What exploit are these user agents trying to use?What web servers are affected by this user agent exploit?What is SPL exploit?What kind of security injection are these traces of, SQL, javascript, or otherwise?Is it illegal to use Fake User-agents?Server attack attempts, what are they trying to achieve?Can I exploit Windows kernel from user-mode application?HTTP attack taking down PHP-FPMSegmentation fault trying to exploit printf vulnerabilityWhat web servers are affected by this user agent exploit?Which exploit and which payload use?Help on what to do with these suspicious logs

Languages that we cannot (dis)prove to be Context-Free

"You are your self first supporter", a more proper way to say it

How do I create uniquely male characters?

can i play a electric guitar through a bass amp?

Is it tax fraud for an individual to declare non-taxable revenue as taxable income? (US tax laws)

Do I have a twin with permutated remainders?

In Japanese, what’s the difference between “Tonari ni” (となりに) and “Tsugi” (つぎ)? When would you use one over the other?

Minkowski space

How to write a macro that is braces sensitive?

Why are 150k or 200k jobs considered good when there are 300k+ births a month?

Voyeurism but not really

Why doesn't Newton's third law mean a person bounces back to where they started when they hit the ground?

What is the offset in a seaplane's hull?

Replacing matching entries in one column of a file by another column from a different file

How much RAM could one put in a typical 80386 setup?

Smoothness of finite-dimensional functional calculus

Watching something be written to a file live with tail

Is it legal for company to use my work email to pretend I still work there?

Modeling an IPv4 Address

How can bays and straits be determined in a procedurally generated map?

Why, historically, did Gödel think CH was false?

How old can references or sources in a thesis be?

TGV timetables / schedules?

Fencing style for blades that can attack from a distance



What exploit are these user agents trying to use?


What web servers are affected by this user agent exploit?What is SPL exploit?What kind of security injection are these traces of, SQL, javascript, or otherwise?Is it illegal to use Fake User-agents?Server attack attempts, what are they trying to achieve?Can I exploit Windows kernel from user-mode application?HTTP attack taking down PHP-FPMSegmentation fault trying to exploit printf vulnerabilityWhat web servers are affected by this user agent exploit?Which exploit and which payload use?Help on what to do with these suspicious logs






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








48















I just looked at my user agent tracking page on my site (archived on Yandex) and I noticed these user agents. I believe they are an attempt to exploit my server (Nginx with PHP). The 1 in front of it is just how many times the user agent was seen in the Nginx log. These are also shortened user agents and not long ones like Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36. I no longer have access to the logs as I presume this occurred sometime in January or February (my oldest logs are in March and I created the site in January).



1 Mozilla/5.9}print(238947899389478923-34567343546345);improve this question



















  • 2





    Does the user agent start with ()? If yes, its probably the ShellShock exploit

    – Ferrybig
    Apr 3 at 8:46






  • 1





    @Ferrybig The shellshock exploit has a very particular syntax: ():;; is what triggers it.

    – Nzall
    Apr 3 at 11:22






  • 1





    A related question is security.stackexchange.com/questions/184115 .

    – JdeBP
    2 days ago











  • Anecdotally, I appreciate that the numbers used are "pretty big." I used to get false-positive results from a vulnerability scanner that would add two 3-digit numbers in its math-problem tests. It would then "match" the sum in a substring of the Content-Length header.

    – Michael
    2 days ago











  • In Plesk there used to be a vulnerability that allowed to execute php code that was within logs. This doesn't seem like it, but the vector of attack looks similar

    – eithed
    yesterday













shareprint(238947899389478923-34567343546345);improve this question
















I just looked at my user agent tracking page on my site (archived on Yandex) and I noticed these user agents. I believe they are an attempt to exploit my server (Nginx with PHP). The 1 in front of it is just how many times the user agent was seen in the Nginx log. These are also shortened user agents and not long ones like Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36. I no longer have access to the logs as I presume this occurred sometime in January or February (my oldest logs are in March and I created the site in January).



