[opensuse] Web attacks on the rise with php and sql injection attempts
Just a heads up to those running web servers,

May want to check logs for last day or two as there have been a number of attacks in the past few days (may be all days and they just got to me...)

Look for attempts with:

/index.php?s=/module/action/param1/${@die(sha1(xyzt))}
/index.php/module/action/param1/${@die(sha1(xyzt))}
/index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=sha1&vars[1][]=xyzt

Which I'm still working to totally understand, but it is apparently an attempt to provide GET code to enable compromising your site.

As usual RIPE is the prime candidate, with attacks coming from

54.38.81.0/24
54.196.169.0/24

Just something to keep an eye on.

--
David C. Rankin, J.D.,P.E.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
* David C. Rankin <drankinatty@suddenlinkmail.com> [07-21-20 15:46]:
> Just a heads up to those running web servers,
>
> May want to check logs for last day or two as there have been a number of attacks in the past few days (may be all days and they just got to me...)
>
> Look for attempts with:
>
> /index.php?s=/module/action/param1/${@die(sha1(xyzt))}
> /index.php/module/action/param1/${@die(sha1(xyzt))}
> /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=sha1&vars[1][]=xyzt
>
> Which I'm still working to totally understand, but it is apparently an attempt to provide GET code to enable compromising your site.
>
> As usual RIPE is the prime candidate, with attacks coming from
>
> 54.38.81.0/24
> 54.196.169.0/24
I have only one hit from those ips in the last 65 days, 54.38.81.231, which I have blacklisted.

I have 21 from the first two strings and none from the last:

104.244.72.99
104.244.73.193
123.207.226.105
129.226.160.197
134.175.105.150
149.202.238.204
178.32.123.182
182.254.134.77
185.220.103.4
185.232.52.64
193.218.118.80
193.8.82.126
217.12.204.151
36.248.211.71
45.10.172.11
51.15.235.211
51.75.144.58
51.77.135.89
54.38.81.231
82.221.131.71

all blacklisted.

--
(paka) Patrick Shanahan   Plainfield, Indiana, USA   @ptilopteri
http://en.opensuse.org   openSUSE Community Member   facebook/ptilopteri
Photos: http://wahoo.no-ip.org/piwigo   paka @ IRCnet freenode
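[Added example, not code from this thread or from any of the posters.] The log check David suggests and the blacklisting Patrick describes, written out as a scanner: it matches the three probe URLs after normalising the encodings they turn up in, collects the source addresses, and flags any probe the application answered with a 2xx. It also computes the canary a vulnerable host would echo back (sha1 of the probe's fixed token), which is the "checking for existence of a particular string of code" Patrick refers to further down the thread. It assumes the default Apache/nginx combined log format; the sample log lines, the 198.51.100.7 address and all function names are constructed for the example. The `\think\app/invokefunction` route in the third URL belongs to the ThinkPHP 5 framework, which is what that probe is aimed at.

```python
"""Added example (not code from the thread): scan access-log lines for the
three probe URLs David listed, normalise the encodings they turn up in,
collect source IPs for a blocklist as Patrick did, and flag probes that
got a 2xx. Sample log lines below are constructed, not from anyone's server."""
import hashlib
import ipaddress
import re
from urllib.parse import unquote

# Assumes the default Apache/nginx "combined" format: client IP first, the
# request line in quotes, then the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# The first signature covers both ${@die(sha1(...))} URLs (PHP injected via
# the route parameter); the other two cover the \think\app/invokefunction
# probe, which targets the ThinkPHP 5 framework's method-invocation route.
PROBES = {
    "die_sha1": re.compile(r"\$\{@die\(sha1\(", re.I),
    "invokefunction": re.compile(r"\\think\\app/invokefunction", re.I),
    "call_user_func_array": re.compile(r"function=call_user_func_array", re.I),
}


def decode_path(raw):
    """Normalise a logged request path so one regex catches every encoding.

    nginx writes a literal backslash as \\x5C, Apache as \\\\, and scanners
    send it percent-encoded (%5C) or double-encoded (%255C).
    """
    path = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    path = path.replace("\\\\", "\\")
    for _ in range(2):  # peel up to two layers of percent-encoding
        path = unquote(path)
    return path


def scan(lines):
    """Return one finding per log line that matches any probe signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        path = decode_path(m.group("path"))
        matched = [name for name, pat in PROBES.items() if pat.search(path)]
        if matched:
            findings.append({"ip": m.group("ip"), "status": int(m.group("status")),
                             "signatures": matched, "path": path})
    return findings


def blocklist(findings):
    """Distinct source IPs, sorted numerically (IPv4 before IPv6)."""
    addrs = {ipaddress.ip_address(f["ip"]) for f in findings}
    return [str(a) for a in sorted(addrs, key=lambda a: (a.version, int(a)))]


def needs_triage(findings):
    """Probes answered with 2xx: a 404 is noise, a 200 means the application
    actually routed the request, so check what it did with it."""
    return [f for f in findings if 200 <= f["status"] < 300]


def expected_marker(token="xyzt"):
    """What a vulnerable host echoes back: sha1() of the probe's argument.
    The scanner uses a harmless hash as a canary and only returns with a real
    payload to hosts whose response contains it."""
    return hashlib.sha1(token.encode()).hexdigest()


# Constructed sample lines: three of Patrick's listed IPs plus one benign
# request from a documentation-range address, with the probes in the
# encodings you actually see (nginx \x5C, raw, percent- and double-encoded).
SAMPLE_LOG = r"""
54.38.81.231 - - [21/Jul/2020:03:12:44 +0000] "GET /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=sha1&vars[1][]=xyzt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
185.220.103.4 - - [21/Jul/2020:03:12:45 +0000] "GET /index.php?s=/module/action/param1/${@die(sha1(xyzt))} HTTP/1.1" 404 196 "-" "Mozilla/5.0"
185.220.103.4 - - [21/Jul/2020:03:12:46 +0000] "GET /index.php/module/action/param1/%24%7B%40die(sha1(xyzt))%7D HTTP/1.1" 404 196 "-" "Mozilla/5.0"
51.15.235.211 - - [22/Jul/2020:11:02:01 +0000] "GET /index.php?s=/Index/%255Cthink%255Capp/invokefunction&function=call_user_func_array&vars[0]=sha1&vars[1][]=xyzt HTTP/1.1" 200 5123 "-" "python-requests/2.22"
198.51.100.7 - - [22/Jul/2020:11:05:30 +0000] "GET /index.php?s=/blog/show/id/42 HTTP/1.1" 200 8804 "-" "Mozilla/5.0"
""".strip().splitlines()

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']:16} {f['status']} {','.join(f['signatures'])}")
    print("blocklist:", " ".join(blocklist(found)))
    print("needs triage:", [f["ip"] for f in needs_triage(found)])
    print("canary a vulnerable host would echo:", expected_marker())
```

Run it against a real log with `scan(open("/var/log/nginx/access.log"))` instead of `SAMPLE_LOG`. The decoding step matters more than the signatures: the same probe shows up as `\x5C` in nginx logs, `\\` in Apache logs, `%5C` or `%255C` on the wire, and a pattern written against only one of those misses the rest. A 404 on these URLs is just the scanner moving on; a 200 is the one to look at.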
On 2020-07-21 20:45, David C. Rankin wrote:
> Look for attempts with:
>
> /index.php?s=/module/action/param1/${@die(sha1(xyzt))}
> /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=sha1&vars[1][]=xyzt

(Oops, just noticed I accidentally replied to David Rankin directly; I meant to reply to the list.)

Presumably both of these are being used on the assumption that some well known / frequently-used code, often in sites' index.php files (maybe for something that lots of people use like blogging or BB software) will directly use the contents of var "s", or parse something out of it and use that, without checking what it is before use?

> /index.php/module/action/param1/${@die(sha1(xyzt))}

What would a malformed URL like that do?

--
Jeremy Nicoll - my opinions are my own
* Jeremy Nicoll - ml openSUSE <jn.ml.ops.785@wingsandbeaks.org.uk> [07-23-20 04:26]:
> On 2020-07-21 20:45, David C. Rankin wrote:
>> Look for attempts with:
>>
>> /index.php?s=/module/action/param1/${@die(sha1(xyzt))}
>> /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=sha1&vars[1][]=xyzt
>
> (Oops, just noticed I accidentally replied to David Rankin directly; I meant to reply to the list.)
>
> Presumably both of these are being used on the assumption that some well known / frequently-used code, often in sites' index.php files (maybe for something that lots of people use like blogging or BB software) will directly use the contents of var "s", or parse something out of it and use that, without checking what it is before use?
>
>> /index.php/module/action/param1/${@die(sha1(xyzt))}
>
> What would a malformed URL like that do?

It is probably checking for existence of a particular string of code which it can exploit and when not finding, doesn't bother anymore.

--
(paka) Patrick Shanahan   Plainfield, Indiana, USA   @ptilopteri
http://en.opensuse.org   openSUSE Community Member   facebook/ptilopteri
Photos: http://wahoo.no-ip.org/piwigo   paka @ IRCnet freenode
participants (3)
- David C. Rankin
- Jeremy Nicoll - ml openSUSE
- Patrick Shanahan