Fun with Hackers

Posted by Charlie Thu, 31 Jan 2008 22:45:00 GMT

One look at the log files of any computer online will quickly show the Internet is a nasty place.  People are constantly trying to break in - they'll scan your machine to find any holes in your firewall, try to use your email system to send spam to other people, attempt to log in thousands of times a day using randomly generated passwords, etc.

Web applications face their own set of problems. A common one is for hackers to try to embed their own JavaScript onto your page.  How can that happen?  Well, any time you allow users to upload data, by filling out a form for example, instead of entering real data they'll have bots enter carefully crafted data that, when redisplayed on a page, runs their own code.   Thus the first, and most important, security maxim for any web site is to validate absolutely every piece of submitted data.  I wrote about how we do it last year.

Over the last few weeks, we've been probed by a bot that likes to add a URL into various form fields.  If you follow the URL, it returns some text that looks like this:

<?php echo md5("just_a_test");?>

I have to admit I don't get this hack, since it seems implausible that a system would go to a random URL, read in its content, and then execute the content on its site.  Or maybe this just marks sites that have been hacked?

Update - Seems like there are systems stupid enough to go grab some random content on the Internet. Take a look at the 2nd comment on the discussion about this bot from The DailyWTF (very appropriately named in this case).


Comments

  1. Avatar Anders said about 1 hour later:

    This attack relies on the script taking in a local file name in the parameter. That is its own security risk, but in PHP, if that parameter is passed to a fopen() call and contains a URL instead of a local file name, the URL will be downloaded before being opened.

    I can't think of many places where you would want local files and URLs to be treated the same, since you can't write back changes. Having to explicitly say wget_open(url) would be much better.

    This attack has 2 stages:

    1. The first part is to crawl a site, changing random parameters to be a URL to a file containing '<?php echo md5("just_a_test");?>'. If it is a PHP site with a file in the URL, that page will be downloaded and executed, and appear in the page.

    2. Once it is determined that the site is vulnerable, that parameter is changed to the attack script, which takes over the PHP server and starts crawling.
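As an added illustration of the include-a-URL problem Anders describes (and of the post's "validate every piece of submitted data" maxim), here is a PHP page-include pattern open to that probe beside a hardened version and a simple check for the probe itself. This is example code written for this page, not code from the original post or its commenter; the parameter name `page`, the allowlist entries and the template paths are assumptions.

```php
<?php
// Added example, not from the original post. The "page" parameter, the
// allowlist entries and the template paths below are assumptions.

// Vulnerable: the request parameter goes straight into include. When remote
// includes are enabled (allow_url_include, or allow_url_fopen on the PHP
// versions of 2008), a value such as http://host.invalid/x.txt makes PHP fetch
// that URL and execute whatever it returns, e.g. the md5 probe quoted above.
function render_page_unsafe(string $page): void
{
    include $page;
}

// Hardened: map the parameter onto a fixed allowlist of local templates so that
// no user-controlled string ever reaches include. Unknown names are rejected.
const ALLOWED_PAGES = [
    'home'    => 'templates/home.php',
    'about'   => 'templates/about.php',
    'contact' => 'templates/contact.php',
];

function resolve_page(string $page): ?string
{
    return ALLOWED_PAGES[$page] ?? null;
}

function render_page_safe(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Detection: flag any submitted value that starts with a URL scheme, since a
// legitimate page name never looks like one. Useful for logging or blocking
// the probing bot regardless of which parameter it targets.
function looks_like_rfi_probe(string $value): bool
{
    return (bool) preg_match('#^\s*[a-z][a-z0-9+.\-]*://#i', $value);
}

// Usage on a request (constructed example values):
$requested = $_GET['page'] ?? 'home';
if (looks_like_rfi_probe($requested)) {
    error_log('RFI probe attempt: ' . $requested);
}
render_page_safe($requested);
```

Turning off remote includes in php.ini removes the "download and execute" half of the attack, but the allowlist is what actually fixes the bug, since a local path traversal would still work through the unsafe version.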