1 Mozilla/5.9print(238947899389478923-34567343546345);{
1 Mozilla/5.9$print(238947899389478923-34567343546345)
1 Mozilla/5.9x22$print(238947899389478923-34567343546345)x22
1 Mozilla/5.9x22];print(238947899389478923-34567343546345);//
1 Mozilla/5.9x22


What exploit was attempted and how can I test to ensure these exploits are not usable?







exploit webserver web nginx






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 2 days ago









forest

39.4k18127139




39.4k18127139










asked Apr 2 at 18:44









SenorContentoSenorContento

358138




358138







  • 2





    Does the user agent start with ()? If yes, its probably the ShellShock exploit

    – Ferrybig
    Apr 3 at 8:46






  • 1





    @Ferrybig The shellshock exploit has a very particular syntax: ():;; is what triggers it.

    – Nzall
    Apr 3 at 11:22






  • 1





    A related question is security.stackexchange.com/questions/184115 .

    – JdeBP
    2 days ago











  • Anecdotally, I appreciate that the numbers used are "pretty big." I used to get false-positive results from a vulnerability scanner that would add two 3-digit numbers in its math-problem tests. It would then "match" the sum in a substring of the Content-Length header.

    – Michael
    2 days ago











  • In Plesk there used to be a vulnerability that allowed to execute php code that was within logs. This doesn't seem like it, but the vector of attack looks similar

    – eithed
    yesterday












  • 2





    Does the user agent start with ()? If yes, its probably the ShellShock exploit

    – Ferrybig
    Apr 3 at 8:46






  • 1





    @Ferrybig The shellshock exploit has a very particular syntax: ():;; is what triggers it.

    – Nzall
    Apr 3 at 11:22






  • 1





    A related question is security.stackexchange.com/questions/184115 .

    – JdeBP
    2 days ago











  • Anecdotally, I appreciate that the numbers used are "pretty big." I used to get false-positive results from a vulnerability scanner that would add two 3-digit numbers in its math-problem tests. It would then "match" the sum in a substring of the Content-Length header.

    – Michael
    2 days ago











  • In Plesk there used to be a vulnerability that allowed to execute php code that was within logs. This doesn't seem like it, but the vector of attack looks similar

    – eithed
    yesterday







2




2





Does the user agent start with ()? If yes, its probably the ShellShock exploit

– Ferrybig
Apr 3 at 8:46





Does the user agent start with ()? If yes, its probably the ShellShock exploit

– Ferrybig
Apr 3 at 8:46




1




1





@Ferrybig The shellshock exploit has a very particular syntax: ():;; is what triggers it.

– Nzall
Apr 3 at 11:22





@Ferrybig The shellshock exploit has a very particular syntax: ():;; is what triggers it.

– Nzall
Apr 3 at 11:22




1




1





A related question is security.stackexchange.com/questions/184115 .

– JdeBP
2 days ago





A related question is security.stackexchange.com/questions/184115 .

– JdeBP
2 days ago













Anecdotally, I appreciate that the numbers used are "pretty big." I used to get false-positive results from a vulnerability scanner that would add two 3-digit numbers in its math-problem tests. It would then "match" the sum in a substring of the Content-Length header.

– Michael
2 days ago





Anecdotally, I appreciate that the numbers used are "pretty big." I used to get false-positive results from a vulnerability scanner that would add two 3-digit numbers in its math-problem tests. It would then "match" the sum in a substring of the Content-Length header.

– Michael
2 days ago













In Plesk there used to be a vulnerability that allowed to execute php code that was within logs. This doesn't seem like it, but the vector of attack looks similar

– eithed
yesterday





In Plesk there used to be a vulnerability that allowed to execute php code that was within logs. This doesn't seem like it, but the vector of attack looks similar

– eithed
yesterday










5 Answers
5






active

oldest

votes


















59














It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself just appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.



In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server, and see how they respond. Note, that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.



My bet is that your server is not vulnerable, because I would have expected to see follow up request to actually exploit your server.






share|improve this answer


















  • 5





    Note that when re-testing a payload in this way, you don't check that you weren't vulnerable at the time it occurred (when maybe some updates were not yet made): just that you are not vulnerable anymore. Your server could still have been compromised - though I don't say it necessary is the case here.

