From talexb at gmail.com  Wed Mar 14 18:19:17 2018
From: talexb at gmail.com (Alex Beamish)
Date: Wed, 14 Mar 2018 21:19:17 -0400
Subject: [tpm] March meeting / March 29, 2018
Message-ID:

Hello Toronto,

Happy Pi day to you all! Our monthly meeting is coming up, and I have a
line on one presenter .. so if there is another presentation out there,
please let me know.

I have splashed out on a Hotspot Turbo Stick that will provide me with
mobile Internet, so I'll be able to use my own modest laptop for running
the Google Hangout starting this month. I will be making a burnt offering
to the Gods of the Internet for favourable conditions, and we'll see how
this month goes.

Thanks all!

--
Alex Beamish
Software Developer / https://ca.linkedin.com/in/alex-beamish-5111ba3
Speaker Wrangler, Toronto Perlmongers / http://to.pm.org/
Baritone, Board Member, Toronto Northern Lights, 2013 Champions / www.northernlightschorus.com
Certified Contest Administrator, Barbershop Harmony Society / www.barbershop.org


From legrady at gmail.com  Tue Mar 27 10:56:07 2018
From: legrady at gmail.com (Tom Legrady)
Date: Tue, 27 Mar 2018 13:56:07 -0400
Subject: [tpm] web crash attempts
Message-ID:

I'm looking to make some improvements on a friend's web site, and came
across some odd entries while looking at the apache log file. I get the
impression these people aren't trying to improve the web. But what are
they hoping to achieve? The query URL changes, but the info about the
query software remains the same.

178.32.200.116 - - [10/Mar/2018:14:21:23 -0800] "GET /?cmd=die('===!'.'==='); HTTP/1.1" 200 290 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0"

198.12.153.176 - - [13/Mar/2018:03:03:40 -0700] "GET /?cmd=die('===!'.'==='); HTTP/1.1" 200 290 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0"

168.144.187.20 - - [16/Mar/2018:09:17:35 -0700] "POST /?q=die('z!a'.'x');&w=die('z!a'.'x');&e=die('z!a'.'x');&r=die('z!a'.'x');&t=die('z!a'.'x');&y=die('z!a'.'x');&u=die('z!a'.'x');&i=die('z!a'.'x');&o=die('z!a'.'x');&p=die('z!a'.'x');&a=die('z!a'.'x');&s=die('z!a'.'x');&d=die('z!a'.'x');&f=die('z!a'.'x');&g=die('z!a'.'x');&h=die('z!a'.'x');&j=die('z!a'.'x');&k=die('z!a'.'x');&l=die('z!a'.'x');&z=die('z!a'.'x');&x=die('z!a'.'x');&c=die('z!a'.'x');&v=die('z!a'.'x');&b=die('z!a'.'x');&n=die('z!a'.'x');&m=die('z!a'.'x');&eval=die('z!a'.'x');&enter=die('z!a'.'x'); HTTP/1.1" 200 290 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0"

193.104.35.105 - - [18/Mar/2018:15:04:43 -0700] "POST /?q=die('z!a'.'x');&w=die('z!a'.'x');&e=die('z!a'.'x');&r=die('z!a'.'x');&t=die('z!a'.'x');&y=die('z!a'.'x');&u=die('z!a'.'x');&i=die('z!a'.'x');&o=die('z!a'.'x');&p=die('z!a'.'x');&a=die('z!a'.'x');&s=die('z!a'.'x');&d=die('z!a'.'x');&f=die('z!a'.'x');&g=die('z!a'.'x');&h=die('z!a'.'x');&j=die('z!a'.'x');&k=die('z!a'.'x');&l=die('z!a'.'x');&z=die('z!a'.'x');&x=die('z!a'.'x');&c=die('z!a'.'x');&v=die('z!a'.'x');&b=die('z!a'.'x');&n=die('z!a'.'x');&m=die('z!a'.'x');&eval=die('z!a'.'x');&enter=die('z!a'.'x'); HTTP/1.1" 200 290 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0"

Tom


From liam at holoweb.net  Tue Mar 27 11:43:44 2018
From: liam at holoweb.net (Liam R E Quin)
Date: Tue, 27 Mar 2018 14:43:44 -0400
Subject: [tpm] web crash attempts
In-Reply-To:
References:
Message-ID: <1522176224.4479.55.camel@holoweb.net>

On Tue, 2018-03-27 at 13:56 -0400, Tom Legrady wrote:
>
> 178.32.200.116 - - [10/Mar/2018:14:21:23 -0800] "GET
> /?cmd=die('===!'.'==='); HTTP/1.1" 200 290 "-" "Mozilla/5.0 (Windows NT
> 5.1; rv:32.0) Gecko/20100101 Firefox/32.0"

This is probably a probe to see if the site uses eval() on its CGI
parameters.

I found
https://security.stackexchange.com/questions/181772/whats-so-special-about-evalzax

so unless that's your question, you're not alone :)

Liam

--
Liam Quin - web slave for https://www.fromoldbooks.org/
with fabulous vintage art and fascinating texts to read.
Click here to have the slave beaten. Or rewarded. Or not.


From andy at petdance.com  Tue Mar 27 11:46:51 2018
From: andy at petdance.com (Andy Lester)
Date: Tue, 27 Mar 2018 13:46:51 -0500
Subject: [tpm] web crash attempts
In-Reply-To:
References:
Message-ID:

> 178.32.200.116 - - [10/Mar/2018:14:21:23 -0800] "GET /?cmd=die('===!'.'==='); HTTP/1.1" 200 290 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0"

Looks like they're sniffing for web servers that have something set up
where /?cmd=x lets you execute x. If they get back a 500, then they know
that the command was tried and died. Then they know to sniff around some
more because /?cmd is now a portal to executing things remotely on that
server.

> 168.144.187.20 - - [16/Mar/2018:09:17:35 -0700] "POST /?q=die('z!a'.'x');&w=die('z!a'.'x');&e=die('z!a'.'x');&r=die('z!a'.'x');&t=die('z!a'.'x');&y=die('z!a'.'x');&u=die('z!a'.'x');&i=die('z!a'.'x');&o=die('z!a'.'x');&p=die('z!a'.'x');&a=die('z!a'.'x');&s=die('z!a'.'x');&d=die('z!a'.'x');&f=die('z!a'.'x');&g=die('z!a'.'x');&h=die('z!a'.'x');&j=die('z!a'.'x');&k=die('z!a'.'x');&l=die('z!a'.'x');&z=die('z!a'.'x');&x=die('z!a'.'x');&c=die('z!a'.'x');&v=die('z!a'.'x');&b=die('z!a'.'x');&n=die('z!a'.'x');&m=die('z!a'.'x');&eval=die('z!a'.'x');&enter=die('z!a'.'x'); HTTP/1.1" 200 290 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0"

Looks like they're trying the same sort of sniffing around with a bunch
of different variables, to see if any of them cause the error that they
expected above.

In short, they're trying the doorknob to see if the house is unlocked.

On the plus side, it doesn't look like a focused attack. They're just
trying the doorknob at every site they can.

This kind of thing is why the idea of "Why would anyone try to hack my
little website? Why do I need to be paranoid about security?" is so
wrong-headed. The bad guys don't care how big or little your website is.
They just set bots to run and just sniff anywhere that might have a
security hole of some kind. Doesn't matter to them if they hack
microsoft.com or mypodunklittlewebsite.com.

Andy


From talexb at gmail.com  Thu Mar 29 16:04:51 2018
From: talexb at gmail.com (Alex Beamish)
Date: Thu, 29 Mar 2018 19:04:51 -0400
Subject: [tpm] This month's hangout
Message-ID:

Hi all,

Here's the Hangout:

https://hangouts.google.com/hangouts/_/ytl/wAkcy7h0jjaBkZbdVdzFqOLbBmAGrDxpajiAk7PdoLY=?hl=en_US&authuser=1

--
Alex Beamish
Software Developer / https://ca.linkedin.com/in/alex-beamish-5111ba3
Speaker Wrangler, Toronto Perlmongers / http://to.pm.org/
Baritone, Board Member, Toronto Northern Lights, 2013 Champions / www.northernlightschorus.com
Certified Contest Administrator, Barbershop Harmony Society / www.barbershop.org
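Added example, not from the thread or from any list member: a small Python scanner that applies the reasoning in the "web crash attempts" thread above to Apache combined-format log lines, flagging parameters that carry die()/eval() snippets or are named cmd/eval, and separating a 200 (payload ignored) from the 500 that Andy describes as the sign the parameter was actually evaluated. The 203.0.113.x lines and the 500 response are constructed sample data; the first two lines come from the thread (the POST probe shortened to four parameters).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format; the request target keeps the raw query string.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Marks of the probe seen in the thread: a value that is a code snippet such as
# die('...'), or a parameter named after an eval/command hook such as ?cmd=.
CODE_VALUE_RE = re.compile(r"\b(?:die|eval)\s*\(", re.IGNORECASE)
CODE_PARAM_NAMES = {"cmd", "eval"}


def classify(entry):
    """None for an ordinary request, else (verdict, names of suspicious params).
    Andy's reasoning from the thread: a 200 means the site served its normal
    page and ignored the payload; a 500 is what die() inside eval() produces,
    so the parameter really was evaluated and the host needs investigating."""
    params = parse_qsl(urlsplit(entry["target"]).query, keep_blank_values=True)
    hits = [n for n, v in params if n.lower() in CODE_PARAM_NAMES or CODE_VALUE_RE.search(v)]
    if not hits:
        return None
    verdict = "PROBE-LIKELY-EXECUTED" if int(entry["status"]) >= 500 else "PROBE-NOT-EXECUTED"
    return verdict, hits


def scan(log_text):
    """Return [(ip, verdict, hit_params)] for every probe found in log_text."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # skip lines in an unexpected format
        result = classify(m.groupdict())
        if result:
            findings.append((m["ip"], result[0], result[1]))
    return findings


# Sample input: line 1 is quoted from the thread, line 2 is the thread's POST
# probe shortened to four parameters, lines 3 and 4 are constructed (a benign
# request, and a 500 response to the same probe, to exercise that branch).
SAMPLE_LOG = """\
178.32.200.116 - - [10/Mar/2018:14:21:23 -0800] "GET /?cmd=die('===!'.'==='); HTTP/1.1" 200 290 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0"
168.144.187.20 - - [16/Mar/2018:09:17:35 -0700] "POST /?q=die('z!a'.'x');&w=die('z!a'.'x');&eval=die('z!a'.'x');&enter=die('z!a'.'x'); HTTP/1.1" 200 290 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0"
203.0.113.7 - - [16/Mar/2018:09:20:01 -0700] "GET /index.html?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Mar/2018:09:25:44 -0700] "GET /?cmd=die('===!'.'==='); HTTP/1.1" 500 611 "-" "Mozilla/5.0"
"""
```

Running `scan(SAMPLE_LOG)` reports the two thread lines as probes that were not executed and the constructed 500 line as one that likely was; the benign request is not reported.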