What is this apparent attack trying to do


SUBMITTED BY: Guest

DATE: Nov. 1, 2019, 8:52 a.m.

Cannot decode these.
This is what my (nginx) access log looks like:
++++++++++++++
+++++++++++++++
5.122.140.143 - - [02/Aug/2019:17:56:52 +0000] "\x5CP\xFE\xC5\x97\x9D\x9DA\x19c\x9011ms\xCB\xCFI\x8E\x08\xD7R\x1Cf\x1Cr\xD9\x11_\xE9\x7F\x0F\x86\x18\xB5\xDC\xAB\xA0\xAF\x103o\x22\x97\x12GC\xE8\x9E(e\x06\x0Fk\xB2\x94 \xDA\x7F\x14$|q\xA6\xE2\xDBT&\xAC\xDB\xB5\xB6}\xB2\xE0\x9F\xD4\x96?\xA2\x0C,V\xD7\xB8.u\xBD\x0CG\xA2zs=C)\xC87=|\xC2_7\x13\xB6\xB3GF\xCF&\x5C\x02rp\xA9Q\xC7.\xFC0*9\xEA\x80Z\x18\x99\xFF\x1E\xA9w1;\x10I\x9Dc7\x02<\x82\xD0\x12\x93\xC0\xD0D\xB9\x1Fh\xE7<^\xD0\x12\xDA\x08H\x8A=w1\x12\xCF<n\xDE\x93\x9D\xF8#\xDE\x89Nq\x0F\x1CO\xC7{\xFF\xCBt\x8A\xB3OpCe\xD9\x0CEt#L\x93N\xC5\xDC\xDAM\xA2\xCD\xC9\xFB\xA5\xDC\xC9_j\x01\xBD\xD6D\xCF+\xC9V-\xF9K*\x05\xF6*\xEE\x14?\x08N^-\xB2\xFF\xE3\x9D\xD9<XI\xF9\xDE\xA2\x9D`\x9Ei\xDA\xE4\xBE7\x13Z\x9E\x1B\x1F\x82\xADJ\xA8\xB5\x14G\xD6\xAC\x883\x1CF\x91\x22\x8C\xEC@" 400 173 "-" "-"
5.252.196.173 - - [02/Aug/2019:17:56:52 +0000] "o\xE4\xCE\xC63svz\x07m\xAF\xBB\x1A\x1E\xA3Y3\xAB\xE4\x91\xDDL\x07B\xF1\xE8\xFA" 400 173 "-" "-"
and lots more.
I am also getting
SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long)
from some of the same client IPs.
Does anyone know what this is trying to do?
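The request field in an nginx access log is escaped: any byte outside printable ASCII, plus the quote and backslash characters, is written as \xHH. The following is an added example (not code from the original post) that reverses that escaping and characterises what the client actually sent, so a line like the ones above can be examined as raw bytes rather than guessed at. The first sample line is the shorter of the two real lines quoted above; the other two are constructed. Three labels are produced: a well-formed HTTP request line, a TLS record (first bytes 0x16 0x03, which is what a TLS client looks like when it hits a plaintext port), and everything else split by how much of it is printable. As a related caveat, the ssl3_get_record "packet length too long" error quoted above is what OpenSSL reports when bytes that are not a TLS record arrive at a TLS port, so the two symptoms are consistent with the same clients sending non-HTTP, non-TLS data to both listeners.

```python
import math
import re

# Sample access-log lines. The first is the second request logged in the post
# above; the other two are constructed (RFC 5737 documentation addresses).
SAMPLE_LINES = [
    r'5.252.196.173 - - [02/Aug/2019:17:56:52 +0000] "o\xE4\xCE\xC63svz\x07m\xAF\xBB\x1A\x1E\xA3Y3\xAB\xE4\x91\xDDL\x07B\xF1\xE8\xFA" 400 173 "-" "-"',
    # constructed: an ordinary request
    r'198.51.100.7 - - [02/Aug/2019:17:57:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    # constructed: the start of a TLS ClientHello record sent to the plaintext port
    r'203.0.113.9 - - [02/Aug/2019:17:57:05 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03" 400 173 "-" "-"',
]

# nginx "combined" format. The request field never contains a raw '"' because
# nginx escapes it as \x22, so [^"]* is safe there.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
METHOD_RE = re.compile(
    rb'^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE) \S+ HTTP/\d\.\d$'
)


def unescape_nginx(field: str) -> bytes:
    """Turn nginx's \\xHH escapes back into the raw bytes the client sent."""
    return re.sub(rb'\\x([0-9A-Fa-f]{2})',
                  lambda m: bytes([int(m.group(1), 16)]),
                  field.encode('latin-1'))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive text, approaching 8 for random bytes."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes in the printable ASCII range 0x20..0x7E."""
    return sum(0x20 <= b <= 0x7E for b in data) / len(data) if data else 0.0


def classify_request(raw: bytes) -> str:
    """Rough label for the first line a client sent to the HTTP listener."""
    if METHOD_RE.match(raw):
        return 'http'
    # TLS record header: content type 0x16 (handshake), version major 0x03.
    if raw[:2] == b'\x16\x03':
        return 'tls-record'
    if printable_ratio(raw) < 0.6:
        return 'opaque-binary'
    return 'malformed-text'


def analyse(line: str) -> dict:
    """Parse one access-log line and describe the decoded request bytes."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError('not a combined-format access log line')
    raw = unescape_nginx(m.group('request'))
    return {
        'ip': m.group('ip'),
        'status': int(m.group('status')),
        'length': len(raw),
        'entropy': round(shannon_entropy(raw), 2),
        'printable': round(printable_ratio(raw), 2),
        'kind': classify_request(raw),
    }


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        print(analyse(line))
```

Run against the real line, the decoder yields 27 bytes with no HTTP method, roughly a third of them printable and entropy above 4.5 bits per byte for such a short sample, which is why it does not decode to anything readable. The labels are heuristics for triage, not an identification of a specific tool.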
Most likely up to no good ... check the IP and it resolves to a known bad actor nation state.
Does anyone know what this is trying to do?
Something evil, but the 400 response in the logs suggests that not only is it not succeeding, it's not even formulating the attempt correctly. (Notice how the request jumps right in without specifying a method, unless you cut that part.)
In general, the \x blabla represents obfuscated text, but in this case the bits after the \x read like pure gibberish. I suspect a second- or third-hand script that's been encoded and decoded too many times ever to make sense.
Good suggestion @tangor. All IPs checked so far are Iranian. Site is hosted in the UK so, given recent events, probably a random attack on UK IPs.
Site is for internal use so I have shut it down for the night.
@lucy, that would explain why my attempts to decode it have failed.
Attempt at a buffer overflow exploit.
These days my USA sites have been hammered by Chinese and Russian Federation states. Consequently I have embarked on complete country denials, EXCEPT for those IPs I know to be good (or clients).
We live in interesting times.
I was thinking of doing a country whitelist. I will probably have to move to a blacklist later, but at the moment a whitelist will do. An IP whitelist would almost do, except for dynamic (especially mobile network) IPs.
That is not done yet. As a stopgap I have added a fail2ban filter and jail using the nginx access log (I had to write them, but really just adapted them from existing filters).
I am getting SSH brute-force attacks from China. Again, using fail2ban for now; will probably use port knocking in the future.
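The poster's fail2ban filter is not shown. What follows is an added example, not the poster's files, of a filter and jail that would do the job described (hypothetical file and jail names), plus a small Python harness that emulates how fail2ban applies a failregex so the rule can be checked against sample lines before it is deployed. Two details matter for the filter: fail2ban cuts the matched timestamp out of the line before applying failregex, which is why the stock nginx access-log filters write `\[\]` where the date was; and a plain 400 is not ban-worthy on its own (browsers and broken clients produce them), so the negative lookahead keys on the request field not starting with an HTTP method, exactly the shape of the lines in the original post. The sample log is constructed (the opaque request fields are shortened from the thread's own lines; the other addresses are RFC 5737 documentation addresses).

```python
import re
from collections import Counter

# Filter and jail as they would be written for fail2ban. File and jail names
# are hypothetical; this is an added example, not the poster's configuration.
FILTER_CONF = r'''
# /etc/fail2ban/filter.d/nginx-garbage-400.conf  (hypothetical path)
[Definition]
failregex = ^<HOST> - \S+ \[\] "(?!(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE) )[^"]*" 400 \d+ "[^"]*" "[^"]*"$
ignoreregex =
'''

JAIL_CONF = '''
# /etc/fail2ban/jail.d/nginx-garbage-400.conf  (hypothetical path)
[nginx-garbage-400]
enabled  = true
port     = http,https
filter   = nginx-garbage-400
logpath  = /var/log/nginx/access.log
maxretry = 3
findtime = 600
bantime  = 86400
'''

# Pull the failregex out of the filter text so the harness tests the same
# pattern that would be installed.
FAILREGEX = re.search(r'^failregex = (.*)$', FILTER_CONF, re.M).group(1)

# Simplified emulation of fail2ban: <HOST> is expanded to an IPv4 pattern
# (fail2ban's own expansion also covers IPv6 and hostnames), and the
# bracketed timestamp is replaced by "[]" before matching.
_HOST = r'(?P<host>(?:\d{1,3}\.){3}\d{1,3})'
_COMPILED = re.compile(FAILREGEX.replace('<HOST>', _HOST))
_DATE = re.compile(r'\[[^\]]*\]')


def failregex_host(line: str):
    """Return the offending IP if the line matches the filter, else None."""
    stripped = _DATE.sub('[]', line, count=1)
    m = _COMPILED.match(stripped)
    return m.group('host') if m else None


def offenders(lines, maxretry=3):
    """IPs that would be banned: at least maxretry matching lines (findtime ignored)."""
    hits = Counter(h for h in map(failregex_host, lines) if h)
    return {ip for ip, n in hits.items() if n >= maxretry}


# Constructed sample log: three opaque probes from one address, one normal
# request, and one 400 caused by a well-formed but bad request from a browser.
SAMPLE_LOG = [
    r'5.252.196.173 - - [02/Aug/2019:17:56:52 +0000] "o\xE4\xCE\xC63svz\x07m\xAF" 400 173 "-" "-"',
    r'5.252.196.173 - - [02/Aug/2019:17:56:53 +0000] "\x16\x03\x01\x02\x00\x01" 400 173 "-" "-"',
    r'5.252.196.173 - - [02/Aug/2019:17:56:55 +0000] "\x5CP\xFE\xC5\x97" 400 173 "-" "-"',
    r'198.51.100.7 - - [02/Aug/2019:17:57:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    r'198.51.100.7 - - [02/Aug/2019:17:57:02 +0000] "GET /bad%%path HTTP/1.1" 400 173 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    print(offenders(SAMPLE_LOG))
```

Once the filter is installed, the real check is `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-garbage-400.conf`, which reports how many lines matched and which did not; the harness above only confirms the pattern's intent on known input.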
I was able to reduce my Deny list by about half simply by excluding one Accept-Language header. (The obvious one.) Some day, robots will get smart and start lying plausibly, in the same way that everyone now claims to be Mozilla, but so far they don't. Mwa ha ha.
I do agree with Lucy. The Accept-Language header has done wonders for me, and I hope that this will continue. I continue to seek any and all silver bullets, as you can't have too many. There are some legit bots that are a bit sloppy, so I poke holes for them, if they are nice, well behaved and useful.
As I am fluent in Chinese and welcome Chinese search engines, I have an interest in learning about Chinese bots, their activity and tactics. Alas, my learnings are scant. Some Chinese bots use romanized Chinese words such as "Huang" or emperor, for example, but these are rare.
The number of truly beneficial bots can be counted on one hand these days. Even so, I do make an attempt to see if there is any value before I nuke 'em. :)
More concerned with the hackers and hijackers ... and in that regard it just makes more sense to take out geo locations, as few (as Dire Straits once sang, "speaka my language") would have any interest in the content of the site ... seeking a blast/spam thing instead.
You can toughen up .htaccess, generic example...
### MALFORMED PARAMETERS
# Apache mod_rewrite: return 403 for requests whose query string carries common injection markers.
RewriteEngine On
# base64_encode / base64_decode in a parameter (PHP code injection attempts)
RewriteCond %{QUERY_STRING} base64_(en|de)code [OR]
# <script ...> tags, including URL-encoded angle brackets (XSS attempts), case-insensitive
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# attempts to set PHP's GLOBALS or _REQUEST arrays via the query string
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* - [F]