    – Mic
    2 days ago






  • 1





    That there are these particular (apparently unsuccessful) attempts in the log doesn't mean there hasn't been a successful one, which didn't get logged. Notice how some of these potential commands do have $..., others don't, yet others have x22 which is quotation mark " etc. ­— the server may have been immune to some combinations of quoting/evaluating while vulnerable to others.

    – Ruslan
    yesterday



















22














It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.






share|improve this answer






























    21














    The use of actual function names (e.g. print) suggests they're looking for websites that are using eval in some way (note that this could be PHP's eval(string $code), JavaScript's eval(string), and other scripting languages' equivalents).



    I note that the executable code appears immediately after the first version parameter after Mozilla/. This means the authors of this attack believe that enough websites in the wild are actually using eval as a (horrible) way of parsing a two-component (major.minor) version number.



    So I imagine vulnerable websites were doing something like this (pseudo-code):



    var userAgent = request.headers["User-Agent"];

    var indexOfVersion = userAgent.indexof( '/' );
    var indexOfVersionEnd = userAgent.indexof( indexOfVersion , ' ' );

    var versionText = userAgent.substring( indexOfVersion + 1, indexOfVersionEnd );
    var versionNumber = eval( versionText ); // <------- this is the vulnerability!





    share|improve this answer
































      2














      it looks like they are trying to inject PHP code into log files. The idea being that if the sysadmin is using a PHP app to parse the logs, some might view the logfile as trusted (after all, the user does not normally get to directly alter the logfile) and therefore forego any sanitisation processes.



      If you are looking at your log files through a desktop or CLI text editor, you will never be vulnerable to this attack. If you use a PHP app, make sure it treats the logs as untrusted and sanitise it just like you would a normal user input field.






      share|improve this answer






























        1














        This is simple; they're trying PHP command injection. The process is to substitute a header (in this case the user agent field) with a mathematical expression, then to determine whether the code is being executed view the return value. If the code is executed, the return value will be the result of the expression, rather than the original expression. You'll notice the slightly spammy usage of open and close brackets, semicolons and other characters often used to fool interpreted languages into intepreting data as executable code. Nothing to worry about, automated vulnerability scans like this are par for the course nowadays.






        share|improve this answer








        New contributor




        Steve Gazzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.




















          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "162"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206649%2fwhat-exploit-are-these-user-agents-trying-to-use%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          5 Answers
          5






          active

          oldest

          votes








          5 Answers
          5






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          59














          It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself just appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.



          In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server, and see how they respond. Note, that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.



          My bet is that your server is not vulnerable, because I would have expected to see follow up request to actually exploit your server.






          share|improve this answer


















          • 5





            Note that when re-testing a payload in this way, you don't check that you weren't vulnerable at the time it occurred (when maybe some updates were not yet made): just that you are not vulnerable anymore. Your server could still have been compromised - though I don't say it necessary is the case here.

            – Mic
            2 days ago






          • 1





            That there are these particular (apparently unsuccessful) attempts in the log doesn't mean there hasn't been a successful one, which didn't get logged. Notice how some of these potential commands do have $..., others don't, yet others have x22 which is quotation mark " etc. ­— the server may have been immune to some combinations of quoting/evaluating while vulnerable to others.

            – Ruslan
            yesterday
















          59














          It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself just appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.



          In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server, and see how they respond. Note, that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.



          My bet is that your server is not vulnerable, because I would have expected to see follow up request to actually exploit your server.






          share|improve this answer


















          • 5





            Note that when re-testing a payload in this way, you don't check that you weren't vulnerable at the time it occurred (when maybe some updates were not yet made): just that you are not vulnerable anymore. Your server could still have been compromised - though I don't say it necessary is the case here.

            – Mic
            2 days ago






          • 1





            That there are these particular (apparently unsuccessful) attempts in the log doesn't mean there hasn't been a successful one, which didn't get logged. Notice how some of these potential commands do have $..., others don't, yet others have x22 which is quotation mark " etc. ­— the server may have been immune to some combinations of quoting/evaluating while vulnerable to others.

            – Ruslan
            yesterday














          59












          59








          59







          It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself just appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.



