What Exploit Are These User Agents Trying to Use?What is SPL exploit?What kind of security injection are these traces of, SQL, javascript, or otherwise?Is it illegal to use Fake User-agents?Server attack attempts, what are they trying to achieve?Can I exploit Windows kernel from user-mode application?HTTP attack taking down PHP-FPMSegmentation fault trying to exploit printf vulnerabilityWhat web servers are affected by this user agent exploit?Which exploit and which payload use?Help on what to do with these suspicious logs

Where would I need my direct neural interface to be implanted?

Avoiding the "not like other girls" trope?

Does the Idaho Potato Commission associate potato skins with healthy eating?

Is it a bad idea to plug the other end of ESD strap to wall ground?

Convert seconds to minutes

What is an equivalently powerful replacement spell for Yuan-Ti's Suggestion spell?

How can a day be of 24 hours?

Can a virus destroy the BIOS of a modern computer?

Standard deduction V. mortgage interest deduction - is it basically only for the rich?

Blending or harmonizing

What is the opposite of "eschatology"?

Were days ever written as ordinal numbers when writing day-month-year?

Am I breaking OOP practice with this architecture?

How can saying a song's name be a copyright violation?

How can I deal with my CEO asking me to hire someone with a higher salary than me, a co-founder?

GFCI outlets - can they be repaired? Are they really needed at the end of a circuit?

Getting extremely large arrows with tikzcd

Bullying boss launched a smear campaign and made me unemployable

Machine learning testing data

Placement of More Information/Help Icon button for Radio Buttons

How badly should I try to prevent a user from XSSing themselves?

How can I prove that a state of equilibrium is unstable?

What reasons are there for a Capitalist to oppose a 100% inheritance tax?

Is it "common practice in Fourier transform spectroscopy to multiply the measured interferogram by an apodizing function"? If so, why?



What Exploit Are These User Agents Trying to Use?


What is SPL exploit?What kind of security injection are these traces of, SQL, javascript, or otherwise?Is it illegal to use Fake User-agents?Server attack attempts, what are they trying to achieve?Can I exploit Windows kernel from user-mode application?HTTP attack taking down PHP-FPMSegmentation fault trying to exploit printf vulnerabilityWhat web servers are affected by this user agent exploit?Which exploit and which payload use?Help on what to do with these suspicious logs













5















I just looked at my user agent tracking page on my site (archived on Yandex) and I noticed these user agents. I believe they are an attempt to exploit my server (NGinx with PHP). The 1 in front of it is just how many times the user agent was seen in the NGinx log. These are also shortened user agents and not long ones like Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36. I no longer have access to the logs as I presume this occurred sometime in January or February (my oldest logs are in March and I created the site in January).



1 Mozilla/5.9}print(238947899389478923-34567343546345); 










5















I just looked at my user agent tracking page on my site (archived on Yandex) and I noticed these user agents. I believe they are an attempt to exploit my server (NGinx with PHP). The 1 in front of it is just how many times the user agent was seen in the NGinx log. These are also shortened user agents and not long ones like Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36. I no longer have access to the logs as I presume this occurred sometime in January or February (my oldest logs are in March and I created the site in January).



1 Mozilla/5.9print(238947899389478923-34567343546345);
1 Mozilla/5.9$print(238947899389478923-34567343546345)
1 Mozilla/5.9x22$print(238947899389478923-34567343546345)x22
1 Mozilla/5.9x22];print(238947899389478923-34567343546345);//
1 Mozilla/5.9x22


What exploit was attempted and how can I test to ensure these exploits are not usable?






exploit webserver web nginx anti-exploitation







shareprint(238947899389478923-34567343546345);improve this question














I just looked at my user agent tracking page on my site (archived on Yandex) and I noticed these user agents. I believe they are an attempt to exploit my server (NGinx with PHP). The 1 in front of it is just how many times the user agent was seen in the NGinx log. These are also shortened user agents and not long ones like Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36. I no longer have access to the logs as I presume this occurred sometime in January or February (my oldest logs are in March and I created the site in January).



1 Mozilla/5.9print(238947899389478923-34567343546345);{
1 Mozilla/5.9$print(238947899389478923-34567343546345)
1 Mozilla/5.9x22$print(238947899389478923-34567343546345)x22
1 Mozilla/5.9x22];print(238947899389478923-34567343546345);//
1 Mozilla/5.9x22


What exploit was attempted and how can I test to ensure these exploits are not usable?






exploit webserver web nginx anti-exploitation




exploit webserver web nginx anti-exploitation






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked 4 hours ago









SenorContentoSenorContento

406




406




















      2 Answers
      2






      active

      oldest

      votes


















      7














      It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself just appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.



