Recently our Seaside site has been getting a bunch of requests that are
resulting in the following stack trace (pasted below).
Somebody is hitting our site via an expired session URL, but attempting to post a bunch of stuff in the process. It appears to be harmless to the site, as the post arguments they are putting in the request are not recognized or being acted upon. But this is very curious.

Notice the "http://www.pattibus.it/phplib-7.2b/pages/ilosi/dohigal/" URL they are using in the one I pasted below. I'm seeing dozens of these, with this exact URL. I'm also seeing a bunch with "http://sahel55.com/articles/omaduro/kimumid/", as well as some with "http://www.ce-cioceoforum.com/talk/t1/roda/ilubov/" in some of the other requests.

I've seen these off-and-on over the months. Sometimes I would get a few, then I'd go weeks without seeing anything. But today there have (so far) been a total of 25 of these types of requests come in. And there were a bunch yesterday, too.

It looks like a bot of some sort doing this. But just what do you think these nuts are trying to do?

Nevin

******************

Dictionary(Object)>>error:
    self a Dictionary('1'->a WAActionCallback '10'->a WAActionCallback '11'->a WAActionCallback '12'->a WAAct...etc...
    aString 'key not found'
--------
Dictionary>>errorKeyNotFound
    self a Dictionary('1'->a WAActionCallback '10'->a WAActionCallback '11'->a WAActionCallback '12'->a WAAct...etc...
--------
[] in Dictionary>>at:
    self a Dictionary('1'->a WAActionCallback '10'->a WAActionCallback '11'->a WAActionCallback '12'->a WAAct...etc...
    key 'http://www.pattibus.it/phplib-7.2b/pages/ilosi/dohigal/'
--------
Dictionary>>at:ifAbsent:
    self a Dictionary('1'->a WAActionCallback '10'->a WAActionCallback '11'->a WAActionCallback '12'->a WAAct...etc...
    key 'http://www.pattibus.it/phplib-7.2b/pages/ilosi/dohigal/'
    aBlock [] in Dictionary>>at:
    assoc nil
--------
Dictionary>>at:
    self a Dictionary('1'->a WAActionCallback '10'->a WAActionCallback '11'->a WAActionCallback '12'->a WAAct...etc...
    key 'http://www.pattibus.it/phplib-7.2b/pages/ilosi/dohigal/'
--------
WACallbackStore>>evaluateCallbackAt:with:
    self a WACallbackStore
    callbackKey 'http://www.pattibus.it/phplib-7.2b/pages/ilosi/dohigal/'
    anObject ''
--------
[] in WACallbackStore>>processRequest:
    self a WACallbackStore
    aRequest a WARequest
    assoc 'http://www.pattibus.it/phplib-7.2b/pages/ilosi/dohigal/'->''
--------
SortedCollection(OrderedCollection)>>do:
    self a SortedCollection('http://www.pattibus.it/phplib-7.2b/pages/ilosi/dohigal/'->'')
    aBlock [] in WACallbackStore>>processRequest:
    index 2
--------
WACallbackStore>>processRequest:
    self a WACallbackStore
    aRequest a WARequest
    assoc 'http://www.pattibus.it/phplib-7.2b/pages/ilosi/dohigal/'->''
--------
[] in BBSession(WAControllerSession)>>render
    self a BBSession(/seaside/index/@zpeSshbDYdkoJZVi)
    request a WARequest
    callbacks a WACallbackStore
    url nil
    n nil
--------
BlockContext>>on:do:
    self [] in BBSession(WAControllerSession)>>render
    exception WARenderNotification
    handlerAction [] in BBSession(WAControllerSession)>>render
    handlerActive true
--------
BBSession(WAControllerSession)>>render
    self a BBSession(/seaside/index/@zpeSshbDYdkoJZVi)
    request a WARequest
    callbacks a WACallbackStore
    url nil
    n nil
--------
[] in BBSession(WAControllerSession)>>start:
    self a BBSession(/seaside/index/@zpeSshbDYdkoJZVi)
    aRequest a WARequest
--------
BlockContext>>repeat
    self [] in BBSession(WAControllerSession)>>start:
--------
BBSession(WAControllerSession)>>start:
    self a BBSession(/seaside/index/@zpeSshbDYdkoJZVi)
    aRequest a WARequest
--------
[] in BBSession(WASession)>>enterSessionWithRequest:
    self a BBSession(/seaside/index/@zpeSshbDYdkoJZVi)
    aRequest a WARequest
--------
[] in BBSession(WASession)>>enterSession:
    self a BBSession(/seaside/index/@zpeSshbDYdkoJZVi)
    aBlock [] in BBSession(WASession)>>enterSessionWithRequest:
--------
BlockContext>>on:do:
    self [] in BBSession(WASession)>>enterSession:
    exception Error
    handlerAction MessageSend(#handleError: -> a BBSession(/seaside/index/@zpeSshbDYdkoJZVi))
    handlerActive true
--------
BBSession(WASession)>>withErrorHandler:
    self a BBSession(/seaside/index/@zpeSshbDYdkoJZVi)
    aBlock [] in BBSession(WASession)>>enterSession:
--------
[] in BBSession(WASession)>>enterSession:
    self a BBSession(/seaside/index/@zpeSshbDYdkoJZVi)
    aBlock [] in BBSession(WASession)>>enterSessionWithRequest:
--------
[] in BBSession(WASession)>>withEscapeContinuation:
    self a BBSession(/seaside/index/@zpeSshbDYdkoJZVi)
    aBlock [] in BBSession(WASession)>>enterSession:
    cc a Continuation
--------
Continuation class>>currentDo:
    self Continuation
    aBlock [] in BBSession(WASession)>>withEscapeContinuation:
--------
BBSession(WASession)>>withEscapeContinuation:
    self a BBSession(/seaside/index/@zpeSshbDYdkoJZVi)
    aBlock [] in BBSession(WASession)>>enterSession:
    cc a Continuation
--------
BBSession(WASession)>>enterSession:
    self a BBSession(/seaside/index/@zpeSshbDYdkoJZVi)
    aBlock [] in BBSession(WASession)>>enterSessionWithRequest:
--------
BBSession(WASession)>>enterSessionWithRequest:
    self a BBSession(/seaside/index/@zpeSshbDYdkoJZVi)
    aRequest a WARequest
--------
WAApplication>>handleDefaultRequest:
    self a WAApplication
    aRequest a WARequest
    session a BBSession(/seaside/index/@zpeSshbDYdkoJZVi)
--------
WAApplication(WARegistry)>>handleRequest:
    self a WAApplication
    aRequest a WARequest
--------
WADispatcher>>handleRequest:
    self a WADispatcher
    aRequest a WARequest
--------
ComancheInterface>>handleRequest:
    self a ComancheInterface
    aRequest a WARequest
    url nil
    sel nil
--------
ComancheInterface>>processSeaside:
    self a ComancheInterface
    komRequest HttpRequest (URL=/seaside/index/home; protocol=HTTP/1.0; header=a Dictionary('accept'->'image/gif, i...etc...
    request a WARequest
    response nil
    komResponse nil
    assoc nil
--------
ComancheInterface>>process:
    self a ComancheInterface
    aRequest HttpRequest (URL=/seaside/index/home; protocol=HTTP/1.0; header=a Dictionary('accept'->'image/gif, i...etc...
    url '/seaside/index/home'
    searchIndex ''
    removeEmail ''
--------
ComancheNetService>>processNetworkRequest:
    self Service: borges[running] port: 80
    aNetworkRequest HttpRequest (URL=/seaside/index/home; protocol=HTTP/1.0; header=a Dictionary('accept'->'image/gif, i...etc...
--------
HttpAdaptor(NetworkProtocolAdaptor)>>dispatchRequest:
    self a HttpAdaptor
    aNetworkRequest HttpRequest (URL=/seaside/index/home; protocol=HTTP/1.0; header=a Dictionary('accept'->'image/gif, i...etc...
--------
[] in HttpAdaptor>>pvtGetResponseAndDo:
    self a HttpAdaptor
    blk [] in HttpAdaptor>>beginConversation
    ex nil
--------
BlockContext>>on:do:
    self [] in HttpAdaptor>>pvtGetResponseAndDo:
    exception Error
    handlerAction [] in HttpAdaptor>>pvtGetResponseAndDo:
    handlerActive true
--------
HttpAdaptor>>pvtGetResponseAndDo:
    self a HttpAdaptor
    blk [] in HttpAdaptor>>beginConversation
    ex nil
--------
[] in HttpAdaptor>>beginConversation
    self a HttpAdaptor
    ex nil
--------
BlockContext>>on:do:
    self [] in HttpAdaptor>>beginConversation
    exception Error
    handlerAction [] in HttpAdaptor>>beginConversation
    handlerActive true
--------
HttpAdaptor>>beginConversation
    self a HttpAdaptor
    ex nil
--------
HttpAdaptor class(NetworkProtocolAdaptor class)>>readAndWriteTo:target:
    self HttpAdaptor
    aStream a SocketStream
    aTarget Service: borges[running] port: 80
--------
ComancheNetService>>serve:
    self Service: borges[running] port: 80
    aSocket a Socket[destroyed]
--------
[] in ComancheServer>>value:
    self ComancheServer port: 80 [running]
    aSocket a Socket[destroyed]
--------
[] in BlockContext>>newProcess
    self [] in ComancheServer>>value:
--------

_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
On Mon, 04 Feb 2008 12:56:02 -0800, Nevin Pratt <[hidden email]>
wrote:

> It looks like a bot of some sort doing this. But just what do you think
> these nuts are trying to do?

WAG: SPAM.
Blake wrote:
> On Mon, 04 Feb 2008 12:56:02 -0800, Nevin Pratt
> <[hidden email]> wrote:
>> It looks like a bot of some sort doing this. But just what do you think
>> these nuts are trying to do?
>
> WAG: SPAM.

I think it's a bit deeper than that. I think some sites are vulnerable to malicious redirects -- sort of like using an open email relay, but with http requests instead of email. And there's a bunch of bots whose mission in life is to seek out and exploit such sites. At least, that's my suspicion.

But I really don't know. That's why I'd love some further speculation from other Seasiders.

Nevin
Nevin Pratt wrote:
> Blake wrote:
>> On Mon, 04 Feb 2008 12:56:02 -0800, Nevin Pratt
>> <[hidden email]> wrote:
>>> It looks like a bot of some sort doing this. But just what do you
>>> think these nuts are trying to do?
>>
>> WAG: SPAM.
>
> I think it's a bit deeper than that. I think some sites are
> vulnerable to malicious redirects -- sort of like using an open email
> relay, but with http requests instead of email. And there's a bunch
> of bots whose mission in life is to seek out and exploit such sites.
> At least, that's my suspicion.
>
> But I really don't know. That's why I'd love some further speculation
> from other Seasiders.
>
> Nevin

And I just got 6 more of these requests. The stack trace on all six is just like the one I posted earlier.

What are these guys trying to accomplish by doing this?

Nevin
If you Google "http://www.pattibus.it/phplib-7.2b/pages/ilosi/dohigal/" (copied from the stack trace), you get this as one of the Google hits:

http://www.aceepc.com/webstats/summary/cgi.html

This page has:

11/9/2007 to 2/4/2008: Top 100 CGI Scripts
On Mon, 04 Feb 2008 16:18:34 -0700
Nevin Pratt <[hidden email]> wrote:

> What are these guys trying to accomplish by doing this?

Gaining access to a valuable resource. I've seen php-based sites allowing admin access to folks having admin access on remote machines totally unrelated to the one they "hacked".

My guess would be that they harvested the referrer logs of some site and are just blindly trying for access. It does not cost them anything.

s.
Stefan Schmiedl wrote:
> On Mon, 04 Feb 2008 16:18:34 -0700
> Nevin Pratt <[hidden email]> wrote:
>> What are these guys trying to accomplish by doing this?
>
> Gaining access to a valuable resource. I've seen php-based sites
> allowing admin access to folks having admin access on remote machines
> totally unrelated to the one they "hacked".
>
> My guess would be that they harvested the referrer logs of some site
> and are just blindly trying for access. It does not cost them anything.
>
> s.

This sounds very believable. I appreciate the insight. To me this is the #1 theory so far.

Nevin
> This sounds very believable. I appreciate the insight. To me this is the
> #1 theory so far.

Newer versions of Seaside don't seem to be affected by this bug. On www.squeaksource.com I fixed the problem by replacing that #at: in #evaluateCallbackAt:with: with an #at:ifAbsent: [ ^self ].

Cheers,
Lukas

--
Lukas Renggli
http://www.lukas-renggli.ch
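The failing lookup in Nevin's trace and the change Lukas describes, as an added example that is not Seaside's code and was not posted in this thread: a small Python model of a callback store keyed the way WACallbackStore's dictionary is ('1', '2', ...), with the pre-fix strict lookup beside the #at:ifAbsent: [ ^self ] form, plus a helper that flags URL-shaped field names like the one in the trace so they can be logged instead of raising. The class and function names and the sample request are constructed for the example.

```python
"""Added example for this thread, not Seaside's own code: a Python model of
the callback dispatch seen in the posted stack trace
(WACallbackStore>>evaluateCallbackAt:with:), showing why a URL-shaped field
name raised 'key not found' and what the #at:ifAbsent: [ ^self ] change does.
Class, function and sample-data names are assumptions made for the example."""
from urllib.parse import urlsplit


class CallbackStore:
    """Keys are short numeric strings, as in the trace's
    Dictionary('1'->a WAActionCallback '10'->a WAActionCallback ...)."""

    def __init__(self):
        self._callbacks = {}
        self._next_key = 1

    def register(self, action):
        """Register a callback and return the key the form field will carry."""
        key = str(self._next_key)
        self._next_key += 1
        self._callbacks[key] = action
        return key

    def evaluate_strict(self, key, value):
        """Pre-fix behaviour: Dictionary>>at: on an unknown key raises, and
        the error propagates up to WASession>>handleError: (the trace)."""
        self._callbacks[key](value)

    def evaluate_lenient(self, key, value):
        """Post-fix behaviour: #at:ifAbsent: [ ^self ] leaves the method for
        an unknown key, so the remaining fields are still processed."""
        action = self._callbacks.get(key)
        if action is None:
            return
        action(value)

    def process_request(self, fields, strict=False):
        """Dispatch every submitted field in key order, like the trace's
        SortedCollection>>do:. Returns the keys that matched a callback."""
        evaluate = self.evaluate_strict if strict else self.evaluate_lenient
        handled = []
        for key in sorted(fields):
            evaluate(key, fields[key])
            if key in self._callbacks:
                handled.append(key)
        return handled


def suspicious_field_names(fields):
    """Field names that are absolute http(s) URLs. A Seaside form never posts
    a URL as a field *name*, so this is a cheap way to log the bot probes
    from the thread without turning them into a server error."""
    flagged = []
    for name in fields:
        parts = urlsplit(name)
        if parts.scheme in ("http", "https") and parts.netloc:
            flagged.append(name)
    return sorted(flagged)


# Constructed sample request: one genuine callback field plus the URL-shaped
# field name copied from the posted stack trace (value '' as in the trace).
BOT_FIELD = "http://www.pattibus.it/phplib-7.2b/pages/ilosi/dohigal/"


def demo():
    store = CallbackStore()
    received = []
    key = store.register(received.append)
    request = {key: "hello", BOT_FIELD: ""}

    try:
        store.process_request(request, strict=True)
        outcome = "no error"
    except KeyError:
        outcome = "key not found"          # what the original code did

    received.clear()
    handled = store.process_request(request)  # lenient: bot field ignored
    return {
        "strict_outcome": outcome,
        "lenient_handled": handled,
        "received": received,
        "suspicious": suspicious_field_names(request),
    }


if __name__ == "__main__":
    print(demo())
```

Run stand-alone it prints a dict: strict mode ends in KeyError, the Python counterpart of Dictionary>>errorKeyNotFound, while lenient mode returns ['1'] and drops the bot field. The fix stops the error handler and walkback from firing on every probe, which is what matters operationally, but it also makes the probes invisible unless something records them, which is what the flagging helper is for.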
Lukas Renggli wrote:
>> This sounds very believable. I appreciate the insight. To me this is the
>> #1 theory so far.
>
> Newer versions of Seaside don't seem to be affected by this bug. On
> www.squeaksource.com I fixed the problem by replacing that #at: in
> #evaluateCallbackAt:with: with an #at:ifAbsent: [ ^self ].
>
> Cheers,
> Lukas

Ah, I was hoping for something more devious, like forwarding the offending request to http://www.microsoft.com or something :-)

Just kidding. Your fix looks good.

Nevin