Attacker



  • Hi, I see this in the logs:

    Mar 2 22:34:47 lighttpd[29708]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl.MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl.MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx.I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk.MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm.JyUkJCQxI1cxI1d9YA' (attacker '172.24.128.22', file '/usr/local/captiveportal/index.php')
    Mar 2 22:34:47 lighttpd[29708]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl.MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl.MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx.I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk.MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm.JyUkJCQxI1cxI1d9YA' (attacker '172.24.128.22', file '/usr/local/captiveportal/index.php')
    Mar 2 22:34:47 lighttpd[29708]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl.MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl.MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx.I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk.MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm.JyUkJCQxI1cxI1d9YA' (attacker '172.24.128.22', file '/usr/local/captiveportal/index.php')
    Mar 2 22:34:47 lighttpd[29708]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl.MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl.MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx.I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk.MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm.JyUkJCQxI1cxI1d9YA' (attacker '172.24.128.22', file '/usr/local/captiveportal/index.php')
    Mar 2 22:34:48 lighttpd[29708]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl.MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl.MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx.I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk.MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm.JyUkJCQxI1cxI1d9YA' (attacker '172.24.128.22', file '/usr/local/captiveportal/index.php')
    Mar 2 22:34:48 lighttpd[29708]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl.MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl.MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx.I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk.MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm.JyUkJCQxI1cxI1d9YA' (attacker '172.24.128.22', file '/usr/local/captiveportal/index.php')

    This means that someone is attacking the portal?



  • I see the same logs on pfSense 2.0.2 but I have no idea about what they are related to.



  • hum..

    looks like your "variable name"
    JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl.MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl.MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx.I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk.MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm.JyUkJCQxI1cxI1d9YA

    
    can be split in lines after the dots "."
    
    

    JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl.
    MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl.
    MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx.
    I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk.
    MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm.
    JyUkJCQxI1cxI1d9YA

    
    excluding the dots the line is 76 chars long (RFC 1521 states it has to be the length of the base64 output stream).
    delete dots and pad it with "="
    
    

    JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl
    MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl
    MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx
    I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk
    MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm
    JyUkJCQxI1cxI1d9YA==

    
    base64 decode and see what 'file' magic looks like:
    

    echo -n "JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiElMSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1clMSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cxI1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQkMSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEmJyUkJCQxI1cxI1d9YA==" | base64 -d | file -
    /dev/stdin: Sendmail frozen configuration  - version ' 1'U !1#W1#W#&%%"&# $,&",$"$"#

    
    So it's not an attacker but maybe some users with the mail client hitting the Captive Portal.
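
The steps from the reply above (strip the dots, restore the `=` padding, base64-decode), applied to whole log lines and grouped per source. This is an added example, not part of the original thread. The regex only covers the ALERT line layout quoted here; the function names, the payload, the PID and the address 192.0.2.10 are constructed for illustration.

```python
import base64
import re
from collections import Counter

# Field layout of the ALERT lines quoted in the thread.
ALERT_RE = re.compile(
    r"dropped variable '(?P<name>[^']*)' "
    r"\(attacker '(?P<ip>[^']*)', file '(?P<file>[^']*)'\)"
)

def decode_name(name):
    """Drop the dots, restore '=' padding, base64-decode. None if not base64."""
    compact = name.replace(".", "")
    compact += "=" * (-len(compact) % 4)
    try:
        return base64.b64decode(compact, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def triage(lines):
    """Collapse repeated alerts into one row per (source, file, variable name)."""
    counts = Counter()
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            counts[(m["ip"], m["file"], m["name"])] += 1
    rows = []
    for (ip, path, name), hits in counts.items():
        raw = decode_name(name)
        printable = sum(0x20 <= b < 0x7F for b in raw) / len(raw) if raw else None
        rows.append({"ip": ip, "file": path, "hits": hits, "name_len": len(name),
                     "decoded_len": len(raw) if raw is not None else None,
                     "printable": printable})
    return rows

# Constructed sample: a known payload, base64-encoded without padding and
# dotted every 76 characters like the variable name in the thread.
SAMPLE_PAYLOAD = b"constructed-sample-" * 8
_b64 = base64.b64encode(SAMPLE_PAYLOAD).decode().rstrip("=")
SAMPLE_NAME = ".".join(_b64[i:i + 76] for i in range(0, len(_b64), 76))
SAMPLE_LOG = [
    "Mar 2 22:34:47 lighttpd[1]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - "
    "configured request variable name length limit exceeded - dropped variable "
    f"'{SAMPLE_NAME}' (attacker '192.0.2.10', file '/usr/local/captiveportal/index.php')"
] * 3

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

The hit count per source, the decoded length and the printable ratio give context that a single `file` label does not, since `file` reports whatever magic-byte pattern the blob happens to match.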