      In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server, and see how they respond. Note, that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.



      My bet is that your server is not vulnerable, because I would have expected to see follow up request to actually exploit your server.






      share|improve this answer






























        4














        It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.






        share|improve this answer























          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "162"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206649%2fwhat-exploit-are-these-user-agents-trying-to-use%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          2 Answers
          2






          active

          oldest

          votes








          2 Answers
          2






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          7














          It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself just appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.



          In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server, and see how they respond. Note, that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.



          My bet is that your server is not vulnerable, because I would have expected to see follow up request to actually exploit your server.






          share|improve this answer



























            7














            It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself just appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.



            In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server, and see how they respond. Note, that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.



            My bet is that your server is not vulnerable, because I would have expected to see follow up request to actually exploit your server.






            share|improve this answer

























              7












              7








              7







              It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself just appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.



              In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server, and see how they respond. Note, that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.



              My bet is that your server is not vulnerable, because I would have expected to see follow up request to actually exploit your server.






              share|improve this answer













              It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself just appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.



              In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server, and see how they respond. Note, that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.



              My bet is that your server is not vulnerable, because I would have expected to see follow up request to actually exploit your server.







              share|improve this answer












              share|improve this answer



              share|improve this answer










              answered 3 hours ago









              user52472user52472

              2,462614




              2,462614























                  4














                  It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.






                  share|improve this answer



























                    4














                    It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.






                    share|improve this answer

























                      4












                      4








                      4







                      It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.






                      share|improve this answer













                      It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.







                      share|improve this answer












                      share|improve this answer



                      share|improve this answer










                      answered 4 hours ago









                      DarkMatterDarkMatter

                      2,1181120




                      2,1181120



























                          draft saved

                          draft discarded
















































                          Thanks for contributing an answer to Information Security Stack Exchange!


                          • Please be sure to answer the question. Provide details and share your research!

                          But avoid


                          • Asking for help, clarification, or responding to other answers.

                          • Making statements based on opinion; back them up with references or personal experience.

                          To learn more, see our tips on writing great answers.




                          draft saved


                          draft discarded














                          StackExchange.ready(
                          function ()
                          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206649%2fwhat-exploit-are-these-user-agents-trying-to-use%23new-answer', 'question_page');

                          );

                          Post as a guest















                          Required, but never shown





















































                          Required, but never shown














                          Required, but never shown












                          Required, but never shown







                          Required, but never shown

































                          Required, but never shown














                          Required, but never shown












                          Required, but never shown







                          Required, but never shown







                          -

                          Popular posts from this blog

                          Log på Navigationsmenu

                          Image
                          DeutschEnglishEsperantofrançaisespañolitalianoNederlands (function()var node=document.getElementById("mw-dismissablenotice-anonplace");if(node)node.outerHTML="u003Cdiv class="mw-dismissable-notice"u003Eu003Cdiv class="mw-dismissable-notice-close"u003E[u003Ca tabindex="0" role="button"u003ELuku003C/au003E]u003C/divu003Eu003Cdiv class="mw-dismissable-notice-body"u003Eu003Cdiv id="localNotice" lang="da" dir="ltr"u003Eu003Cpu003EI u003Ca href="/wiki/Wikipedia:Fokusm%C3%A5ned/maj_2019" title="Wikipedia:Fokusmåned/maj 2019"u003Emaj 2019u003C/au003E fokuserer vi på u003Cbu003Elokaliteter i Danmark som ikke er beskrevet på dansk Wikipediau003C/bu003E.u003Cbr /u003EDu kan desuden deltage i årets u003Ciu003Eu003Ca href="/wiki/Bruger:Ramloser/for%C3%A5rskonkurrence_2019" title="Bruger:Ramloser/forårskonkurrence 2019"u003Eforårskonkurrenceu003C/au003Eu003C/iu...
                          Read more

                          Creating second map without labels using QGIS?How to lock map labels for inset map in Print Composer?How to Force the Showing of Labels of a Vector File in QGISQGIS Valmiera, Labels only show for part of polygonsRemoving duplicate point labels in QGISLabeling every feature using QGIS?Show labels for point features outside map canvasAbbreviate Road Labels in QGIS only when requiredExporting map from composer in QGIS - text labels have moved in output?How to make sure labels in qgis turn up in layout map?Writing label expression with ArcMap and If then Statement?

