[tpm] web crash attempts

Andy Lester andy at petdance.com
Tue Mar 27 11:46:51 PDT 2018


> 178.32.200.116 - - [10/Mar/2018:14:21:23 -0800] "GET /?cmd=die('===!'.'==='); HTTP/1.1" 200 290 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0”

Looks like they’re sniffing for web servers that have something set up where /?cmd=x lets you execute x.  If they get back a 500, then they know that the command was tried and died.  Then they know to sniff around some more because /?cmd is now a portal to executing things remotely on that server.


> 168.144.187.20 - - [16/Mar/2018:09:17:35 -0700] "POST /?q=die('z!a'.'x');&w=die('z!a'.'x');&e=die('z!a'.'x');&r=die('z!a'.'x');&t=die('z!a'.'x');&y=die('z!a'.'x');&u=die('z!a'.'x');&i=die('z!a'.'x');&o=die('z!a'.'x');&p=die('z!a'.'x');&a=die('z!a'.'x');&s=die('z!a'.'x');&d=die('z!a'.'x');&f=die('z!a'.'x');&g=die('z!a'.'x');&h=die('z!a'.'x');&j=die('z!a'.'x');&k=die('z!a'.'x');&l=die('z!a'.'x');&z=die('z!a'.'x');&x=die('z!a'.'x');&c=die('z!a'.'x');&v=die('z!a'.'x');&b=die('z!a'.'x');&n=die('z!a'.'x');&m=die('z!a'.'x');&eval=die('z!a'.'x');&enter=die('z!a'.'x'); HTTP/1.1" 200 290 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0”

Looks like they’re trying the same sort of sniffing around with a bunch of different variables, to see if any of them cause the error that they expected above.

In short, they’re trying the doorknob to see if the house is unlocked.  On the plus side, it doesn't look like a focused attack.  They’re just trying the doorknob at every site they can.

This kind of thing is why the idea of “Why would anyone try to hack my little website? Why do I need to be paranoid about security?” is so wrong-headed.  The bad guys don’t care how big or little your website is.  They just set bots to run and just sniff anywhere that might have a security hole of some kind.  Doesn’t matter to them if they hack microsoft.com <http://microsoft.com/> or mypodunklittlewebsite.com <http://mypodunklittlewebsite.com/>.

Andy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.pm.org/pipermail/toronto-pm/attachments/20180327/cb1d1542/attachment.html>


More information about the toronto-pm mailing list