[Apache AccessLog] %2f..%2f..%2f..%2fetc%2fhttpd%2flogs%2ferror.log



I recently reviewed the Apache access log for one of the sites I'm handling.

I found a bunch of entries in the access log that look like these:
54.208.35.151 - - [27/Nov/2013:13:27:58 +0800] "GET /wp-content/plugins/theia-post-slider/js/balupton-history.js/history.js?ver=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fhttpd%2flogs%2ferror.log HTTP/1.1" 404 - "http://[this-is-intentionally-masked].com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; ScanToSecure)"
or
54.208.35.151 - - [27/Nov/2013:13:30:11 +0800] "GET /wp-content/plugins/sociable/css/sociable.css?ver=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fvar%2flog%2fapache%2ferror.log HTTP/1.1" 200 5687 "http://[this-is-intentionally-masked].com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; ScanToSecure)"
Notice that the second example got an HTTP 200 OK, meaning the request was valid and pointed at an existing resource on the server. On its own that is expected: Apache serves a static .css file regardless of what is in the query string, so the 200 only tells you the file exists, not that the payload did anything. What matters is whether the resource really is a static file, or a .php script that reads the ver parameter.

I checked the response and it was nothing more than the CSS content. *phew*


IP CHECKING


A lookup on the IP (54.208.35.151) reveals that these requests came from a spam bot server.

A note to all


Do not use unknown or non-reputable themes/plugins that serve static .js or .css files through .php files. I've seen quite a few with additional functions that write to other files, and even read from other files! A parameter like that is really not necessary: the ver query string WordPress appends to a static asset is only meant to be a cache-busting version number.

Taking a file path from a URL parameter is exactly what leads to the exploit attempted above, i.e.
jquery.js.php?ver=[path-to-some-sensitive-file]
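To make the point concrete, here is an added example (not code from this post or from any plugin it mentions) that models in Python the kind of PHP shim described above: a jquery.js.php that reads whatever file the ver parameter names, beside two hardened alternatives. The web root, the shape of the PHP shim (readfile($base . $_GET['ver'])) and the asset allowlist are assumptions made for the illustration.

```python
"""Why a file path in a URL parameter is the whole problem, and what `ver` should be instead.

Added example, not code from the post or from any plugin it mentions.  It models
in Python the kind of PHP shim the post warns about (jquery.js.php?ver=... that
reads whatever file `ver` names).  The web root and the asset allowlist are
assumptions for illustration.
"""
from __future__ import annotations

import posixpath
import re
from urllib.parse import unquote

# Payload in the shape of the access log entries above (constructed copy).
TRAVERSAL = "..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fhttpd%2flogs%2ferror.log"


def unsafe_target(webroot: str, ver: str) -> str:
    """The pattern to avoid: the URL parameter becomes part of a file path.

    Mirrors an assumed PHP shim of the form readfile($base . $_GET['ver']).
    Apache has percent-decoded the query string before PHP sees it; unquote()
    plays that role here.  normpath() shows where the read actually lands.
    """
    return posixpath.normpath(posixpath.join(webroot, unquote(ver)))


# A cache-busting version string: digits, letters, dots, dashes, underscores and
# nothing that could be read as a path.  (Hypothetical policy chosen for this example.)
_VERSION_TOKEN = re.compile(r"[0-9A-Za-z][0-9A-Za-z._-]{0,31}")


def safe_version(ver: str) -> str | None:
    """Treat `ver` as what WordPress means by it: an opaque version tag, never a path."""
    decoded = unquote(ver)
    return decoded if _VERSION_TOKEN.fullmatch(decoded) else None


# If a shim really must choose between files, map a short key to a fixed file name.
ASSETS = {"jquery": "jquery.js", "slider": "theia-post-slider.css"}  # assumed allowlist


def safe_target(webroot: str, key: str) -> str | None:
    """Allowlist lookup plus a containment check, so no user text reaches the filesystem."""
    name = ASSETS.get(unquote(key))
    if name is None:
        return None
    root = posixpath.normpath(webroot)
    path = posixpath.normpath(posixpath.join(root, name))
    # Defence in depth: even an allowlisted name must resolve inside the web root.
    # On a live server also pass both through os.path.realpath() so symlinks are resolved.
    return path if posixpath.commonpath([root, path]) == root else None


if __name__ == "__main__":
    print("unsafe :", unsafe_target("/var/www/html", TRAVERSAL))  # walks out of the web root
    print("version:", safe_version(TRAVERSAL), safe_version("3.5.1"))
    print("asset  :", safe_target("/var/www/html", "jquery"), safe_target("/var/www/html", TRAVERSAL))
```

Run it and the unsafe variant resolves the ten `..` segments straight to /etc/httpd/logs/error.log, which is exactly what the scanner was hoping for. The two safe variants never let the parameter touch the filesystem: either it is validated as a plain version token, or it is used only as a key into a fixed list of files, with a containment check as a second line of defence.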

Bonus


Doing SQL queries in static resource files? Big no.
Building SQL queries from URL parameters? Big big no.

You'll expose yourself to things like this:
54.208.35.151 - - [27/Nov/2013:13:30:21 +0800] "GET /wp-content/plugins/theia-post-slider/css/buttons-orange.css?ver='%2b%20(select%20convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))%20FROM%20syscolumns)%20%2b' HTTP/1.1" 200 5652 "http://[this-is-intentionally-masked].com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; ScanToSecure)"
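Decoded, that last entry reads ' + (select convert(int, CHAR(95)+CHAR(33)+...+CHAR(97)) FROM syscolumns) + ': a Microsoft SQL Server error-based probe (convert(), syscolumns and + string concatenation are T-SQL), which would make SQL Server fail converting the string _!@2dilemma to an integer and echo it back in the error message. Against a MySQL-backed WordPress site it is just a generic scanner signature, and it only becomes dangerous if a .php "stylesheet" ever puts ver into a query. The following added example (not the author's tooling) is a small scanner for Apache combined-format log lines that flags both the traversal entries from the top of the post and this SQL injection entry, decodes the CHAR() chain, and records whether the 200 was just a static file being served. The first three sample lines are constructed to mirror the entries quoted on this page; the fourth is a made-up benign request to show a normal ?ver= cache-buster is not flagged.

```python
"""Scan Apache combined-format access log lines for traversal and SQL injection probes.

Added example for this post, not the author's tooling.  The first three sample
lines are constructed to mirror the entries quoted above (same IP, paths and
user agent); the fourth is a made-up benign request, included to show that a
normal ?ver= cache-buster is not flagged.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed sample log (combined format).  Not a capture from a real server.
SAMPLE_LOG = [
    '54.208.35.151 - - [27/Nov/2013:13:27:58 +0800] "GET /wp-content/plugins/theia-post-slider/js/balupton-history.js/history.js?ver=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fhttpd%2flogs%2ferror.log HTTP/1.1" 404 - "http://[this-is-intentionally-masked].com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; ScanToSecure)"',
    '54.208.35.151 - - [27/Nov/2013:13:30:11 +0800] "GET /wp-content/plugins/sociable/css/sociable.css?ver=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fvar%2flog%2fapache%2ferror.log HTTP/1.1" 200 5687 "http://[this-is-intentionally-masked].com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; ScanToSecure)"',
    '54.208.35.151 - - [27/Nov/2013:13:30:21 +0800] "GET /wp-content/plugins/theia-post-slider/css/buttons-orange.css?ver=\'%2b%20(select%20convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))%20FROM%20syscolumns)%20%2b\' HTTP/1.1" 200 5652 "http://[this-is-intentionally-masked].com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; ScanToSecure)"',
    # Benign request (constructed) for contrast: a normal cache-busting version string.
    '198.51.100.7 - - [27/Nov/2013:13:31:02 +0800] "GET /wp-content/plugins/sociable/css/sociable.css?ver=3.5.1 HTTP/1.1" 200 5687 "http://[this-is-intentionally-masked].com/" "Mozilla/5.0 (Windows NT 6.1) Firefox/25.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A ".." segment delimited by slashes (or sitting at the start/end of the value).
TRAVERSAL_RE = re.compile(r'(?:^|[/\\])\.\.(?:[/\\]|$)')
# SQL indicators; two distinct ones are required so a lone apostrophe is not enough.
SQLI_RE = re.compile(r"'|\bselect\b|\bunion\b|\bconvert\s*\(|\bchar\s*\(|\bsyscolumns\b|\binformation_schema\b")
CHAR_RE = re.compile(r'char\((\d+)\)', re.I)


def full_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable, so %252f (a double-encoded '/') is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(target: str) -> list[str]:
    """Return the probe classes present in a request target (path + query)."""
    path, _, query = target.partition('?')
    decoded = full_decode(query).lower()
    kinds = []
    if TRAVERSAL_RE.search(decoded) or TRAVERSAL_RE.search(full_decode(path)):
        kinds.append('traversal')
    if len(set(SQLI_RE.findall(decoded))) >= 2:
        kinds.append('sqli')
    return kinds


def char_concat(decoded_query: str) -> str:
    """Collapse a T-SQL CHAR(n)+CHAR(n)+... chain into the string it spells out."""
    return ''.join(chr(int(n)) for n in CHAR_RE.findall(decoded_query))


def scan(lines: list[str]) -> list[dict]:
    """Parse each line and report the ones carrying a probe."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # on a real server, count these: malformed lines are often the attack
        path = m['target'].partition('?')[0]
        kinds = classify(m['target'])
        if not kinds:
            continue
        status = int(m['status'])
        findings.append({
            'ip': m['ip'],
            'status': status,
            'path': path,
            'kinds': kinds,
            'ua': m['ua'],
            # Apache serves a real .css/.js file no matter what the query string says,
            # so a 200 here is not evidence the payload worked.  It would only matter
            # if `path` were a .php script that reads ver.
            'served_static': status == 200 and path.endswith(('.css', '.js')),
        })
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f['ip'], f['status'], ','.join(f['kinds']), f['path'], 'static' if f['served_static'] else '')
```

Run against the sample, it reports the two traversal attempts and the SQL injection attempt and skips the benign ?ver=3.5.1 request; char_concat() on the decoded third query gives the marker _!@2dilemma the scanner expected to see in an error page. The served_static flag is the caveat from earlier in the post in code form: the two 200 responses are a static .css being served with the query string ignored, so they are worth noting but are not proof of anything having been read.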


Hope this helps.
