Strange web exploit attempt (?)

In the search logs for OurAirports, I noticed a series of searches for URLs:

http://www.feliciano.de/Webgalerie/bilder/Italy/une/yiwul/
http://www.unduetretoccaate.it/codice/aseje/wocobo/
http://www.altaiseer-eg.com/ar/articles/jed/umut/

At first, I thought they might be a kind of link spam — some sites display recent searches — but when I checked one of the URLs, I found something totally unexpected:

<?php echo md5("just_a_test");?>

They’re all the same. This is almost certainly related to passwords: is there a known flaw in a PHP content-management system like Drupal, or in the PHP API for a search engine like Lucene, where this would do some damage, or is it just a test probing for weaknesses? Is the PHP code supposed to be served up literally like that, or should I be seeing the MD5 instead?
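An added illustration, not part of the original post or of the comments below, of what a probe like this is checking for and how to pick it out of a log. The interpretation offered in the comments is that the URLs are remote-file-inclusion probes: the scanner drops the URL into any parameter that might reach include()/require(), then looks in the response for the hex MD5 of "just_a_test". If the server interpreted the fetched file, the hash appears; if the PHP source comes back verbatim, as it does when you open the URL in a browser or a search form merely fetches it, the file was handled as data and nothing ran. The log format, client addresses and parameter names in the sample are constructed, not OurAirports' real logs.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# The file found at every probe URL. The leading "<?" was lost when the blog
# page was rendered; this is the standard PHP form of that one-liner.
PROBE_BODY = '<?php echo md5("just_a_test");?>'
PROBE_SECRET = "just_a_test"

# What a server prints back if it include()s/require()s the probe: the hex
# MD5 of the secret. The scanner greps each response for exactly this string.
EXPECTED_MARKER = hashlib.md5(PROBE_SECRET.encode()).hexdigest()


def classify_response(body: str) -> str:
    """Reproduce the scanner's verdict on a response body.

    "executed": the MD5 appears, so the target fetched the URL *and* ran it
                as PHP -- remote file inclusion confirmed.
    "echoed":   the PHP source came back verbatim: fetched as data, never
                interpreted (a search form or a browser does this; harmless).
    "absent":   nothing from the probe is in the response.
    """
    if EXPECTED_MARKER in body:
        return "executed"
    if PROBE_SECRET in body:
        return "echoed"
    return "absent"


# A parameter value that is itself an absolute URL on another host is the
# signature of an RFI probe: the value is meant to reach include($_GET[...]).
_ABSOLUTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def is_remote_url(value: str) -> bool:
    return bool(_ABSOLUTE_URL.match(value.strip()))


def find_probes(log_lines):
    """Scan Apache combined-format lines; return (client, param, url) for
    every query-string parameter whose value is an absolute URL."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 8:
            continue  # malformed line, skip it
        client, request_path = fields[0], fields[6]
        query = urlsplit(request_path).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                if is_remote_url(value):
                    hits.append((client, name, value))
    return hits


# Constructed sample log lines (hypothetical clients and parameter names),
# reusing two of the URLs quoted in the post above.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2011:03:14:07 +0000] "GET /search?q=http://www.feliciano.de/Webgalerie/bilder/Italy/une/yiwul/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [10/Feb/2011:03:14:09 +0000] "GET /search?q=ottawa+airport HTTP/1.1" 200 4810 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Feb/2011:03:14:11 +0000] "GET /index.php?page=http://www.altaiseer-eg.com/ar/articles/jed/umut/ HTTP/1.1" 200 512 "-" "libwww-perl/5.8"',
]

if __name__ == "__main__":
    for client, param, url in find_probes(SAMPLE_LOG):
        print(f"RFI probe from {client}: {param}={url}")
    print("site that merely searched for the URL ->", classify_response(PROBE_BODY))
    print("site that include()d the URL          ->", classify_response(EXPECTED_MARKER))
```

Two practical notes. The search form that logged these URLs returns "echoed" at worst, because it treats the string as a search term; the dangerous case is any script that passes a request parameter to include(), and that is what the third sample line imitates. And the detector keys on the parameter value being an absolute URL rather than on the three hostnames, since the hosting sites change every campaign while the pattern does not.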

About David Megginson

Scholar, tech guy, Canuck, open-source/data/information zealot, urban pedestrian, language geek, tea drinker, pater familias, red tory, amateur musician, private pilot.

4 Responses to Strange web exploit attempt (?)

  1. They’re probably trying to see if they can get a URL passed to [`require`](http://php.net/require); if they were successful, that PHP code would execute on your server. If I conjecture correctly, then yes, you are supposed to see PHP code verbatim, since it’s supposed to be interpreted on your server, not theirs.

  2. Frankly, I would be VERY attentive, as your server is the victim of an HTTP-inject attack.
    It is a test to see if one can send your scripts, and the next step will be an HTTP request with
    PHP code that may infect your server.

    What to do?
    If you do not use ‘http:’ within your URLs’
    query string, you may simply add the following code
    at the beginning of all of your PHP files:

    As long as the above code is on the FIRST line, there is no way
    your script is able to load external pages; it just gives back an empty page.

    As an alternative, if you are able to change
    your .htaccess file, you may create
    a rewrite rule returning 403 FORBIDDEN there:

    RewriteEngine on
    RewriteCond %{QUERY_STRING} http[:%] [NC]
    RewriteRule .* /-----http----- [F,NC]
    RewriteRule http: /-----http----- [F,NC]

    This is the fastest way and works for all files and all CMS systems.
    Source: http://www.whyron.com/http.htm

  3. Rob Kaper says:

    That’s an odd attack..

    It certainly does not look like an SQL injection; those are targeted and would involve SQL control characters. MD5 strings would really not help an attacker here.

    Then again, it also doesn’t look like a ‘require/include’ attack. Those tend to exploit known problems of software (you’d see a lot of /someforumsoftware/?root_dir= requests), they really don’t perform queries from random forms on web sites.

    Then again, I’ve had spam containing nothing but illegible text. And I’ve had spam bot registration attempts on my personal site, which runs a home-grown CMS. Seriously a waste of time for spammers, but hey, whatever keeps them happy.

Comments are closed.