Date : Tue, 20 Oct 2009 17:48:12 +0100
From : robert@... (Rob)
Subject: Web site trickery (ot)
Maybe, if your server supports it:
create a file called index.php containing:
<?php
header($_SERVER["SERVER_PROTOCOL"]." 404 Not Found");
?>
On 20/10/2009, Rick Murray <rick@...> wrote:
> Andy Ford wrote:
>
>> I can't see the site you were referring to,
>
> Pay attention to his identifier, work from there.
>
>
>> but I agree it's always best to hide the directory listing where possible.
>
> Stops bored twits like me! :-)
>
>
>> extremely basic but effective enough to keep most people out. :)
>
> Here is a slightly more evil one in keeping with the rest of the site...
>
>
> <html><body><font size=+3><b>Not found - 404</b></font><p>
> URL requested (/index.html) not found</body></html>
>
>
> The lack of title is intentional, the original is very minimal (so much,
> in fact, that it doesn't even bother with <html><body>, but I draw the
> line at writing HTML that broken...).
>
> Also implies a redirect is in force, but the index isn't available.
>
>
> Of course, you could be a **** and alter this to be:
>
>
> <html><body><font size=+3><b>Not found - 404</b></font><p>
> URL requested (/main_handler.cgi?welcome) not found</body></html>
>
>
> And leave it to anybody so inclined to try to hack something that
> doesn't exist! Could even drop in fake error messages from FrontPage
> extensions!
>
>
> Wonder why I suggest that? My 404 handler logs who, what, where, when.
> Explain:
>
> /binaries/EA92AA7A0FC22BB7EF7A06E51FDE15A6_00000.temp000b.htm
> [Weird filename!? Lame buffer overflow exploit?]
>
> /sitemap.xml
>
> /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=8164&STRMVER=4&CAPREQ=0
> /MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=8164&STRMVER=4&CAPREQ=0
> [I installed FrontPage98 demo on my old computer. It added lots
> of vti_bin garbage to my website. I uninstalled it...]
>
> /admin/login.php?user=admin&pass=secret
> [You're s****ing me? "secret"? Really? People are THAT stupid?]
>
> /ip-images/images.txt
>
> /assembler/(null)
> [A trapped null? Interesting exploit. Didn't work, mind you...]
>
> /wp-login.php
> [WordPress?]
>
> And all within seconds of each other:
>
> 08:30:19 2009/10/19
> //lists/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
> [] ()
> 08:30:20 2009/10/19
> //newsletter/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
> [] ()
> 08:30:20 2009/10/19
> //news/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
> [] ()
> 08:30:21 2009/10/19
> //phplist/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
> [] ()
> 08:30:21 2009/10/19
> //phpList/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
> [] ()
> 08:30:21 2009/10/19
> //admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
> [] ()
> 08:30:22 2009/10/19
> //phplist/lsts/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
> [] ()
> 08:30:22 2009/10/19
> //phplists/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
> [] ()
> 08:30:22 2009/10/19
> //list/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
> [] ()
>
>
> In the full log, the "[]" contains the referrer, if known. This is to
> track bad links. The "()" holds both the IP address of the connection
> and a looked-up name, if available.
>
> I have deleted the IP address here as the same hack was performed at
> half six, half five, and four pm the day before. Exact same sequence of
> events, different machines (and geologically different IPs). Zombies,
> perhaps?
>
>
> Whatever - anybody with an online presence will be a vector for hack
> attempts, most of which will be automated and relatively clueless. You
> might as well derive a small giggle out of woefully misleading
> responses. And why not, if you aren't supposed to be looking... :-)
>
>
> Don't, however, bother adding false server information. There is no
> point. Also your false error message won't trick clued people for long.
>
> Here, try this:
>
> telnet www.heyrick.co.uk 80
>
> When the telnet window appears, type in:
> GET /blah HTTP/1.0 (then press Enter once)
> Host: www.heyrick.co.uk (then press Enter TWICE)
>
> You may need to type blind, depends upon your telnet client.
>
> What you will see is the body of my error report document. Now if you
> scroll up [*], you will see a blank line above the HTML and a few lines
> more. This is the header. For a valid fault it will report an error code
> (in this case, the infamous 404) along with reporting the server type,
> date, etc.
> A dodgy error will fool the clueless, but not anybody with half a brain.
> Luckily I think most of the internet damage is done by people running on
> much less than half a brain...
>
>
> * - if you're running the Windows command line telnet, you can fake this
> quite well. Do it after opening the command prompt but before running
> telnet. Click the "C:\" logo besides the title "Command prompt". Select
> "Properties". Choose the "Layout" tab, then set the Screen BUFFER Size
> height to something large. I use 240 lines, enough to cache ten
> screenfuls. For other clients, it depends on the client. I think RISC OS
> clients tend to have some sort of "Save log file" option, which might
> seem more awkward, but the resulting text file is simpler to use than
> trying to hoik stuff off-screen (ever cut'n'pasted from a DOS-like
> command window? ick!)
>
>
> Best wishes,
>
> Rick.
>
> --
> Rick Murray, eeePC901 & ADSL WiFI'd into it, all ETLAs!
> BBC B: DNFS, 2 x 5.25" floppies, EPROM prog, Acorn TTX
> E01S FileStore, A3000/A5000/RiscPC/various PCs/blahblah...
>
>
>
> _______________________________________________
> bbc-micro mailing list
> bbc-micro@...
> http://lists.cloud9.co.uk/mailman/listinfo/bbc-micro
>
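As an added example (not code from Rob's or Rick's messages), a Python script that parses the three-line 404 log layout Rick quotes (time and date, path, then "[referrer] (client)") and flags the bursts of directory-traversal probes he describes. The log text below is constructed in that layout, and the client addresses are documentation-range placeholders, not real ones.

```python
"""Parse a three-line-per-entry 404 log and flag traversal probe bursts."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same layout as the quoted 404 log; the client
# field uses documentation-range addresses (192.0.2.x), not real ones.
SAMPLE_LOG = """\
08:30:19 2009/10/19
//lists/admin/index.php?_SERVER[ConfigFile]=../../../../../../etc/passwd
[] (192.0.2.10 )
08:30:20 2009/10/19
//newsletter/admin/index.php?_SERVER[ConfigFile]=../../../../../../etc/passwd
[] (192.0.2.10 )
08:31:05 2009/10/19
/oldpage.html
[http://example.invalid/links.html] (192.0.2.20 host.example.invalid)
"""

# Repeated "../" segments or a direct /etc/passwd reference mark a traversal probe.
TRAVERSAL = re.compile(r"(?:\.\./){2,}|/etc/passwd", re.IGNORECASE)
# One entry: "HH:MM:SS YYYY/MM/DD", a path (no spaces), then "[referrer] (client)".
ENTRY = re.compile(r"^(\d\d:\d\d:\d\d) (\d{4}/\d\d/\d\d)\n(\S+)\n\[(.*?)\] \((.*?)\)$", re.M)

def is_traversal(path):
    """True if the requested path looks like a directory-traversal attempt."""
    return TRAVERSAL.search(path) is not None

def parse_log(text):
    """Return a list of dicts (when, path, referrer, client) for each entry."""
    entries = []
    for m in ENTRY.finditer(text):
        when = datetime.strptime(f"{m.group(2)} {m.group(1)}", "%Y/%m/%d %H:%M:%S")
        client_field = m.group(5).split()
        entries.append({"when": when, "path": m.group(3), "referrer": m.group(4),
                        "client": client_field[0] if client_field else ""})
    return entries

def traversal_bursts(entries, window_s=10, min_hits=2):
    """Map client -> probe count for clients that fired at least min_hits
    traversal probes within window_s seconds (the automated, seconds-apart
    sequence seen in the log); isolated probes are not reported."""
    hits = defaultdict(list)
    for e in entries:
        if is_traversal(e["path"]):
            hits[e["client"]].append(e["when"])
    bursts = {}
    for client, times in hits.items():
        times.sort()
        for i in range(len(times) - min_hits + 1):
            if (times[i + min_hits - 1] - times[i]).total_seconds() <= window_s:
                bursts[client] = len(times)
                break
    return bursts
```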