-
Odd Defacement attempts
When my honeypots are compromised, this command is frequently run:
Code:
echo "ÕÙ»½" > index.jsp;
Always piped into a jsp, then it's attempted to put it into .php, html (because it fails initially, obviously)...
Which is odd, because it doesn't do anything special in browsers. Those characters aren't google friendly either, making it hard to see what's been discussed about it.
Any ideas why this is so frequently attempted? Why are many different attackers using it, and why don't they choose an alternative such as "d3f4c3d by 50d4p0p1n5ky"?
I'm assuming the attackers don't know either... they're just picking it up somewhere. That's how the logs read too.
-
To make you ask questions. ;)
cheers,
catch
-
Motives for attack:
- To gain reputation
- To earn money
- To protest (hacktivism)
- To satisfy curiosity
- To spread mass Confusion???
What is this, Project Mayhem??? :eek:
But seriously, wtf?
-
Possibly different character sets? From a US computer or no? If it was from somewhere else, you might try looking in their character set and you might also try looking before/after they do it for references to see if that sheds a little more info into it...
Anyway, tried converting them to Unicode: "%D5%D9%BB%BD" to make it a little more search friendly, but Google is converting the '%' as well so I am not sure... Hex didn't work either...
-
Each IP resolved to Asia. Will look into that, thanks!
-
You know, there is major money here, preventing such attacks. Well, for the other people causing all this, eventually get caught, if they get too far.
-
Preventing such attacks is only part of the answer... response is the other part:
Organically Assured and Survivable Information System (OASIS) http://www.tolerantsystems.org/ (only the bottom set of links are public)
cheers,
catch
-
Hi
My Chinese/Japanese (it's kanji after all) is not really fluent ( :) ), but it is a formal way to express "call someone" (hence nebulus200 was right, I assume).
Google translates it as "Summoning/consuming?".
Nothing spectacular :(
Maybe the attacker would have modified the file after that by hand to add more context?
Cheers
/edit: create an HTML file and load the simplified Chinese character set (kanji, in Japanese language):
Code:
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=gb2312">
<h1>ÕÙ»½</h1>
The characters will result in Google's language tool as
Japanese: Summoning/consuming?
Chinese: summons (noun). Haven't seen this before
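-
Added example, not part of any post in the thread: a way to do the character-set check discussed above on a string pulled from honeypot logs, by recovering the raw bytes behind the Latin-1 rendering and trying legacy East Asian code pages. The function names and the candidate encoding list are assumptions made for this illustration.

```python
import unicodedata
from urllib.parse import quote_from_bytes

# The string from the thread, written with escapes so the source file's own
# encoding cannot alter it: U+00D5 U+00D9 U+00BB U+00BD.
LOGGED = "\u00d5\u00d9\u00bb\u00bd"

# Assumption: a short list of legacy East Asian code pages worth trying.
CANDIDATES = ("gb2312", "big5", "shift_jis", "euc_jp", "euc_kr")


def raw_bytes(text):
    """Undo the viewer's single-byte rendering to get the bytes that were sent."""
    for single_byte in ("cp1252", "latin-1"):
        try:
            return text.encode(single_byte)
        except UnicodeEncodeError:
            continue
    raise ValueError("text contains characters outside any single-byte view")


def percent_form(data):
    """Percent-encode the bytes (all non-ASCII bytes become %XX) for searching."""
    return quote_from_bytes(data, safe="")


def candidate_decodings(data, encodings=CANDIDATES):
    """Return {encoding: text} for each encoding in which the bytes are valid."""
    found = {}
    for enc in encodings:
        try:
            found[enc] = data.decode(enc)
        except UnicodeDecodeError:
            pass  # bytes are not valid in this code page
    return found


def describe(text):
    """Code point and Unicode name for each character, for the case notes."""
    return [f"U+{ord(ch):04X} {unicodedata.name(ch, '?')}" for ch in text]


if __name__ == "__main__":
    data = raw_bytes(LOGGED)
    print(data.hex(), percent_form(data))
    for enc, text in candidate_decodings(data).items():
        print(f"{enc:10} {text}  {describe(text)}")
```

More than one code page may accept the same four bytes, so a clean decode alone does not settle the encoding; weigh it against context such as where the source IPs resolve and whether the decoded text is a real word.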