          In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server, and see how they respond. Note, that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.



          My bet is that your server is not vulnerable, because I would have expected to see follow up request to actually exploit your server.






          share|improve this answer













          It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself just appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.



          In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server, and see how they respond. Note, that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.



          My bet is that your server is not vulnerable, because I would have expected to see follow up request to actually exploit your server.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Apr 2 at 20:12









          user52472user52472

          2,872816




          2,872816







          • 5





            Note that when re-testing a payload in this way, you don't check that you weren't vulnerable at the time it occurred (when maybe some updates were not yet made): just that you are not vulnerable anymore. Your server could still have been compromised - though I don't say it necessary is the case here.

            – Mic
            2 days ago






          • 1





            That there are these particular (apparently unsuccessful) attempts in the log doesn't mean there hasn't been a successful one, which didn't get logged. Notice how some of these potential commands do have $..., others don't, yet others have x22 which is quotation mark " etc. ­— the server may have been immune to some combinations of quoting/evaluating while vulnerable to others.

            – Ruslan
            yesterday













          • 5





            Note that when re-testing a payload in this way, you don't check that you weren't vulnerable at the time it occurred (when maybe some updates were not yet made): just that you are not vulnerable anymore. Your server could still have been compromised - though I don't say it necessary is the case here.

            – Mic
            2 days ago






          • 1





            That there are these particular (apparently unsuccessful) attempts in the log doesn't mean there hasn't been a successful one, which didn't get logged. Notice how some of these potential commands do have $..., others don't, yet others have x22 which is quotation mark " etc. ­— the server may have been immune to some combinations of quoting/evaluating while vulnerable to others.

            – Ruslan
            yesterday








          5




          5





          Note that when re-testing a payload in this way, you don't check that you weren't vulnerable at the time it occurred (when maybe some updates were not yet made): just that you are not vulnerable anymore. Your server could still have been compromised - though I don't say it necessary is the case here.

          – Mic
          2 days ago





          Note that when re-testing a payload in this way, you don't check that you weren't vulnerable at the time it occurred (when maybe some updates were not yet made): just that you are not vulnerable anymore. Your server could still have been compromised - though I don't say it necessary is the case here.

          – Mic
          2 days ago




          1




          1





          That there are these particular (apparently unsuccessful) attempts in the log doesn't mean there hasn't been a successful one, which didn't get logged. Notice how some of these potential commands do have $..., others don't, yet others have x22 which is quotation mark " etc. ­— the server may have been immune to some combinations of quoting/evaluating while vulnerable to others.

          – Ruslan
          yesterday






          That there are these particular (apparently unsuccessful) attempts in the log doesn't mean there hasn't been a successful one, which didn't get logged. Notice how some of these potential commands do have $..., others don't, yet others have x22 which is quotation mark " etc. ­— the server may have been immune to some combinations of quoting/evaluating while vulnerable to others.

          – Ruslan
          yesterday














          22














          It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.






          share|improve this answer



























            22














            It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.






            share|improve this answer

























              22












              22








              22







              It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.






              share|improve this answer













              It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.







              share|improve this answer












              share|improve this answer



              share|improve this answer










              answered Apr 2 at 19:29









              DarkMatterDarkMatter

              2,3081121




              2,3081121





















                  21














                  The use of actual function names (e.g. print) suggests they're looking for websites that are using eval in some way (note that this could be PHP's eval(string $code), JavaScript's eval(string), and other scripting languages' equivalents).



                  I note that the executable code appears immediately after the first version parameter after Mozilla/. This means the authors of this attack believe that enough websites in the wild are actually using eval as a (horrible) way of parsing a two-component (major.minor) version number.



                  So I imagine vulnerable websites were doing something like this (pseudo-code):



                  var userAgent = request.headers["User-Agent"];

                  var indexOfVersion = userAgent.indexof( '/' );
                  var indexOfVersionEnd = userAgent.indexof( indexOfVersion , ' ' );

                  var versionText = userAgent.substring( indexOfVersion + 1, indexOfVersionEnd );
                  var versionNumber = eval( versionText ); // <------- this is the vulnerability!





                  share|improve this answer





























                    21














                    The use of actual function names (e.g. print) suggests they're looking for websites that are using eval in some way (note that this could be PHP's eval(string $code), JavaScript's eval(string), and other scripting languages' equivalents).



