Mdtryhht

How to install cross-compiler on Ubuntu 18.04?

How to show a landlord what we have in savings?

How to find if SQL server backup is encrypted with TDE without restoring the backup

Why was Sir Cadogan fired?

If a warlock makes a Dancing Sword their pact weapon, is there a way to prevent it from disappearing if it's farther away for more than a minute?

My ex-girlfriend uses my Apple ID to log in to her iPad. Do I have to give her my Apple ID password to reset it?

Did 'Cinema Songs' exist during Hiranyakshipu's time?

What's the meaning of "Sollensaussagen"?

What historical events would have to change in order to make 19th century "steampunk" technology possible?

How dangerous is XSS

Do Iron Man suits sport waste management systems?

Ambiguity in the definition of entropy

What is a Samsaran Word™?

How to stretch the corners of this image so that it looks like a perfect rectangle?

Knowledge-based authentication using Domain-driven Design in C#

How to compactly explain secondary and tertiary characters without resorting to stereotypes?

How to prevent "they're falling in love" trope

Does int main() need a declaration on C++?

What Exploit Are These User Agents Trying to Use?

files created then deleted at every second in tmp directory

Am I breaking OOP practice with this architecture?

In the UK, is it possible to get a referendum by a court decision?

Where would I need my direct neural interface to be implanted?

Different meanings of こわい

What Exploit Are These User Agents Trying to Use?

What is SPL exploit?What kind of security injection are these traces of, SQL, javascript, or otherwise?Is it illegal to use Fake User-agents?Server attack attempts, what are they trying to achieve?Can I exploit Windows kernel from user-mode application?HTTP attack taking down PHP-FPMSegmentation fault trying to exploit printf vulnerabilityWhat web servers are affected by this user agent exploit?Which exploit and which payload use?Help on what to do with these suspicious logs

1 Mozilla/5.9}print(238947899389478923-34567343546345); 
 
 

8

1

I just looked at my user agent tracking page on my site (archived on Yandex) and I noticed these user agents. I believe they are an attempt to exploit my server (NGinx with PHP). The 1 in front of it is just how many times the user agent was seen in the NGinx log. These are also shortened user agents and not long ones like Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36. I no longer have access to the logs as I presume this occurred sometime in January or February (my oldest logs are in March and I created the site in January).

1 Mozilla/5.9print(238947899389478923-34567343546345);improve this question

asked 8 hours ago

SenorContentoSenorContento

556

asked 8 hours ago

SenorContentoSenorContento

556

1 Mozilla/5.9print(238947899389478923-34567343546345);{
1 Mozilla/5.9$print(238947899389478923-34567343546345)
1 Mozilla/5.9x22$print(238947899389478923-34567343546345)x22
1 Mozilla/5.9x22];print(238947899389478923-34567343546345);//
1 Mozilla/5.9x22

share|improve this question

asked 8 hours ago

SenorContentoSenorContento

556

share|improve this question

asked 8 hours ago

SenorContentoSenorContento

556

asked 8 hours ago

SenorContentoSenorContento

556

asked 8 hours ago

SenorContentoSenorContento

556

2 Answers
2

active

oldest

votes

11

It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself just appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.

In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server, and see how they respond. Note, that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.

My bet is that your server is not vulnerable, because I would have expected to see follow up request to actually exploit your server.

share|improve this answer

answered 6 hours ago

user52472user52472

2,502614

add a comment | 

6

It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.

share|improve this answer

answered 7 hours ago

DarkMatterDarkMatter

2,1381120

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206649%2fwhat-exploit-are-these-user-agents-trying-to-use%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

11

It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself just appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.

In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server, and see how they respond. Note, that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.

My bet is that your server is not vulnerable, because I would have expected to see follow up request to actually exploit your server.

share|improve this answer

answered 6 hours ago

user52472user52472

2,502614

add a comment | 

11

It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself just appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.

In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server, and see how they respond. Note, that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.

My bet is that your server is not vulnerable, because I would have expected to see follow up request to actually exploit your server.

share|improve this answer

answered 6 hours ago

user52472user52472

2,502614

add a comment | 

It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself just appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.

In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server, and see how they respond. Note, that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.

My bet is that your server is not vulnerable, because I would have expected to see follow up request to actually exploit your server.

share|improve this answer

answered 6 hours ago

user52472user52472

2,502614

share|improve this answer

answered 6 hours ago

user52472user52472

2,502614

answered 6 hours ago

user52472user52472

2,502614

answered 6 hours ago

user52472user52472

2,502614

6

It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.

share|improve this answer

answered 7 hours ago

DarkMatterDarkMatter

2,1381120

add a comment | 

6

It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.

share|improve this answer

answered 7 hours ago

DarkMatterDarkMatter

2,1381120

add a comment | 

It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.

share|improve this answer

answered 7 hours ago

DarkMatterDarkMatter

2,1381120

share|improve this answer

answered 7 hours ago

DarkMatterDarkMatter

2,1381120

answered 7 hours ago

DarkMatterDarkMatter

2,1381120

answered 7 hours ago

DarkMatterDarkMatter

2,1381120