What Exploit Are These User Agents Trying to Use?What is SPL exploit?What kind of security injection are...
Is it a bad idea to plug the other end of ESD strap to wall ground?
In the UK, is it possible to get a referendum by a court decision?
How to prevent "they're falling in love" trope
Implication of namely
What historical events would have to change in order to make 19th century "steampunk" technology possible?
How could indestructible materials be used in power generation?
How could sorcerers who are able to produce/manipulate almost all forms of energy communicate over large distances?
How seriously should I take size and weight limits of hand luggage?
How to compactly explain secondary and tertiary characters without resorting to stereotypes?
Can I hook these wires up to find the connection to a dead outlet?
Were days ever written as ordinal numbers when writing day-month-year?
How can I prove that a state of equilibrium is unstable?
What is a Samsaran Word™?
How to stretch the corners of this image so that it looks like a perfect rectangle?
Should I tell management that I intend to leave due to bad software development practices?
Why were 5.25" floppy drives cheaper than 8"?
Sums of two squares in arithmetic progressions
Obtaining database information and values in extended properties
How can a day be of 24 hours?
Why was Sir Cadogan fired?
What is the opposite of "eschatology"?
Different meanings of こわい
Can compressed videos be decoded back to their uncompresed original format?
In Bayesian inference, why are some terms dropped from the posterior predictive?
What Exploit Are These User Agents Trying to Use?
What is SPL exploit?What kind of security injection are these traces of, SQL, javascript, or otherwise?Is it illegal to use Fake User-agents?Server attack attempts, what are they trying to achieve?Can I exploit Windows kernel from user-mode application?HTTP attack taking down PHP-FPMSegmentation fault trying to exploit printf vulnerabilityWhat web servers are affected by this user agent exploit?Which exploit and which payload use?Help on what to do with these suspicious logs
I just looked at my user agent tracking page on my site (archived on Yandex) and I noticed these user agents. I believe they are an attempt to exploit my server (NGinx with PHP). The 1 in front of it is just how many times the user agent was seen in the NGinx log. These are also shortened user agents and not long ones like Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36. I no longer have access to the logs as I presume this occurred sometime in January or February (my oldest logs are in March and I created the site in January).
1 Mozilla/5.9}print(238947899389478923-34567343546345);{
1 Mozilla/5.9{${print(238947899389478923-34567343546345)}}
1 Mozilla/5.9x22{${print(238947899389478923-34567343546345)}}x22
1 Mozilla/5.9x22];print(238947899389478923-34567343546345);//
1 Mozilla/5.9x22
What exploit was attempted and how can I test to ensure these exploits are not usable?
exploit webserver web nginx anti-exploitation
asked 4 hours ago
SenorContentoSenorContento
306
add a comment |
I just looked at my user agent tracking page on my site (archived on Yandex) and I noticed these user agents. I believe they are an attempt to exploit my server (NGinx with PHP). The 1 in front of it is just how many times the user agent was seen in the NGinx log. These are also shortened user agents and not long ones like Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36. I no longer have access to the logs as I presume this occurred sometime in January or February (my oldest logs are in March and I created the site in January).
1 Mozilla/5.9}print(238947899389478923-34567343546345);{
1 Mozilla/5.9{${print(238947899389478923-34567343546345)}}
1 Mozilla/5.9x22{${print(238947899389478923-34567343546345)}}x22
1 Mozilla/5.9x22];print(238947899389478923-34567343546345);//
1 Mozilla/5.9x22
What exploit was attempted and how can I test to ensure these exploits are not usable?
exploit webserver web nginx anti-exploitation
asked 4 hours ago
SenorContentoSenorContento
306
add a comment |
I just looked at my user agent tracking page on my site (archived on Yandex) and I noticed these user agents. I believe they are an attempt to exploit my server (NGinx with PHP). The 1 in front of it is just how many times the user agent was seen in the NGinx log. These are also shortened user agents and not long ones like Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36. I no longer have access to the logs as I presume this occurred sometime in January or February (my oldest logs are in March and I created the site in January).
