kennypu (Just Arrived)
Joined: 02 Jul 2010 Posts: 0
Posted: Fri Jul 02, 2010 10:25 am Post subject: hello, question about a possible shellcode in http GET
Hello,
Sorry if the title confused some of you, but I had a little problem.
I have a site running, and for the past few months it has been getting hacked into, and I have no idea how they are exploiting the site. I was going through the access log and found something rather weird, and I decided to post here since you guys should know more about this than I do.
Quote:
"GET mysitehere.com/\xe8\xb1\x8a\xe8\x83\xb8\xe6\x89\x8b\xe8\xa1\x93/\xe8\xb1\x8a\xe8\x83\xb8\xe6\x89\x8b\xe8\xa1\x93\xe3\x81\xae\xe3\x83\x90\xe3\x82\xb9\xe3\x83\x88\xe3\x82\xb5\xe3\x82\xa4\xe3\x82\xba\xe3\x82\x92\xe6\xb1\xba\xe3\x82\x81\xe3\x82\x8b\xe3\x81\xa8\xe3\x81\x8d/ HTTP/1.1" 404 - "-" "Yandex/1.01.001 (compatible; Win16; I)"
If you ask me, that looks like shellcode, but I may be wrong. Can anybody clarify whether this is a malicious act or an OK one? I looked up Yandex, and they seem to be a Russian search engine, but I don't know. Thanks for any help in advance,
Ken
By the way, if this is the wrong place to post this, please feel free to move it or delete it. Thanks.
capi (SF Senior Mod)
Joined: 21 Sep 2003 Posts: 16777097 Location: Portugal
Posted: Fri Jul 02, 2010 3:40 pm Post subject:
Those bytes make up a valid UTF-8 sequence, consisting of several CJK ideographs, plus some hiragana and katakana characters. This may or may not be a coincidence, and it may or may not make sense for your site:
Code:
$ python -c 'print "\xe8\xb1\x8a\xe8\x83\xb8\xe6\x89\x8b\xe8\xa1\x93/\xe8\xb1\x8a\xe8\x83\xb8\xe6\x89\x8b\xe8\xa1\x93\xe3\x81\xae\xe3\x83\x90\xe3\x82\xb9\xe3\x83\x88\xe3\x82\xb5\xe3\x82\xa4\xe3\x82\xba\xe3\x82\x92\xe6\xb1\xba\xe3\x82\x81\xe3\x82\x8b\xe3\x81\xa8\xe3\x81\x8d".decode("utf8")'
豊胸手術/豊胸手術のバストサイズを決めるとき
It doesn't really seem like particularly useful x86 or amd64 shellcode to me, either.
Whatever it is, though, it is definitely incorrectly encoded for appearing in a URI. If anything, it should be example.com/%e8%b1%8a%e8%83%b8%e6%89%8b%e8%a1%93/%e8%b1%8a%e8%83%b8%e6%89%8b%e8%a1%93%e3%81%ae%e3%83%90%e3%82%b9%e3%83%88%e3%82%b5%e3%82%a4%e3%82%ba%e3%82%92%e6%b1%ba%e3%82%81%e3%82%8b%e3%81%a8%e3%81%8d/
It may just be a buggy bot, or it may actually be some kind of exploit attempt, looking to hurt some CGI or server-side script you may be running.
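As an added example (not code from capi or anyone else in this thread), here is a Python 3 version of the same check, generalized to any access-log line: it pulls the request target out of the line, accepts well-formed RFC 3986 paths, turns Apache-style \xNN escapes back into the bytes the client actually sent, and reports whether those bytes are valid UTF-8 text (and what the correctly percent-encoded form would have been) or opaque. The log line below is constructed from the one in the original post; its format, the regexes and the hostname placeholder are assumptions.

```python
import re
import urllib.parse

# Constructed sample, modelled on the log line in the original post (shortened).
# Apache writes non-printable bytes in the request line as \xNN escapes.
LOG_LINE = (r'"GET mysitehere.com/\xe8\xb1\x8a\xe8\x83\xb8\xe6\x89\x8b\xe8\xa1\x93/'
            r'\xe3\x81\xae\xe3\x83\x90\xe3\x82\xb9\xe3\x83\x88/ HTTP/1.1" 404 - "-" '
            r'"Yandex/1.01.001 (compatible; Win16; I)"')

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})')
# What RFC 3986 allows in a path: unreserved, sub-delims, ':', '@', '/', and %XX escapes.
VALID_PATH_RE = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/]|%[0-9A-Fa-f]{2})*$")


def unescape_log_target(target: str) -> bytes:
    """Turn the log's \\xNN escapes back into the raw bytes the client sent."""
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(target):
        out += target[pos:m.start()].encode("ascii")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += target[pos:].encode("ascii")
    return bytes(out)


def analyse_request(log_line: str) -> dict:
    """Classify the request target: well-formed URI, raw UTF-8 text, or opaque bytes."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return {"status": "unparsed"}
    target = m.group("target")
    if VALID_PATH_RE.match(target):
        return {"status": "well_formed", "target": target}
    raw = unescape_log_target(target)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        # Not text in any obvious encoding: worth a closer look, but not proof of an exploit.
        return {"status": "opaque_bytes", "raw": raw}
    # Valid UTF-8 sent unencoded; also show what a compliant client would have sent.
    return {"status": "raw_utf8", "text": text,
            "encoded": urllib.parse.quote(text, safe="/:@!$&'()*+,;=")}


if __name__ == "__main__":
    print(analyse_request(LOG_LINE))
```

Decoding as valid UTF-8 only tells you the bytes are text (here the same Japanese phrase capi decoded); whether the request is harmless still depends on what the server-side script does with an unencoded path, as the reply above points out.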
operat0r2 (Just Arrived)
Joined: 26 Apr 2010 Posts: 0
kennypu (Just Arrived)
Joined: 02 Jul 2010 Posts: 0
Posted: Fri Jul 02, 2010 11:49 pm Post subject:
capi wrote:
Those bytes make up a valid UTF-8 sequence, consisting of several CJK ideographs, plus some hiragana and katakana characters. This may or may not be a coincidence, and it may or may not make sense for your site:
Code:
$ python -c 'print "\xe8\xb1\x8a\xe8\x83\xb8\xe6\x89\x8b\xe8\xa1\x93/\xe8\xb1\x8a\xe8\x83\xb8\xe6\x89\x8b\xe8\xa1\x93\xe3\x81\xae\xe3\x83\x90\xe3\x82\xb9\xe3\x83\x88\xe3\x82\xb5\xe3\x82\xa4\xe3\x82\xba\xe3\x82\x92\xe6\xb1\xba\xe3\x82\x81\xe3\x82\x8b\xe3\x81\xa8\xe3\x81\x8d".decode("utf8")'
豊胸手術/豊胸手術のバストサイズを決めるとき
That makes sense; our site is in Japanese as well. Thanks for the clarification :]