
Strange vulnerability scans seen in SilverStripe site logs

3 Posts   1436 Views

bhance

Community Member, 2 Posts

12 March 2011 at 3:56pm

Hi all. Sorry but I wasn't sure of the exact forum to post this in but it is basically security-related:

A couple of months ago my SS site began crashing unexpectedly. In looking into the matter, the site stopped loading because all httpd processes were running but 'hung'.

The cause of this httpd 'hanging' turned out to be repeated and systematic GET requests with malformatted URLs - what appears to be a systematic vulnerability probing. I identified some of the GETs being sent in and tested it myself - when called, the URLs error out, but leave a running and unresponsive httpd process. Many of these requests in a row would then take down the site as the number of apache MaxClients was eventually met.

I wound up banning the attacker's IP space (all were out of the Philippines) but I still haven't seen a mention of this specific scan anywhere else, so I wanted to post it here. I'm still unsure if this is targeted at SilverStripe or just general vulnerability scanning, however I have not seen this on *any* of my other (non-SilverStripe) websites that are hosted in close proximity to this site's IP address.

These are some samples - highlighting is mine:

114.108.192.9 - - [20/Dec/2010:02:45:26 -0800] "GET /\xb0 HTTP/1.1" 404 17106 "http://www.(redacted).com/"
114.108.192.8 - - [20/Dec/2010:07:08:11 -0800] "GET /ThingD\xb0etails/Order/197 HTTP/1.1" 404 17239 "http://www.(redacted).com/"
114.108.192.9 - - [20/Dec/2010:07:08:11 -0800] "GET /Thi\xb0ngDetails/Order/63 HTTP/1.1" 404 17234 "http://www.(redacted).com/"
114.108.192.9 - - [20/Dec/2010:07:08:11 -0800] "GET /MyCollection/Ad\xb0dRemoveThing/51 HTTP/1.1" 404 35497 "http://www.(redacted).com/"
114.108.192.12 - - [20/Dec/2010:07:08:12 -0800] "GET /Comparison/AddRemoveThing/19\xb06/Order HTTP/1.1" 200 46 "http://www.(redacted).com/"
111.68.48.182 - - [24/Jan/2011:18:35:41 -0800] "GET /httheig\xb0v\x8e\xb0v\x8eLp://www.REDACTED.com/themes/nnn/js/Hyphenator/Hyphenator.js HTTP/1.1" 404 17564 "http://www.REDACTED.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
111.68.48.182 - - [25/Jan/2011:09:13:05 -0800] "GET /builstaf\xb0*\xd5\xb0*\xd5\xb8d HTTP/1.1" 404 17078 "http://www.REDACTED.com/" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)"

In all of these cases they are taking real, valid, working URLs and inserting characters (\xb0, or \xb0*\xd5) in random locations in the GET. I assume they are trying to force error conditions in order to produce error messages in an attempt to get info from those error messages.

Has anyone else seen this behavior? (a simple: grep -i \\xb0 yoursite_access.log will help you check)

Is this an attack specifically against SilverStripe sites?

Does anyone have any other information about similar kinds of 'malformatted GET' attacks?

(p.s. I posted this elsewhere - http://ask.metafilter.com/173152/Apache-went-boom-Diagnosis- just to see what folks thought of the attack, but I wanted to run it by the SS community as well and see if this rang any bells with people here.)

-bhance
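A log check along the lines of the grep in the post above, added here as an example and not code from the thread or from SilverStripe. It parses Apache combined-format lines, flags request paths containing the \xNN escapes Apache writes for bytes of 0x80 and above, and counts hits per source IP so a burst like the one described stands out; the sample lines, IPs and hostnames are constructed placeholders modelled on the quoted entries.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined-log format, modelled on the
# entries quoted in the post; IPs, hosts and paths are placeholders.
SAMPLE_LOG = r'''
198.51.100.9 - - [20/Dec/2010:02:45:26 -0800] "GET /\xb0 HTTP/1.1" 404 17106 "http://www.example.com/" "-"
198.51.100.8 - - [20/Dec/2010:07:08:11 -0800] "GET /ThingD\xb0etails/Order/197 HTTP/1.1" 404 17239 "http://www.example.com/" "-"
198.51.100.9 - - [20/Dec/2010:07:08:12 -0800] "GET /Comparison/AddRemoveThing/19\xb06/Order HTTP/1.1" 200 46 "http://www.example.com/" "-"
203.0.113.182 - - [25/Jan/2011:09:13:05 -0800] "GET /builstaf\xb0*\xd5\xb0*\xd5\xb8d HTTP/1.1" 404 17078 "http://www.example.com/" "Mozilla/4.0"
192.0.2.7 - - [25/Jan/2011:09:14:00 -0800] "GET /ThingDetails/Order/197 HTTP/1.1" 200 17239 "http://www.example.com/" "Mozilla/5.0"
'''.strip().splitlines()

# The leading fields of a combined-format entry, up to the status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})')
# Apache logs any request byte >= 0x80 as the four characters \xNN, so a
# literal backslash-x followed by a high hex digit marks a non-ASCII byte.
HIGH_BYTE_RE = re.compile(r'\\x[89a-fA-F][0-9a-fA-F]')

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def high_bytes(path):
    """List the escaped high bytes (e.g. '\\xb0', '\\xd5') found in a request path."""
    return HIGH_BYTE_RE.findall(path)

def suspicious_requests(lines):
    """Entries whose request path carries raw high bytes, as (ip, path, bytes)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        found = high_bytes(rec['path'])
        if found:
            hits.append((rec['ip'], rec['path'], found))
    return hits

def offenders(lines, threshold=2):
    """Source IPs with at least `threshold` such requests, most active first."""
    counts = Counter(ip for ip, _, _ in suspicious_requests(lines))
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

if __name__ == '__main__':
    for ip, path, found in suspicious_requests(SAMPLE_LOG):
        print(f'{ip:16} {len(found)} high byte(s) in {path}')
    print('offenders:', offenders(SAMPLE_LOG))
```

Feed it real lines with `suspicious_requests(open('access.log'))`; a 200 response with a high byte in the path (the third sample) is worth a look as much as the 404s, since a handler accepted the mangled input.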

Willr

Forum Moderator, 5523 Posts

12 March 2011 at 5:38pm

FYI you should email any security concerns to security@silverstripe.org. Not sure if this would be related to SilverStripe erroring out or simply a configuration issue, but they would look into the issue in more depth.

Is this an attack specifically against SilverStripe sites?

No, unless the attackers know of a vulnerability specific to SilverStripe hence why they are attacking that site.

Which version of SS are you running?

bhance

Community Member, 2 Posts

12 March 2011 at 7:17pm

Thanks - This was on SS 2.4.3