When checking audit logs for a proxy server, I see huge amounts of login POSTs that include information regarding usernames or passwords that look like they’re Base64 encoded. It’s clearly from some kind of malware activity, since traffic shows any successful logins result in forum spam, but that’s not the focus of the question.
Take a look at these real examples (minus usernames, to protect the innocent):
2012-07-07 15:04:49,741 POST Data (bitstudyclub.org):
username=ANONYMIZED&password=kc1ahpXXE&remember=yes&submit=Login&action=do_login&url=
2012-07-07 15:06:52,081 POST Data (www.vampirediaries.org):
username=ANONYMIZED&password=KDbcZ75fg&remember=yes&submit=Login&action=do_login&url=
2012-07-07 15:08:37,983 POST Data (www.missionmountain.com):
XID=52ee69654fddd13d2a0323c95eaca5c7b736bdd8&ACT=9&FROM=forum&mbase=http:%2F%2Fwww.missionmountain.com%2Findex.php%2Fforums%2Fmember2%2F&board_id=1&RET=http:%2F%2Fwww.missionmountain.com%2Findex.php%2Fforums%2F&site_id=1&username=ANONYMIZED&auto_login=1&password= yn2b4ne9VC &submit=Login
2012-07-07 15:19:47,476 POST Data (www.diecutdesigner.com):
username=ANONYMIZED&password=8zcs13hzYH&remember=yes&submit=Login&action=do_login&url=
2012-07-07 15:20:36,729 POST Data (classjuice.com):
username=ANONYMIZED&password=8zcs13hzYH&remember=yes&submit=Login&action=do_login&url=
2012-07-07 15:20:43,866 POST Data (wodrpg.com):
username=ANONYMIZED&password=8zcs13hzYH&remember=yes&submit=Login&action=do_login&url=
After seeing this kind of thing over and over again, my question becomes: how do I figure out the encoding of the Base64-looking “password” strings? If these strings were actual (MD5/SHA1-looking) hashes, it seems like one could try to recover the plaintext by checking rainbow tables, but I don’t see any way to get from the point of “I have a random non-hex string” to “Here’s how I know (x) is the hash from which that random string was derived.”
How does one identify “password” strings from POST entries (like the above) as a given encoding, and then convert them back to actual password hashes?
They probably are not hashes. They are random strings.
If they were Base64 encoded, they would have a different length (it would be divisible by 4).
So probably these are attempts to log into accounts the spammers created earlier (or believe they created earlier)?
HTTP forms usually submit passwords in plaintext, which is why you should use https.
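As an added illustration of the length check in this answer (not code from the original post or its author), the following Python triages the password values from the logged POST bodies into three buckets: hex-digest-shaped, valid padded Base64, or opaque. The sample bodies are reconstructed from the question; the bucket names and the digest-length table are assumptions of this example.

```python
import base64
import binascii
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed from the proxy-log excerpt in the question: (destination host, POST body).
SAMPLE_POSTS = [
    ("bitstudyclub.org", "username=ANONYMIZED&password=kc1ahpXXE&remember=yes&submit=Login&action=do_login&url="),
    ("www.vampirediaries.org", "username=ANONYMIZED&password=KDbcZ75fg&remember=yes&submit=Login&action=do_login&url="),
    ("www.missionmountain.com", "XID=52ee69654fddd13d2a0323c95eaca5c7b736bdd8&ACT=9&FROM=forum&board_id=1&site_id=1"
                                "&username=ANONYMIZED&auto_login=1&password= yn2b4ne9VC &submit=Login"),
    ("www.diecutdesigner.com", "username=ANONYMIZED&password=8zcs13hzYH&remember=yes&submit=Login&action=do_login&url="),
    ("classjuice.com", "username=ANONYMIZED&password=8zcs13hzYH&remember=yes&submit=Login&action=do_login&url="),
    ("wodrpg.com", "username=ANONYMIZED&password=8zcs13hzYH&remember=yes&submit=Login&action=do_login&url="),
]

# Hex-digest lengths for common hashes (assumed table for this example).
HEX_DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify(value):
    """Return 'hex-digest', 'base64' or 'opaque' for one credential-field value."""
    v = value.strip()
    if len(v) in HEX_DIGEST_LENGTHS and re.fullmatch(r"[0-9a-fA-F]+", v):
        return "hex-digest"
    # Standard Base64 is padded to a multiple of 4 and uses a fixed alphabet;
    # a length of 4n+1 (like the 9-character values above) is impossible even unpadded.
    if len(v) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", v):
        try:
            base64.b64decode(v, validate=True)
            return "base64"
        except binascii.Error:
            pass
    return "opaque"


def password_field(body):
    """Pull the 'password' parameter out of a URL-encoded POST body (stray spaces trimmed)."""
    return parse_qs(body).get("password", [""])[0].strip()


def triage(posts):
    """Classify each password value and count how many hosts it was sent to."""
    labels = {}
    hosts_per_value = Counter()
    for host, body in posts:
        pw = password_field(body)
        labels[pw] = classify(pw)
        hosts_per_value[pw] += 1
    return labels, hosts_per_value
```

Every sampled value comes back as opaque, and the per-value counter shows the same value replayed against three different hosts, which fits the answer's reading of these as plaintext credentials for previously registered accounts rather than hashes.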