You are being directed to the US FBI where your IP address and details will also be logged.
# 1  
Old 09-25-2019

Well, I thought I would share this code, which I normally do not share.

The logs show this site is currently experiencing some "new hack" maybe attempting a buffer overflow or something similar.

So, not really having any patience for this kind of criminal or childish behavior (have a touch of the flu), I quickly wrote this PHP code today:

Code:
<?php
// Log the request first, then send headers, then the body: header() has to be
// called before any output or PHP reports "headers already sent" and the
// Refresh header is silently dropped (the original echoed the page first).
$logFile = '/var/log/apache2/hacktrap/hacktrap_redirect.log'; // one file; the original split entries across two paths

// Attack payloads are frequently not valid UTF-8; without these flags json_encode()
// returns false and the entry is written as an empty string (flags need PHP >= 7.2).
$jsonFlags = JSON_PARTIAL_OUTPUT_ON_ERROR | JSON_INVALID_UTF8_SUBSTITUTE;

error_log("_SERVER: " . json_encode($_SERVER, $jsonFlags) . "\n\n", 3, $logFile);
error_log("_COOKIE: " . json_encode($_COOKIE, $jsonFlags) . "\n\n", 3, $logFile);
error_log("_GET: " . json_encode($_GET, $jsonFlags) . "\n\n", 3, $logFile);
error_log("_POST: " . json_encode($_POST, $jsonFlags) . "\n\n", 3, $logFile);
// $_SESSION only exists after session_start(); log null instead of raising a notice.
error_log("_SESSION: " . json_encode($_SESSION ?? null, $jsonFlags) . "\n\n", 3, $logFile);
error_log("----------------------------------------------------" . "\n\n", 3, $logFile);

// Show the notice, then let the browser move on after 5 seconds. A 3xx status
// without a Location header is non-conformant, so the Refresh header alone does the redirect.
header("Refresh: 5; url=https://www.fbi.gov/investigate/cyber");
echo stuff();
exit;

function stuff()
{
    $html = '<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>FBI Redirect</title>
</head>
<body>
<div style="text-align:center;margin:20px;">
<div style="font-weight:bold;">
Your attempt at criminal activity has been logged.
</div>
<br>
<br>
<div style="font-weight:bold;">
You are being directed to the US FBI where your IP address and details will also be logged.
</div>
</div>

</body>
</html>';
    return $html;
}

# 2  
Old 09-25-2019
Nice one Neo,

Just seems to be missing the bit about taking a Cheese Grater to their knuckles;D

Regards

Gull04
# 3  
Old 09-25-2019
The log file truncated the malicious code (which was an HTTP GET parameter), so hopefully this little code will log the entire exploit.

I'll post back if the "socially dysfunctional entity" shows up again.
# 4  
Old 09-25-2019
Logfile entry:

Code:
_SERVER: 

_COOKIE: []

_GET: {"template":"tag_(){};@unlink(_FILE_);assert($_POST[T00ls]);{\/\/..\/rss"}

_POST: []

_SESSION: null

# 5  
Old 09-25-2019
OK.. the above logging provides the clue of what the hacker / scanning tool is attempting:

GitHub - ab1gale/phpcms-2008-CVE-2018-19127

Quote:
Recently we found a vulnerability in /type.php of phpcms 2008 source code. When attackers send crafted requests like "/type.php?template=tag_(){};@unlink(FILE);assert($_POST[1]);{//../rss", evil content (in this case "@unlink(FILE);assert($_POST[1]);") will be written into cache file (in this case "/cache_template/rss.tpl.php") on phpcms 2008 website.
This does not affect our site since we do not run phpcms; but it is still interesting to see the non-stop hacking attempts; so in this case it's not "a big deal".. just par for the course on the web.

It's never ending.... keeping a busy web site up and running smoothly.
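As an added example (not code from the thread, and not phpcms's own code), here is the defender-side fix for the class of bug quoted above together with a small review of the trap log from post #4: a template name is validated against a strict allowlist before it is ever used to build a cache file path, and each logged `_GET` entry is checked for the injection markers visible in the captured request (brace block, `unlink()`, `assert()`, a request superglobal, `../`). The function names, the `/cache_template` default directory and the second, benign log line are assumptions constructed for the illustration; the first log line is the one logged in post #4.

```php
<?php
// Added example (not from the thread, not phpcms code): validate template names
// before they reach a path or a generated PHP file, and flag requests that fail.
// Function names and the cache directory default are assumptions.

declare(strict_types=1);

/** Only plain identifiers: letters, digits, underscore, hyphen; 1..64 chars. */
function isSafeTemplateName(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) === 1;
}

/**
 * Cache file path for a template, or null when the name fails validation.
 * The allowlist makes "../", braces, quotes and semicolons impossible here.
 */
function cachePathFor(string $name, string $cacheDir = '/cache_template'): ?string
{
    if (!isSafeTemplateName($name)) {
        return null;
    }
    return rtrim($cacheDir, '/') . '/' . $name . '.tpl.php';
}

/**
 * PHP-code-injection indicators in a template parameter, matching what the trap
 * logged: a brace block, unlink(), assert(), request superglobals, traversal.
 * Returns the labels that matched (empty array for a clean value).
 */
function injectionIndicators(string $value): array
{
    $patterns = [
        'brace code block'    => '/\(\)\s*\{/',
        'unlink() call'       => '/@?unlink\s*\(/i',
        'assert() eval'       => '/\bassert\s*\(/i',
        'request superglobal' => '/\$_(GET|POST|REQUEST|COOKIE)\s*\[/',
        'path traversal'      => '#\.\.[/\\\\]#',
    ];
    $hits = [];
    foreach ($patterns as $label => $regex) {
        if (preg_match($regex, $value) === 1) {
            $hits[] = $label;
        }
    }
    return $hits;
}

/** Parse one "_GET: {...}" line from the trap log and review its template parameter. */
function reviewTrapLogLine(string $line): ?array
{
    if (preg_match('/^_GET:\s*(\{.*\})\s*$/', $line, $m) !== 1) {
        return null;
    }
    $params = json_decode($m[1], true);
    if (!is_array($params) || !isset($params['template'])) {
        return null;
    }
    $template = (string) $params['template'];
    return [
        'template'   => $template,
        'cache_path' => cachePathFor($template),   // null means the request is rejected
        'indicators' => injectionIndicators($template),
    ];
}

// Two log lines: the payload captured in post #4, and a constructed benign request.
$lines = [
    '_GET: {"template":"tag_(){};@unlink(_FILE_);assert($_POST[T00ls]);{\/\/..\/rss"}',
    '_GET: {"template":"rss"}',
];

foreach ($lines as $line) {
    $review = reviewTrapLogLine($line);
    if ($review === null) {
        continue;
    }
    printf("template=%s\n  cache path: %s\n  indicators: %s\n",
        $review['template'],
        $review['cache_path'] ?? 'REJECTED',
        $review['indicators'] ? implode(', ', $review['indicators']) : 'none'
    );
}
```

Run with `php review.php`: the captured payload is rejected by the allowlist and trips all five indicators, while `rss` is accepted and maps to `/cache_template/rss.tpl.php`. The allowlist is the actual mitigation; the indicator scan is only useful for triaging what the trap has already logged.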
# 6  
Old 09-26-2019
It's an interesting example of how discredited programming methods get renamed to make them acceptable again.
  • Self-modifying code? Obviously bad and never allowed, at all, ever.
  • Self-installable plugins? Too useful to get rid of.
  • Goto? The despised root of all programming evil. Never do this!
  • Try/catch? Too useful to get rid of.

But renaming them, instead of teaching them as what they are, downplays their risks.
# 7  
Old 09-26-2019
Hi Corona688...

Quote:
Goto?
Eek, and I found a fun way of doing it under dash recently and MadeInGermany bettered it shaving off 20% of the whole file's running time.
It seems odd to me that there is goto in ANSI C, and, Assembl[y][er] code uses JMPs and BRAs in absolute, relative with and without offsets etc... and yet it is frowned upon.

/Me shrugs...