What Exploit Are These User Agents Trying to Use?


I just looked at my user agent tracking page on my site (archived on Yandex) and I noticed these user agents. I believe they are an attempt to exploit my server (NGinx with PHP). The 1 in front of it is just how many times the user agent was seen in the NGinx log. These are also shortened user agents and not long ones like Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36. I no longer have access to the logs as I presume this occurred sometime in January or February (my oldest logs are in March and I created the site in January).



1 Mozilla/5.9print(238947899389478923-34567343546345);{
1 Mozilla/5.9$print(238947899389478923-34567343546345)
1 Mozilla/5.9x22$print(238947899389478923-34567343546345)x22
1 Mozilla/5.9x22];print(238947899389478923-34567343546345);//
1 Mozilla/5.9x22


What exploit was attempted and how can I test to ensure these exploits are not usable?







exploit webserver web nginx anti-exploitation






asked 3 hours ago









SenorContento

      2 Answers
It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.

In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server, and see how they respond. Note that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.

My bet is that your server is not vulnerable, because I would have expected to see follow-up requests to actually exploit your server.

answered 2 hours ago

user52472

It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.

answered 3 hours ago

DarkMatter
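
A way to run the check both answers describe, as an added example that is not part of the original posts: it pulls the subtraction out of a logged user agent, computes the number an evaluating server would emit, and looks for that number in a response. The function names are this example's own, and the sample user agents are copied from the question as they appear on this page, plus one constructed ordinary browser entry.

```python
import re
import urllib.error
import urllib.request

# Matches the arithmetic canary the scanner embeds: print(<int>-<int>)
PROBE_RE = re.compile(r"print\((\d+)\s*-\s*(\d+)\)")

# User agents as shown in the question (count prefix dropped).
SAMPLE_USER_AGENTS = [
    "Mozilla/5.9$print(238947899389478923-34567343546345)",
    "Mozilla/5.9x22$print(238947899389478923-34567343546345)x22",
    "Mozilla/5.9x22];print(238947899389478923-34567343546345);//",
    "Mozilla/5.9x22",
    # Constructed ordinary browser entry for contrast.
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/73.0.3683.86 Safari/537.36",
]


def expected_canary(user_agent):
    """Return the number an evaluating server would print, or None if no probe."""
    m = PROBE_RE.search(user_agent)
    if m is None:
        return None
    return str(int(m.group(1)) - int(m.group(2)))


def body_shows_evaluation(body, user_agent):
    """True only if the body contains the computed result. That value appears
    nowhere in the request, so a page that merely echoes the header is not flagged."""
    canary = expected_canary(user_agent)
    return canary is not None and canary in body


def triage(user_agents):
    """Map each probing user agent to its canary, skipping ordinary ones."""
    return {ua: c for ua in user_agents if (c := expected_canary(ua))}


def check_own_server(url, user_agent, timeout=5):
    """Replay one logged user agent against a server you operate and report
    whether the response body contains the evaluated canary."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as err:
        raw = err.read()  # error pages can carry evaluated output too
    return body_shows_evaluation(raw.decode("utf-8", errors="replace"), user_agent)


if __name__ == "__main__":
    for ua, canary in triage(SAMPLE_USER_AGENTS).items():
        print(f"probe: {ua!r} -> canary {canary}")
```

A page that only displays user agents, like the tracking page in the question, contains the expression text but not 238913332045932578, so it is not reported as evaluating the input.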
