  1. #1
    SitePoint Evangelist

    'HTTP_HOST' not being evaluated correctly ?

    I use php scripts when there are errors (like 400,404,403,etc), to email me and advise of what is being attempted.

    I noticed on a 400 error, the 'from' and 'to' didn't contain my domain name, but another domain name. This is some of the code I use ..

    PHP Code:
    $http_host = $_SERVER["HTTP_HOST"];
    $http_host = str_replace("www.", "", $http_host);
    $from = "From: webmaster@" . $http_host . "\r\n";
    $to = "From: webmaster@" . $http_host . "\r\n";
    The var $http_host had the other domain name there. Fortunately, the email bounced back, so I became aware of the problem. Here is the web access logs entry

    94.102.51.246 - - [23/Feb/2013:16:17:49 +1100] "GET http://24x7-allrequestsallowed.com/?...RWJWS_FA%40FQN HTTP/1.1" 400 2815 "-" "Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0"
    It seems $_SERVER["HTTP_HOST"] was evaluated to '24x7-allrequestsallowed.com'

    I'm mystified how this was parsed as a URL, but more uneasy that $_SERVER["HTTP_HOST"] wasn't set to the 'proper' domain name.

    J

  2. #2
    SitePoint Wizard lorenw's Avatar
    This may be obvious but put,
    PHP Code:
    <?php echo '<pre>'; print_r($_SERVER); echo '</pre>'; ?>
    into the file and point your browser to it and see what you get.
    What I lack in acuracy I make up for in misteaks

  3. #3
    SitePoint Evangelist
    Quote Originally Posted by lorenw View Post
    This may be obvious but put,
    PHP Code:
    <?php echo '<pre>'; print_r($_SERVER); echo '</pre>'; ?>
    into the file and point your browser to it and see what you get.
    It returned an array, and the domain name was correct, that is, my domain. I'm still mystified how the domain name was changed. They would have had to do something like

    where 'example.com' is my domain. Notice no trailing slash after the domain name.

    I'm seeing a lot of this, hacking attempts I assume; no less than 741 by the same IP in one day.

  4. #4
    SitePoint Evangelist captainccs's Avatar
    HTTP_HOST should work. I happen to use SERVER_NAME for the exact same purpose and I've not had a problem so far.

    Are you using mail()? I'm using error_log():
    http://www.php.net/manual/en/function.error-log.php
    Denny Schlesinger
    web services

  5. #5
    Utopia, Inc. silver trophy
    ScallioXTX's Avatar
    Quote Originally Posted by captainccs View Post
    HTTP_HOST should work. I happen to use SERVER_NAME for the exact same purpose and I've not had a problem so far.
    Yes on Apache those two are pretty much the same thing, but in NGiNX they're not. In NGiNX you'd better use HTTP_HOST (SERVER_NAME always reports the first alias if you have defined multiple aliases for a virtual host).
    Rémon - Hosting Advisor


  6. #6
    SitePoint Evangelist
    Quote Originally Posted by ScallioXTX View Post
    Yes on Apache those two are pretty much the same thing, but in NGiNX they're not. In NGiNX you'd better use HTTP_HOST (SERVER_NAME always reports the first alias if you have defined multiple aliases for a virtual host).
    Thanks for your reply. I don't understand what NGiNX is though.

  7. #7
    SitePoint Evangelist
    Quote Originally Posted by captainccs View Post
    HTTP_HOST should work. I happen to use SERVER_NAME for the exact same purpose and I've not had a problem so far.
    Yes, I have used HTTP_HOST for years. Now I have to hard code in the domain name, just to be sure.

    Quote Originally Posted by captainccs View Post
    Are you using mail()? I'm using error_log():
    http://www.php.net/manual/en/function.error-log.php
    I'm using the mail() command, and as I got 741 emails in one day, I no doubt have to do something else. Thanks for the info on error_log().
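
Added example, not code from any poster in this thread: one way to do the hard-coding described in the post above while still accepting the site's own aliases. HTTP_HOST is taken from the request, so it reaches the mail headers only when it matches an allowlist exactly; example.com, the allowlist, the sample request and the function names are assumptions.

```php
<?php
// Added example. example.com stands in for the site's own domain.
const CANONICAL_HOST = 'example.com';
const ALLOWED_HOSTS  = ['example.com', 'www.example.com'];

// Lower-case the client-supplied host and drop an optional :port suffix.
function normalise_host(array $server): string
{
    $raw = strtolower(trim((string)($server['HTTP_HOST'] ?? '')));
    return preg_replace('/:\d+$/', '', $raw);
}

// Remove control characters (CR/LF included) from a client-controlled value.
function clean($value): string
{
    return preg_replace('/[\x00-\x1F\x7F]/', '', (string)$value);
}

// Build the error report. Headers use the request's host only when it is
// allowlisted exactly; otherwise the hard-coded canonical name is used.
function build_error_report(int $status, array $server): array
{
    $host    = normalise_host($server);
    $allowed = in_array($host, ALLOWED_HOSTS, true);
    $domain  = $allowed ? preg_replace('/^www\./', '', $host) : CANONICAL_HOST;
    return [
        'foreign_host' => !$allowed,
        'to'           => "webmaster@$domain",
        'subject'      => "HTTP $status on $domain",
        'headers'      => "From: webmaster@$domain\r\n",
        'body'         => sprintf('host=%s uri=%s client=%s',
            clean($server['HTTP_HOST'] ?? ''),
            clean($server['REQUEST_URI'] ?? ''),
            clean($server['REMOTE_ADDR'] ?? '')),
    ];
}

// Constructed request modelled on the log entry in post #1.
$sample = ['HTTP_HOST' => '24x7-allrequestsallowed.com',
           'REQUEST_URI' => '/', 'REMOTE_ADDR' => '203.0.113.5'];
$report = build_error_report(400, $sample);

// Requests naming a foreign host go to the server log; other errors are mailed.
if ($report['foreign_host']) {
    error_log('HTTP 400, foreign Host: ' . $report['body']);
} else {
    mail($report['to'], $report['subject'], $report['body'], $report['headers']);
}
```

In a real error script the array passed in would be $_SERVER; routing foreign-host requests to error_log() also keeps a burst of them from turning into a burst of e-mail.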

  8. #8
    SitePoint Evangelist captainccs's Avatar
    jehoshua, you might want to use something like this in htaccess

    Code:
    # defeat robot exploits
    RewriteCond %{QUERY_STRING} http:// [OR]
    RewriteCond %{REQUEST_URI} http:// [OR]
    RewriteCond %{QUERY_STRING} http%3A%2F%2F
    RewriteRule ^(.*)$ - [F]
    
    # defeat robot exploits
    RewriteCond %{QUERY_STRING} DECLARE%20@S%20CHAR [OR] 
    RewriteCond %{QUERY_STRING} SET%20@S=CAST
    RewriteRule ^(.*)$ - [F]
    Denny Schlesinger
    web services

  9. #9
    SitePoint Evangelist
    Quote Originally Posted by captainccs View Post
    jehoshua , you might want to use something like this in htaccess
    Thanks for the .htaccess code. I can basically understand the first 'set', that if someone sends a {QUERY_STRING} or a {REQUEST_URI} containing "http://", then it will fail with an error. What error code will be generated ?

    The second 'set' is not that easy to work out. Looks like some 'spaces' there though ??

    I do already have some code in my .htaccess as follows ..

    Code:
    Options +FollowSymLinks
    RewriteEngine on
    # 127.0.0.0   - example only, usually contains my IP
    RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.0$
    RewriteRule ^(wp-login|wp-register|upgrade)\.php?$ - [F] 
    
    Deny from 37.1.207.22
    
    ErrorDocument 400 /400error.php
    ErrorDocument 403 /403error.php
    ErrorDocument 404 /404error.php
    ErrorDocument 406 /406error.php
    ErrorDocument 414 /414error.php
    ErrorDocument 500 /500error.php
    ErrorDocument 501 /501error.php
    that allows me to use 3 scripts (usually has my real IP), anyone else gets a 403 I think. Also, if any apache errors, a small script file is run.

    Where would be best to place the new code ?

  10. #10
    SitePoint Evangelist captainccs's Avatar
    The second 'set' is not that easy to work out. Looks like some 'spaces' there though ??
    It's some form of MySQL injection, the htaccess code shows just the start of it. What you find in your access log is like this:
    Code:
    xx.xx.xx.xx - - [21/Aug/2008:00:23:22 -0400] "GET /2/20080730?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(  .....a whole lot of code.....  CHAR(4000));EXEC(@S); HTTP/1.1" 404 276 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
    Check out this thread for a discussion: DECLARE @S CHAR(4000)

    Denying access IP by IP does not work with these attacks because generally they will come from a whole lot of infected computers. The advantage of catching it in htaccess is that it catches all of them without having to track down each IP address sending malware.

    Where would be best to place the new code ?
    Doesn't matter, as far as I know.
    Denny Schlesinger
    web services

  11. #11
    Utopia, Inc. silver trophy
    ScallioXTX's Avatar
    Quote Originally Posted by jehoshua View Post
    Thanks for your reply. I don't understand what NGiNX is though.
    NGiNX is a Web server, just like Apache is. My comment was more a general one for anyone reading in who was confused about the difference between SERVER_NAME and HTTP_HOST. It was not aimed at your problem directly. Sorry that wasn't clear.
    Rémon - Hosting Advisor


