More script kiddie douchebaggery

A little while ago I mentioned some work I’d been doing with regard to 404 error processing with this blog’s engine. As part of that post, I disclosed some examples of remarkably stupid attempts to discover the whereabouts of standard PHP pages on this site. Except that this site does not use PHP, it’s not using WordPress of some ancient vintage, but instead uses an ASP.NET blogging engine.

[Image: a sign reading “Notice: this blog is patrolled by security services”]

Since that time nearly three months ago, I’ve been continuing to monitor the 404 error logs. Some of the “not-found” URLs have been beneficial (I discovered a bug in GraffitiCMS with regard to commenting, for example, that I’ve since fixed), but mostly they’ve been either of the aforementioned PHP persuasion or downright bizarre (such that I can’t imagine how they came about automatically, in which case there are some remarkably stupid script kiddies out there).

Until this morning, when I came across an entirely new type of URL in the logs. Here’s an example:

http://blog.boyet.com/blog/blog/fishing-expeditions-and-404s/+++++Result:+chosen+nickname+"Gerav8s";+success;

That is some bizarre type of code injection going on, I must say. But, it’s not unknown. If you do a search for “Result: chosen nickname”, you quickly get to this question on the IT Security StackExchange site: Strange request URI with lot of + (spaces) and “chosen nickname”. It seems to be fishing for a particular (but unidentified) bug and is almost certainly propagated by a botnet.

The other bizarre, yet utterly fascinating, thing about this particular injection attack is that it only occurs with the blog post where I talk about 404 errors and the attempt to discover standard PHP pages. None of the other hundreds of blog posts on this site are getting these injection searches, only that particular one. The “nickname” changes on occasion, sometimes the double quotes are escaped, but the only URL this “chosen nickname” hack is tacked onto is my previous PHP-and-404 post. Interesting, no?
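One way to pull these requests out of a 404 log and see which pages they are tacked onto, as an added example rather than code from this blog or its engine. The function names and every sample path except the first are constructed, and treating `+` as a space is an assumption.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# The trailer from the post: a run of spaces, then
#   Result: chosen nickname "<name>"; success;
# Case-insensitive; the double quotes may arrive backslash-escaped.
TRAILER = re.compile(
    r'\s+result:\s*chosen\s+nickname\s+\\?"(?P<nick>[^"\\]*)\\?"',
    re.IGNORECASE,
)

# Request paths as they might appear in a 404 log. The first is the example
# from the post; the rest are constructed for illustration.
SAMPLE_PATHS = [
    '/blog/blog/fishing-expeditions-and-404s/+++++Result:+chosen+nickname+"Gerav8s";+success;',
    '/blog/blog/fishing-expeditions-and-404s/%20%20Result:%20chosen%20nickname%20%22Abc12x%22;%20success;',
    r'/guestbook.php+++result:+chosen+nickname+\"Zed9\";+success;',
    '/wp-login.php',
    '/blog/some-other-post/',
]

def classify(raw_path):
    """Return (targeted_path, nickname) if the trailer is present, else None."""
    # Assumption: '+' stands for a space, as in the logged requests.
    decoded = unquote_plus(raw_path)
    match = TRAILER.search(decoded)
    if match is None:
        return None
    return decoded[:match.start()], match.group("nick")

def tally_targets(paths):
    """Count trailer-bearing requests per targeted path."""
    hits = Counter()
    for path in paths:
        found = classify(path)
        if found:
            hits[found[0]] += 1
    return hits

if __name__ == "__main__":
    for target, count in tally_targets(SAMPLE_PATHS).most_common():
        print(f"{count:4d}  {target}")
```

Feeding it the request paths from a real 404 log shows at a glance whether the trailer lands on one page or many, and how often the nickname changes.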

And now I shall be checking to see whether this post attracts these injection attempts…

(Before anyone asks: the image is a picture of a sign outside a building near here. I felt the original “BLDG” was sufficiently close to “BLOG” that I should photograph and PhotoShop it.)

Now playing:
Les Negresses Vertes - Face à la Mer [Massive Attack Remix-Full Version]
(from Café del Mar, Vol. 5)


1 Response

#1 flapane said...
11-Oct-14 11:51 AM

"The other bizarre, yet utterly fascinating, thing about this particular injection attack is that it only occurs with the blog post where I talk about 404 errors and the attempt to discover standard PHP pages"

For some reason, it doesn't target my WordPress blog, but the PHP guestbook I myself wrote a while ago, and the word "result" doesn't begin with a capital letter anymore.

I've just added the htaccess restriction suggested on StackExchange, the only difference being a '- [F]' redirection. Those stupid bots don't deserve my custom 404 error page.
