Re: [Full-disclosure] Random HTTP-Requests



Hi Andres,
thanks for your ideas.

2009/3/31 Andres Riancho <andres.riancho@xxxxxxxxx>:
Jan,

On Tue, Mar 31, 2009 at 11:30 AM, Jan G.B. <ro0ot.w00t@xxxxxxxxxxxxxx> wrote:
Hi there,

I've noticed that some weird requests are showing up in the error logs
of one of my apache webservers.
The requests seem to have the following in common:

* GET Request on some random alphanumeric string like "GET /hDMe9NS"

w3af [0] uses these types of requests to identify the 404 response of
a web application. Maybe it's somebody using w3af to scan your website?
Are you seeing a lot of requests coming from the same IP address after
the "random" request?

nope, at least not always:



Looking up the corresponding request in the access log was a good idea.

Here's one example:
221.204.*.* - - [30/Mar/2009:10:21:30 +0200] "GET /mtERuE0/osOAJo/3dK/tUekE2Ws.gif HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

and another one (with referer)

124.236.*.* - - [31/Mar/2009:17:01:59 +0200] "GET /XePDcSx/BabcSF/4GabcNO0/ncabc/abcf/Babcf-XS/abc/abcFEl/gSabcUs-z/UlabcbF/gib_.gif HTTP/1.1" 404 362 "http://www.labcdl.com/B2abcBfV-j/zabcZ/33z/NBxab2H6/Bvgzabc/NEabc/20Xab4/lxJabc4x/HnabcE/BabcZU/ezBf/nnx/xUBabcX/0S4Z-SnzG.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"


Grepping these IPs in the access log shows:
www:/var/log/apache2# grep "124.236.*.*" access.log|wc -l
12
www:/var/log/apache2# grep "221.204.*.*" access.log|wc -l
1

All these requests are totally random and end with .gif. The UA is
always the evil IE6. What sane developer would use such a UA? ;)




* Referer has some randomized, invalid URL like
http://www.kSJn32.com/ckJMSC/kSMSR/mndm/sads.html

w3af [0] doesn't perform requests with invalid referers; at least not
in the original version. Someone could have modified it to behave like
this.


Why would someone want to do this? It makes no sense to me.





Every domain that showed up wasn't registered - no DNS reply whatsoever.


Here's an example out of my log file (I slightly modified the random
strings - just in case ;))

[Tue Mar 30 10:12:41 2009] [error] [client 124.236.*.*] File does not exist: /var/www/foo.bar/web/hFBeX7EK, referer: http://www.ruyidqpg.com/SJQubgQP/QenlI/_n2Pn/_px/Uph/wSBf_l/leJB/C8Y00EIPfD07U/AO8lnzhgAl/SD70gA8Jg/nfA013J/ZOWAgYCZ/DOf7hg.html

What does the corresponding entry in the access.log file look like? It
should show you some user agent... To find this just:

grep hFBeX7EK access.log

The amount of random directories isn't constant.

Any ideas what is causing these requests? Is it a well-known worm?
What could it be... what for...?
The server is running Apache with PHP; the main application is made
with the symfony framework.

Thanks, Regards



PS: You believe this doesn't belong on this mailing list? Sorry, I'm
not interested - keep it to yourself.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



[0] http://w3af.sf.net/

Cheers,
--
Andrés Riancho
http://www.bonsai-sec.com/
http://w3af.sourceforge.net/


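The triage the thread describes (grep the access log for the path from the error log, count hits per IP, note the referer domain and check whether it resolves) can be scripted. The Python below is an added example, not code from either poster or from w3af: it parses Apache combined-format lines, flags 404s whose path segments look random, and groups the hits by client IP and referer host so each host can then be checked for a DNS answer. The sample lines are constructed from the masked entries above (the IPs and the two ordinary requests are placeholders), and the "looks random" heuristic (mixed case, or letters mixed with digits, in most path segments) is an assumption of the example, not a rule from the thread.

```python
import re
import socket
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample modelled on the masked entries in the thread. The IPs
# and the last two (ordinary) lines are placeholders, not real log data.
SAMPLE_LOG = """\
221.204.0.1 - - [30/Mar/2009:10:21:30 +0200] "GET /mtERuE0/osOAJo/3dK/tUekE2Ws.gif HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
124.236.0.1 - - [31/Mar/2009:17:01:59 +0200] "GET /XePDcSx/BabcSF/4GabcNO0/ncabc/abcf/Babcf-XS/abc/abcFEl/gSabcUs-z/UlabcbF/gib_.gif HTTP/1.1" 404 362 "http://www.labcdl.com/B2abcBfV-j/zabcZ/33z/NBxab2H6/Bvgzabc/NEabc/20Xab4/lxJabc4x/HnabcE/BabcZU/ezBf/nnx/xUBabcX/0S4Z-SnzG.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
124.236.0.1 - - [31/Mar/2009:17:02:03 +0200] "GET /hFBeX7EK HTTP/1.1" 404 290 "http://www.ruyidqpg.com/SJQubgQP/QenlI/_n2Pn/_px/Uph/wSBf_l/leJB/C8Y00EIPfD07U/AO8lnzhgAl/SD70gA8Jg/nfA013J/ZOWAgYCZ/DOf7hg.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.5 - - [31/Mar/2009:17:05:10 +0200] "GET /images/logo.gif HTTP/1.1" 200 4521 "http://www.example.com/index.html" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.0"
10.0.0.6 - - [31/Mar/2009:17:06:10 +0200] "GET /old/page.html HTTP/1.1" 404 280 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def looks_random(segment):
    """Heuristic (an assumption of this example): a path segment counts as
    random when its stem mixes upper and lower case, or letters with digits."""
    stem = segment.rsplit(".", 1)[0].replace("-", "").replace("_", "")
    if len(stem) < 3 or not stem.isalnum():
        return False
    upper = any(c.isupper() for c in stem)
    lower = any(c.islower() for c in stem)
    digit = any(c.isdigit() for c in stem)
    return (upper and lower) or (digit and (upper or lower))


def random_path(path):
    """True when more than half of the path's segments look random."""
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    if not segments:
        return False
    return sum(looks_random(s) for s in segments) > len(segments) / 2


def find_random_404s(lines):
    """Collect 404 responses for random-looking paths, keeping what an
    operator needs next: client IP, path, referer host and user agent."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404 or not random_path(rec["path"]):
            continue
        host = urlsplit(rec["referer"]).hostname if rec["referer"] != "-" else None
        hits.append({"ip": rec["ip"], "path": rec["path"],
                     "referer_host": host, "ua": rec["ua"]})
    return hits


def summarize(hits):
    """Hits per client IP, plus the distinct referer hosts worth a DNS check."""
    per_ip = Counter(h["ip"] for h in hits)
    hosts = sorted({h["referer_host"] for h in hits if h["referer_host"]})
    return dict(per_ip), hosts


def host_resolves(host):
    """Network check (not exercised offline): does the referer host resolve?"""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    hits = find_random_404s(SAMPLE_LOG.splitlines())
    per_ip, hosts = summarize(hits)
    for ip, n in per_ip.items():
        print(f"{ip}: {n} random-looking 404(s)")
    print("referer hosts to check:", hosts)
```

Run it against a real log with `find_random_404s(open("access.log"))` and then `host_resolves()` on each host in the returned list; hosts that never resolve match the thread's observation that none of the referer domains were registered. The majority rule in `random_path` is there so a single CamelCase directory in an otherwise normal URL does not get flagged, but it remains a heuristic and will still miss random paths padded with dictionary words.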


