Security Incidents mailing list archives
Re: PHP injection attempt from 200.222.244.154
From: Jez Hancock <jez.hancock () gmail com>
Date: Sun, 5 Dec 2004 00:00:50 +0000
On Mon, 22 Nov 2004 20:09:22 -0600, Kirby Angell <kangell () alertra com> wrote:
Haha... note to self, do not include the actual attack URL in the message. Judging from this referer: Referer: http://gmail.google.com/gmail?view=cv&search=inbox&th=10063111e32eb17b&lvp=-1&cvp=0&zx=18acabd2b173f0d8528652499 I'd say someone got my message from this list and then clicked on the URLs :-)
That's something I noticed - I only started to get injection attempts on some URLs once that URL began to have content about the particular injection technique/vulnerability. For example in one weblog article I discussed the myegallery vulnerability and within a week or so I noticed a massive increase in the number of attacks on that article trying to employ injection techniques to exploit the hole the article talked about! I'd not noticed any search engines in the referer logs, but just presumed this was how the attack was being seeded. Such a waste of bandwidth. I'd thought about doing something similar to KEM Hosting's script above regarding turning tables or automating in some how an abuse complaint procedure. For a while I started to notify the owners of domains that were hosting the injection scripts that they possibly had a problem, but this got tedious quite quickly. Automating the procedure by intercepting the requests for bad URIs and redirecting them to a script that drafts together an abuse report might be interesting and save some time though. -- Jez Hancock - System Administrator / PHP Developer http://munk.nu/ http://freebsd.munk.nu/ - A FreeBSD Diary http://ipfwstats.sf.net/ - ipfw peruser traffic logging
Current thread:
- Re: PHP injection attempt from 200.222.244.154 Jez Hancock (Dec 06)
- Re: PHP injection attempt from 200.222.244.154 Barrie Dempster (Dec 07)
- Re: PHP injection attempt from 200.222.244.154 Jez Hancock (Dec 08)
- Re: PHP injection attempt from 200.222.244.154 Jez Hancock (Dec 09)
- Re: PHP injection attempt from 200.222.244.154 James Eaton-Lee (Dec 17)
- Re: PHP injection attempt from 200.222.244.154 Jez Hancock (Dec 08)
- Re: PHP injection attempt from 200.222.244.154 Barrie Dempster (Dec 07)