What Exploit Are These User Agents Trying to Use?What is SPL exploit?What kind of security injection are...
Bullying boss launched a smear campaign and made me unemployable
Am I breaking OOP practice with this architecture?
How to show a landlord what we have in savings?
Are British MPs missing the point, with these 'Indicative Votes'?
How can I prove that a state of equilibrium is unstable?
GFCI outlets - can they be repaired? Are they really needed at the end of a circuit?
Do creatures with a listed speed of "0 ft., fly 30 ft. (hover)" ever touch the ground?
Implication of namely
Unlock My Phone! February 2018
Processor speed limited at 0.4 Ghz
Rotate ASCII Art by 45 Degrees
Car headlights in a world without electricity
how do we prove that a sum of two periods is still a period?
Why is the sentence "Das ist eine Nase" correct?
Why didn't Boeing produce its own regional jet?
Notepad++ delete until colon for every line with replace all
Why is it a bad idea to hire a hitman to eliminate most corrupt politicians?
In Bayesian inference, why are some terms dropped from the posterior predictive?
Does marriage to a non-Numenorean disqualify a candidate for the crown of Gondor?
What is required to make GPS signals available indoors?
Placement of More Information/Help Icon button for Radio Buttons
Send out email when Apex Queueable fails and test it
How to coordinate airplane tickets?
What's the meaning of "Sollensaussagen"?
What Exploit Are These User Agents Trying to Use?
What is SPL exploit?What kind of security injection are these traces of, SQL, javascript, or otherwise?Is it illegal to use Fake User-agents?Server attack attempts, what are they trying to achieve?Can I exploit Windows kernel from user-mode application?HTTP attack taking down PHP-FPMSegmentation fault trying to exploit printf vulnerabilityWhat web servers are affected by this user agent exploit?Which exploit and which payload use?Help on what to do with these suspicious logs
I just looked at my user agent tracking page on my site (archived on Yandex) and I noticed these user agents. I believe they are an attempt to exploit my server (NGinx with PHP). The 1 in front of it is just how many times the user agent was seen in the NGinx log. These are also shortened user agents and not long ones like Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36. I no longer have access to the logs as I presume this occurred sometime in January or February (my oldest logs are in March and I created the site in January).
1 Mozilla/5.9}print(238947899389478923-34567343546345);{
1 Mozilla/5.9{${print(238947899389478923-34567343546345)}}
1 Mozilla/5.9x22{${print(238947899389478923-34567343546345)}}x22
1 Mozilla/5.9x22];print(238947899389478923-34567343546345);//
1 Mozilla/5.9x22
What exploit was attempted and how can I test to ensure these exploits are not usable?
exploit webserver web nginx anti-exploitation
asked 6 hours ago
SenorContentoSenorContento
456
add a comment |
I just looked at my user agent tracking page on my site (archived on Yandex) and I noticed these user agents. I believe they are an attempt to exploit my server (NGinx with PHP). The 1 in front of it is just how many times the user agent was seen in the NGinx log. These are also shortened user agents and not long ones like Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36. I no longer have access to the logs as I presume this occurred sometime in January or February (my oldest logs are in March and I created the site in January).
1 Mozilla/5.9}print(238947899389478923-34567343546345);{
1 Mozilla/5.9{${print(238947899389478923-34567343546345)}}
1 Mozilla/5.9x22{${print(238947899389478923-34567343546345)}}x22
1 Mozilla/5.9x22];print(238947899389478923-34567343546345);//
1 Mozilla/5.9x22
What exploit was attempted and how can I test to ensure these exploits are not usable?
exploit webserver web nginx anti-exploitation
asked 6 hours ago
SenorContentoSenorContento
456
add a comment |
I just looked at my user agent tracking page on my site (archived on Yandex) and I noticed these user agents. I believe they are an attempt to exploit my server (NGinx with PHP). The 1 in front of it is just how many times the user agent was seen in the NGinx log. These are also shortened user agents and not long ones like Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36. I no longer have access to the logs as I presume this occurred sometime in January or February (my oldest logs are in March and I created the site in January).
