Web server logs containing RS=^ ?
A SANS ISC reader sent us the following Apache log snippet earlier today
108.178.x.x - [11/Mar/2014:04:21:14 +0100] "GET /index.shtml/RK=0/RS=o_wLEbyzxJDMeXhdrhZU9KN7uD4- HTTP/1.0" 302 206
196.196.x.x - [11/Mar/2014:07:43:19 +0100] "GET /index.shtml/RS=^ADAY1N1JxWPFnnOEW3FpVC1g.n4rec- HTTP/1.0" 302 206
88.80.x.x - [11/Mar/2014:15:02:01 +0100] "GET /index.shtml/RS=^ADAw5eOsxy0br6iGm1BZPRs2wtnyAE- HTTP/1.1" 302 206
index.shtml exists on the reader's server, but the RS= / RK= stuff is bogus. The RS= looks like it could be a regular expression for a pattern match of sorts, since it is starting with an anchor "^", but that's guessing. We don't really know. Googling for the pattern shows that this sort of thing has been around for a while, but I didn't find any definite explanation about which software or toolkit these requests are attempting to exploit, if any. If you have information on what this is, please share in the comments below, or via our contact form.
Comments
see: http://www.cgisecurity.com/papers/header-based-exploitation.txt
Anonymous
Mar 13th 2014
9 years ago
Anonymous
Mar 13th 2014
9 years ago
'GET //RK=0/RS=rgzp9...'
Searching for the other resources that were accessed by the same IP, around the same time, I saw requests for
GET /wp-login.php?action=register
POST /xmlrpc.php
Not all IPs doing a GET for RK=/RS= were accessing the Wordpress resources but I did noticed that they seemed to share the same browser ID ""Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
Anonymous
Mar 13th 2014
9 years ago
If you google for URI's like that your will find thousands of websites that have URI's formatted like that. Just didn't have the time to dig through them to figure out which content management system they were using.
Google on:
allinurl: RS "RK=0"
Anonymous
Mar 13th 2014
9 years ago