                          Image
                          Why is the Eisenstein ideal paper so great? What would prevent living skin from being a good conductor for magic? Using too much dialogue? Fixie: how to learn to ride: step by step Who knighted this character? The Maltese Falcon Expected maximum number of unpaired socks If I arrive in the UK, and then head to mainland Europe, does my Schengen visa 90 day limit start when I arrived in the UK, or mainland Europe? Why does Bran want to find Drogon? Why isn't Tyrion mentioned in 'A song of Ice and Fire'? Did this character show any indication of wanting to rule before S8E6? Should I split timestamp parts into separate columns? What were the Ethiopians doing in Xerxes' army? “For nothing” = “pour rien”? Can you still travel to America on the ESTA waiver program if you have been to Iran in transit? Can a UK national work as a paid shop assistant in the USA? Why does the Starter Set wizard have six spells in their spellbook? Why does sp...
                          Read more

                          Nuuk Indholdsfortegnelse Etyomologi | Historie | Geografi | Transport og infrastruktur | Politik og administration | Uddannelsesinstitutioner | Kultur | Venskabsbyer | Noter | Eksterne henvisninger | Se også | Navigationsmenuwww.sermersooq.gl64°10′N 51°45′V / 64.167°N 51.750°V / 64.167; -51.75064°10′N 51°45′V / 64.167°N 51.750°V / 64.167; -51.750DMI - KlimanormalerSalmonsen, s. 850Grønlands Naturinstitut undersøger rensdyr i Akia og Maniitsoq foråret 2008Grønlands NaturinstitutNy vej til Qinngorput indviet i dagAntallet af biler i Nuuk må begrænsesNy taxacentral mødt med demonstrationKøreplan. Rute 1, 2 og 3SnescootersporNuukNord er for storSkoler i Kommuneqarfik SermersooqAtuarfik Samuel KleinschmidtKangillinguit AtuarfiatNuussuup AtuarfiaNuuk Internationale FriskoleIlinniarfissuaq, Grønlands SeminariumLedelseÅrsberetning for 2008Kunst og arkitekturÅrsberetning for 2008Julie om naturenNuuk KunstmuseumSilamiutGrønlands Nationalmuseum og ArkivStatistisk ÅrbogGrønlands LandsbibliotekStore koncerter på stribeVandhund nummer 1.000.000Kommuneqarfik Sermersooq – MalikForsidenVenskabsbyerLyngby-Taarbæk i GrønlandArctic Business NetworkWinter Cities 2008 i NuukDagligt opdaterede satellitbilleder fra NuukområdetKommuneqarfik Sermersooqs hjemmesideTurist i NuukGrønlands Statistiks databankGrønlands Hjemmestyres valgresultaterrrWorldCat124325457671310-5

                          Image
                          CentrumNuussuaqKolonihavnenQernertunnguitQinngorputQuassussuup TungaaMyggedalenRadiofjeldetKatuaqNuuk CenterGrønlands Nationalmuseum og ArkivHotel Hans EgedeBrættetHerrnhuthusetNuuk KunstmuseumVor Frelser KirkeHans Egede KirkeNuuk TuristkontorSømandshjemmetHans Egedes statueArctic Umiaq LineNuuk LufthavnNuuk HavnNuup BussiiTaxagutNuuk TaxiRoyal Arctic LineRoyal GreenlandIlulissat (Jakobshavn)Qaanaaq (Thule)UpernavikUummannaqAappilattoqIkerasak (Sundet)Ilimanaq (Claushavn)IllorsuitInnaarsuitKangersuatsiaq (Prøven)Kullorsuaq (Djævelens Tommelfinger)MoriusaqNaajaatNiaqornatNutaarmiutNuugaatsiaqNuussuaq (Kraulshavn)Oqaatsut (Rodebay)QaarsutQeqertaqQeqertatSaattutSaqqaqSavissivikSiorapalukTasiusaqTussaaqUkkusissatUpernavik Kujalleq (Søndre Upernavik)Maniitsoq (Sukkertoppen)Sisimiut (Holsteinsborg)AtammikItilleqKangaamiut (Gammel Sukkertoppen)Kangerlussuaq (Søndre Strømfjord)NapasoqSarfannguitNanortalikNarsaqQaqortoq (Julianehåb)AappilattoqAlluitsu...
                          Read more