1 Mozilla/5.9}print(238947899389478923-34567343546345);{
1 Mozilla/5.9{${print(238947899389478923-34567343546345)}}
1 Mozilla/5.9x22{${print(238947899389478923-34567343546345)}}x22
1 Mozilla/5.9x22];print(238947899389478923-34567343546345);//
1 Mozilla/5.9x22
What exploit was attempted and how can I test to ensure these exploits are not usable?
exploit webserver web nginx anti-exploitation
asked 6 hours ago
SenorContentoSenorContento
456
I just looked at my user agent tracking page on my site (archived on Yandex) and I noticed these user agents. I believe they are an attempt to exploit my server (NGinx with PHP). The 1 in front of it is just how many times the user agent was seen in the NGinx log. These are also shortened user agents and not long ones like Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36. I no longer have access to the logs as I presume this occurred sometime in January or February (my oldest logs are in March and I created the site in January).
1 Mozilla/5.9}print(238947899389478923-34567343546345);{
1 Mozilla/5.9{${print(238947899389478923-34567343546345)}}
1 Mozilla/5.9x22{${print(238947899389478923-34567343546345)}}x22
1 Mozilla/5.9x22];print(238947899389478923-34567343546345);//
1 Mozilla/5.9x22
What exploit was attempted and how can I test to ensure these exploits are not usable?
exploit webserver web nginx anti-exploitation
exploit webserver web nginx anti-exploitation
asked 6 hours ago
SenorContentoSenorContento
456
asked 6 hours ago
SenorContentoSenorContento
456
asked 6 hours ago
SenorContentoSenorContento
456
asked 6 hours ago
SenorContentoSenorContento
456
asked 6 hours ago
SenorContentoSenorContento
456
456
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself just appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.
In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server, and see how they respond. Note, that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.
My bet is that your server is not vulnerable, because I would have expected to see follow up request to actually exploit your server.
answered 5 hours ago
user52472user52472
2,482614
add a comment |
It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.
answered 5 hours ago
DarkMatterDarkMatter
2,1181120
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206649%2fwhat-exploit-are-these-user-agents-trying-to-use%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself just appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.
In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server, and see how they respond. Note, that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.
My bet is that your server is not vulnerable, because I would have expected to see follow up request to actually exploit your server.
answered 5 hours ago
user52472user52472
2,482614
add a comment |
It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself just appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.
In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server, and see how they respond. Note, that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.
My bet is that your server is not vulnerable, because I would have expected to see follow up request to actually exploit your server.
answered 5 hours ago
user52472user52472
2,482614
add a comment |
It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself just appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.
In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server, and see how they respond. Note, that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.
My bet is that your server is not vulnerable, because I would have expected to see follow up request to actually exploit your server.
answered 5 hours ago
user52472user52472
2,482614
It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself just appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.
In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server, and see how they respond. Note, that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.
My bet is that your server is not vulnerable, because I would have expected to see follow up request to actually exploit your server.
answered 5 hours ago
user52472user52472
2,482614
answered 5 hours ago
user52472user52472
2,482614
answered 5 hours ago
user52472user52472
2,482614
answered 5 hours ago
user52472user52472
2,482614
2,482614
add a comment |
add a comment |
It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.
answered 5 hours ago
DarkMatterDarkMatter
2,1181120
add a comment |
It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.
answered 5 hours ago
DarkMatterDarkMatter
2,1181120
add a comment |
It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.
answered 5 hours ago
DarkMatterDarkMatter
2,1181120
It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.
answered 5 hours ago
DarkMatterDarkMatter
2,1181120
answered 5 hours ago
DarkMatterDarkMatter
2,1181120
answered 5 hours ago
DarkMatterDarkMatter
2,1181120
answered 5 hours ago
DarkMatterDarkMatter
2,1181120
2,1181120
add a comment |
add a comment |
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206649%2fwhat-exploit-are-these-user-agents-trying-to-use%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
