Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Web server logs containing RS=^ ? - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Web server logs containing RS=^ ?

A SANS ISC reader sent us the following Apache log snippet earlier today

108.178.x.x - [11/Mar/2014:04:21:14 +0100] "GET /index.shtml/RK=0/RS=o_wLEbyzxJDMeXhdrhZU9KN7uD4- HTTP/1.0" 302 206
196.196.x.x - [11/Mar/2014:07:43:19 +0100] "GET /index.shtml/RS=^ADAY1N1JxWPFnnOEW3FpVC1g.n4rec- HTTP/1.0" 302 206
88.80.x.x   - [11/Mar/2014:15:02:01 +0100] "GET /index.shtml/RS=^ADAw5eOsxy0br6iGm1BZPRs2wtnyAE- HTTP/1.1" 302 206

index.shtml exists on the reader's server, but the RS= / RK= stuff is bogus. The RS= looks like it could be a regular expression for a pattern match of sorts, since it is starting with an anchor "^", but that's guessing. We don't really know. Googling for the pattern shows that this sort of thing has been around for a while, but I didn't find any definite explanation about which software or toolkit these requests are attempting to exploit, if any. If you have information on what this is, please share in the comments below, or via our contact form.


 

Daniel

367 Posts
ISC Handler
There is SSI injection with the header.
see: http://www.cgisecurity.com/papers/header-based-exploitation.txt
GuardMoony

3 Posts Posts
it emerged in some web server logs, + someone?
R. Oliveira

1 Posts Posts
+1 ; lots of similar entries similar, not for index.shtml but for other resources
'GET //RK=0/RS=rgzp9...'

Searching for the other resources that were accessed by the same IP, around the same time, I saw requests for
GET /wp-login.php?action=register
POST /xmlrpc.php

Not all IPs doing a GET for RK=/RS= were accessing the Wordpress resources but I did noticed that they seemed to share the same browser ID ""Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
cudeso

6 Posts Posts
Isn't that a syntax for requests against wordpress pages? Where RS= is a hash of something? I know i have seen that syntax associated with queries against a content manager but can't remember which one.

If you google for URI's like that your will find thousands of websites that have URI's formatted like that. Just didn't have the time to dig through them to figure out which content management system they were using.

Google on:

allinurl: RS "RK=0"
pktman

14 Posts Posts

Sign Up for Free or Log In to start participating in the conversation!