Something I've started seeing in my Apache logs occasionally in the last
month and a half are entries like these from a small number of IP
addresses (N approximately 4 addresses).
Sample entries:
82.36.86.181 - - [19/Apr/2006:19:15:26 -0700] "GET /www.hayamasa.demon.co.uk/afaq/whats-new.html
HTTP/1.1" 200 8780 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
82.36.86.181 - - [19/Apr/2006:19:15:26 -0700] "GET /www.hayamasa.demon.co.uk/afaq/whats-new.html
HTTP/1.1" 200 8780 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
82.36.86.181 - - [21/Apr/2006:00:27:28 -0700] "GET /www.hayamasa.demon.co.uk/afaq/whats-new.html
HTTP/1.1" 200 8780 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
82.36.86.181 - - [21/Apr/2006:00:27:28 -0700] "GET /www.hayamasa.demon.co.uk/afaq/whats-new.html
HTTP/1.1" 200 8780 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
82.36.86.181 - - [21/Apr/2006:19:36:02 -0700] "GET /www.hayamasa.demon.co.uk/afaq/whats-new.html\"
onmousedown=\"return clk(this.href,'res','66','') HTTP/1.1" 404 248 "-" "Googlebot/2.1
(+http://www.google.com/bot.html)"
82.36.86.181 - - [21/Apr/2006:19:36:03 -0700] "GET /www.hayamasa.demon.co.uk/afaq/whats-new.html\"
onmousedown=\"return clk(this.href,'res','66','') HTTP/1.1"404 248 "-" "Googlebot/2.1
(+http://www.google.com/bot.html)"
82.36.86.181 - - [03/May/2006:14:45:08 -0700] "GET /katrina.html\" onmousedown=\"return
clk(this.href,'','','res','339','') HTTP/1.1" 404 216 "-" "Mozilla/4.0 (compatible; MSIE 5.5;
Windows NT 5.0; .NET CLR 1.0.3705)"
82.36.86.181 - - [03/May/2006:14:45:08 -0700] "GET /katrina.html\" onmousedown=\"return
clk(this.href,'','','res','339','') HTTP/1.1" 404 216 "-" "Mozilla/4.0 (compatible; MSIE 5.5;
Windows NT 5.0; .NET CLR 1.0.3705)"
It seems a little unlikely that Googlebot *AND* a Mozilla browser would
both come from 82.36.86.181 ;), so my guess is that someone is trying to
set up an XSS attack on a log analyzer package (particularly since the above
log entries represent _ALL_ the logged traffic from that IP address). It
looks like something 'crawled' a few pages and then turned around and
attempted to inject an XSS attack sometime later.
Ideas on what it is supposed to actually do, given that 'clk' is not a
Javascript built-in AFAIK? Does anyone know of a specific log analyzer
that uses a 'clk' function that is attackable by this?
--
Benjamin Franz
If you can't handle reality, it *will* handle you.
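An added example (not from the post or any particular log analyzer) that parses Apache combined-format lines, flags request fields carrying HTML attribute markup like the `\" onmousedown=\"` entries above, notes IPs that present both a Googlebot and a browser User-Agent, and shows the escaping a report generator needs before it embeds a request string in HTML. The sample lines are the post's entries re-joined onto single lines plus one constructed benign line; all function names are my own.

```python
import html
import re
from collections import defaultdict

# Apache combined format; quoted fields may contain \" escapes written by Apache.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:\\"|[^"])*)" ?(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:\\"|[^"])*)" "(?P<ua>(?:\\"|[^"])*)"'
)
# A request target that closes an attribute or carries an on*= handler is markup, not a path.
INJECT_RE = re.compile(r'["<>]|\bon[a-z]+\s*=', re.IGNORECASE)

# Sample log: three entries from the post re-joined onto single lines, plus one constructed benign hit.
SAMPLE_LOG = r'''82.36.86.181 - - [19/Apr/2006:19:15:26 -0700] "GET /www.hayamasa.demon.co.uk/afaq/whats-new.html HTTP/1.1" 200 8780 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
82.36.86.181 - - [21/Apr/2006:19:36:02 -0700] "GET /www.hayamasa.demon.co.uk/afaq/whats-new.html\" onmousedown=\"return clk(this.href,'res','66','') HTTP/1.1" 404 248 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
82.36.86.181 - - [03/May/2006:14:45:08 -0700] "GET /katrina.html\" onmousedown=\"return clk(this.href,'','','res','339','') HTTP/1.1" 404 216 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; .NET CLR 1.0.3705)"
10.0.0.7 - - [03/May/2006:15:00:00 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"'''


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def looks_like_markup_injection(request):
    """True when the request field contains quote/angle characters or an on*= handler."""
    return bool(INJECT_RE.search(request))


def analyze(log_text):
    """Return (injection hits as (ip, status, request), IPs mixing Googlebot and browser UAs)."""
    hits, uas_by_ip = [], defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        uas_by_ip[rec['ip']].add(rec['ua'])
        if looks_like_markup_injection(rec['request']):
            hits.append((rec['ip'], rec['status'], rec['request']))
    # One address claiming to be Googlebot and a browser is the spoofing signal from the post;
    # a reverse-DNS check on the source IP is the stronger confirmation.
    spoofed = sorted(ip for ip, uas in uas_by_ip.items()
                     if any('Googlebot' in ua for ua in uas)
                     and any('Googlebot' not in ua for ua in uas))
    return hits, spoofed


def safe_cell(field):
    """What a log analyzer must do before placing a request string in an HTML report."""
    return html.escape(field, quote=True)
```

Whether a given analyzer is exposed depends on whether it emits request fields through something like `safe_cell` or verbatim; the detection side is the same either way.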