You are being directed to the US FBI where your IP address and details will also be logged.

Well, I thought I would share this code, which I normally do not share.

The logs show this site is currently experiencing some "new hack" maybe attempting a buffer overflow or something similar.

So, not really having any patience for this kind of criminal or childish behavior (have a touch of the flu), I quickly wrote this PHP code today:

<?php
// One log file for every dump (the original mixed two different paths).
$logfile = '/var/log/apache2/hacktrap/hacktrap_redirect.log';

// json_encode() returns false when a value is not valid UTF-8 (common in scanner
// payloads), which would log an empty value; substitute the bad bytes instead of
// losing the whole record.
$flags = JSON_INVALID_UTF8_SUBSTITUTE | JSON_PARTIAL_OUTPUT_ON_ERROR;
error_log("_SERVER: " . json_encode($_SERVER, $flags) . "\n\n", 3, $logfile);
error_log("_COOKIE: " . json_encode($_COOKIE, $flags) . "\n\n", 3, $logfile);
error_log("_GET: " . json_encode($_GET, $flags) . "\n\n", 3, $logfile);
error_log("_POST: " . json_encode($_POST, $flags) . "\n\n", 3, $logfile);
// $_SESSION only exists after session_start(); log null rather than raising a notice.
error_log("_SESSION: " . json_encode($_SESSION ?? null, $flags) . "\n\n", 3, $logfile);
error_log("----------------------------------------------------" . "\n\n", 3, $logfile);

// Headers must go out before any output: set the refresh first, then print the page.
header("Refresh: 5; url=https://www.fbi.gov/investigate/cyber", true, 303);
echo stuff();
die;

function stuff()
{
    $html = '<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>FBI Redirect</title>
</head>
<body>
<div style="text-align:center;margin:20px;">
<div style="font-weight:bold;">
Your attempt at criminal activity has been logged.
</div>
<br>
<br>
<div style="font-weight:bold;">
You are being directed to the US FBI where your IP address and details will also be logged.
</div>
</div>

</body>
</html>';
    return $html;
}
3 Likes

Nice one Neo,

Just seems to be missing the bit about taking a Cheese Grater to their knuckles;D

Regards

Gull04

1 Like

The log file truncated the malicious code (which was an HTTP GET parameter), so hopefully this little code will log the entire exploit.

I'll post back if the "socially dysfunctional entity" shows up again.

Logfile entry:

_SERVER: 

_COOKIE: []

_GET: {"template":"tag_(){};@unlink(_FILE_);assert($_POST[T00ls]);{\/\/..\/rss"}

_POST: []

_SESSION: null

OK... the above logging provides a clue as to what the hacker / scanning tool is attempting:

GitHub - ab1gale/phpcms-2008-CVE-2018-19127

This does not affect our site since we do not run phpcms; but it is still interesting to see the non-stop hacking attempts; so in this case it's not "a big deal".. just par for the course on the web.

It's never ending.... keeping a busy web site up and running smoothly.
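Added here as an illustration, not code from the thread: a small Python scanner over the trap's log format (constructed sample records, the first carrying the GET parameter quoted above, the second a benign request) that flags the PHP code-injection and path-traversal indicators a defender would want to alert on. The indicator patterns and the parsing of the `<superglobal>: <json>` lines are my own assumptions about the format.

```python
import json
import re
# Constructed sample in the trap's log format: "<superglobal>: <json>" lines, one
# record per request, records separated by a dashed line.
SAMPLE_LOG = r"""_SERVER:
_COOKIE: []
_GET: {"template":"tag_(){};@unlink(_FILE_);assert($_POST[T00ls]);{\/\/..\/rss"}
----------------------------------------------------
_SERVER:
_COOKIE: []
_GET: {"template":"rss","page":"2"}
----------------------------------------------------
"""
# Indicators of PHP code injection or path traversal inside a parameter value.
INDICATORS = {
    "php_eval_like": re.compile(r"\b(assert|eval|system|passthru|shell_exec)\s*\("),
    "file_tamper":   re.compile(r"\b(unlink|file_put_contents|fwrite)\s*\("),
    "superglobal":   re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\s*\["),
    "traversal":     re.compile(r"\.\./"),
    "php_braces":    re.compile(r"\(\)\s*\{\s*\};"),   # closes a hijacked function body
}

def parse_trap_log(text):
    """Return one dict per record, mapping superglobal name to its decoded JSON."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("----"):
            if current:
                records.append(current)
            current = {}
            continue
        name, sep, raw = line.partition(":")
        if not sep or not name.startswith("_"):
            continue
        # An empty value ("_SERVER: ") means json_encode() failed on the server side.
        current[name] = json.loads(raw) if raw.strip() else None
    if current:
        records.append(current)
    return records

def flag_record(record):
    """Indicator names matched by any GET, POST or COOKIE value in the record."""
    values = [v for k in ("_GET", "_POST", "_COOKIE")
              if isinstance(record.get(k), dict) for v in record[k].values()]
    return {n for n, p in INDICATORS.items() if any(p.search(str(v)) for v in values)}

def scan(text):
    """(record index, sorted indicator names) for every record that matched."""
    return [(i, h) for i, r in enumerate(parse_trap_log(text)) if (h := sorted(flag_record(r)))]
```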

It's an interesting example of how discredited programming methods get renamed to make them acceptable again.

  • Self-modifying code? Obviously bad and never allowed, at all, ever.
  • Self-installable plugins? Too useful to get rid of.
  • Goto? The despised root of all programming evil. Never do this!
  • Try/catch? Too useful to get rid of.

But renaming them, instead of teaching them as what they are, downplays their risks.

2 Likes

Hi Corona688...

Eek, and I found a fun way of doing it under dash recently and MadeInGermany bettered it shaving off 20% of the whole file's running time.
It seems odd to me that there is goto in ANSI C, and, Assembl[y][er] code uses JMPs and BRAs in absolute, relative with and without offsets etc... and yet it is frowned upon.

/Me shrugs...

It's the legacy of an old war. Many generations of programmers learned BASIC or worse and never recovered. Ask them to use C, and they'd write one giant main(), 50,000 lines long, without structure -- just labels, gotos, and as many local variables as the compiler permits. They might use loops, or those might be written with gotos too.

If you don't program that way, ignore them, they're not talking to you.