Date   : Tue, 20 Oct 2009 18:37:19 +0200
From   : rick@... (Rick Murray)
Subject: Web site trickery (ot)

Andy Ford wrote:

> I can't see the site you were referring to,

Pay attention to his identifier, work from there.


> but I agree it's always best to hide the directory listing where possible.

Stops bored twits like me! :-)


> extremely basic but effective enough to keep most people out. :)

Here is a slightly more evil one in keeping with the rest of the site...




The lack of title is intentional; the original is very minimal (so much, 
in fact, that it doesn't even bother with <html><body>, but I draw the 
line at writing HTML that broken...).

Also implies a redirect is in force, but the index isn't available.


Of course, you could be a **** and alter this to be:




And leave it to anybody so inclined to try to hack something that 
doesn't exist! Could even drop in fake error messages from FrontPage 
extensions!


Wonder why I suggest that? My 404 handler logs who, what, where, when. 
Explain:

   /binaries/EA92AA7A0FC22BB7EF7A06E51FDE15A6_00000.temp000b.htm
   [Weird filename!? Lame buffer overflow exploit?]

   /sitemap.xml

   /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=8164&STRMVER=4&CAPREQ=0
   /MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=8164&STRMVER=4&CAPREQ=0
   [I installed FrontPage98 demo on my old computer. It added lots
    of vti_bin garbage to my website. I uninstalled it...]

   /admin/login.php?user=admin&pass=secret
   [You're s****ing me? "secret"? Really? People are THAT stupid?]

   /ip-images/images.txt

   /assembler/(null)
   [A trapped null? Interesting exploit. Didn't work, mind you...]

   /wp-login.php
   [WordPress?]

And all within seconds of each other:

08:30:19 2009/10/19
//lists/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
[] ()
08:30:20 2009/10/19
//newsletter/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
[] ()
08:30:20 2009/10/19
//news/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
[] ()
08:30:21 2009/10/19
//phplist/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
[] ()
08:30:21 2009/10/19
//phpList/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
[] ()
08:30:21 2009/10/19
//admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
[] ()
08:30:22 2009/10/19
//phplist/lsts/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
[] ()
08:30:22 2009/10/19
//phplists/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
[] ()
08:30:22 2009/10/19
//list/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
[] ()

In the full log, the "[]" contains the referrer, if known. This is to 
track bad links. The "()" holds both the IP address of the connection 
and a looked-up name, if available.

I have deleted the IP address here as the same hack was performed at 
half six, half five, and four pm the day before. Exact same sequence of 
events, different machines (and geologically different IPs). Zombies, 
perhaps?


Whatever - anybody with an online presence will be a vector for hack 
attempts, most of which will be automated and relatively clueless. You 
might as well derive a small giggle out of woefully misleading 
responses. And why not, if you aren't supposed to be looking... :-)


Don't, however, bother adding false server information. There is no 
point. Also your false error message won't trick clued people for long.

Here, try this:

   telnet www.heyrick.co.uk 80

When the telnet window appears, type in:
   GET /blah HTTP/1.0             (then press Enter once)
   Host: www.heyrick.co.uk        (then press Enter TWICE)

You may need to type blind, depends upon your telnet client.

What you will see is the body of my error report document. Now if you 
scroll up [*], you will see a blank line above the HTML and a few lines 
more. This is the header. For a valid fault it will report an error code 
(in this case, the infamous 404) along with reporting the server type, 
date, etc.
A dodgy error will fool the clueless, but not anybody with half a brain. 
Luckily I think most of the internet damage is done by people running on 
much less than half a brain...


* - if you're running the Windows command line telnet, you can fake this 
quite well. Do it after opening the command prompt but before running 
telnet. Click the "C:\" logo beside the title "Command prompt". Select 
"Properties". Choose the "Layout" tab, then set the Screen BUFFER Size 
height to something large. I use 240 lines, enough to cache ten 
screenfuls. For other clients, it depends on the client. I think RISC OS 
clients tend to have some sort of "Save log file" option, which might 
seem more awkward, but the resulting text file is simpler to use than 
trying to hoik stuff off-screen (ever cut'n'pasted from a DOS-like 
command window? ick!)


Best wishes,

Rick.

-- 
Rick Murray, eeePC901 & ADSL WiFI'd into it, all ETLAs!
BBC B: DNFS, 2 x 5.25" floppies, EPROM prog, Acorn TTX
E01S FileStore, A3000/A5000/RiscPC/various PCs/blahblah...
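As an added example (not Rick's 404 handler, which the post does not show), a small Python analyser for records in the shape described above: it parses the `[referrer] (ip name)` fields, labels each requested path as a traversal attempt, a scanner probe or a plain broken link, and flags sources that fire several hostile requests within a few seconds, the burst pattern the log shows. The one-record-per-line layout, the probe path list and the sample IPs are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote
# Constructed sample in the layout the post describes: time, date, path, [referrer],
# (ip name). IPs are RFC 5737 documentation addresses; one record per line is assumed.
SAMPLE_LOG = """\
08:30:19 2009/10/19 //lists/admin/index.php?_SERVER[ConfigFile]=../../../../etc/passwd [] (192.0.2.10 )
08:30:20 2009/10/19 //newsletter/admin/index.php?_SERVER[ConfigFile]=../../../../etc/passwd [] (192.0.2.10 )
08:30:20 2009/10/19 //news/admin/index.php?_SERVER[ConfigFile]=..%2F..%2F..%2Fetc%2Fpasswd [] (192.0.2.10 )
08:31:02 2009/10/19 /wp-login.php [] (198.51.100.7 scanner.example)
09:14:55 2009/10/19 /oldpage.htm [http://example.org/links] (203.0.113.5 )
"""
RECORD = re.compile(r"^(\S+ \S+) (\S+) \[(.*?)\] \((\S*) ?(.*?)\)$")
# Paths only automated scanners ask for on a site that never hosted them (assumed list)
PROBE_PATHS = ("/wp-login.php", "/_vti_bin/", "/MSOffice/", "/admin/login.php")

def parse_log(text):
    """Return one dict per well-formed record; anything else is skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append({"when": datetime.strptime(m.group(1), "%H:%M:%S %Y/%m/%d"),
                            "path": m.group(2), "referrer": m.group(3), "ip": m.group(4)})
    return records

def classify(path):
    """Label a request 'traversal', 'probe' or 'broken-link' (a genuine 404)."""
    decoded = unquote(path)  # catch %2E%2E%2F-style encoded dots as well
    if "../" in decoded or "..\\" in decoded:
        return "traversal"
    if any(p in decoded for p in PROBE_PATHS):
        return "probe"
    return "broken-link"

def suspicious_sources(records, window_seconds=5, min_hits=3):
    """IPs with >= min_hits hostile requests inside window_seconds (the burst the post shows)."""
    by_ip = defaultdict(list)
    for r in records:
        if classify(r["path"]) != "broken-link":
            by_ip[r["ip"]].append(r["when"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - min_hits + 1):
            if (times[i + min_hits - 1] - times[i]).total_seconds() <= window_seconds:
                flagged[ip] = len(times)  # total hostile hits from that source
                break
    return flagged
```

Run over the sample, only 192.0.2.10 is flagged: three traversal attempts within one second, while the single probe from 198.51.100.7 and the genuine broken link are left alone.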