                    I note that the executable code appears immediately after the first version parameter after Mozilla/. This means the authors of this attack believe that enough websites in the wild are actually using eval as a (horrible) way of parsing a two-component (major.minor) version number.



                    So I imagine vulnerable websites were doing something like this (pseudo-code):



                    var userAgent = request.headers["User-Agent"];

                    var indexOfVersion = userAgent.indexof( '/' );
                    var indexOfVersionEnd = userAgent.indexof( indexOfVersion , ' ' );

                    var versionText = userAgent.substring( indexOfVersion + 1, indexOfVersionEnd );
                    var versionNumber = eval( versionText ); // <------- this is the vulnerability!





                    share|improve this answer



























                      21












                      21








                      21







                      The use of actual function names (e.g. print) suggests they're looking for websites that are using eval in some way (note that this could be PHP's eval(string $code), JavaScript's eval(string), and other scripting languages' equivalents).



                      I note that the executable code appears immediately after the first version parameter after Mozilla/. This means the authors of this attack believe that enough websites in the wild are actually using eval as a (horrible) way of parsing a two-component (major.minor) version number.



                      So I imagine vulnerable websites were doing something like this (pseudo-code):



                      var userAgent = request.headers["User-Agent"];

                      var indexOfVersion = userAgent.indexof( '/' );
                      var indexOfVersionEnd = userAgent.indexof( indexOfVersion , ' ' );

                      var versionText = userAgent.substring( indexOfVersion + 1, indexOfVersionEnd );
                      var versionNumber = eval( versionText ); // <------- this is the vulnerability!





                      share|improve this answer















                      The use of actual function names (e.g. print) suggests they're looking for websites that are using eval in some way (note that this could be PHP's eval(string $code), JavaScript's eval(string), and other scripting languages' equivalents).



                      I note that the executable code appears immediately after the first version parameter after Mozilla/. This means the authors of this attack believe that enough websites in the wild are actually using eval as a (horrible) way of parsing a two-component (major.minor) version number.



                      So I imagine vulnerable websites were doing something like this (pseudo-code):



                      var userAgent = request.headers["User-Agent"];

                      var indexOfVersion = userAgent.indexof( '/' );
                      var indexOfVersionEnd = userAgent.indexof( indexOfVersion , ' ' );

                      var versionText = userAgent.substring( indexOfVersion + 1, indexOfVersionEnd );
                      var versionNumber = eval( versionText ); // <------- this is the vulnerability!






                      share|improve this answer














                      share|improve this answer



                      share|improve this answer








                      edited 2 days ago

























                      answered 2 days ago









                      The DThe D

                      1,1261920




                      1,1261920





















                          2














                          it looks like they are trying to inject PHP code into log files. The idea being that if the sysadmin is using a PHP app to parse the logs, some might view the logfile as trusted (after all, the user does not normally get to directly alter the logfile) and therefore forego any sanitisation processes.



                          If you are looking at your log files through a desktop or CLI text editor, you will never be vulnerable to this attack. If you use a PHP app, make sure it treats the logs as untrusted and sanitise it just like you would a normal user input field.






                          share|improve this answer



























                            2














                            it looks like they are trying to inject PHP code into log files. The idea being that if the sysadmin is using a PHP app to parse the logs, some might view the logfile as trusted (after all, the user does not normally get to directly alter the logfile) and therefore forego any sanitisation processes.



                            If you are looking at your log files through a desktop or CLI text editor, you will never be vulnerable to this attack. If you use a PHP app, make sure it treats the logs as untrusted and sanitise it just like you would a normal user input field.






                            share|improve this answer

























                              2












                              2








                              2







                              it looks like they are trying to inject PHP code into log files. The idea being that if the sysadmin is using a PHP app to parse the logs, some might view the logfile as trusted (after all, the user does not normally get to directly alter the logfile) and therefore forego any sanitisation processes.



