?redir= in GET request


Blake Rich

Jun 21, 2012, 5:33:29 AM
to SANS Internet Storm Center / DShield
Good Morning,
I've been seeing the following types of requests for a month or two
now. It is similar to some of the exploits I've seen when working
with vulnerable wordpress installations, but I haven't been able to
quite decode the redir= string. Has anyone else seen this type of
pattern and been able to figure out what it is doing?

Thanks!
------------------

157.55.18.25 - - [17/Jun/2012:20:38:01 -0600] "GET /outage/index.html?
redir=5DED42894E340C3AB4E114F3703EDFB14620E372DC3B4A0B7E12A1638D98E5C54E1DCE497B70E6D5EA2F47DD5784F0CCF61D612FD8811263BE37E75EDA228027
HTTP/1.1" 200 13156 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://
www.bing.com/bingbot.htm)"
217.95.19.233 - - [17/Jun/2012:21:36:38 -0600] "GET /copyright/?
redir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
HTTP/1.1" 200 24257 "" "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT
5.1)"
217.95.13.27 - - [20/Jun/2012:20:52:30 -0600] "GET /registrar/?
redir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
HTTP/1.1" 404 11257 "" "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT
5.1)"
217.95.8.112 - - [20/Jun/2012:21:32:32 -0600] "GET /?
redir=6D2C5AB83FF0CA268B828F8D431D8E9746CCCE6C0E27A5E0C840348ABABD84A9F4E4AE076C395A956F6F633DEF82D39C406ECB726F3341407BBB226C4FFC0FD3AB462A2E9510570E48FC05B79BD876E3DE90CE0531EDC9049B6EB2DBF8BE7545B62628582156B5194413348F88ED0ED82CC3108231780D296DF2322702072FED78DD888A378C04FB889A1985DF262DB81DD811580F0ACED8B8FEE89A35A54A13A1E30B38B0E8635E8F4CB014C8059312C9B61319CA27D80B591EDEE62F79A8F8D370044F1BF434A47ADF78BE6F7493535386F7B206F82920C0FAB4838A761FD742C758C288017900C757B5FF32F2280CF1A3AF6544B03EF38DC2AF48B2DEDAA8C355E383337E38328684F86BF0A0B17F296BBC90029F1E48E5C064544DC110DA
HTTP/1.1" 200 19941 "" "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT
5.1)"


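An added triage script, not part of the original post or of any SANS/DShield tooling, that parses lines in the combined log format shown above, pulls out the redir= parameter and characterises it: whether it decodes as a plain URL (and whether that URL is off-site), as a hex blob or as base64; the decoded length; whether that length is a multiple of the common 8- and 16-byte block sizes; and the byte entropy of the decoded data. The first sample line is the post's first request re-joined onto one line; the other two lines, their addresses and the example.com targets are constructed for contrast. The script cannot say what an opaque blob means; it only reports what its encoding and length rule in or out.

```python
import base64
import binascii
import math
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" log format, as in the post's lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
HEX_RE = re.compile(r"[0-9A-Fa-f]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

# Sample input. Line 1 is the post's first request re-joined onto one line;
# lines 2 and 3 are constructed (RFC 5737 addresses, example.com targets).
SAMPLE_LOG = """\
157.55.18.25 - - [17/Jun/2012:20:38:01 -0600] "GET /outage/index.html?redir=5DED42894E340C3AB4E114F3703EDFB14620E372DC3B4A0B7E12A1638D98E5C54E1DCE497B70E6D5EA2F47DD5784F0CCF61D612FD8811263BE37E75EDA228027 HTTP/1.1" 200 13156 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
198.51.100.23 - - [20/Jun/2012:21:32:32 -0600] "GET /?redir=http%3A%2F%2Fexample.com%2Flogin HTTP/1.1" 200 19941 "" "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)"
198.51.100.24 - - [20/Jun/2012:21:33:10 -0600] "GET /registrar/?redir=aHR0cDovL2V4YW1wbGUuY29tL2xvZ2lu HTTP/1.1" 404 11257 "" "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)"
"""


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near the log2 of the length for random/ciphertext, much lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_redir(value: str) -> dict:
    """Describe a redir= value as a plain URL, a hex blob, a base64 blob, or unknown."""
    plain = unquote(value)
    if re.match(r"^(https?://|/)", plain):
        # Classic open-redirect shape: an explicit target, possibly off-site.
        return {"kind": "url", "target": plain, "external": bool(urlsplit(plain).netloc)}
    if HEX_RE.fullmatch(value) and len(value) % 2 == 0:
        raw, kind = bytes.fromhex(value), "hex"
    elif B64_RE.fullmatch(value):
        try:
            raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
        except binascii.Error:
            return {"kind": "unknown"}
        kind = "base64"
    else:
        return {"kind": "unknown"}
    info = {
        "kind": kind,
        "bytes": len(raw),
        "entropy": round(shannon_entropy(raw), 2),
        # A decoded length that is a multiple of 8 or 16 is consistent with a
        # padded block cipher (DES/3DES or AES) or a digest; it is a hint, not proof.
        "block8": len(raw) % 8 == 0,
        "block16": len(raw) % 16 == 0,
    }
    if all(0x20 <= b < 0x7F for b in raw):
        info["plaintext"] = raw.decode("ascii")  # decodes to readable ASCII
    return info


def triage_log(text: str) -> list:
    """Parse combined-format lines and classify every redir= parameter found."""
    results = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        params = parse_qs(url.query, keep_blank_values=True)
        if "redir" not in params:
            continue
        results.append({
            "ip": m["ip"], "path": url.path, "status": int(m["status"]),
            "ua": m["ua"], "redir": classify_redir(params["redir"][0]),
        })
    return results


if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit["ip"], hit["path"], hit["status"], hit["redir"])
```

For the post's first value the script reports a 64-byte hex blob with no printable decoding and an entropy near 5.8 bits per byte, which is about as high as 64 bytes can score, so it is consistent with ciphertext, a concatenation of digests, or random padding, and rules out a simply hex-encoded URL. The constructed lines show the two shapes it is worth telling apart from that: an explicit off-site URL, and a base64 value that decodes straight back to a URL.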