An interesting attack on my web server: “POST /” with seemingly nonsense data
Today a system in Serbia issued a “POST / HTTP/1.1” request to my web server. The data consisted of a seemingly nonsensical sequence of key/value pairs separated by ampersands. The first one was this:
n764b3b=ZWNobyAnMW9rMScuIlxuIjtleGl0Ow
All of the subsequent key/value pairs had the same value. Here are the keys:
n764b3b n828e00 n318a65 nbc8a20 n9e5e25 n22ec2b ndfbe75 n0e7f9c n9e5e25 n95e668 ne91e7a n4a90f1 n39d576 n13e558 nd6e706 n33beb2 nc06699 n78cd5a nb78204 nd335c3 nf03a5d n93bc3c n55d3bf n81977d nf26eee n036581 n108fc5 nb89d65 nfb8c26 n46b398 n01b955 n92001e n1c1ae6 n93bc3c n760097 n23f412 nbc8a20 n59a097 n5388ff n8f249d n9e5e25 n95e668 n93bc3c
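As an added example (not part of the original post), here is a small Python analyser for a captured body of this shape: it parses the pairs, restores the `=` padding that was stripped from the value, base64-decodes it and checks whether the result looks like a PHP statement. The body below is constructed from a subset of the keys listed above; the `PHP_HINTS` word list is my own heuristic, and the decoded text is exactly what standard base64 yields for that value.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qsl

# Constructed request body: a subset of the keys from the post, each
# carrying the single value every pair in the captured request used.
KEYS = ("n764b3b n828e00 n318a65 nbc8a20 n9e5e25 n22ec2b ndfbe75 n0e7f9c "
        "n9e5e25 n95e668 ne91e7a n4a90f1").split()
VALUE = "ZWNobyAnMW9rMScuIlxuIjtleGl0Ow"
BODY = "&".join(f"{k}={VALUE}" for k in KEYS)

KEY_RE = re.compile(r"^n[0-9a-f]{6}$")          # "n" + six hex digits
PHP_HINTS = re.compile(r"\b(echo|eval|exit|die|system|base64_decode)\b")


def decode_b64_lenient(s: str) -> Optional[bytes]:
    """Decode standard base64 whose trailing '=' padding was stripped.

    Returns None if the string is not valid base64 at all.
    """
    s = s.strip()
    s += "=" * (-len(s) % 4)                     # restore missing padding
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def analyse_body(body: str) -> dict:
    """Summarise a form-encoded body: key shape, value reuse, decoded content."""
    pairs = parse_qsl(body, keep_blank_values=True)
    values = {v for _, v in pairs}
    decoded = {v: decode_b64_lenient(v) for v in values}
    php_like = [v for v, d in decoded.items()
                if d is not None and PHP_HINTS.search(d.decode("latin-1"))]
    return {
        "pairs": len(pairs),
        "distinct_values": len(values),
        "hex_style_keys": all(KEY_RE.match(k) for k, _ in pairs),
        "decoded": {v: d.decode("latin-1") for v, d in decoded.items() if d},
        # One value repeated under many random-looking keys that decodes to
        # PHP is the signature worth alerting on, whatever the keys mean.
        "suspicious": bool(php_like) and len(values) == 1,
    }
```

Run on the captured body, the decoded value is `echo '1ok1'."\n";exit;`, a PHP echo-and-exit statement rather than bytecode; that is consistent with a scanner checking whether a host will evaluate base64-encoded POST parameters, which is why logging and alerting on this pattern is worthwhile even where, as here, POST to `/` is refused.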
A Google search suggests that WordPress might have used those keys as nonces. See this WordPress forum thread as an example. Other search results suggest the keys are PHP bytecode operators, which suggests that this attack is trying to execute pre-compiled (i.e., bytecode) PHP. Sadly, a search for the value “ZWNobyAnMW9rMScuIlxuIjtleGl0Ow” didn’t yield any results.
I’m not sufficiently motivated to dig into this any further since I never allow POST requests to the root document of my web server and am thus immune to this attack. Nonetheless, I would love to hear from someone who can shed more light on what this attacker is trying to accomplish.