[wikka-community] Baby hacker on the loose
Marjolein Katsma
javawoman
Wed Nov 21 11:27:30 GMT 2007
Hi All,
Last night, I was looking at our access stats and happily concluded that
traffic was gradually picking up again after our outage; Dario went looking
at the referrers and spotted a weird referrer string in the global
referrers for wikkawiki.org, with no less than 2313 hits! It looked like a
hacker attempt, except you can't really hack by means of a referrer string
(certainly not when, as was the case here, the referrer is an external
URL). Example:
http://www.edhelper.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
That had the 2313 hits; there were a few more with the same type of query
but for different domains, including one referencing webcrawler, a major
meta-search engine.
So I plugged the query string into Yahoo! and it came up with 826
references... turns out it's an old, old hack, found in the classic hackers
guides - see
http://www.windowsecurity.com/whitepapers/The_Unofficial_Web_Hack_FAQ__Section_02.html?printversion
for example - except it won't work as a referrer string. It clutters up the
referrers stats with useless entries though; but it isn't really referrer
spam either.
What to do? The first idea was to blacklist the referrer. Oops - bad idea:
blacklisting bans the *domain*: we don't want to ban a major (meta) search
engine do we? The other domains were equally harmless. Next idea: just ban
by referrer in the .htaccess file. So, off I went and edited our .htaccess
file so any access with "cgi-bin/phf" in the referrer string would be
denied access. But when did this start?
So, I loaded the access log and did a search for the query string. It turns
out the first access was yesterday (the 20th of November - and in the US at
least, Thanksgiving holiday has just started...). What was worse was that
the hackish query string was not just in the referrer, but in the actual
request as well. Of course, it doesn't work on our server - and it won't on
most: it's such a classic from around the turn of the century that hardly
any system will actually still have the 'phf' script sitting on their
servers. But our baby hacker made things easy for us: he was pounding our
server from the same IP address (69.34.126.203 - it seems the kiddies in
NYC have too much time on their hands!), and with the same User Agent
string: 'WWW-Mechanize/1.30'. So I added a few more lines to the .htaccess
file ensuring that anything even smelling like this will get denied.
1. After the SetEnvIfNoCase (in our standard .htaccess file) I added:
SetEnvIfNoCase Referer "/cgi-bin/phf\?" BadReferrer
SetEnvIfNoCase Request_URI "/cgi-bin/phf" BadBot
BrowserMatch "WWW-Mechanize/1.30" BadBot
2. After order deny,allow I added lines to ban both the IP address and the
"BadBot" and "BadReferrer"
So, the start of a (standard) .htaccess file (disregarding the old
SetEnvIfNoCase which is hardly relevant anymore and I've commented out)
would now look like this
# Tag requests whose Referer or request URI carries the old 'phf' probe,
# plus the user agent the probes arrived with (patterns are regexes)
SetEnvIfNoCase Referer "/cgi-bin/phf\?" BadReferrer
SetEnvIfNoCase Request_URI "/cgi-bin/phf" BadBot
BrowserMatch "WWW-Mechanize/1.30" BadBot
# Default is Allow; the Deny lines are evaluated first, so any match is refused
Order Deny,Allow
Deny from env=BadReferrer
Deny from env=BadBot
Deny from 69.34.126.203
See http://httpd.apache.org/docs/1.3/mod/mod_access.html#order (Module
mod_access) for an explanation of how this is processed; in short, the
default is Allow (second directive) but any deny directives are processed
first. See http://httpd.apache.org/docs/1.3/mod/mod_setenvif.html (Module
mod_setenvif) for more on the SetEnvIfNoCase and BrowserMatch directives.
Needless to say, make sure you don't have the 'phf' script in your cgi-bin:
if you do, it's a major security hole. Even if it's from the hackish middle
ages, it's worth a quick check.
Unfortunately, I'm now left to conclude that a good chunk of our
"improving" traffic was thanks to this baby hacker. We'll keep watching and
hoping for better results...
Happy Thanksgiving!
Cheers,
Marjolein
--
JavaWoman
Web Standards Compliance Officer, Wikka Development Crew
http://wikkawiki.org/JavaWoman
Skype: callto://goneagain
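Added example (not part of Marjolein's post or of Wikka): the access-log search she describes, done as a small script that applies the same three criteria as the .htaccess rules above (Referer matching "/cgi-bin/phf?", request URI containing "/cgi-bin/phf", User-Agent "WWW-Mechanize/1.30") plus the banned IP, and summarises what would be denied by IP and by user agent. The parser assumes Apache's "combined" log format; the sample log lines are constructed here for illustration, reusing only the IP, referrer and user-agent strings quoted in the post.

```python
import re
from collections import Counter

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Same criteria as the .htaccess rules in the post (SetEnvIfNoCase is case-insensitive).
BAD_REFERER_RE = re.compile(r'/cgi-bin/phf\?', re.IGNORECASE)
BAD_URI_RE = re.compile(r'/cgi-bin/phf', re.IGNORECASE)
BAD_AGENT_RE = re.compile(r'WWW-Mechanize/1\.30')
BANNED_IPS = {'69.34.126.203'}

# Constructed sample log lines (not real log data); the last one is deliberately malformed.
SAMPLE_LINES = [
    '69.34.126.203 - - [20/Nov/2007:09:12:41 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 294 "http://www.edhelper.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd" "WWW-Mechanize/1.30"',
    '69.34.126.203 - - [20/Nov/2007:09:12:42 +0000] "GET /HomePage HTTP/1.0" 200 5120 "http://www.edhelper.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd" "WWW-Mechanize/1.30"',
    '69.34.126.203 - - [20/Nov/2007:09:12:43 +0000] "GET /RecentChanges HTTP/1.0" 200 7710 "-" "WWW-Mechanize/1.30"',
    '192.0.2.77 - - [20/Nov/2007:11:03:09 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.1" 404 294 "-" "Mozilla/5.0 (compatible)"',
    '198.51.100.9 - - [20/Nov/2007:11:05:00 +0000] "GET /HomePage HTTP/1.1" 200 5120 "http://www.example.org/" "Mozilla/5.0 (X11; Linux)"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return the set of deny reasons a parsed record would trigger under the .htaccess rules."""
    tags = set()
    if BAD_REFERER_RE.search(rec['referer']):
        tags.add('BadReferrer')
    if BAD_URI_RE.search(rec['uri']) or BAD_AGENT_RE.search(rec['agent']):
        tags.add('BadBot')
    if rec['ip'] in BANNED_IPS:
        tags.add('BannedIP')
    return tags


def scan(lines):
    """Return (denied_count, hits per IP, hits per user agent, unparsed_count) for the given log lines."""
    denied, unparsed = 0, 0
    by_ip, by_agent = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # keep counting malformed lines rather than silently dropping them
            continue
        if classify(rec):          # with Order Deny,Allow, any matching Deny line wins
            denied += 1
            by_ip[rec['ip']] += 1
            by_agent[rec['agent']] += 1
    return denied, by_ip, by_agent, unparsed


if __name__ == '__main__':
    denied, by_ip, by_agent, unparsed = scan(SAMPLE_LINES)
    print(f'{denied} of {len(SAMPLE_LINES)} lines would be denied ({unparsed} unparsed)')
    for ip, n in by_ip.most_common():
        print(f'  {ip}: {n} hits')
    for agent, n in by_agent.most_common():
        print(f'  {agent!r}: {n} hits')
```

Run it against a real log with `scan(open('access.log'))` to see how much of the traffic the rules would have refused; the per-IP and per-agent counts are what let you spot a single source like the one in the post before adding a blanket deny.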