3

Some of the 404 error logs I see on my website are obviously caused by vulnerably scanners and in most cases, I can understand what it is scanning! (and it's mainly about sql-injection)

However I've seen a couple of logs which I don't quite understand. You can see sample of the requested urls below:

http://example.com/}];this.forHtmlScript(SyntaxHighlighter.regexLib.aspScriptTags)}typeof
http://example.com/System.Web.AspNetHostingPermission,

I understand that former is somehow trying to exploit some bug in syntax highlighter I used in site (from http://alexgorbatchev.com) and the the latter is trying to make use of ASP.NET hosting bugs.

My question is:

First of all, am I right about assuming these logs as some kind of vulnerably scanner activity?

Moreover, what issue are they trying to take advantage of?

Jørgen R
  • 10,568
  • 7
  • 42
  • 59
Mahdi
  • 55
  • 1
  • 7

1 Answers1

3
http://example.com/}];this.forHtmlScript(SyntaxHighlighter.regexLib.aspScriptTags)}typeof

I can say that the first line is possible a script error, probably you send this from javascript and looks line bug, you or any other auto-translate web program, a false redirect (a bug on the redirect)

Have nothing to exploit with this line

About the System.Web.AspNetHostingPermission Nether this looks like exploit, to me looks like you try to make a redirect somewhere and you get a throw exception with this inside this throw System.Web.AspNetHostingPermission, and you redirect him to this throw message that starts with this System.Web.AspNetHostingPermission

look a throw message like that, you see starts the same as your directory.

System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

So to end up, they are 99.9% bugs and not exploit commands.

Last word

Check the ips that this coming from and see if its google, msn, or other indexer that usually find pages and combinations on links that you not have check. Even I think the first is from auto-translate page that try to high light some text.

Aristos
  • 66,005
  • 16
  • 114
  • 150
  • Thanks for the tips but frankly I don't believe it'd be a correct assumption. First of all, this site uses drupal and it's hosted on a linux server. so there can't be any AspNetHostingPermission excpetion. Furthermore, these two logs come from an IP (which doesn't seem to be a known crawler) that crawls trough lots of different non-existent pages like "Default.aspx" and also tries to exploit possible sql injection bugs with queries like `http://example.com/test"` (note the qoutation mark at the end) – Mahdi Mar 28 '12 at 16:45
  • @Mahdi the first is javascript error - nothing to do with server, the second also have nothing to do with server. What are the ip that this coming from ? (in any case this are not dangerous nether can see anything.) Maybe this are bugs from the other side - this can not be dangerous - if they scan you this is something else, but this can not do anything. – Aristos Mar 28 '12 at 18:00
  • This happens from time to time, each time with a different IP address but the log pattern stays intact! Some of the IP addresses include: 108.166.76.87 96.44.145.188 86.82.129.150 194.219.204.240 109.169.54.141 – Mahdi Mar 28 '12 at 19:17
  • 1
    @Mahdi this ips are from users with dsl lines, one from my country and my provider :) Something else is your issue... Check what else this ips check out, what else they see, what is the previous page that they see. The log pattern stay intact because is a bug, or is a plugin that make thus bug, or is somthing similar for a browser. – Aristos Mar 28 '12 at 19:48
  • I just checked the logs again and I think you are right about it being a bug, but surely it's a bug in a crawler that tries to crawl my site! The user-agent string is "Java/1.6.0_17" so this should be a crawler written in Java. Furthermore it seems that it tries to discover links according to the content of my site. I've written mostly about ASP.NET and that's where these .aspx request and also some other strange requests come from! So, I believe that you are right and it's just a bug; a bug in some unknown crawler. – Mahdi Mar 29 '12 at 17:36