tag:blogger.com,1999:blog-2672754150485551359.post6336527887627733229..comments2009-04-16T18:06:18.102-04:00Security Shoggothhttp://www.blogger.com/profile/15411793726236555303securityshoggoth@gmail.comBlogger6125tag:blogger.com,1999:blog-2672754150485551359.post-53409979100643469162009-04-16T18:06:00.000-04:002009-04-16T18:06:00.000-04:00It is just hex represenation of ascii characters...<br /><br />See http://home2.paulschou.net/tools/xlate/ for several conversion options...Scott Whitehttp://www.blogger.com/profile/04004932007384176459noreply@blogger.comtag:blogger.com,1999:blog-2672754150485551359.post-57229767887519435832009-04-16T17:34:00.000-04:002009-04-16T17:34:00.000-04:00I found your post while attempting to decipher my own attacks and was wondering if you could help me by pointing me towards a converter that can help me decipher the input, for example: 0x27,0x7c,0x5f,0x7c ?<br /><br />Any help would be appreciated.<br /><br />thanks,<br />jsonJsonhttp://www.blogger.com/profile/03121259542568255522noreply@blogger.comtag:blogger.com,1999:blog-2672754150485551359.post-36652645018927120032009-03-16T10:27:00.000-04:002009-03-16T10:27:00.000-04:00Scott,<BR/><BR/> I'm also convinced its from a botnet, if nothing else from the sheer number of hits I got. I didn't post it but we got hit with another. I attempted to block the hosts via IPTables, but as soon as I'd block 10, 10 more would hit us. Definitely a botnet.<BR/><BR/> It was definitely not successful on our site, but as you can see from various Google searches it did work on others.Security Shoggothhttp://www.blogger.com/profile/15411793726236555303noreply@blogger.comtag:blogger.com,1999:blog-2672754150485551359.post-66414943412554246402009-03-13T13:37:00.000-04:002009-03-13T13:37:00.000-04:00Lately there has been some discussion at SecureState around these attacks...one approach was using game theory, and less technical analysis...with that being said, I&#39;m fairly confident that we can point this to bot nets, and here is why:<BR/><BR/>Assume &quot;::xeQ-1-ted::&quot; to be a variation of a handle or screen name...<BR/><BR/>With that, do some google searches: <BR/><BR/>http://www.google.com/search?hl=en&amp;safe=off&amp;q=%22xeQted%22&amp;btnG=Search<BR/><BR/>and <BR/><BR/>http://www.google.com/search?hl=en&amp;safe=off&amp;rlz=1G1GGLQ_ENUS318&amp;q=%22xeQter%22+-xecuter&amp;btnG=Search<BR/><BR/>and reveal lots of info like:<BR/><BR/>http://74.125.95.132/search?q=cache:xWUW4Dg3e6oJ:putih.web.id/forum/viewtopic.php%3Fid%3D483+%22xeQted%22&amp;cd=3&amp;hl=en&amp;ct=clnk&amp;gl=us<BR/><BR/>http://74.125.95.132/search?q=cache:k3m_IWEtEEAJ:spl0itz.net/board/viewtopic.php%3Ff%3D20%26t%3D341+%22xeQted%22&amp;cd=4&amp;hl=en&amp;ct=clnk&amp;gl=us<BR/><BR/>http://osdir.com/ml/org.user-groups.linux.twincling/2007-11/msg00051.html<BR/><BR/>http://www.mail-archive.com/botnets@whitestar.linuxbox.org/msg00800.html<BR/><BR/>etc.<BR/><BR/>As far as the attacks being successful or not is a different story, but I think the source may be a little more understood.<BR/><BR/>Thoughts?Scott Whitehttp://www.blogger.com/profile/04004932007384176459noreply@blogger.comtag:blogger.com,1999:blog-2672754150485551359.post-74987215402821160252009-03-10T22:04:00.000-04:002009-03-10T22:04:00.000-04:00Wow...great point! In the Google searches I found that is exactly what it looks like.Security Shoggothhttp://www.blogger.com/profile/15411793726236555303noreply@blogger.comtag:blogger.com,1999:blog-2672754150485551359.post-43766573045914609092009-03-10T13:23:00.000-04:002009-03-10T13:23:00.000-04:00With that sql, an atacker can easily identify which query has been successfully executed (after executing many incrementing the number of parameters), by simply look at the result page and searching for those strange names. They are indeed strange because they need to be easily noticed on that result page.Jorge Oliveirahttp://www.blogger.com/profile/13649508673276179519noreply@blogger.com