                              If you are looking at your log files through a desktop or CLI text editor, you will never be vulnerable to this attack. If you use a PHP app, make sure it treats the logs as untrusted and sanitise it just like you would a normal user input field.






                              share|improve this answer













                              it looks like they are trying to inject PHP code into log files. The idea being that if the sysadmin is using a PHP app to parse the logs, some might view the logfile as trusted (after all, the user does not normally get to directly alter the logfile) and therefore forego any sanitisation processes.



                              If you are looking at your log files through a desktop or CLI text editor, you will never be vulnerable to this attack. If you use a PHP app, make sure it treats the logs as untrusted and sanitise it just like you would a normal user input field.







                              share|improve this answer












                              share|improve this answer



                              share|improve this answer










                              answered 2 days ago









                              520520

                              51524




                              51524





















                                  1














                                  This is simple; they're trying PHP command injection. The process is to substitute a header (in this case the user agent field) with a mathematical expression, then to determine whether the code is being executed view the return value. If the code is executed, the return value will be the result of the expression, rather than the original expression. You'll notice the slightly spammy usage of open and close brackets, semicolons and other characters often used to fool interpreted languages into intepreting data as executable code. Nothing to worry about, automated vulnerability scans like this are par for the course nowadays.






                                  share|improve this answer








                                  New contributor




                                  Steve Gazzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                  Check out our Code of Conduct.
























                                    1














                                    This is simple; they're trying PHP command injection. The process is to substitute a header (in this case the user agent field) with a mathematical expression, then to determine whether the code is being executed view the return value. If the code is executed, the return value will be the result of the expression, rather than the original expression. You'll notice the slightly spammy usage of open and close brackets, semicolons and other characters often used to fool interpreted languages into intepreting data as executable code. Nothing to worry about, automated vulnerability scans like this are par for the course nowadays.






                                    share|improve this answer








                                    New contributor




                                    Steve Gazzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                    Check out our Code of Conduct.






















                                      1












                                      1








                                      1







                                      This is simple; they're trying PHP command injection. The process is to substitute a header (in this case the user agent field) with a mathematical expression, then to determine whether the code is being executed view the return value. If the code is executed, the return value will be the result of the expression, rather than the original expression. You'll notice the slightly spammy usage of open and close brackets, semicolons and other characters often used to fool interpreted languages into intepreting data as executable code. Nothing to worry about, automated vulnerability scans like this are par for the course nowadays.






                                      share|improve this answer








                                      New contributor




                                      Steve Gazzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                      Check out our Code of Conduct.










                                      This is simple; they're trying PHP command injection. The process is to substitute a header (in this case the user agent field) with a mathematical expression, then to determine whether the code is being executed view the return value. If the code is executed, the return value will be the result of the expression, rather than the original expression. You'll notice the slightly spammy usage of open and close brackets, semicolons and other characters often used to fool interpreted languages into intepreting data as executable code. Nothing to worry about, automated vulnerability scans like this are par for the course nowadays.







                                      share|improve this answer








                                      New contributor




                                      Steve Gazzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                      Check out our Code of Conduct.









                                      share|improve this answer



                                      share|improve this answer






                                      New contributor




                                      Steve Gazzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                      Check out our Code of Conduct.









                                      answered 2 days ago









                                      Steve GazzoSteve Gazzo

                                      111




                                      111




                                      New contributor




                                      Steve Gazzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                      Check out our Code of Conduct.





                                      New contributor





                                      Steve Gazzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                      Check out our Code of Conduct.






                                      Steve Gazzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                      Check out our Code of Conduct.



























                                          draft saved

                                          draft discarded
















































                                          Thanks for contributing an answer to Information Security Stack Exchange!


                                          • Please be sure to answer the question. Provide details and share your research!

                                          But avoid


                                          • Asking for help, clarification, or responding to other answers.

                                          • Making statements based on opinion; back them up with references or personal experience.

                                          To learn more, see our tips on writing great answers.




