  • bhance
    Community Member
    2 Posts

    Strange vulnerability scans seen in SilverStripe site logs

    Hi all. Sorry but I wasn't sure of the exact forum to post this in but it is basically security-related:

    A couple of months ago my SS site began crashing unexpectedly. In looking into the matter, the site stopped loading because all httpd processes were running but 'hung'.

    The cause of this httpd 'hanging' turned out to be repeated and systematic GET requests with malformatted URLs - what appears to be a systematic vulnerability probing. I identified some of the GETs being sent in and tested it myself - when called, the URLs error out, but leave a running and unresponsive httpd process. Many of these requests in a row would then take down the site as the number of Apache MaxClients was eventually met.

    I wound up banning the attacker's IP space (all were out of the Philippines) but I still haven't seen a mention of this specific scan anywhere else, so I wanted to post it here. I'm still unsure if this is targeted at SilverStripe or just general vulnerability scanning, however I have not seen this on *any* of my other (non-SilverStripe) websites that are hosted in close proximity to this site's IP address.

    These are some samples - highlighting is mine:

    114.108.192.9 - - [20/Dec/2010:02:45:26 -0800] "GET /\xb0 HTTP/1.1" 404 17106 "http://www.(redacted).com/"
    114.108.192.8 - - [20/Dec/2010:07:08:11 -0800] "GET /ThingD\xb0etails/Order/197 HTTP/1.1" 404 17239 "http://www.(redacted).com/"
    114.108.192.9 - - [20/Dec/2010:07:08:11 -0800] "GET /Thi\xb0ngDetails/Order/63 HTTP/1.1" 404 17234 "http://www.(redacted).com/"
    114.108.192.9 - - [20/Dec/2010:07:08:11 -0800] "GET /MyCollection/Ad\xb0dRemoveThing/51 HTTP/1.1" 404 35497 "http://www.(redacted).com/"
    114.108.192.12 - - [20/Dec/2010:07:08:12 -0800] "GET /Comparison/AddRemoveThing/19\xb06/Order HTTP/1.1" 200 46 "http://www.(redacted).com/"
    111.68.48.182 - - [24/Jan/2011:18:35:41 -0800] "GET /httheig\xb0v\x8e\xb0v\x8eLp://www.REDACTED.com/themes/nnn/js/Hyphenator/Hyphenator.js HTTP/1.1" 404 17564 "http://www.REDACTED.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
    111.68.48.182 - - [25/Jan/2011:09:13:05 -0800] "GET /builstaf\xb0*\xd5\xb0*\xd5\xb8d HTTP/1.1" 404 17078 "http://www.REDACTED.com/" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)"

    In all of these cases they are taking real, valid, working URLs and inserting characters (\xb0, or \xb0*\xd5) in random locations in the GET. I assume they are trying to force error conditions in order to produce error messages in an attempt to get info from those error messages.

    Has anyone else seen this behavior? (a simple: grep -iF '\xb0' yoursite_access.log will help you check)

    Is this an attack specifically against SilverStripe sites?

    Does anyone have any other information about similar kinds of 'malformatted GET' attacks?

    (p.s. I posted this elsewhere - http://ask.metafilter.com/173152/Apache-went-boom-Diagnosis- just to see what folks thought of the attack, but I wanted to run it by the SS community as well and see if this rang any bells with people here.)

    -bhance
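
The grep check from the post above, extended into a small log triage script. This is an added example, not part of the original post; the sample lines, addresses and host name are constructed. It relies on Apache writing non-printable request bytes to the access log as `\xhh` escapes, and groups the matching requests by source /24.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample lines shaped like the excerpts in the post
# (documentation-range addresses, placeholder host name).
SAMPLE_LOG = r'''
192.0.2.9 - - [20/Dec/2010:02:45:26 -0800] "GET /\xb0 HTTP/1.1" 404 17106 "http://www.example.com/"
192.0.2.8 - - [20/Dec/2010:07:08:11 -0800] "GET /ThingD\xb0etails/Order/197 HTTP/1.1" 404 17239 "http://www.example.com/"
192.0.2.12 - - [20/Dec/2010:07:08:12 -0800] "GET /Comparison/AddRemoveThing/19\xb06/Order HTTP/1.1" 200 46 "http://www.example.com/"
198.51.100.7 - - [25/Jan/2011:09:13:05 -0800] "GET /builstaf\xb0*\xd5\xb0*\xd5\xb8d HTTP/1.1" 404 17078 "http://www.example.com/"
203.0.113.5 - - [25/Jan/2011:09:14:00 -0800] "GET /ThingDetails/Order/197 HTTP/1.1" 200 5120 "http://www.example.com/"
203.0.113.5 - - [25/Jan/2011:09:14:02 -0800] "GET /docs\\x41 HTTP/1.1" 404 512 "-"
'''.strip().splitlines()

# Host, then the quoted request line (Apache writes " and \ as \" and \\), then status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "((?:[^"\\]|\\.)*)" (\d{3}) ')
# Consume \\ first so a literal backslash followed by "x41" is not
# mistaken for an escaped byte.
ESCAPE = re.compile(r'\\\\|\\x([0-9a-fA-F]{2})')

def escaped_bytes(field):
    """Byte values that appear as \\xhh escapes in a logged field."""
    return [int(m.group(1), 16) for m in ESCAPE.finditer(field) if m.group(1)]

def scan(lines, prefix=24):
    """Summarise requests whose path holds escaped bytes, per source network."""
    hits = defaultdict(lambda: {"requests": 0, "bytes": set(), "statuses": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        host, request, status = m.group(1), m.group(2), int(m.group(3))
        parts = request.split(" ")
        target = parts[1] if len(parts) >= 2 else request
        raw = escaped_bytes(target)
        if not raw:
            continue
        try:
            source = str(ip_network(f"{host}/{prefix}", strict=False))
        except ValueError:  # host name logged instead of an address
            source = host
        hits[source]["requests"] += 1
        hits[source]["bytes"].update(raw)
        hits[source]["statuses"].add(status)
    return dict(hits)

if __name__ == "__main__":
    for source, info in sorted(scan(SAMPLE_LOG).items()):
        print(source, info["requests"], sorted(hex(b) for b in info["bytes"]), sorted(info["statuses"]))
```

The per-network status set shows whether any mangled URL returned something other than 404, as one of the requests in the post did.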

  • Willr
    Forum Moderator
    5508 Posts

    Re: Strange vulnerability scans seen in SilverStripe site logs

    FYI you should email any security concerns to security@silverstripe.org. Not sure if this would be related to SilverStripe erroring out or simply a configuration issue, but they would look into the issue in more depth.

    Is this an attack specifically against SilverStripe sites?

    No, unless the attackers know of a vulnerability specific to SilverStripe hence why they are attacking that site.

    Which version of SS are you running?

  • bhance
    Community Member
    2 Posts

    Re: Strange vulnerability scans seen in SilverStripe site logs

    Thanks - This was on SS 2.4.3
