Some Spam HTTP Post

26 May, 2019 - 12:37:42


Matthew Deig

I had this idea to checkup on my logs for a web server I'm running and see what type of requests that it was getting. I wasn't planning on writing it any findings up but recovering from my latest hiking trip. I figure I would do something.

What stood out to me when I was looking at the logs. It was getting hit by spam drive-by attacks. Some typical basic ones of getting the myAdmin pages and other unsecured servers might have. Though I found a couple of request that were interesting to me anyways.

SQL in the request header.

The first time this showed up in my logs was May 7th 2019, and coming from China. The url request from my server is usually a hexadecimal url string. What caught my eye the most was in the request header there was a SQL like query in there.

554fcae493e564ee0dc75bdf2ebf94caads|a:3:{s:2:"id";s:3:"'/*";s:3:"num";s:141:"*/ union select 1,0x272F2A,3,4,5,6,7,8,0x7b247b24524345275d3b6469652f2a2a2f286d6435284449524543544f52595f534550415241544f5229293b2f2f7d7d,0--";s:4:"name";s:3:"ads";}554fcae493e564ee0dc75bdf2ebf94ca

I'm not sure what their target was. It looks to me they where looking for a possible a name with ads.

The server I pulled this from doesn't have any databases hooked up to it so this request wasn't harmful to me.

Reconnect to my server?

The first time this request showed up in my logs was May 04 2019, and coming from China. The request has a string of encoded hexadecimal and at the end is http protocol url of server ip address. Why it caught my eye was that it had server ip in the request url. This one I'm not sure what is going on with it. I'm going to take a guess that it might be some type of buffer overflow.


I'm not sure why this are attacks. I did searches on the string to see if anyone was talking about them. I didn't have any luck. I just wanted to write about because I thought they looked interesting. I fairly sure that they are coming from an automated script to see if they can get an easy target, because they do show up in my logs often with other requests from the same place. Just some of my thoughts on these POST requests.