7

I've just started receiving several emails per second and I think it's likely someone is trying to exploit my contact form. I've taken steps to protect my site, I'm just curious what it is they're trying to do.

Some examples:

..À¯
sample%40email.tst and sleep(7.738) 
acunetix_wvs_invalid_filename
\";cat /etc/passwd;\"
../../../../../../../../../../windows/win.ini\0.tst
/../..//../..//../..//../..//../..//etc/passwd\0.tst
\";print(md5(acunetix_wvs_security_test));$a=\"

The only one I can really guess at is cat /etc/passwd, after that they don't make much sense. Does anyone have any info or further suggestions?

AviD
Scott Helme

1 Answer

7

It looks like an automated fuzzing test/attack that is looking for a number of different vulnerabilities.

Based on what you have provided they are trying to access the file system or execute directory traversal attacks, but I suspect as time goes by they will try basically every type of attack there is.

Tools like Burp Suite will provide ways to automate these types of attacks by allowing you to specify which HTTP parameters you want to target as well as providing an attack payload that looks for a number of different vulnerabilities (SQL Injection, XSS, path traversal etc.).

You can probably block the IP for now, but I would make sure that your site is secure because they will probably be back. Also, you are probably receiving emails because they are testing your "contact us" form or something like that. I would check your logs, because they are likely hitting many other pages as well.

Abe Miessler
Thanks for the response. My site is sat behind CloudFlare so I've identified and blocked the offending IP address. This seems to have stopped the attack, for now. – Scott Helme Nov 26 '13 at 20:29
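As an added example (not part of the question or the answer, and not any scanner's or WAF's own ruleset), the following Python script applies signature rules written from the exact payload strings quoted in the question to a constructed batch of contact-form submissions, labels what each string is probing for, and reports per client address whether the pattern looks like an automated scanner rather than a person. The rule set, the `classify`/`triage`/`is_probable_scanner` helpers, the thresholds and the sample data (including the RFC 5737 documentation addresses) are all assumptions made for this illustration; the same `classify` function can be run over decoded query strings pulled from an access log, which is the log check the answer recommends.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Signature rules written for this example from the payload strings quoted in the
# question. Each is (label, compiled regex); a production WAF/IDS ruleset is far larger.
RULES = [
    ("scanner marker (Acunetix)", re.compile(r"acunetix", re.I)),
    # "... and sleep(7.738)": a deliberate delay used to detect blind SQL injection
    ("time-based SQL injection probe",
     re.compile(r"\b(and|or)\s+sleep\s*\(\s*\d+(\.\d+)?\s*\)", re.I)),
    # ';cat /etc/passwd;': shell metacharacter followed by a common command
    ("OS command injection", re.compile(r"[;|`&]\s*(cat|ls|id|whoami)\b", re.I)),
    # 'print(md5(...))': would echo a recognisable hash if the input reached PHP eval()
    ("PHP code injection", re.compile(r"\b(print|echo|eval)\s*\(\s*md5\s*\(", re.I)),
    # '../' sequences, plain or percent-encoded
    ("path traversal", re.compile(r"\.\.(/|\\|%2f|%5c)", re.I)),
    # '..%C0%AF': overlong UTF-8 encoding of '/', which shows up as '..À¯' when the raw
    # bytes are displayed as Latin-1 (that is the first line in the question)
    ("overlong UTF-8 traversal", re.compile(r"\.\.(%c0%af|\xc0\xaf)", re.I)),
    # '\0.tst': null byte meant to truncate the name before a server-appended extension
    ("null-byte extension bypass", re.compile(r"\\0|\x00")),
    ("sensitive file read", re.compile(r"/etc/passwd|win\.ini", re.I)),
]


def classify(value):
    """Return the labels of every rule that fires on one submitted field value.

    Both the raw value and its URL-decoded form are checked, so percent-encoding
    such as '%40' does not hide a payload from the rules.
    """
    candidates = {value, unquote(value)}
    return [label for label, rx in RULES if any(rx.search(c) for c in candidates)]


def triage(submissions):
    """Group flagged submissions by client address.

    submissions: iterable of (client_ip, field, value) tuples. Returns
    {ip: {"total": n, "flagged": m, "categories": sorted list of labels}}.
    """
    report = defaultdict(lambda: {"total": 0, "flagged": 0, "categories": set()})
    for ip, _field, value in submissions:
        entry = report[ip]
        entry["total"] += 1
        hits = classify(value)
        if hits:
            entry["flagged"] += 1
            entry["categories"].update(hits)
    return {ip: {**e, "categories": sorted(e["categories"])} for ip, e in report.items()}


def is_probable_scanner(entry, min_flagged=3, min_categories=2):
    """Heuristic (assumed thresholds): several flagged submissions spanning several
    vulnerability classes from one address is the fingerprint of an automated tool."""
    return entry["flagged"] >= min_flagged and len(entry["categories"]) >= min_categories


# Constructed sample input: the field values are the strings quoted in the question;
# the client addresses are from documentation ranges (RFC 5737), not real hosts.
SAMPLE_SUBMISSIONS = [
    ("203.0.113.7", "email", "..À¯"),
    ("203.0.113.7", "email", "sample%40email.tst and sleep(7.738) "),
    ("203.0.113.7", "name", "acunetix_wvs_invalid_filename"),
    ("203.0.113.7", "name", '\\";cat /etc/passwd;\\"'),
    ("203.0.113.7", "subject", "../../../../../../../../../../windows/win.ini\\0.tst"),
    ("203.0.113.7", "subject", "/../..//../..//../..//../..//../..//etc/passwd\\0.tst"),
    ("203.0.113.7", "message", '\\";print(md5(acunetix_wvs_security_test));$a=\\"'),
    ("198.51.100.20", "message", "Hi, I'd like a quote for 3 units. Thanks!"),
]

if __name__ == "__main__":
    for ip, entry in triage(SAMPLE_SUBMISSIONS).items():
        verdict = "PROBABLE SCANNER" if is_probable_scanner(entry) else "ok"
        print(f"{ip}: {entry['flagged']}/{entry['total']} flagged, "
              f"{len(entry['categories'])} classes -> {verdict}")
        for label in entry["categories"]:
            print("   -", label)
```

Run as-is to see the seven payloads from the question resolve to eight distinct probe classes from one address, while the ordinary enquiry from the second address is left alone. Blocking that address is the right short-term move, as the answer says; the longer-term value of a triage like this is that the category list tells you which input handling on the form (file names, shell commands, SQL, PHP) actually needs to be verified as safe.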