Continuing attack attempts against SMF

Posted by mutex on August 25, 2008, 08:29:12 pm

I see this in my logs ALL the time:
Quote
78.157.143.202 - - [25/Aug/2008:19:42:21 -0400] "GET /freshwater-discussions/using-pleco%2527s-for-bio-fuel/ HTTP/1.0" 404 - "http://www.fishforu.ms/freshwater-discussions/using-pleco%2527s-for-bio-fuel/" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20051102 Firefox/1.6a1"
78.157.143.202 - - [25/Aug/2008:19:42:23 -0400] "GET / HTTP/1.0" 200 28226 "http://www.fishforu.ms/" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20051102 Firefox/1.6a1"
78.157.143.202 - - [25/Aug/2008:19:42:24 -0400] "GET /freshwater-discussions/?PHPSESSID=4f86fc23f0923eeee68716374c97be22 HTTP/1.0" 200 53012 "http://www.fishforu.ms/freshwater-discussions/?PHPSESSID=4f86fc23f0923eeee68716374c97be22" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20051102 Firefox/1.6a1"
78.157.143.202 - - [25/Aug/2008:19:42:26 -0400] "GET /freshwater-discussions/20/ HTTP/1.0" 200 37510 "http://www.fishforu.ms/freshwater-discussions/20/" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20051102 Firefox/1.6a1"
78.157.143.202 - - [25/Aug/2008:19:42:27 -0400] "GET /freshwater-discussions/how-to-change-the-ph-of-my-water/ HTTP/1.0" 200 31457 "http://www.fishforu.ms/freshwater-discussions/how-to-change-the-ph-of-my-water/" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20051102 Firefox/1.6a1"
78.157.143.202 - - [25/Aug/2008:19:42:28 -0400] "POST /freshwater-discussions/how-to-change-the-ph-of-my-water/?action=quickmod2 HTTP/1.0" 302 - "http://www.fishforu.ms/freshwater-discussions/how-to-change-the-ph-of-my-water/" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20051102 Firefox/1.6a1"
78.157.143.202 - - [25/Aug/2008:19:42:28 -0400] "GET /freshwater-discussions/how-to-change-the-ph-of-my-water/ HTTP/1.0" 200 31458 "http://www.fishforu.ms/freshwater-discussions/how-to-change-the-ph-of-my-water/" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20051102 Firefox/1.6a1"

The notable feature in this attack is that the first request has a referrer set to the same page that is being retrieved. I have not been able to determine if that is significant to the attack attempt. I really cannot see how it would be, but it is hard to say for sure.

The actual attack attempt happens on this line:
78.157.143.202 - - [25/Aug/2008:19:42:28 -0400] "POST /freshwater-discussions/how-to-change-the-ph-of-my-water/?action=quickmod2 HTTP/1.0" 302 - "http://www.fishforu.ms/freshwat

I have not had a chance to run packet captures to see the contents of the POST packet(s). I suspect it must be stuffed with all manner of fun stuff. suhosin does not flag any of these hits. I believe this is an attempted exploit of an old SMF vulnerability.
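The two log features the post points at (a first request whose Referer is the very URL being fetched, followed by a POST to ?action=quickmod2) can be picked out of an Apache combined log automatically. The following is an added example, not code from the post or from SMF; the sample log lines, the client IPs and the host name www.example.com are constructed for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Apache "combined" format, which is what the lines in the post use.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one client that shows the pattern, one normal visitor.
SAMPLE = """\
203.0.113.7 - - [25/Aug/2008:19:42:21 -0400] "GET /board/topic-one/ HTTP/1.0" 404 - "http://www.example.com/board/topic-one/" "Mozilla/5.0 (constructed)"
203.0.113.7 - - [25/Aug/2008:19:42:27 -0400] "GET /board/topic-two/ HTTP/1.0" 200 31457 "http://www.example.com/board/topic-two/" "Mozilla/5.0 (constructed)"
203.0.113.7 - - [25/Aug/2008:19:42:28 -0400] "POST /board/topic-two/?action=quickmod2 HTTP/1.0" 302 - "http://www.example.com/board/topic-two/" "Mozilla/5.0 (constructed)"
198.51.100.4 - - [25/Aug/2008:19:43:02 -0400] "GET /board/topic-two/ HTTP/1.0" 200 31457 "http://www.example.com/board/" "Mozilla/5.0 (constructed)"
""".splitlines()


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def self_referred(rec, host):
    """True when the Referer names exactly the URL being requested on our host."""
    ref = urlparse(rec["referer"])
    ref_path = ref.path + ("?" + ref.query if ref.query else "")
    return ref.netloc == host and ref_path == rec["path"]


def is_quickmod_post(rec):
    """True for a POST whose query string carries action=quickmod2."""
    query = parse_qs(urlparse(rec["path"]).query)
    return rec["method"] == "POST" and query.get("action") == ["quickmod2"]


def find_quickmod_probes(lines, host):
    """Group records by client IP; report IPs that POST to quickmod2, noting
    whether their first request carried the self-referencing Referer."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    findings = []
    for ip, recs in by_ip.items():
        posts = [r for r in recs if is_quickmod_post(r)]
        if posts:
            findings.append({"ip": ip,
                             "self_referred_first": self_referred(recs[0], host),
                             "quickmod_posts": [r["path"] for r in posts],
                             "post_statuses": [r["status"] for r in posts]})
    return findings
```

Feeding a real access log through `find_quickmod_probes` gives one finding per client that issued the quickmod2 POST, so a 302 in `post_statuses` next to `self_referred_first` being True is the sequence the post describes.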