Answer the question
In order to leave comments, you need to log in
V
V
Valery Dmitriev2013-01-21 21:38:00
Valery Dmitriev, 2013-01-21 21:38:00
What vulnerability are the bots trying to exploit?
There are a lot of entries in the access.log generated by Nginx that look like this:
80.83.239.83 - - [06/Jan/2013:07:11:06 +0400] "ЪьЪЮ\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00ЪЧ\x00;CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 75" 400 166 "-" "-"
176.100.70.53 - - [07/Jan/2013:20:39:24 +0400] "ЪьЪЮ\x00\x10JFIF\x00\x01\x02\x00\x00d\x00d\x00\x00ЪЛ\x00\x11Ducky\x00\x01\x00\x04\x00\x00\x002\x00\x00ЪН\x00\x0EAdobe\x00dю\x00\x00\x00\x01Ъш\x00└\x00\x08\x06\x06\x06\x06\x06\x08\x06\x06\x08\x0C\x08\x07\x08\x0C\x0E" 400 166 "-" "-"
46.181.9.236 - - [07/Jan/2013:15:20:03 +0400] "ЪьЪА\x00ФExif\x00\x00II*\x00\x08\x00\x00\x00\x05\x00\x12\x01\x03\x00\x01\x00\x00\x00\x01\x00\x00\x001\x01\x02\x00\x1C\x00\x00\x00J\x00\x00\x002\x01\x02\x00\x14\x00\x00\x00f\x00\x00\x00\x13\x02\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00i┤\x04\x00\x01\x00\x00\x00z\x00\x00\x00\x00\x00\x00\x00ACD Systems Digital Imaging\x002009:06:21 20:56:21\x00\x05\x00\x00░\x07\x00\x04\x00\x00\x000220░▓\x02\x00\x03\x00\x00\x0046\x00\x00\x02═\x04\x00\x01\x00\x00\x00╗\x02\x00\x00\x03═\x04\x00\x01\x00\x00\x00я\x01\x00\x00\x05═\x04\x00\x01\x00\x00\x00╪\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x00\x02\x00\x04\x00\x00\x00R98\x00\x02\x00\x07\x00\x04\x00\x00\x000100\x00\x00\x00\x00 Ъю\x00\x11\x08\x01я\x02╗\x03\x01!\x00\x02\x11\x01\x03\x11\x01Ъш\x00└\x00\x03\x02\x02\x02\x02\x01\x03\x02\x02\x02\x03\x03\x03\x03\x04\x07\x04\x04\x04\x04\x04\x09\x06\x06\x05\x07" 400 166 "-" "-"
176.213.180.115 - - [07/Jan/2013:16:27:16 +0400] "ЪьЪЮ\x00\x10JFIF\x00\x01\x01\x01\x00`\x00`\x00\x00Ъш\x00C\x00\x02\x01\x01\x02\x01\x01\x02\x02\x02\x02\x02\x02\x02\x02\x03\x05\x03\x03\x03\x03\x03\x06\x04\x04\x03\x05\x07\x06\x07\x07\x07\x06\x07\x07\x08\x09\x0B\x09\x08\x08" 400 166 "-" "-"
31.135.128.178 - - [08/Jan/2013:14:54:29 +0400] "ЪьЪЮ\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00ЪЧ\x00;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 65" 400 166 "-" "-"
176.194.162.192 - - [21/Dec/2012:23:47:57 +0400] "ЪьЪЮ\x00\x10JFIF\x00\x01\x01\x01\x00H\x00H\x00\x00ЪА:2Exif\x00\x00MM\x00*\x00\x00\x00\x08\x00\x0C\x01\x0E\x00\x02\x00\x00\x00\x01\x00\x00\x00\x00\x01\x0F\x00\x02\x00\x00\x00\x05\x00\x00\x08╙\x01\x10\x00\x02\x00\x00\x00" 400 0 "-" "-"
176.15.36.128 - - [25/Dec/2012:22:08:15 +0400] "ЪьЪЮ\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00Ъш\x00C\x00\x03\x02\x02\x03\x02\x02\x03\x03\x03\x03\x04\x03\x03\x04\x05\x08\x05\x05\x04\x04\x05" 400 0 "-" "-"
37.193.38.5 - - [25/Dec/2012:14:21:11 +0400] "ЪьЪЮ\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00Ъш\x00C\x00\x05\x03\x04\x04\x04\x03\x05\x04\x04\x04\x05\x05\x05\x06\x07\x0C\x08\x07\x07\x07\x07\x0F\x0B\x0B\x09\x0C\x11\x0F\x12\x12\x11\x0F\x11\x11\x13\x16\x1C\x17\x13\x14\x1A\x15\x11\x11\x18!\x18\x1A\x1D\x1D\x1F\x1F\x1F\x13\x17\x22$\x22\x1E$\x1C\x1E\x1F\x1EЪш\x00C\x01\x05\x05\x05\x07\x06\x07\x0E\x08\x08\x0E\x1E\x14\x11\x14\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1EЪю\x00\x11\x08\x01t\x02-\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01Ъд\x00\x1F\x00\x00\x01\x05\x01\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09" 400 0 "-" "-"
Etc.