1 Mozilla/5.9}print(238947899389478923-34567343546345);{
1 Mozilla/5.9{${print(238947899389478923-34567343546345)}}
1 Mozilla/5.9x22{${print(238947899389478923-34567343546345)}}x22
1 Mozilla/5.9x22];print(238947899389478923-34567343546345);//
1 Mozilla/5.9x22
What exploit was attempted and how can I test to ensure these exploits are not usable?
exploit webserver web nginx anti-exploitation
asked 4 hours ago
SenorContentoSenorContento
306
I just looked at my user agent tracking page on my site (archived on Yandex) and I noticed these user agents. I believe they are an attempt to exploit my server (NGinx with PHP). The 1 in front of it is just how many times the user agent was seen in the NGinx log. These are also shortened user agents and not long ones like Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36. I no longer have access to the logs as I presume this occurred sometime in January or February (my oldest logs are in March and I created the site in January).
1 Mozilla/5.9}print(238947899389478923-34567343546345);{
1 Mozilla/5.9{${print(238947899389478923-34567343546345)}}
1 Mozilla/5.9x22{${print(238947899389478923-34567343546345)}}x22
1 Mozilla/5.9x22];print(238947899389478923-34567343546345);//
1 Mozilla/5.9x22
What exploit was attempted and how can I test to ensure these exploits are not usable?
exploit webserver web nginx anti-exploitation
exploit webserver web nginx anti-exploitation
asked 4 hours ago
SenorContentoSenorContento
306
asked 4 hours ago
SenorContentoSenorContento
306
asked 4 hours ago
SenorContentoSenorContento
306
asked 4 hours ago
SenorContentoSenorContento
306
asked 4 hours ago
SenorContentoSenorContento
306
306
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself just appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.
In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server, and see how they respond. Note, that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.
My bet is that your server is not vulnerable, because I would have expected to see follow up request to actually exploit your server.
answered 2 hours ago
user52472user52472
2,432614
add a comment |
It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.
answered 3 hours ago
DarkMatterDarkMatter
2,1181120
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206649%2fwhat-exploit-are-these-user-agents-trying-to-use%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself just appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.
In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server, and see how they respond. Note, that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.
My bet is that your server is not vulnerable, because I would have expected to see follow up request to actually exploit your server.
answered 2 hours ago
user52472user52472
2,432614
add a comment |
It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself just appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.
In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server, and see how they respond. Note, that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.
My bet is that your server is not vulnerable, because I would have expected to see follow up request to actually exploit your server.
answered 2 hours ago
user52472user52472
2,432614
add a comment |
It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself just appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.
In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server, and see how they respond. Note, that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.
My bet is that your server is not vulnerable, because I would have expected to see follow up request to actually exploit your server.
answered 2 hours ago
user52472user52472
2,432614
It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself just appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.
In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server, and see how they respond. Note, that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.
My bet is that your server is not vulnerable, because I would have expected to see follow up request to actually exploit your server.
answered 2 hours ago
user52472user52472
2,432614
answered 2 hours ago
user52472user52472
2,432614
answered 2 hours ago
user52472user52472
2,432614
answered 2 hours ago
user52472user52472
2,432614
2,432614
add a comment |
add a comment |
It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.
answered 3 hours ago
DarkMatterDarkMatter
2,1181120
add a comment |
It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.
answered 3 hours ago
DarkMatterDarkMatter
2,1181120
add a comment |
It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.
answered 3 hours ago
DarkMatterDarkMatter
2,1181120
It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.
answered 3 hours ago
DarkMatterDarkMatter
2,1181120
answered 3 hours ago
DarkMatterDarkMatter
2,1181120
answered 3 hours ago
DarkMatterDarkMatter
2,1181120
answered 3 hours ago
DarkMatterDarkMatter
2,1181120
2,1181120
add a comment |
add a comment |
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206649%2fwhat-exploit-are-these-user-agents-trying-to-use%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
