What vulnerability are the bots trying to exploit?
There are a lot of entries in the access.log generated by Nginx that look like this:
80.83.239.83 - - [06/Jan/2013:07:11:06 +0400] "ЪьЪЮ\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00ЪЧ\x00;CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 75" 400 166 "-" "-"
176.100.70.53 - - [07/Jan/2013:20:39:24 +0400] "ЪьЪЮ\x00\x10JFIF\x00\x01\x02\x00\x00d\x00d\x00\x00ЪЛ\x00\x11Ducky\x00\x01\x00\x04\x00\x00\x002\x00\x00ЪН\x00\x0EAdobe\x00dю\x00\x00\x00\x01Ъш\x00└\x00\x08\x06\x06\x06\x06\x06\x08\x06\x06\x08\x0C\x08\x07\x08\x0C\x0E" 400 166 "-" "-"
46.181.9.236 - - [07/Jan/2013:15:20:03 +0400] "ЪьЪА\x00ФExif\x00\x00II*\x00\x08\x00\x00\x00\x05\x00\x12\x01\x03\x00\x01\x00\x00\x00\x01\x00\x00\x001\x01\x02\x00\x1C\x00\x00\x00J\x00\x00\x002\x01\x02\x00\x14\x00\x00\x00f\x00\x00\x00\x13\x02\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00i┤\x04\x00\x01\x00\x00\x00z\x00\x00\x00\x00\x00\x00\x00ACD Systems Digital Imaging\x002009:06:21 20:56:21\x00\x05\x00\x00░\x07\x00\x04\x00\x00\x000220░▓\x02\x00\x03\x00\x00\x0046\x00\x00\x02═\x04\x00\x01\x00\x00\x00╗\x02\x00\x00\x03═\x04\x00\x01\x00\x00\x00я\x01\x00\x00\x05═\x04\x00\x01\x00\x00\x00╪\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x00\x02\x00\x04\x00\x00\x00R98\x00\x02\x00\x07\x00\x04\x00\x00\x000100\x00\x00\x00\x00 Ъю\x00\x11\x08\x01я\x02╗\x03\x01!\x00\x02\x11\x01\x03\x11\x01Ъш\x00└\x00\x03\x02\x02\x02\x02\x01\x03\x02\x02\x02\x03\x03\x03\x03\x04\x07\x04\x04\x04\x04\x04\x09\x06\x06\x05\x07" 400 166 "-" "-"
176.213.180.115 - - [07/Jan/2013:16:27:16 +0400] "ЪьЪЮ\x00\x10JFIF\x00\x01\x01\x01\x00`\x00`\x00\x00Ъш\x00C\x00\x02\x01\x01\x02\x01\x01\x02\x02\x02\x02\x02\x02\x02\x02\x03\x05\x03\x03\x03\x03\x03\x06\x04\x04\x03\x05\x07\x06\x07\x07\x07\x06\x07\x07\x08\x09\x0B\x09\x08\x08" 400 166 "-" "-"
31.135.128.178 - - [08/Jan/2013:14:54:29 +0400] "ЪьЪЮ\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00ЪЧ\x00;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 65" 400 166 "-" "-"
176.194.162.192 - - [21/Dec/2012:23:47:57 +0400] "ЪьЪЮ\x00\x10JFIF\x00\x01\x01\x01\x00H\x00H\x00\x00ЪА:2Exif\x00\x00MM\x00*\x00\x00\x00\x08\x00\x0C\x01\x0E\x00\x02\x00\x00\x00\x01\x00\x00\x00\x00\x01\x0F\x00\x02\x00\x00\x00\x05\x00\x00\x08╙\x01\x10\x00\x02\x00\x00\x00" 400 0 "-" "-"
176.15.36.128 - - [25/Dec/2012:22:08:15 +0400] "ЪьЪЮ\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00Ъш\x00C\x00\x03\x02\x02\x03\x02\x02\x03\x03\x03\x03\x04\x03\x03\x04\x05\x08\x05\x05\x04\x04\x05" 400 0 "-" "-"
37.193.38.5 - - [25/Dec/2012:14:21:11 +0400] "ЪьЪЮ\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00Ъш\x00C\x00\x05\x03\x04\x04\x04\x03\x05\x04\x04\x04\x05\x05\x05\x06\x07\x0C\x08\x07\x07\x07\x07\x0F\x0B\x0B\x09\x0C\x11\x0F\x12\x12\x11\x0F\x11\x11\x13\x16\x1C\x17\x13\x14\x1A\x15\x11\x11\x18!\x18\x1A\x1D\x1D\x1F\x1F\x1F\x13\x17\x22$\x22\x1E$\x1C\x1E\x1F\x1EЪш\x00C\x01\x05\x05\x05\x07\x06\x07\x0E\x08\x08\x0E\x1E\x14\x11\x14\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1EЪю\x00\x11\x08\x01t\x02-\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01Ъд\x00\x1F\x00\x00\x01\x05\x01\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09" 400 0 "-" "-"
grep '" 400' access.log | grep -v '"-" 400 0 "-" "-"' > 400.log
The answer came unexpectedly. Maybe it will be useful to someone, so I'll write it here.
I have an Ajax photo upload form on my site - a slightly modified github.com/valums/file-uploader/ . I installed it when it was still at version 0.x.
A site visitor writes to me that his photos are not being uploaded through this form. I find out that he uses the Opera browser. I checked: for me everything uploads. I asked him to send me the photos. He sent them, and indeed they do not upload.
I went into the logs, had a look, and there it was:
*.*.*.* - - [28/Jan/2013:23:06:55 +0400] "яШяа\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00яю\x00;CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 75" 400 0 "-" "-"
// original upload code: the file is sent as a raw octet-stream body with custom headers
xhr.open("POST", queryString, true);
xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
xhr.setRequestHeader("X-File-Name", encodeURIComponent(name));
xhr.setRequestHeader("Content-Type", "application/octet-stream");
xhr.send(file);
// replacement: send the file as multipart FormData where the browser supports it,
// and fall back to the raw octet-stream body with custom headers otherwise
xhr.open("POST", queryString, true);
xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
if (typeof FormData != 'undefined') {
    var formData = new FormData();
    formData.append('imgfile', file);
    file = formData;
} else {
    xhr.setRequestHeader("Content-Type", "application/octet-stream");
    xhr.setRequestHeader("X-File-Name", encodeURIComponent(name));
    if (typeof file.type != 'undefined' && file.type.length) {
        xhr.setRequestHeader("X-Mime-Type", file.type);
    }
    xhr.setRequestHeader("Cache-Control", "no-cache");
}
xhr.send(file);
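As an added example (not code from the original question or answer), a small Python triage script that parses nginx combined-format lines and separates 400s caused by raw JPEG bytes arriving where the HTTP request line should be, as in the Opera case above, from empty connections and genuinely malformed HTTP requests. The sample log lines are constructed; the JPEG prefix is written the way nginx escapes it (\xFF\xD8) rather than as the mojibake shown in the question.

```python
import re
from collections import Counter

# nginx combined format; the request field is matched greedily because nginx
# escapes quotes and control bytes inside it as \xNN, never as a bare quote.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>.*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "[^"]*" "[^"]*"$')
HTTP_METHOD_RE = re.compile(r'^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) ')

def parse_line(line):
    m = LOG_RE.match(line.rstrip("\n"))
    return None if m is None else {**m.groupdict(), "status": int(m["status"])}

def looks_like_jpeg(request):
    # The "request line" is really the start of a JPEG file: SOI marker
    # (FF D8, escaped by nginx as \xFF\xD8) or a JFIF/Exif segment up front.
    head = request[:64]
    return (request.startswith("\\xFF\\xD8")
            or "JFIF\\x00" in head or "Exif\\x00" in head)

def classify(entry):
    """Label a 400 entry by what the client actually sent."""
    if entry["status"] != 400:
        return "not-400"
    req = entry["request"]
    if req in ("", "-"):
        return "empty-request"    # connection opened, no request line at all
    if HTTP_METHOD_RE.match(req):
        return "malformed-http"   # real HTTP, rejected for another reason
    if looks_like_jpeg(req):
        return "raw-jpeg-body"    # file bytes where the request line belongs
    return "non-http-bytes"

def summarize(lines):
    # Returns (count per class, count of raw-JPEG entries per client IP).
    by_class, by_ip = Counter(), Counter()
    for entry in filter(None, map(parse_line, lines)):
        kind = classify(entry)
        by_class[kind] += 1
        if kind == "raw-jpeg-body":
            by_ip[entry["ip"]] += 1
    return by_class, by_ip

# Constructed sample lines (not from the original post).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Jan/2013:07:11:06 +0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jan/2013:07:12:00 +0400] "\\xFF\\xD8\\xFF\\xE0\\x00\\x10JFIF\\x00\\x01\\x01\\x00\\x00" 400 166 "-" "-"',
    '203.0.113.7 - - [07/Jan/2013:15:20:03 +0400] "\\xFF\\xD8\\xFF\\xE1\\x00\\x14Exif\\x00\\x00II*\\x00" 400 166 "-" "-"',
    '198.51.100.9 - - [07/Jan/2013:16:27:16 +0400] "-" 400 0 "-" "-"',
    '198.51.100.10 - - [07/Jan/2013:16:30:00 +0400] "GET /\\x22x HTTP/1.1" 400 166 "-" "curl/7.2"',
]
```

Clients that show up only under raw-jpeg-body, with no other traffic, are most likely real users with a broken upload path rather than scanners, which is exactly what the log in the answer turned out to be.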
Of course, this is just a guess. They are trying to upload a file to you that is disguised as an image but contains scripts. If it manages to get uploaded and executed, PROFIT awaits the attackers.
Perhaps this is not a search for a vulnerability, but simply a port scan for the presence of some other service (not HTTP).