&status=900 -- does this mean someone is trying to hack?

neerav

Over time, I have found a suspicious argument/value pair in some request uri's on my site. For example, the last one looked like:

Requested URI: /&status=900&status=900&status=900&status=900&status=900&status=900
&status=900&status=900&status=900&status=900&status=900&status=900
&status=900&status=900&status=900&status=900&status=900&status=900
&status=900&status=900&status=900&status=900

I've noticed the repeating argument a number of times, always "&status=900". Sometimes, but rarely, it is added to the end of a valid script name

My question to the php Gods who reside here: is this a known hacking attempt at some vulnerability? I have searched this board, and many search engines for some information, but have found absolutely nothing. So I'm hoping that I can ignore this oddity. But then again, I have heard that 4.4.1 fixes a huge vulnerability in $_GLOBAL. Don't know if this is related.

I use register_globals OFF and I declare all variables in my scripts. My server admin will be going to php 4.4.1 as soon as zend optimizer is compatible with that version. So, I feel that I am safe, but then worry that it's only a false sense of security.

Any comments are appreciated.

justsomeone

It certainly looks suspicious. But it's not one I've heard of before.

I would suggest that you err on the side of the caution and use a firewall sinbin. Update each of your scripts to check for this variable, and if they find it update a firewall rule to block any further requests from that IP for some minutes.

tunage

I had a problem with a pagination script, whereby i was using $_SERVER['REQUEST_URI'] to get the page url, then the next/previous page links added the page number onto the end of this, so if the url was
mysite.com?page=1 the page links would add another page to the end of the url to make it mysite.com?page=1&page=2

So if the user clicked several page links the url soon ended up like mysite.com?page=1&page=2&page=3&page=2 etc. I didnt notice for a while as it worked fine because the last variable in the url was used.

Might be worth checking if you have a simliar issue.

neerav

Thanks for the replies.

justsomeone, you lost me at sinbin. :o

tunage, I don't use the variable "status" anywhere on my whole site. I know what you're talking about, because I've done it before too! 😃

I'll leave this thread unresolved in case someone has some new information in the future.

justsomeone

😃 Sometimes I just use my own jargon, forgetting that not everyone can see inside my head, only the FBI and the angry people from Saturn who want me to kill everyone.

What I meant was that you could include a quick bit of code at the start of every page. This code would test to see if the user had fed in a variable called "status", and if it they did it would add their IP to a firewall rule for a set time so that no-one from that IP could access the site any further until the time expired.

Anytime you try to mess with firewall rules, though, you have to be very, very careful. You could screw it up and lock yourself (and everyone else) out.