Security Incidents mailing list archives

Weblog software XSS attack?


From: Benjamin Franz <snowhare () nihongo org>
Date: Thu, 4 May 2006 08:39:45 -0700 (PDT)

Something I've started seeing in my Apache logs occasionally in the last month and a half are entries like these from a small number of IP addresses (approximately 4 addresses).

Sample entries:

82.36.86.181 - - [19/Apr/2006:19:15:26 -0700] "GET /www.hayamasa.demon.co.uk/afaq/whats-new.html HTTP/1.1" 200 8780 "-" 
"Googlebot/2.1 (+http://www.google.com/bot.html)"
82.36.86.181 - - [19/Apr/2006:19:15:26 -0700] "GET /www.hayamasa.demon.co.uk/afaq/whats-new.html HTTP/1.1" 200 8780 "-" 
"Googlebot/2.1 (+http://www.google.com/bot.html)"
82.36.86.181 - - [21/Apr/2006:00:27:28 -0700] "GET /www.hayamasa.demon.co.uk/afaq/whats-new.html HTTP/1.1" 200 8780 "-" 
"Googlebot/2.1 (+http://www.google.com/bot.html)"
82.36.86.181 - - [21/Apr/2006:00:27:28 -0700] "GET /www.hayamasa.demon.co.uk/afaq/whats-new.html HTTP/1.1" 200 8780 "-" 
"Googlebot/2.1 (+http://www.google.com/bot.html)"
82.36.86.181 - - [21/Apr/2006:19:36:02 -0700] "GET /www.hayamasa.demon.co.uk/afaq/whats-new.html\" onmousedown=\"return 
clk(this.href,'res','66','') HTTP/1.1" 404 248 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
82.36.86.181 - - [21/Apr/2006:19:36:03 -0700] "GET /www.hayamasa.demon.co.uk/afaq/whats-new.html\" onmousedown=\"return 
clk(this.href,'res','66','') HTTP/1.1" 404 248 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
82.36.86.181 - - [03/May/2006:14:45:08 -0700] "GET /katrina.html\" onmousedown=\"return clk(this.href,'','','res','339','') HTTP/1.1" 404 
216 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; .NET CLR 1.0.3705)"
82.36.86.181 - - [03/May/2006:14:45:08 -0700] "GET /katrina.html\" onmousedown=\"return clk(this.href,'','','res','339','') HTTP/1.1" 404 
216 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; .NET CLR 1.0.3705)"

It seems a little unlikely that Googlebot *AND* a Mozilla browser would both come from 82.36.86.181 ;), so my guess is that someone is trying to set up an XSS attack on a log analyzer package (particularly since the above log entries represent _ALL_ the logged traffic from that IP address). It looks like something 'crawled' a few pages and then turned around and attempted to inject an XSS attack sometime later.

Ideas on what it is supposed to actually do, given that 'clk' is not a JavaScript built-in AFAIK? Does anyone know of a specific log analyzer that uses a 'clk' function that is attackable by this?

--
Benjamin Franz

If you can't handle reality, it *will* handle you.
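The two things the post is doing by hand, spotting request paths that carry HTML attribute syntax and noticing that one IP claims to be both Googlebot and MSIE, can be automated over the access log. The script below is an added example, not code from the original post or from any log analyzer it mentions. It parses Apache combined-format lines (handling the `\"` escaping Apache applies inside quoted fields, which is exactly what the injected quotes produce), flags paths containing a double quote, angle brackets, an `on*=` handler or a `javascript:` URL, profiles each client IP by distinct user-agents and injection attempts, and then shows the vulnerable and hardened way a report generator could turn a logged path into an HTML link. The sample lines are constructed, modelled on the entries quoted above with the hostname prefix dropped; the second client IP and its requests are invented for contrast.

```python
import html
import re
from collections import defaultdict

# Constructed sample lines, modelled on the entries quoted in the post above
# (same client IP, user-agents and request shapes; hostname prefix dropped).
# The 192.0.2.10 client is invented as a benign control.
SAMPLE_LOG = r'''82.36.86.181 - - [19/Apr/2006:19:15:26 -0700] "GET /afaq/whats-new.html HTTP/1.1" 200 8780 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
82.36.86.181 - - [21/Apr/2006:19:36:02 -0700] "GET /afaq/whats-new.html\" onmousedown=\"return clk(this.href,'res','66','') HTTP/1.1" 404 248 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
82.36.86.181 - - [03/May/2006:14:45:08 -0700] "GET /katrina.html\" onmousedown=\"return clk(this.href,'','','res','339','') HTTP/1.1" 404 216 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; .NET CLR 1.0.3705)"
192.0.2.10 - - [03/May/2006:15:00:00 -0700] "GET /index.html HTTP/1.1" 200 1234 "http://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/1.5"
'''

# Apache "combined" format. Quoted fields accept backslash escapes so that an
# injected \" does not terminate the field early.
_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Markup that has no business in a request path: a double quote (closes an
# HTML attribute), angle brackets, an on*= event handler, or a javascript: URL.
_INJECT_RE = re.compile(r'"|<|>|\bon[a-z]+\s*=|javascript:', re.IGNORECASE)


def unescape(field):
    """Undo Apache's backslash escaping of a quoted log field."""
    return re.sub(r'\\(.)', r'\1', field)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = _LINE_RE.match(line.rstrip('\n'))
    if not m:
        return None
    rec = {k: unescape(v) for k, v in m.groupdict().items()}
    rec['status'] = int(rec['status'])
    # Split "METHOD path PROTOCOL". The path may contain spaces once the
    # injected payload is unescaped, so peel off only the first and last token.
    method, _, rest = rec['request'].partition(' ')
    path, _, proto = rest.rpartition(' ')
    rec['method'], rec['path'], rec['proto'] = method, path, proto
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def is_injection(path):
    return bool(_INJECT_RE.search(path))


def profile_ips(records):
    """Per-IP summary: request count, distinct user-agents, injection attempts."""
    prof = defaultdict(lambda: {'requests': 0, 'user_agents': set(),
                                'injection_attempts': 0})
    for r in records:
        p = prof[r['ip']]
        p['requests'] += 1
        p['user_agents'].add(r['ua'])
        if is_injection(r['path']):
            p['injection_attempts'] += 1
    return dict(prof)


def suspicious_ips(records):
    """IPs that sent an injection attempt, or that present a crawler user-agent
    alongside a different one (the post's Googlebot-plus-MSIE observation)."""
    out = []
    for ip, p in profile_ips(records).items():
        claims_bot = any('bot' in ua.lower() for ua in p['user_agents'])
        if p['injection_attempts'] or (claims_bot and len(p['user_agents']) > 1):
            out.append(ip)
    return sorted(out)


def link_unsafe(path):
    """What a naive log report does: the raw path dropped into an attribute
    and into element text, so an injected quote opens a new attribute."""
    return '<a href="%s">%s</a>' % (path, path)


def link_safe(path):
    """Hardened form: escape for attribute and text context before emitting."""
    safe = html.escape(path, quote=True)
    return '<a href="%s">%s</a>' % (safe, safe)


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    profiles = profile_ips(recs)
    for ip in suspicious_ips(recs):
        p = profiles[ip]
        print(ip, p['requests'], 'requests,', p['injection_attempts'],
              'injection attempts,', len(p['user_agents']), 'user-agents')
    print(link_unsafe(recs[2]['path']))
    print(link_safe(recs[2]['path']))
```

Run against a real access log by replacing `SAMPLE_LOG` with the file contents; the 404 status on the injected requests is incidental (the server never had such a path), so the detector keys on the path contents rather than on status. The user-agent heuristic is deliberately loose: a genuine Googlebot crawl comes from Google's address space and is verified by reverse DNS, which this offline example does not attempt.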
