Neo
September 25, 2019, 12:37am
1
Well, I thought I would share this code, which I normally do not share.
The logs show this site is currently experiencing some "new hack" maybe attempting a buffer overflow or something similar.
So, not really having any patience for this kind of criminal or childish behavior (have a touch of the flu), I quickly wrote this PHP code today:
<?php
// One log file for every field (the original mixed two different paths);
// the directory must exist and be writable by the web server user.
const HACKTRAP_LOG = '/var/log/apache2/hacktrap/hacktrap_redirect.log';

echo stuff();

// Record the whole request so a long attack parameter is not truncated
// the way it was in the regular access log.
trapLog('_SERVER', $_SERVER);
trapLog('_COOKIE', $_COOKIE);
trapLog('_GET', $_GET);
trapLog('_POST', $_POST);
trapLog('_SESSION', $_SESSION ?? null); // null unless session_start() was called earlier
error_log("----------------------------------------------------" . "\n\n", 3, HACKTRAP_LOG);

header("Refresh:5; url=https://www.fbi.gov/investigate/cyber", true, 303);
die;

function trapLog($name, $value)
{
    // json_encode() returns false on invalid UTF-8, which would leave the
    // field empty in the log; substitute bad bytes and keep partial output.
    $json = json_encode($value, JSON_INVALID_UTF8_SUBSTITUTE | JSON_PARTIAL_OUTPUT_ON_ERROR);
    error_log($name . ': ' . $json . "\n\n", 3, HACKTRAP_LOG);
}

function stuff()
{
    $html = '<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>FBI Redirect</title>
</head>
<body>
<div style="text-align:center;margin:20px;">
<div style="font-weight:bold;">
Your attempt at criminal activity has been logged.
</div>
<br>
<br>
<div style="font-weight:bold;">
You are being directed to the US FBI where your IP address and details will also be logged.
</div>
</div>
</body>
</html>';
    return $html;
}
3 Likes
gull04
September 25, 2019, 2:50am
2
Nice one Neo,
Just seems to be missing the bit about taking a Cheese Grater to their knuckles;D
Regards
Gull04
1 Like
Neo
September 25, 2019, 3:04am
3
The log file truncated the malicious code (which was an HTTP GET parameter), so hopefully this little code will log the entire exploit.
I'll post back if the "socially dysfunctional entity" shows up again.
Neo
September 25, 2019, 10:43pm
4
Logfile entry:
_SERVER:
_COOKIE: []
_GET: {"template":"tag_(){};@unlink(_FILE_);assert($_POST[T00ls]);{\/\/..\/rss"}
_POST: []
_SESSION: null
Neo
September 25, 2019, 10:53pm
5
OK.. the above logging provides the clue of what the hacker / scanning tool is attempting:
GitHub - ab1gale/phpcms-2008-CVE-2018-19127
Recently we found a vulnerability in /type.php of phpcms 2008 source code. When attackers send crafted requests like "/type.php?template=tag_(){};@unlink (FILE);assert($_POST[1]);{//../rss", evil content (in this case "@unlink (FILE);assert($_POST[1]);") will be written into cache file (in this case "/cache_template/rss.tpl.php") on phpcms 2008 website.
This does not affect our site since we do not run phpcms; but it is still interesting to see the non-stop hacking attempts; so in this case it's not "a big deal".. just par for the course on the web.
It's never ending.... keeping a busy web site up and running smoothly.
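Reading the trap log back is the other half of the job. The script below is an added example (it is not Neo's code and not from the phpcms project): it parses the layout the PHP trap above writes (one `_SERVER:`/`_COOKIE:`/`_GET:`/`_POST:`/`_SESSION:` field per line, a dashed separator per request), treats an empty `_SERVER:` value as a failed json_encode() rather than an empty array, and flags request values that carry PHP code the way the phpcms 2008 template probe in post 4 does. The sample log, the 192.0.2.10 address and the marker list are constructed for the example.

```python
"""Triage helper for the hacktrap log layout used in the first post."""
from __future__ import annotations

import json
import re
from typing import Any

# Constructed sample in the layout the trap script writes: one field per line,
# a blank line between fields, a dashed separator between requests.  Entry 1
# mirrors the phpcms probe posted above (including the empty _SERVER value
# that PHP's json_encode() leaves when it returns false); entry 2 is an
# ordinary page view.  Addresses and values are made up for this example.
SAMPLE_LOG = (
    "_SERVER: \n\n"
    "_COOKIE: []\n\n"
    '_GET: {"template":"tag_(){};@unlink(_FILE_);assert($_POST[T00ls]);{\\/\\/..\\/rss"}\n\n'
    "_POST: []\n\n"
    "_SESSION: null\n\n"
    "----------------------------------------------------\n\n"
    '_SERVER: {"REMOTE_ADDR":"192.0.2.10","REQUEST_URI":"\\/index.php?page=about"}\n\n'
    "_COOKIE: []\n\n"
    '_GET: {"page":"about"}\n\n'
    "_POST: []\n\n"
    "_SESSION: null\n\n"
    "----------------------------------------------------\n\n"
)

FIELD_RE = re.compile(r"^(_[A-Z]+): ?(.*)$")
SEPARATOR_RE = re.compile(r"^-{10,}\s*$")

# Things that have no business in a template name or page parameter: PHP
# function calls, superglobal lookups, an inline function body, and directory
# traversal.  The phpcms 2008 payload trips all four.
INJECTION_MARKERS = (
    ("php_function_call", re.compile(r"\b(assert|eval|unlink|system|passthru)\s*\(", re.I)),
    ("superglobal_reference", re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\s*\[")),
    ("function_definition", re.compile(r"\(\)\s*\{")),
    ("path_traversal", re.compile(r"\.\./")),
)


def parse_trap_log(text: str) -> list[dict[str, Any]]:
    """Split the log into one dict per request, JSON-decoding each field."""
    entries: list[dict[str, Any]] = []
    current: dict[str, Any] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        if SEPARATOR_RE.match(line):
            if current:
                entries.append(current)
            current = {}
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw == "":
            # json_encode() returned false (e.g. invalid UTF-8 in the request),
            # so the field was never captured; record that rather than "".
            current[name] = None
            continue
        try:
            current[name] = json.loads(raw)
        except json.JSONDecodeError:
            current[name] = raw  # keep the raw text; never drop evidence
    if current:
        entries.append(current)
    return entries


def find_injections(entry: dict[str, Any]) -> list[dict[str, Any]]:
    """Return the request parameters in one entry that carry injection markers."""
    findings = []
    for source in ("_GET", "_POST", "_COOKIE"):
        data = entry.get(source)
        if not isinstance(data, dict):  # PHP encodes an empty array as [] (a list)
            continue
        for param, value in data.items():
            if not isinstance(value, str):
                continue
            hits = [name for name, rx in INJECTION_MARKERS if rx.search(value)]
            if hits:
                findings.append({"source": source, "param": param, "markers": hits})
    return findings


def triage(text: str) -> list[dict[str, Any]]:
    """One report row per logged request: source address (if captured) and findings."""
    report = []
    for index, entry in enumerate(parse_trap_log(text), start=1):
        server = entry.get("_SERVER")
        addr = server.get("REMOTE_ADDR") if isinstance(server, dict) else None
        report.append({"entry": index, "remote_addr": addr, "findings": find_injections(entry)})
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it against the real file with `triage(open(path).read())`; an entry whose `remote_addr` is None is one where json_encode() failed on `$_SERVER`, which is exactly the gap the PHP side should close with the JSON substitute flags.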
It's an interesting example of how discredited programming methods get renamed to make them acceptable again.
Self-modifying code? Obviously bad and never allowed, at all, ever.
Self-installable plugins? Too useful to get rid of.
Goto? The despised root of all programming evil. Never do this!
Try/catch? Too useful to get rid of.
But renaming them, instead of teaching them as what they are, downplays their risks.
2 Likes
Hi Corona688...
Eek, and I found a fun way of doing it under dash recently and MadeInGermany bettered it shaving off 20% of the whole file's running time.
It seems odd to me that there is goto in ANSI C, and, Assembl[y][er] code uses JMPs and BRAs in absolute, relative with and without offsets etc... and yet it is frowned upon.
/Me shrugs...
wisecracker:
It seems odd to me that there is goto
in ANSI C, and, Assembl[y][er] code uses JMPs and BRAs
in absolute, relative with and without offsets etc... and yet it is frowned upon.
It's the legacy of an old war. Many generations of programmers learned BASIC or worse and never recovered. Ask them to use C, and they'd write one giant main(), 50,000 lines long, without structure -- just labels, gotos, and as many local variables as the compiler permits. They might use loops, or those might be written with goto's too.
If you don't program that way, ignore them, they're not talking to you.