                                          draft saved


                                          draft discarded














                                          StackExchange.ready(
                                          function ()
                                          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206649%2fwhat-exploit-are-these-user-agents-trying-to-use%23new-answer', 'question_page');

                                          );

                                          Post as a guest















                                          Required, but never shown





















































                                          Required, but never shown














                                          Required, but never shown












                                          Required, but never shown







                                          Required, but never shown

































                                          Required, but never shown














                                          Required, but never shown












                                          Required, but never shown







                                          Required, but never shown







                                          Popular posts from this blog

                                          រឿង រ៉ូមេអូ និង ហ្ស៊ុយលីយេ សង្ខេបរឿង តួអង្គ បញ្ជីណែនាំ

                                          Crop image to path created in TikZ? Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)Crop an inserted image?TikZ pictures does not appear in posterImage behind and beyond crop marks?Tikz picture as large as possible on A4 PageTransparency vs image compression dilemmaHow to crop background from image automatically?Image does not cropTikzexternal capturing crop marks when externalizing pgfplots?How to include image path that contains a dollar signCrop image with left size given

                                          Romeo and Juliet ContentsCharactersSynopsisSourcesDate and textThemes and motifsCriticism and interpretationLegacyScene by sceneSee alsoNotes and referencesSourcesExternal linksNavigation menu"Consumer Price Index (estimate) 1800–"10.2307/28710160037-3222287101610.1093/res/II.5.31910.2307/45967845967810.2307/2869925286992510.1525/jams.1982.35.3.03a00050"Dada Masilo: South African dancer who breaks the rules"10.1093/res/os-XV.57.1610.2307/28680942868094"Sweet Sorrow: Mann-Korman's Romeo and Juliet Closes Sept. 5 at MN's Ordway"the original10.2307/45957745957710.1017/CCOL0521570476.009"Ram Leela box office collections hit massive Rs 100 crore, pulverises prediction"Archived"Broadway Revival of Romeo and Juliet, Starring Orlando Bloom and Condola Rashad, Will Close Dec. 8"Archived10.1075/jhp.7.1.04hon"Wherefore art thou, Romeo? To make us laugh at Navy Pier"the original10.1093/gmo/9781561592630.article.O006772"Ram-leela Review Roundup: Critics Hail Film as Best Adaptation of Romeo and Juliet"Archived10.2307/31946310047-77293194631"Romeo and Juliet get Twitter treatment""Juliet's Nurse by Lois Leveen""Romeo and Juliet: Orlando Bloom's Broadway Debut Released in Theaters for Valentine's Day"Archived"Romeo and Juliet Has No Balcony"10.1093/gmo/9781561592630.article.O00778110.2307/2867423286742310.1076/enst.82.2.115.959510.1080/00138380601042675"A plague o' both your houses: error in GCSE exam paper forces apology""Juliet of the Five O'Clock Shadow, and Other Wonders"10.2307/33912430027-4321339124310.2307/28487440038-7134284874410.2307/29123140149-661129123144728341M"Weekender Guide: Shakespeare on The Drive""balcony"UK public library membership"romeo"UK public library membership10.1017/CCOL9780521844291"Post-Zionist Critique on Israel and the Palestinians Part III: Popular Culture"10.2307/25379071533-86140377-919X2537907"Capulets and Montagues: UK exam board admit mixing names up in Romeo and Juliet paper"Istoria Novellamente Ritrovata di Due Nobili Amanti2027/mdp.390150822329610820-750X"GCSE exam error: Board accidentally rewrites Shakespeare"10.2307/29176390149-66112917639"Exam board apologises after error in English GCSE paper which confused characters in Shakespeare's Romeo and Juliet""From Mariotto and Ganozza to Romeo and Guilietta: Metamorphoses of a Renaissance Tale"10.2307/37323537323510.2307/2867455286745510.2307/28678912867891"10 Questions for Taylor Swift"10.2307/28680922868092"Haymarket Theatre""The Zeffirelli Way: Revealing Talk by Florentine Director""Michael Smuin: 1938-2007 / Prolific dance director had showy career"The Life and Art of Edwin BoothRomeo and JulietRomeo and JulietRomeo and JulietRomeo and JulietEasy Read Romeo and JulietRomeo and Julieteeecb12003684p(data)4099369-3n8211610759dbe00d-a9e2-41a3-b2c1-977dd692899302814385X313670221313670221