Attacker
-
Hi I see that in logs
Mar 2 22:34:47 lighttpd[29708]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl.MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl.MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx.I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk.MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm.JyUkJCQxI1cxI1d9YA' (attacker '172.24.128.22', file '/usr/local/captiveportal/index.php')
Mar 2 22:34:47 lighttpd[29708]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl.MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl.MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx.I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk.MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm.JyUkJCQxI1cxI1d9YA' (attacker '172.24.128.22', file '/usr/local/captiveportal/index.php')
Mar 2 22:34:47 lighttpd[29708]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl.MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl.MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx.I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk.MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm.JyUkJCQxI1cxI1d9YA' (attacker '172.24.128.22', file '/usr/local/captiveportal/index.php')
Mar 2 22:34:47 lighttpd[29708]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl.MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl.MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx.I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk.MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm.JyUkJCQxI1cxI1d9YA' (attacker '172.24.128.22', file '/usr/local/captiveportal/index.php')
Mar 2 22:34:48 lighttpd[29708]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl.MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl.MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx.I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk.MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm.JyUkJCQxI1cxI1d9YA' (attacker '172.24.128.22', file '/usr/local/captiveportal/index.php')
Mar 2 22:34:48 lighttpd[29708]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl.MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl.MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx.I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk.MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm.JyUkJCQxI1cxI1d9YA' (attacker '172.24.128.22', file '/usr/local/captiveportal/index.php')This means that someone is attacking the portal?
-
I see the same logs on pfSense 2.0.2 but I have no idea about what they are related to.
-
hum..
looks like your "variable name"```
JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl.MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl.MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx.I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk.MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm.JyUkJCQxI1cxI1d9YAcan be split in lines after the dots "."JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl.
MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl.
MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx.
I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk.
MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm.
JyUkJCQxI1cxI1d9YAexcluding the dots the line is 76 chars long (RFC 1521 states it have to be the length of base64 output stream). delete dots and pad it with "="JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl
MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl
MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx
I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk
MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm
JyUkJCQxI1cxI1d9YA==base64 decode and see what 'file' magic looks like:echo -n "JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiElMSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1clMSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cxI1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQkMSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEmJyUkJCQxI1cxI1d9YA==" | base64 -d | file -
/dev/stdin: Sendmail frozen configurationĀ - version ' 1'U !1#W1#W#&%%"&# $,&",$"$"#So it's not an attacker but maybe some users with the mail client hitting the Captive Portal.