I understand that bots are trying to find some kind of vulnerability in Nginx (or other web server).
What?
You can look in your logs like this:
cat access.log | grep '" 400' | grep -v '"-" 400 0 "-" "-"' > 400.logSOLVED
These are not bots, but browser glitches.
Thanks to all who answered.
4 answer(s)
@rotor
*.*.*.* is my IP address.
The implementation of sending a file via XMLHttpRequest was implemented as follows:
Here file is an object of type File
I haven't figured it out yet, but it looks like Opera breaks the request body on certain files. And the server perceives one request from it as two invalid requests to one open connection.
Altered the block of sending a file. Did it like this:
Everything worked.
PS valums/file-uploader has already grown to version 3.2 (and even renamed), but as the developer himself writes, he refused to support Opera. So, perhaps this problem is relevant in the current version.
@justeen
@lubezniy
V
Valery Dmitriev, 2013-01-29 @rotor
The answer came unexpectedly. Maybe someone will come in handy, so I'll write it here.
I have an Ajax photo upload form on my site - a slightly modified github.com/valums/file-uploader/ . I installed it when it was still in version 0.x.
A site visitor writes to me - his photos are not uploaded through this form. I find out, the Opera browser. Checked - I have everything loaded. Please send photos. Sent, really does not load.
I got into the logs, I look, and there is this:
*.*.*.* - - [28/Jan/2013:23:06:55 +0400] "яШяа\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00яю\x00;CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 75" 400 0 "-" "-"
*.*.*.* is my IP address.
The implementation of sending a file via XMLHttpRequest was implemented as follows:
xhr. open ( "POST" , queryString , true ) ;
xhr. setRequestHeader ( "X-Requested-With" , "XMLHttpRequest" ) ;
xhr. setRequestHeader ( "X-File-Name" , encodeURIComponent ( name ) ) ;
xhr. setRequestHeader ( "Content-Type" , "application/octet-stream" ) ;
xhr. send ( file ) ;
Here file is an object of type File
I haven't figured it out yet, but it looks like Opera breaks the request body on certain files. And the server perceives one request from it as two invalid requests to one open connection.
Altered the block of sending a file. Did it like this:
xhr. open ( "POST" , queryString , true ) ;
xhr. setRequestHeader ( "X-Requested-With" , "XMLHttpRequest" ) ;
if ( typeof FormData != 'undefined' ) {
var formData = new FormData ( ) ;
formData. append ( 'imgfile' , file ) ;
file = formData ;
} else {
xhr. setRequestHeader ( "Content-Type" , "application/octet-stream" ) ;
xhr. setRequestHeader ( "X-File-Name" , encodeURIComponent ( name ) ) ;
if ( typeof file. type != 'undefined' && file. type . length ) {
xhr. setRequestHeader ( "X-Mime-Type" , file. type ) ;
}
xhr. setRequestHeader( "Cache-Control" , "no-cache" ) ;
}
xhr. send ( file ) ;
Everything worked.
PS valums/file-uploader has already grown to version 3.2 (and even renamed), but as the developer himself writes, he refused to support Opera. So, perhaps this problem is relevant in the current version.
J
justeen, 2013-01-22 @justeen
Of course this is just a guess. They are trying to upload a file to you that is disguised as an image, but contains scripts. If it manages to be uploaded to you and executed, PROFIT awaits the attackers.
L
lubezniy, 2013-01-21 @lubezniy
Perhaps this is not a search for a vulnerability, but simply a port scan for the presence of aliens of some other service (not HTTP).
Similar questions
N
K
L
D
W
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question