Security Forums
hello, question about a possible shellcode in http GET


kennypu
Just Arrived


Joined: 02 Jul 2010
Posts: 0

Posted: Fri Jul 02, 2010 10:25 am    Post subject: hello, question about a possible shellcode in http GET

hello,
sorry if the title confused some of you, but I had a little problem.

I have a site running, and the past few months it has been getting hacked into, and I have no idea how they are exploiting the site. I was going through the access log and found something rather weird, and I decided to post here since you guys should know more about this than I do.
Quote:

"GET mysitehere.com/\xe8\xb1\x8a\xe8\x83\xb8\xe6\x89\x8b\xe8\xa1\x93/\xe8\xb1\x8a\xe8\x83\xb8\xe6\x89\x8b\xe8\xa1\x93\xe3\x81\xae\xe3\x83\x90\xe3\x82\xb9\xe3\x83\x88\xe3\x82\xb5\xe3\x82\xa4\xe3\x82\xba\xe3\x82\x92\xe6\xb1\xba\xe3\x82\x81\xe3\x82\x8b\xe3\x81\xa8\xe3\x81\x8d/ HTTP/1.1" 404 - "-" "Yandex/1.01.001 (compatible; Win16; I)"


If you ask me, that looks like a shellcode, but I may be wrong. Can anybody clarify whether this is a malicious act, or an ok one? I looked up Yandex, and they seem to be a Russian search engine, but idk. Thanks for any help in advance,
Ken

btw if this is the wrong place to post this, please feel free to move it or delete it. thanks.

capi
SF Senior Mod

Joined: 21 Sep 2003
Posts: 16777097
Location: Portugal

Posted: Fri Jul 02, 2010 3:40 pm

Those bytes make up a valid UTF-8 sequence, consisting of several CJK ideographs, plus some hiragana and katakana characters. This may or may not be a coincidence, and it may or may not make sense for your site:
Code:
$ python -c 'print "\xe8\xb1\x8a\xe8\x83\xb8\xe6\x89\x8b\xe8\xa1\x93/\xe8\xb1\x8a\xe8\x83\xb8\xe6\x89\x8b\xe8\xa1\x93\xe3\x81\xae\xe3\x83\x90\xe3\x82\xb9\xe3\x83\x88\xe3\x82\xb5\xe3\x82\xa4\xe3\x82\xba\xe3\x82\x92\xe6\xb1\xba\xe3\x82\x81\xe3\x82\x8b\xe3\x81\xa8\xe3\x81\x8d".decode("utf8")'
豊胸手術/豊胸手術のバストサイズを決めるとき


It doesn't really seem like particularly useful x86 or amd64 shellcode to me, either.

Whatever it is, though, it is definitely incorrectly encoded for appearing in a URI. If anything, it should be example.com/%e8%b1%8a%e8%83%b8%e6%89%8b%e8%a1%93/%e8%b1%8a%e8%83%b8%e6%89%8b%e8%a1%93%e3%81%ae%e3%83%90%e3%82%b9%e3%83%88%e3%82%b5%e3%82%a4%e3%82%ba%e3%82%92%e6%b1%ba%e3%82%81%e3%82%8b%e3%81%a8%e3%81%8d/

It may just be a buggy bot, or it may actually be some kind of exploit attempt, looking to hurt some CGI or server-side script you may be running.

operat0r2
Just Arrived

Joined: 26 Apr 2010
Posts: 0

Posted: Fri Jul 02, 2010 6:05 pm
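Checking a log line the way the reply above does, as an added example that is not code from the thread: it turns Apache's \xNN access-log escapes back into the bytes that were on the wire, tests whether they form valid UTF-8, and produces the percent-encoded target a correctly behaving client would have sent. Both log lines below are constructed (mysitehere.com is the poster's own placeholder); the second one deliberately ends in a truncated UTF-8 sequence to show the failure case.

```python
import re
from urllib.parse import quote

# Constructed samples in the style of the post's log entry. The second one
# ends in a truncated multi-byte sequence and is NOT valid UTF-8.
SAMPLE_LOG_LINE = (
    r'"GET mysitehere.com/\xe8\xb1\x8a\xe8\x83\xb8\xe6\x89\x8b\xe8\xa1\x93/ HTTP/1.1"'
    ' 404 - "-" "Yandex/1.01.001 (compatible; Win16; I)"'
)
BROKEN_LOG_LINE = r'"GET mysitehere.com/\xe8\xb1/ HTTP/1.1" 404 - "-" "-"'

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})')


def unescape_log_bytes(field: str) -> bytes:
    """Turn Apache's \\xNN log escapes back into the raw bytes on the wire.

    Apache only writes non-printable and non-ASCII bytes this way, so the rest
    of the field is plain ASCII and latin-1 maps each character to one byte.
    """
    text = ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), field)
    return text.encode('latin-1')


def analyse_request_target(log_line: str) -> dict:
    """Classify the request target of one access-log line."""
    m = REQUEST_RE.search(log_line)
    if m is None:
        raise ValueError('no request line found in log entry')
    raw = unescape_log_bytes(m.group('target'))
    try:
        decoded = raw.decode('utf-8')
    except UnicodeDecodeError:
        decoded = None
    return {
        'method': m.group('method'),
        # RFC 3986 request targets are ASCII; bytes >= 0x80 must be percent-encoded
        'raw_non_ascii': any(b >= 0x80 for b in raw),
        'valid_utf8': decoded is not None,
        'decoded': decoded,
        # what a correctly behaving client would have sent instead
        'percent_encoded': quote(raw),
    }


if __name__ == '__main__':
    for line in (SAMPLE_LOG_LINE, BROKEN_LOG_LINE):
        print(analyse_request_target(line))
```

A target that carries raw high bytes is malformed whichever way it decodes; the `valid_utf8` flag only tells you whether a buggy-but-benign client is a plausible explanation.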

* hire a security professional to evaluate the cause and fix the problem
* use mod_security; this will block 99.9% of skiddie attacks
* http://www.binrev.com/forums/index.php/topic/34774-apache-limit-max-connections-per-ip-and-friends/page__hl__htaccess

kennypu
Just Arrived

Joined: 02 Jul 2010
Posts: 0

Posted: Fri Jul 02, 2010 11:49 pm

capi wrote:
Those bytes make up a valid UTF-8 sequence, consisting of several CJK ideographs, plus some hiragana and katakana characters. This may or may not be a coincidence, and it may or may not make sense for your site:
Code:
$ python -c 'print "\xe8\xb1\x8a\xe8\x83\xb8\xe6\x89\x8b\xe8\xa1\x93/\xe8\xb1\x8a\xe8\x83\xb8\xe6\x89\x8b\xe8\xa1\x93\xe3\x81\xae\xe3\x83\x90\xe3\x82\xb9\xe3\x83\x88\xe3\x82\xb5\xe3\x82\xa4\xe3\x82\xba\xe3\x82\x92\xe6\xb1\xba\xe3\x82\x81\xe3\x82\x8b\xe3\x81\xa8\xe3\x81\x8d".decode("utf8")'
豊胸手術/豊胸手術のバストサイズを決めるとき

That makes sense, our site is in Japanese as well. Thanks for the clarification :]