6

I assume this is some type of hacking attempt. I've tried to Google it but all I get are sites that look like they have been exploited already.

I'm seeing requests to one of my pages that look like this.

/listMessages.asp?page=8&catid=5+%28200+ok%29+ACCEPTED

The '(200 ok) ACCEPTED' is what is odd. But it does not appear to do anything.

I'm running on IIS 5 and ASP 3.0. Is this "hack" meant for some other type of web server?

Edit:

Normal requests look like:

/listMessages.asp?page=8&catid=5
Byran Zaugg
  • IIS 5 (aka Windows 2000) is fairly old - I assume the server is up to date? I once took over a Windows 2000 IIS server that hadn't been restarted (thus updated) in 700 days. A noble uptime effort, but not so great for security. – Mark Henderson Mar 17 '10 at 02:12
  • Without knowing what kind of requests are normal and valid on your system it's not really possible to give a definitive answer. As for using IIS 5, are you serious? – John Gardeniers Mar 17 '10 at 03:09
  • Ironically/recursively, the google search now lists this question. – Kzqai Mar 17 '10 at 03:15
  • @John: No I'm not serious about IIS 5. I was trying to distract you with incorrect information. I'm not in a position to choose the web server. I just get to maintain it. – Byran Zaugg Mar 22 '10 at 17:01
  • @Byran, if you're not going to ask a serious question, complete with accurate and serious information, don't expect us to provide you with a serious answer. I'm voting to close this as not a real question. – John Gardeniers Mar 22 '10 at 22:49
  • @John, I did ask a serious question with accurate information. I'd like to know what this hack, if it is a hack, is trying to exploit. You must have missed my attempt at humor directed at you questioning the IIS version I'm running. – Byran Zaugg Mar 26 '10 at 02:40
  • @John, When Byran said *No I'm not serious about IIS 5. I was trying to distract you with incorrect information* he was being sarcastic. He is using IIS 5. Why else would he put that in the question? – Josh Mar 27 '10 at 12:48
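As an added triage example (not code from the question or from any of the answers), the script below parses a constructed IIS W3C log excerpt, percent-decodes each request target so the `(200 ok) ACCEPTED` suffix is visible, rejects any `catid` that is not a plain integer, and counts the matching requests by client IP and user agent, the kind of grouping by source that the answers below discuss. The log lines, IP addresses and user agents are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus
# Constructed IIS W3C extended log excerpt (sample data, not a real log);
# IIS writes spaces inside a field as '+', so each entry splits on whitespace.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2010-03-16 10:01:02 192.0.2.10 GET /listMessages.asp page=8&catid=5 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2010-03-16 10:01:05 198.51.100.7 GET /listMessages.asp page=8&catid=5+%28200+ok%29+ACCEPTED 200 Mozilla/3.0+(x86+[en]+Windows+NT+5.1;+Sun)
2010-03-16 10:01:09 203.0.113.44 GET /+%28200+ok%29+ACCEPTED - 404 Mozilla/3.0+(x86+[en]+Windows+NT+5.1;+Sun)
2010-03-16 10:02:00 192.0.2.11 GET /listMessages.asp page=9&catid=12 200 Mozilla/4.0+(compatible;+MSIE+6.0)
"""
# %28 and %29 decode to '(' and ')', and '+' to a space, so the decoded marker is:
MARKER = re.compile(r"\(200 ok\) ACCEPTED$", re.IGNORECASE)

def parse_iis_log(text):
    """Yield one dict per entry, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def decoded_target(entry):
    """Rebuild the request target with percent-escapes and '+' decoded."""
    query = entry["cs-uri-query"]
    target = entry["cs-uri-stem"] + ("" if query == "-" else "?" + query)
    return unquote_plus(target)

def catid_is_valid(query):
    """catid must be a single plain integer; a trailing marker makes it invalid."""
    values = parse_qs(query).get("catid", [])
    return len(values) == 1 and values[0].isdigit()

def triage(text):
    """Collect entries carrying the marker and count them by client IP and user agent."""
    hits, by_ip, by_ua = [], Counter(), Counter()
    for entry in parse_iis_log(text):
        target = decoded_target(entry)
        if MARKER.search(target):
            hits.append((entry["c-ip"], target))
            by_ip[entry["c-ip"]] += 1
            by_ua[unquote_plus(entry["cs(User-Agent)"])] += 1
    return {"hits": hits, "by_ip": by_ip, "by_ua": by_ua}

if __name__ == "__main__":
    for ip, target in triage(SAMPLE_LOG)["hits"]:
        print(ip, target)
```

On the sample data this flags the two marker requests (one against the query string, one against the bare URI stem) and shows they share a user agent while coming from different addresses.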

8 Answers

2
  1. Maybe the log is wrong. It looks like some part of an answer inside the URL. If it appears in the IIS logs, try to watch the request URL using a packet sniffer to ensure it really is such.
  2. Maybe some script gets a malformed URL, e.g. it may be a bug in your ASP site.

In general it may look like either a highly specific or a specially crafted crack attempt that is made to look like a bug, but I suppose it is not. You should also analyse previous and further requests from this user. If it sometimes occurs from different places with no other suspicious things, it is a bug, not a crack attempt.

Vi.
2

Are all the requests coming from one IP range? Have you tried running a packet capture to see what the full request headers look like?

Josh
  • All different IPs. I can see the form & query string values they enter but I have not done any packet capturing. Thanks for the suggestion. – Byran Zaugg Mar 26 '10 at 17:12
2

Only worthwhile result on Google is this, so ...

Just had this show up on an IIS 6 (Server 2003) site I manage. In this particular case, it was hitting a ColdFusion page (a basic template file which is used across the site, including the home page), and just tacking it on to the end of the URI stem (no query string).

Same request, coming from a number of different IPs, with the following user-agent common amongst them:

Mozilla/3.0 (x86 [en] Windows NT 5.1; Sun)

No referrer information passed. 21 requests over 2 minutes, with a little over half a dozen unique IPs. Countries returned for IP include US, Bosnia, Malaysia, etcetera.

James Skemp
2

I find those entries very interesting (and not in a good way).

/listMessages.asp?page=8&catid=5+%28200+ok%29+ACCEPTED

The basic breakdown of this from a program standpoint gives the following variables:

page = 8
catid = "5 " + chr(28) + "200 ok" + chr(29) + " ACCEPTED"

The catid variable is being corrupted here. ASCII code 28 is File Separator, and code 29 is Group Separator.

If possible, I would check processing of the catid variable, and otherwise ignore it if the program handles it correctly (and rejects it).

Mei
2

Here too, several attempts during Easter.

/+%28200+ok%29+ACCEPTED

(200 ok) ACCEPTED

These seem to be random checks against servers.

The IP can be found in the Stopforumspam database.

http://www.stopforumspam.com/

admin
1

I'm getting the same kind of request on a site running classic ASP on IIS 7. The IP addresses I'm tracing all originate with spammers. I also have no idea what they are trying to do, and it does not affect the site adversely other than to annoy us with 404 errors.

As for 200 OK Accepted, it's an HTTP status code: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

1

I don't have sufficient privileges to comment, but I get this as well, with the browser string:

User agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; (R1 1.5))
IP address: 94.45.33.18

This is against an Apache server. I don't think it's an attack as it's too infrequent and it wouldn't cause a problem on any HTTP server I can think of, except throw 404 errors.

Adam Nelson
0

Short answer, it may be. But given the information you give us I would say no. More logs could change the answer.

tore-