9

I've noticed a few requests like this to a Rails application I am maintaining:

GET http://mydomain.com/?f=4&t=252751+++++++++++++++++++++++++++++++++++++++++Result:+%E8%F1%EF%EE%EB%FC%E7%F3%E5%EC+%EF%F0%EE%EA%F1%E8+85.17.122.209:6188;+%ED%E5+%ED%E0%F8%EB%EE%F1%FC+%F4%EE%F0%EC%FB+%E4%EB%FF+%EE%F2%EF%F0%E0%E2%EA%E8;+Result:+GET-%F2%E0%E9%EC%E0%F3%F2%EE%E2+1;+%ED%E5+%ED%E0%F8%EB%EE%F1%FC+%F4%EE%F0%EC%FB+%E4%EB%FF+%EE%F2%EF%F0%E0%E2%EA%E8;

It looks like an attempt to exploit some vulnerability to me, but I can't make sense out of what it's supposed to do, and it's kind of hard to google. Any insights would be appreciated.

Thilo

2 Answers

28

The request parameter is encoded with Windows Codepage 1251 and contains an apparently harmless error message in Russian:

используем прокси 85.17.122.209:6188; не нашлось формы для отправки; Result: GET-таймаутов 1; не нашлось формы для отправки;

Roughly translated to English, the message reads:

using proxy 85.17.122.209:6188; there were no forms to be sent; Result: GET-timeout 1; there were no forms to be sent;

It surely does not look as if someone is trying to hack you. I would rather assume that something is trying to report an error and due to misconfiguration is calling your server instead of whatever is supposed to track or handle the problem.

Anders
jarnbjo
4

It might be that someone is trying to fuzz your website in the hope of finding a vulnerability. It's actually quite normal to see these passing by. It's called internet background noise (well, in this case you are running a service, so the description isn't entirely correct).

I ran this through a URL decoder:

?????????? ?????? 85.17.122.209:6188; ?? ??????? ????? ??? ????????; Result: GET-????????? 1; ?? ??????? ????? ??? ????????

I'm not entirely sure what he is trying to achieve (could this be your IP?), but it might be that he's hoping to find a SQL injection which allows escalation to command injection. I also suspect that they are using a different character encoding for some of the fields in the hope your code will directly pass it to your database backend (this is called a multi-byte SQL injection exploit; have a look here: Multibyte character exploits - PHP/MySQL). I haven't been able to identify the character encoding used, though.

I've had them as well on my websites; generally I'm not too worried about them (you just need to keep track of all security updates). I'd advise you to get a host-based intrusion detection system. My favorite one is called OSSEC and will (sometimes after a bit of fine-tuning) automatically block these offenders. It's also nice to note that it incorporates a rootkit hunter, so that if they breached you, it will start notifying you of file changes (it also triggers when you perform updates or edit critical files, so it's for those situations where you are sure you weren't doing anything).

Lucas Kauffman
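An added example, not code from the question or from either answer: since the application is Rails, this Ruby script takes the query string from the request quoted in the question, percent-decodes the `t` parameter without assuming UTF-8, tries the common 8-bit encodings for Russian text, and keeps the one that yields natural-looking prose. It reproduces the Windows-1251 reading given in the first answer and gives a reusable way to pin down the encoding that the second answer could not identify; the candidate list, the scoring heuristic and the SQL-marker list are my own assumptions, and the quick marker scan is an illustration rather than a WAF rule.

```ruby
require "uri"

# The query string exactly as it appears in the request quoted in the question.
RAW_QUERY = "f=4&t=252751+++++++++++++++++++++++++++++++++++++++++Result:+%E8%F1%EF%EE%EB%FC%E7%F3%E5%EC+%EF%F0%EE%EA%F1%E8+85.17.122.209:6188;+%ED%E5+%ED%E0%F8%EB%EE%F1%FC+%F4%EE%F0%EC%FB+%E4%EB%FF+%EE%F2%EF%F0%E0%E2%EA%E8;+Result:+GET-%F2%E0%E9%EC%E0%F3%F2%EE%E2+1;+%ED%E5+%ED%E0%F8%EB%EE%F1%FC+%F4%EE%F0%EC%FB+%E4%EB%FF+%EE%F2%EF%F0%E0%E2%EA%E8;"

# Assumption: the usual 8-bit encodings seen for Russian text, tried in this order.
CANDIDATES = %w[UTF-8 Windows-1251 KOI8-R ISO-8859-5].freeze

# Split the query string without decoding the values. URI.decode_www_form would
# label the decoded bytes as UTF-8, which these bytes are not, so keep them raw.
def raw_params(query)
  query.split("&").map do |pair|
    name, value = pair.split("=", 2)
    [name, value.to_s]
  end.to_h
end

# Percent-decode a value ('+' becomes a space) and read the resulting bytes in the
# given encoding. Returns a UTF-8 String, or nil when the bytes are not valid there.
def decode_as(value, encoding)
  bytes = URI.decode_www_form_component(value, Encoding::BINARY)
  text  = bytes.force_encoding(encoding)
  return nil unless text.valid_encoding?
  text.encode("UTF-8")
rescue Encoding::UndefinedConversionError, Encoding::InvalidByteSequenceError
  nil
end

# Heuristic score: running Russian prose is mostly lowercase Cyrillic. A decoding
# that turns the high bytes into uppercase letters (KOI8-R for these bytes) or into
# symbols such as "No." or the section sign (ISO-8859-5) is probably the wrong one.
def cyrillic_score(text)
  letters   = text.scan(/\p{Cyrillic}/).size
  lowercase = text.scan(/[\p{Cyrillic}&&\p{Ll}]/).size
  junk      = text.each_char.count { |c| c.ord > 0x7F && c !~ /\p{Cyrillic}/ }
  letters + lowercase - 2 * junk
end

# Try every candidate and return [encoding_name, decoded_text] for the best one,
# or nil when no candidate produces a valid decoding at all.
def guess_encoding(value)
  CANDIDATES.map { |enc| [enc, decode_as(value, enc)] }
            .reject { |_, text| text.nil? }
            .max_by { |_, text| cyrillic_score(text) }
end

# Quick look for the usual SQL injection metacharacters and keywords in the decoded
# text (assumption: a short illustrative list, not a complete rule set).
SQL_MARKERS = /'|"|--|\/\*|\bunion\b|\bselect\b|\bor\s+\d+\s*=\s*\d+|\bsleep\(|\bbenchmark\(/i

def injection_markers(text)
  text.scan(SQL_MARKERS)
end

if __FILE__ == $0
  params    = raw_params(RAW_QUERY)
  enc, text = guess_encoding(params["t"])
  puts "t decodes as #{enc}: #{text.squeeze(' ')}"
  puts "SQL markers found: #{injection_markers(text).inspect}"
end
```

Running it prints the Windows-1251 reading from the first answer (the run of 45 spaces after `252751` collapsed to one) and an empty marker list for this particular request; feeding `injection_markers` a classic probe such as `1' OR 1=1 --` shows what a hit looks like, and `decode_as` returns nil for UTF-8 because the bytes are not valid UTF-8 sequences.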