rejetto forum

Software => HFS ~ HTTP File Server => Topic started by: hati on December 19, 2012, 10:21:22 PM

Title: Hacker?
Post by: hati on December 19, 2012, 10:21:22 PM
Hi again,

I'm not deep in webserver security. During the day I often notice GET requests that make no sense to me. I suppose some hacking attempts, presumably to trigger a stack overflow or something like that?  Does somebody knows more about it? Should I do something against it? Some sample log:

Code: [Select]
13:16:39 208.115.113.82:51863 Requested GET /?sort=e
17:29:14 208.115.113.82:52870 Fully downloaded - 2.34 K @ 0 KB/s - /~folder.tar?recursive
17:29:45 208.115.113.82:48512 Requested GET /?rev=1&sort=d
17:29:52 208.115.113.82:58665 Requested GET /?sort=s
10:02:53 132.211.133.161:60260 Requested HEAD /
18:34:43 157.56.229.190:19375 Requested GET /
21:15:26 208.115.113.82:48243 Requested GET /?rev=1&sort=t
09:22:40 208.115.113.82:45384 Requested GET /?rev=1&sort=n
10:26:31 173.199.114.75:45426 Requested GET /
12:26:53 141.8.147.1:29049 Requested GET /
12:31:57 141.8.147.1:16621 Requested GET /
14:36:46 178.77.126.55:42080 Requested GET /
18:58:56 157.56.229.190:54420 Requested GET /
22:09:18 85.25.71.119:58954 Requested GET /
22:09:29 85.25.71.119:59116 Requested GET /
22:09:47 85.25.71.119:59401 Requested GET /Kundenserver/
22:10:09 85.25.71.119:59724 Requested GET /?sort=t
22:10:27 85.25.71.119:59969 Requested GET /?sort=n
22:10:43 85.25.71.119:60235 Requested GET /?sort=e
22:11:08 85.25.71.119:60628 Requested GET /?rev=1
22:11:28 85.25.71.119:32781 Requested GET /?rev=1&sort=t
22:11:49 85.25.71.119:33160 Requested GET /?rev=1&sort=n
22:12:09 85.25.71.119:33435 Requested GET /?rev=1&sort=e
Title: Re: Hacker?
Post by: raybob on December 20, 2012, 03:00:54 AM
?sort and ?rev are just features of the user template that happen when the user tries to sort their files or something... not a big deal, it's normal, not hacking.
Title: Re: Hacker?
Post by: hati on December 20, 2012, 04:30:36 AM
Thanks for your answer.
What makes me nervous is: there ist no public area. You HAVE to log in. You only see the root, no folder, nothing. So there is nothing to sort. It's only for upload. Customers load up their files to print. But several IPs don't log in, just sort not existing files. And after some sorts (and: everybody is doing the same sorts) they leave.
Title: Re: Hacker?
Post by: raybob on December 20, 2012, 10:38:05 PM
It could be a bot that sees via the HTML that there are URL parameters that can change the page, so it tries accessing all of those as well...

Reason being is that some websites use nothing other than URL parameters to show completely different pages, so bots try to account for that.

If you wanna be sure you can try having HFS log the user-agent or do a 'request dump' in the log.
Title: Re: Hacker?
Post by: crazyboris on December 22, 2012, 06:46:37 PM
its probebly a google bot trying to indexing your page.
Title: Re: Hacker?
Post by: hati on December 23, 2012, 12:46:54 AM
seems legit... had a look at it for a while: either there was some html flaw with these GETs a while ago and some script kiddies spend some $$ on ebay for an outdated CD or it's some bot.

Thanks!
Title: Re: Hacker?
Post by: rejetto user on September 25, 2014, 01:08:44 AM
Hi ~

I know this is old but along with the strange log commands noted in the OP, I get many popups of administrator level CMD windows open on my desktop. There are no commands in the cmd windows but I do not think this is a normal behavior.

Here's what my log file looks like which triggers the numerous openings of cmd sessions:

2:19:45 PM 199.193.117.44:50574 Requested GET /?sort=e
2:20:07 PM 199.193.117.44:50579 Requested GET /?search=search=2:20:16 PM 199.193.117.44:50574 Requested GET /?search=2:20:39 PM 199.193.117.44:50574 Requested GET /?search=?
2:20:49 PM 199.193.117.44:50574 Requested GET /?search=?
2:21:03 PM 199.193.117.44:50574 Requested GET /?search=00{.exec|cmd.}
2:21:12 PM 199.193.117.44:50626 Requested GET /?search=00{.exec
2:21:20 PM 199.193.117.44:50626 Requested GET /
2:21:32 PM 199.193.117.44:50629 Requested GET /?tpl=list&folders-filter=\&recursive
2:21:41 PM 199.193.117.44:50631 Requested GET /?tpl=list
Title: Re: Hacker?
Post by: xpl01t on September 26, 2014, 02:04:49 PM
This is an hacking attempt update your version to 2.3c