_\xfe\x17\x17\x01\xfc\x1e\xabQ\x15\xab\xd1\xf9x\xfd^\xfe\x17\x17L\x1e\xa8\x03\x9c\xf4\xb7\xf5\xfbC\xf2\xfa%\x97\xfc\xbf\xf9\x14\xd1\x1b\xc22\xa8%22*U:\xa0\xb8\xbb\xd8\xa8\xbb\xc2%22\xa9<c\xff\xff\xe8\x04/\x17+\xfa\x85j\x87\xe5\xf6\x88\xca\x8b\x8b\xcb\x84\xa5\xea\xb2\xf5bYz\xa2\xf8\xab\xc5\xd2m\xd5J\x14)/V?.\x85\xc0\xd0\xbe\xe0A\xf0%20\x17?>?\xa2H\x92>V\x01\xe2X\x90\xa9X\x91|%P<$\x02\x82\x82\x84x?.\x1f\xa9\xa5\xfe\x12e\xf1u\xa3\xe1\xe2\x8c\xaa\xea\x90h?\xf4\x04\xa0\x86\x0f\x17\xaa HTTP/1.0" 503 316 "http://www.irongeek.com/videos/slack1.swf" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
    222.110.47.149 - - [01/Mar/2006:11:00:39 -0800] "GET /\x1f\xdc.\xa0\xa2\x1f\x0f\xe80?c\xe0P\xfa`\xf2]\x1eO\xd6\xb3\xf1W\xd5\x97Ue\xc0\xd0\xbe\xfe\x17+\xff\x95\xab\x8a\xbfU\x17(\x03\xea\xe7\xad\xf2\xa5<\xf0\xf7\xedyM\xe7\xb5\xb3\x01\xcf__\x12\x87\xfe\xf0\x1f\xf8\xf8\xbe*\xd9\x07\xb5W\xe7\xb7\xea\xa1\x7f\xa2\x9c\xcd\xf9u\x85\xf22\xaa\xcf\x9a\xddV$\x17\xaa\x03\xe0s\xf6\x17}Z\xaf\xab\x1e\x17\xcf\x02\x8b\xfeU\xf07\xef_e/.\x96+\x9e\xff\x80\xfa\xa9\xffK\xf8\xef\xff\xf0\xe7\xaf\xafw\xe1\bIT\xaf\xc3\xe5bP\xfdQz\xbc\x1e\x17|\xb9_\x95\xfdMQ\xe5\x1e\xb3n\xdeLn\x9c\xdd\x1f\x89\xc4\xa0<\x07\xf9K\xfd\xff\xa8\xec\xff\x94c\xf1%22\xf9\\\xb2g\xe2\xb1+\xfcH\xce\xc7\x7f\xff\x87=}|%20\xa0\x1f\xf0\x18\x10R\xfe\xcb`\x1c\xffg\x8b\xa0\x97\xfb8\xd4\x12\xbf\xe1\xfd\xac\x17~+\x11\xa9\xfe\x18%\x0f\xe9u\x12\xe0\xf8\xbe\x89^\xb9\xf1\xfcU\xf0=\xeb\xceUx\xa2Q\xdf\xb9\xac\xc2\x7f\xff\xf0\xe7\xaf\xafh|\x10\x07\xe2Z\xa1$\xbc\xbb\xd6\xf8%20\x17\x01\xf2\xfe~\xf1L\xf3\x12\xf7\xb4\xbf\xb8%22\xe2\xff\x83D HTTP/1.0" 503 316 "http://www.irongeek.com/videos/ettercapfiltervid1.swf" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
    222.110.47.149 - - [01/Mar/2006:11:00:39 -0800] "GET /\x828\xea\x83?\xf9\x9a\x01\xea\x87\xc5\xd4|\bP\xbf\xcaD\x85E\xea\xd5\x17\xab\xf1}UK\xf7\xea\x80\xef\x8b\x87\xde\xb3\xe2E\x12\x87\xe20\xe8z\xa2\x8e\xe5\x8e\xd4\x1f\x89%20~yT..\x12\x8b\x95_\xfe\x17\x17\x01\xfc\x1e\xabQ\x15\xab\xd1\xf9x\xfd^\xfe\x17\x17L\x1e\xa8\x03\x9c\xf4\xb7\xf5\xfbC\xf2\xfa%\x97\xfc\xbf\xf9\x14\xd1\x1b\xc22\xa8%22*U:\xa0\xb8\xbb\xd8\xa8\xbb\xc2%22\xa9<c\xff\xff\xe8\x04/\x17+\xfa\x85j\x87\xe5\xf6\x88\xca\x8b\x8b\xcb\x84\xa5\xea\xb2\xf5bYz\xa2\xf8\xab\xc5\xd2m\xd5J\x14)/V?.\x85\xc0\xd0\xbe\xe0A\xf0%20\x17?>?\xa2H\x92>V\x01\xe2X\x90\xa9X\x91|%P<$\x02\x82\x82\x84x?.\x1f\xa9\xa5\xfe\x12e\xf1u\xa3\xe1\xe2\x8c\xaa\xea\x90h?\xf4\x04\xa0\x86\x0f\x17\xaa HTTP/1.0" 503 316 "http://www.irongeek.com/videos/slack1.swf" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
    Does anyone recognize this as some sort of attack? Here is some info on the host:

    x:~# whois 222.110.47.149
    This is the Whois service provided by the Internet Information Center (KRNIC) of the National Internet Development Agency of Korea (NIDA).

    query: 222.110.47.149

    # KOREAN (translated)

    The lookup results are as follows and may differ from the actual information.

    IPv4 Address : 222.110.47.128-222.110.47.255
    Network Name : KORNET-INFRA000001
    Connect ISP Name : KORNET
    Allocation Info Published : N

    [ IPv4 Using Organization Information ]
    Organization ID : ORG1600
    Org Name : Korea Telecom (한국통신)
    Address : 206 Jeongja-dong, Bundang-gu, Seongnam-si, Korea Telecom e-Biz Division Planning Team
    Zip Code : 463-711

    [ Network Contact Person Information ]
    Org Name : Korea Telecom (한국통신)
    Address : 206 Jeongja-dong, Bundang-gu, Seongnam-si, Korea Telecom e-Biz Division Planning Team
    Zip Code : 463-711
    E-Mail : ip@ns.kornet.net

    --------------------------------------------------------------------------------

    If the above IPv4 address using-organization information is incorrect,
    please contact the responsible person at the connecting ISP below.

    [ Connecting ISP IPv4 Address Responsible Person Information ]
    Name : IP Address Administrator
    Phone : +82-2-3674-5708
    E-Mail : ip@ns.kornet.net

    [ Connecting ISP IPv4 Address Manager Information ]
    Name : IP Address Contact
    Phone : +82-2-3674-5708
    E-Mail : ip@ns.kornet.net

    [ Connecting ISP Network Abuse Contact Information ]
    Name : Spam/Hacking Contact
    Phone : 080-223-5577
    E-Mail : abuse@kornet.net

    # ENGLISH

    KRNIC is not an ISP but a National Internet Registry similar to APNIC.
    The followings is organization information that is using the IPv4 address.

    IPv4 Address : 222.110.47.128-222.110.47.255
    Network Name : KORNET-INFRA000001
    Connect ISP Name : KORNET
    Publishes : N

    [ Organization Information ]
    Organization ID : ORG1600
    Org Name : Korea Telecom
    Address : GYUNGGI
    Zip Code : 463-711

    [ Technical Contact Information ]
    Org Name : Korea Telecom
    Address : 206, Jungja-dong, Bundang-gu, Sungnam-ci
    Zip Code : 463-711
    E-Mail : ip@ns.kornet.net

    --------------------------------------------------------------------------------

    If the above contacts are not reachable, please contact following ISP
    for further information.

    [ ISP IPv4 Admin Contact Information ]
    Name : IP Administrator
    Phone : +82-2-3674-5708
    E-Mail : ip@ns.kornet.net

    [ ISP IPv4 Tech Contact Information ]
    Name : IP Manager
    Phone : +82-2-3674-5708
    E-Mail : ip@ns.kornet.net

    [ ISP Network Abuse Contact Information ]
    Name : Network Abuse
    Phone : 080-223-5577
    E-Mail : abuse@kornet.net


    x:~# nmap -P0 -A 222.110.47.149

    Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-03-02 01:57 CET
    Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
    Interesting ports on 222.110.47.149:
    (The 1671 ports scanned but not shown below are in state: filtered)
    PORT STATE SERVICE VERSION
    8080/tcp open http Linksys WRT54G wireless-G router http config
    Device type: router|broadband router|general purpose
    Running: Cisco IOS 12.X, Conexant embedded, Draytek embedded, FreeSCO Linux 2.0.X, Linksys embedded, Linux 2.4.X|2.5.X, D-Link embedded, Siemens embedded
    Too many fingerprints match this host to give specific OS details
    Uptime 0.111 days (since Wed Mar 1 23:20:26 2006)
    Service Info: Device: router

    Nmap finished: 1 IP address (1 host up) scanned in 177.791 seconds

  2. #2
    Banned
    Join Date
    Jul 2004
    Posts
    297
    Have you tried translating it to hex, or even octal? Looks like Tetris to me...


  3. #3
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    Yeah, that's an attempt to bust into your web site using one of the various buffer overflow attacks. Fortunately, you're responding with a 503, not a 200. Looks like some of the older nimda and CodeRed stuff, expanded. If you are not running IIS, this shouldn't be too much of a concern. If you are, you may want to look at how well your site is locked down, just for grins and giggles.


  4. #4
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    It's Apache. It's just annoying having my log files filled with junk when I'm trying to look at recent visitors.

  5. #5
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    Do you have a way of filtering this type of incoming at a firewall or application firewall? That will help keep it out of your site logs.

  6. #6
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Nope, it's not my box and my hosting provider does not seem to have an option for that.

  7. #7
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    If they are a commercial hosting service, you'd think they would have a perimeter filter in place. That would prevent most of this kind of thing. Granted, it doesn't directly attack your Apache installation at this time, but ...

    'Course, it does just look like recon. Someone trying to find the odd vulnerable web server.

  8. #8
    Banned
    Join Date
    Jul 2004
    Posts
    297
    Hmm, I did find this, and I quote:
    "If you see these characters in any log file there is a good chance an attacker
    is trying to mask his requests, or even trying to get around an IDS product.

    Encoded characters mentioned in last paper/this paper.

    %2e = . (Example: .. requests)
    %3e = > (Example: Html/Javascript/SSI insertion. Mentioned in last paper)
    %3c = < (Example: Html/Javascript/SSI insertion. Mentioned in last paper)
    %2a = * (Examples Listed in chapter 2 of this paper)
    %2b = + (Example: cmd.exe backdoor request. Also used as space)
    %60 = ` (Examples Command execution. Mentioned in last paper)
    %21 = ! (Example: SSI insertion. Mentioned in last paper)
    %7c = | (Example: Command execution. Mentioned in last paper)
    %3b = ; (Example: Command execution. Mentioned in last paper)
    %7e = ~ (Examples Listed in chapter 2 of this paper)
    %3f = ? (Example: Php/Mentioned in last paper)
    %5c = \ (Example: Possible Encoded Windows Directory Traversal Attempt)
    %2f = / (Example: Possible Encoded Unix Directory Traversal Attempt)
    %7b = { (Example: Possible trojan/backdoor upload attempt, possible command argument)
    %7d = } (Example: Possible trojan/backdoor upload attempt, possible command argument)
    %28 = ( (Example: Possible Cross Site Scripting attempt)
    %29 = ) (Example: Possible Cross Site Scripting attempt)
    %5b = [ (Example: Possible trojan/backdoor upload attempt, possible command argument)
    %5d = ] (Example: Possible trojan/backdoor upload attempt, possible command argument)
    %5e = ^ (Example: Possible trojan/backdoor upload attempt, possible command argument)


    For a complete list of characters in Unix type "man ascii" and a list will be provided.
    Below is what an example of directory traversal would look like while trying to fetch
    the server's password file.


    Example 1 :

    h t t p:// host/ script.ext?template=%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 <----- edited so this wouldn't turn into a URL

    This looks similar, info is at http://www.cgisecurity.com/papers/fi...nting-2.html#1

    I'm going back to lurking now
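Both the `\x1f\xdc...` lines in the first post and the `%2e%2e%2f` list quoted above come down to undoing an encoding before you can judge the request. The following is an added example, written for this page and not code from the thread or from the cgisecurity paper: it parses Apache combined-format lines, reverses Apache's own log escaping (`\xHH`, `\b`, `\"`, `\\`) to recover the raw request bytes, measures how much of the request target is non-printable, URL-decodes `%XX` sequences and flags those that decode to a character from the quoted list. The three log lines are constructed (the first is a shortened form of the request in the first post), and the 0.3 "binary junk" threshold is an assumption, not a value the thread gives.

```python
"""Classify suspicious request lines from Apache combined-format logs.

Two checks, after undoing Apache's own log escaping:
1. the share of non-printable/high bytes in the request target (what the
   "\\x1f\\xdc..." lines are made of), and
2. URL-encoded metacharacters (%2e, %2f, %7c, ...) from the cgisecurity list,
   decoded so that ../../etc/passwd style paths become readable.
"""
import re
from urllib.parse import unquote_to_bytes

# Apache combined log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Apache escapes quote/backslash and a few controls by name; everything else
# non-printable is written as \xHH.
APACHE_ESC_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|[nrtvfb"\\])')
_SIMPLE = {'n': b'\n', 'r': b'\r', 't': b'\t', 'v': b'\v', 'f': b'\f',
           'b': b'\b', '"': b'"', '\\': b'\\'}

def unescape_apache(field: str) -> bytes:
    """Turn an escaped Apache log field back into the raw bytes the server received."""
    out, pos = bytearray(), 0
    for m in APACHE_ESC_RE.finditer(field):
        out += field[pos:m.start()].encode('latin-1')
        esc = m.group(1)
        out += bytes([int(esc[1:], 16)]) if esc[0] == 'x' else _SIMPLE[esc]
        pos = m.end()
    out += field[pos:].encode('latin-1')
    return bytes(out)

# Characters from the cgisecurity list quoted in the post above.
SUSPICIOUS = {
    '.': 'dot (.. traversal)', '>': 'HTML/SSI insertion', '<': 'HTML/SSI insertion',
    '*': 'wildcard', '+': 'space / cmd.exe', '`': 'command execution',
    '!': 'SSI insertion', '|': 'command execution', ';': 'command execution',
    '~': 'tilde', '?': 'query', '\\': 'Windows traversal', '/': 'Unix traversal',
    '{': 'argument', '}': 'argument', '(': 'XSS', ')': 'XSS',
    '[': 'argument', ']': 'argument', '^': 'argument',
}

def encoded_metachars(target: bytes) -> list:
    """Return the %XX sequences in target that decode to a listed metacharacter."""
    hits = []
    for m in re.finditer(rb'%([0-9a-fA-F]{2})', target):
        ch = chr(int(m.group(1), 16))
        if ch in SUSPICIOUS:
            hits.append(f'%{m.group(1).decode().lower()} = {ch} ({SUSPICIOUS[ch]})')
    return hits

def nonprintable_ratio(target: bytes) -> float:
    """Fraction of bytes outside printable ASCII (0x20..0x7e)."""
    bad = sum(1 for b in target if b < 0x20 or b > 0x7e)
    return bad / len(target) if target else 0.0

JUNK_THRESHOLD = 0.3  # assumed cut-off; tune against your own traffic

def classify(line: str) -> dict:
    """Parse one combined-format line and say what kind of request it carries."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError('not a combined-format log line')
    request = unescape_apache(m.group('request'))
    parts = request.split(b' ')
    method = parts[0]
    target = parts[1] if len(parts) > 1 else b''
    ratio = nonprintable_ratio(target)
    hits = encoded_metachars(target)
    decoded = unquote_to_bytes(target)
    if ratio > JUNK_THRESHOLD:
        verdict = 'binary junk'
    elif b'../' in decoded or b'..\\' in decoded:
        verdict = 'encoded traversal'
    elif hits:
        verdict = 'encoded metacharacters'
    else:
        verdict = 'normal'
    return {'host': m.group('host'), 'status': m.group('status'),
            'method': method.decode('latin-1'), 'nonprintable_ratio': round(ratio, 2),
            'encoded': hits, 'decoded_target': decoded.decode('latin-1', 'replace'),
            'verdict': verdict}

# Constructed sample lines: the first is a shortened form of the request in
# the first post, the second carries the cgisecurity traversal example, the
# third is an ordinary request for comparison.
SAMPLE_LOG = [
    r'222.110.47.149 - - [01/Mar/2006:11:00:39 -0800] "GET /\x1f\xdc.\xa0\xa2\x1f\x0f\xe80?c\xe0P\xfa`\xf2]\x1eO\xd6\xb3\xf1W\xd5%22\xf9\\\xb2g%20\xa0 HTTP/1.0" 503 316 "http://www.irongeek.com/videos/ettercapfiltervid1.swf" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"',
    r'10.0.0.7 - - [01/Mar/2006:12:00:00 -0800] "GET /script.ext?template=%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 HTTP/1.1" 404 210 "-" "curl/7.15.0"',
    r'10.0.0.8 - - [01/Mar/2006:12:00:01 -0800] "GET /videos/slack1.swf HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for line in SAMPLE_LOG:
        r = classify(line)
        print(f"{r['host']:15} {r['status']} {r['verdict']:22} "
              f"ratio={r['nonprintable_ratio']} {r['decoded_target'][:50]!r}")
```

The unescape step matters: grepping the log text for `%2e` or `../` misses nothing here, but a rule that looks for raw control bytes would never fire, because Apache has already turned them into the seven-character string `\x1f`. Run the decoder first, then apply whatever pattern list you use.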

  9. #9
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Thanks, I'd give you antipoints but it says I have to spread them around.

  10. #10
    Looks like they're trying to dig into directories that are deeper than most Windows computers allow. What they're trying to find, I don't know. Normally a hacked FTP server will have seemingly bottomless directories so that the person administering the FTP server can't easily delete them. The IP that did that is still online as I type this though.
