rejetto forum

Software => HFS ~ HTTP File Server => Topic started by: hati on December 19, 2012, 10:21:22 PM

Title: Hacker?
Post by: hati on December 19, 2012, 10:21:22 PM
Hi again,

I'm not deep in webserver security. During the day I often notice GET requests that make no sense to me. I suppose some hacking attempts, presumably to trigger a stack overflow or something like that? Does somebody know more about it? Should I do something against it? Some sample log:

13:16:39 Requested GET /?sort=e
17:29:14 Fully downloaded - 2.34 K @ 0 KB/s - /~folder.tar?recursive
17:29:45 Requested GET /?rev=1&sort=d
17:29:52 Requested GET /?sort=s
10:02:53 Requested HEAD /
18:34:43 Requested GET /
21:15:26 Requested GET /?rev=1&sort=t
09:22:40 Requested GET /?rev=1&sort=n
10:26:31 Requested GET /
12:26:53 Requested GET /
12:31:57 Requested GET /
14:36:46 Requested GET /
18:58:56 Requested GET /
22:09:18 Requested GET /
22:09:29 Requested GET /
22:09:47 Requested GET /Kundenserver/
22:10:09 Requested GET /?sort=t
22:10:27 Requested GET /?sort=n
22:10:43 Requested GET /?sort=e
22:11:08 Requested GET /?rev=1
22:11:28 Requested GET /?rev=1&sort=t
22:11:49 Requested GET /?rev=1&sort=n
22:12:09 Requested GET /?rev=1&sort=e
Title: Re: Hacker?
Post by: raybob on December 20, 2012, 03:00:54 AM
?sort and ?rev are just features of the user template that happen when the user tries to sort their files or something... not a big deal, it's normal, not hacking.
Title: Re: Hacker?
Post by: hati on December 20, 2012, 04:30:36 AM
Thanks for your answer.
What makes me nervous is: there is no public area. You HAVE to log in. You only see the root, no folder, nothing. So there is nothing to sort. It's only for upload. Customers load up their files to print. But several IPs don't log in, just sort non-existent files. And after some sorts (and: everybody is doing the same sorts) they leave.
Title: Re: Hacker?
Post by: raybob on December 20, 2012, 10:38:05 PM
It could be a bot that sees via the HTML that there are URL parameters that can change the page, so it tries accessing all of those as well...

Reason being is that some websites use nothing other than URL parameters to show completely different pages, so bots try to account for that.

If you wanna be sure you can try having HFS log the user-agent or do a 'request dump' in the log.
Title: Re: Hacker?
Post by: crazyboris on December 22, 2012, 06:46:37 PM
It's probably a Google bot trying to index your page.
Title: Re: Hacker?
Post by: hati on December 23, 2012, 12:46:54 AM
seems legit... had a look at it for a while: either there was some html flaw with these GETs a while ago and some script kiddies spend some $$ on ebay for an outdated CD or it's some bot.

Title: Re: Hacker?
Post by: rejetto user on September 25, 2014, 01:08:44 AM
Hi ~

I know this is old but along with the strange log commands noted in the OP, I get many popups of administrator level CMD windows open on my desktop. There are no commands in the cmd windows but I do not think this is a normal behavior.

Here's what my log file looks like which triggers the numerous openings of cmd sessions:

2:19:45 PM Requested GET /?sort=e
2:20:07 PM Requested GET /?search=search=
2:20:16 PM Requested GET /?search=
2:20:39 PM Requested GET /?search=?
2:20:49 PM Requested GET /?search=?
2:21:03 PM Requested GET /?search=00{.exec|cmd.}
2:21:12 PM Requested GET /?search=00{.exec
2:21:20 PM Requested GET /
2:21:32 PM Requested GET /?tpl=list&folders-filter=\&recursive
2:21:41 PM Requested GET /?tpl=list
Title: Re: Hacker?
Post by: xpl01t on September 26, 2014, 02:04:49 PM
This is a hacking attempt; update your version to 2.3c.
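
The two kinds of log entries discussed in this thread can be told apart mechanically. The following is an added example, not part of the original posts and not HFS code: a Python scanner that treats the `sort`/`rev` template parameters as benign and flags any request whose query string contains the `{.` sequence seen in the 2014 log, including a percent-encoded form. The sample lines are constructed from the log formats shown above; the function names, the verdict labels and the set of benign parameters are assumptions.

```python
import re
from urllib.parse import unquote, parse_qsl

# One entry: timestamp (24h or AM/PM), "Requested", method, target.
# finditer also recovers entries that were fused onto a single line.
TS = r"\d{1,2}:\d{2}:\d{2}(?: [AP]M)?"
ENTRY = re.compile(rf"({TS}) Requested (GET|HEAD|POST) (.*?)(?={TS} Requested |$)")

BENIGN_PARAMS = {"sort", "rev"}  # assumption: sort controls named in the replies
MACRO_OPEN = "{."                # sequence seen in the 2014 log excerpt

def classify(target):
    """Return 'macro-syntax', 'benign' or 'review' for one request target."""
    _path, _, query = target.partition("?")
    # Decode first so a percent-encoded "{" is not missed.
    if MACRO_OPEN in unquote(query):
        return "macro-syntax"
    names = {k for k, _ in parse_qsl(query, keep_blank_values=True)}
    return "benign" if names <= BENIGN_PARAMS else "review"

def scan(log_text):
    """Return (timestamp, target, verdict) for every 'Requested' entry."""
    results = []
    for line in log_text.splitlines():
        for m in ENTRY.finditer(line):
            ts, _method, target = m.groups()
            target = target.strip()
            results.append((ts, target, classify(target)))
    return results

# Constructed sample in the two log formats shown in the thread.
SAMPLE = r"""13:16:39 Requested GET /?sort=e
17:29:14 Fully downloaded - 2.34 K @ 0 KB/s - /~folder.tar?recursive
22:11:28 Requested GET /?rev=1&sort=t
2:20:07 PM Requested GET /?search=search=2:20:16 PM Requested GET /?search=
2:21:03 PM Requested GET /?search=00{.exec|cmd.}
2:21:05 PM Requested GET /?search=%7B.exec%7Ccmd.%7D
2:21:32 PM Requested GET /?tpl=list&folders-filter=\&recursive
"""

if __name__ == "__main__":
    for ts, target, verdict in scan(SAMPLE):
        print(f"{verdict:13} {ts:11} {target}")
```

A `macro-syntax` verdict is the case the last reply addresses with the upgrade to 2.3c; `review` entries are merely outside the sort controls and need a human look.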