Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

General Questions /

General questions about getting started with SilverStripe that don't fit in any of the categories above.

Moderators: martimiz, Sean, biapar, Willr, Ingo, swaiba, simon_w

Strange vulnerability scans seen in SilverStripe site logs


Reply


3 Posts   984 Views

Avatar
bhance

Community Member, 2 Posts

12 March 2011 at 3:56pm

Hi all. Sorry but I wasn't sure of the exact forum to post this in but it is basically security-related:

A couple of months ago my SS site began crashing unexpectedly. In looking into the matter, the site stopped loading because all httpd processes were running but 'hung'.

The cause of this httpd 'hanging' turned out to be repeated and systematic GET requests with malformatted URLs - what appears to be a systematic vulnerability probing. I identified some of the GET's being sent in and tested it myself - when called, the URL's error out, but leave a running and unresponsive httpd process. Many of these requests in a row would then take down the site as the number of apache MaxClients was eventually met.

I wound up banning the attacker's IP space (all were out of the Philipines) but I still haven't seen a mention of this specific scan anywhere else, so I wanted to post it here. I'm still unsure if this is targeted at SilverStripe or just general vulnerability scanning, however I have not seen this on *any* of my other (non-SilverStripe) websites that are hosted in close proximity to this site's IP address.

These are some samples - highlighting is mine:

114.108.192.9 - - [20/Dec/2010:02:45:26 -0800] "GET /\xb0 HTTP/1.1" 404 17106 "http://www.(redacted).com/"
114.108.192.8 - - [20/Dec/2010:07:08:11 -0800] "GET /ThingD\xb0etails/Order/197 HTTP/1.1" 404 17239 "http://www.(redacted).com/"
114.108.192.9 - - [20/Dec/2010:07:08:11 -0800] "GET /Thi\xb0ngDetails/Order/63 HTTP/1.1" 404 17234 "http://www.(redacted).com/"
114.108.192.9 - - [20/Dec/2010:07:08:11 -0800] "GET /MyCollection/Ad\xb0dRemoveThing/51 HTTP/1.1" 404 35497 "http://www.(redacted).com/"
114.108.192.12 - - [20/Dec/2010:07:08:12 -0800] "GET /Comparison/AddRemoveThing/19\xb06/Order HTTP/1.1" 200 46 "http://www.(redacted).com/"
111.68.48.182 - - [24/Jan/2011:18:35:41 -0800] "GET /httheig\xb0v\x8e\xb0v\x8eLp://www.REDACTED.com/themes/nnn/js/Hyphenator/Hyphenator.js HTTP/1.1" 404 17564 "http://www.REDACTED.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
111.68.48.182 - - [25/Jan/2011:09:13:05 -0800] "GET /builstaf\xb0*\xd5\xb0*\xd5\xb8d HTTP/1.1" 404 17078 "http://www.REDACTED.com/" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)"

In all of these cases they are taking real, valid, working URLs and inserting characters (\xb0, or \xb0*\xd5) in random locations in the GET. I assume they are trying to force error conditions in order to produce error messages in an attempt to get info from those error messages.

Has anyone else seen this behavior? (a simple: grep -i \\xb0 yoursite_access.log will help you check)

Is this an attack specifically against SilverStripe sites?

Does anyone have any other information about similar kinds of 'malformatted GET' attacks?

(p.s. I posted this elsewhere - [url]http://ask.metafilter.com/173152/Apache-went-boom-Diagnosis[/url]- just to see what folks thought of the attack, but I wanted to run it by the SS community as well and see if this rang any bells with people here.)

-bhance

Avatar
Willr

Forum Moderator, 5513 Posts

12 March 2011 at 5:38pm

FYI you should email any security concerns to security@silverstripe.org. Not sure if this would be related to SilverStripe erroring out simply a configuration issue but they would look into the issue in more depth.

Is this an attack specifically against SilverStripe sites?

No, unless the attackers know of a vulnerability specific to SilverStripe hence why they are attacking that site.

Which version of SS are you running?

Avatar
bhance

Community Member, 2 Posts

12 March 2011 at 7:17pm

Thanks - This was on SS 2.4.3