Security Incidents mailing list archives
Weblog software XSS attack?
From: Benjamin Franz <snowhare () nihongo org>
Date: Thu, 4 May 2006 08:39:45 -0700 (PDT)
Something I've started seeing in my Apache logs occasionally in the last month and a half are entries like these from a small number of IP addresses (N approximately 4 addresses).
Sample entries:

82.36.86.181 - - [19/Apr/2006:19:15:26 -0700] "GET /www.hayamasa.demon.co.uk/afaq/whats-new.html HTTP/1.1" 200 8780 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
82.36.86.181 - - [19/Apr/2006:19:15:26 -0700] "GET /www.hayamasa.demon.co.uk/afaq/whats-new.html HTTP/1.1" 200 8780 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
82.36.86.181 - - [21/Apr/2006:00:27:28 -0700] "GET /www.hayamasa.demon.co.uk/afaq/whats-new.html HTTP/1.1" 200 8780 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
82.36.86.181 - - [21/Apr/2006:00:27:28 -0700] "GET /www.hayamasa.demon.co.uk/afaq/whats-new.html HTTP/1.1" 200 8780 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
82.36.86.181 - - [21/Apr/2006:19:36:02 -0700] "GET /www.hayamasa.demon.co.uk/afaq/whats-new.html\" onmousedown=\"return clk(this.href,'res','66','') HTTP/1.1" 404 248 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
82.36.86.181 - - [21/Apr/2006:19:36:03 -0700] "GET /www.hayamasa.demon.co.uk/afaq/whats-new.html\" onmousedown=\"return clk(this.href,'res','66','') HTTP/1.1" 404 248 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
82.36.86.181 - - [03/May/2006:14:45:08 -0700] "GET /katrina.html\" onmousedown=\"return clk(this.href,'','','res','339','') HTTP/1.1" 404 216 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; .NET CLR 1.0.3705)"
82.36.86.181 - - [03/May/2006:14:45:08 -0700] "GET /katrina.html\" onmousedown=\"return clk(this.href,'','','res','339','') HTTP/1.1" 404 216 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; .NET CLR 1.0.3705)"

It seems a little unlikely that Googlebot *AND* a Mozilla browser would both come from 82.36.86.181 ;), so my guess is that someone is trying to set up an XSS attack on a log analyzer package (particularly since the above log entries represent _ALL_ the logged traffic from that IP address). It looks like something 'crawled' a few pages and then turned around and attempted to inject an XSS attack sometime later.
Ideas on what it is supposed to actually do, given that 'clk' is not a Javascript built-in AFAIK? Does anyone know of a specific log analyzer that uses a 'clk' function that is attackable by this?
--
Benjamin Franz
If you can't handle reality, it *will* handle you.
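Added example, not part of the post: a small Python script from a defender's side that parses Apache combined-format lines like the ones quoted above, flags request lines whose escaped quote followed by an on*= event handler indicates HTML-attribute injection, notes a source address that mixes a Googlebot user-agent with browser user-agents, and escapes every field before it is rendered into an HTML report. The sample lines are constructed from three of the post's entries; the function names and the "mixed_ua" heuristic are my own.

```python
import html
import re

# Apache "combined" format; the request field may hold \" escapes, exactly as in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$')
# A quote (escaped or bare) then an on*= handler, a <script> tag, or a javascript: URL.
INJECTION_RE = re.compile(
    r'\\?["\']\s*on[a-z]+\s*=|<\s*script|javascript:', re.IGNORECASE)

# Constructed sample: three of the entries quoted in the post above.
SAMPLE_LOG = [
    r'''82.36.86.181 - - [19/Apr/2006:19:15:26 -0700] "GET /www.hayamasa.demon.co.uk/afaq/whats-new.html HTTP/1.1" 200 8780 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"''',
    r'''82.36.86.181 - - [21/Apr/2006:19:36:02 -0700] "GET /www.hayamasa.demon.co.uk/afaq/whats-new.html\" onmousedown=\"return clk(this.href,'res','66','') HTTP/1.1" 404 248 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"''',
    r'''82.36.86.181 - - [03/May/2006:14:45:08 -0700] "GET /katrina.html\" onmousedown=\"return clk(this.href,'','','res','339','') HTTP/1.1" 404 216 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; .NET CLR 1.0.3705)"''',
]

def parse_line(line):
    """Split one combined-format line into named fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def injection_markers(text):
    """Substrings of text that look like markup injection (empty list if none)."""
    return [m.group(0) for m in INJECTION_RE.finditer(text)]

def analyze(lines):
    """Per source IP: user-agents seen, requests with injection markers in any
    client-controlled field, and whether a self-declared Googlebot also sent
    browser user-agents (the inconsistency the post points out)."""
    report = {}
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        r = report.setdefault(e["ip"], {"uas": set(), "injected": [], "mixed_ua": False})
        r["uas"].add(e["ua"])
        if any(injection_markers(e[k]) for k in ("request", "referer", "ua")):
            r["injected"].append(e["request"])
    for r in report.values():
        claims_bot = any("googlebot" in ua.lower() for ua in r["uas"])
        r["mixed_ua"] = claims_bot and len(r["uas"]) > 1
    return report

def render_row(entry):
    """Escape each field before it reaches an HTML report, so an injected
    attribute is displayed as text instead of becoming markup in the viewer."""
    cells = (entry["ip"], entry["ts"], entry["request"], entry["status"], entry["ua"])
    return "<tr>" + "".join(f"<td>{html.escape(c)}</td>" for c in cells) + "</tr>"
```

The marker scan is a heuristic for triage; the escaping in render_row is the part that actually removes the risk for an analyzer that renders log fields into HTML.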