  1. #1
    SitePoint Evangelist

    'HTTP_HOST' not being evaluated correctly ?

    I use PHP scripts when there are errors (like 400, 404, 403, etc.) to email me and advise of what is being attempted.

    I noticed on a 400 error, the 'from' and 'to' didn't contain my domain name, but another domain name. This is some of the code I use ..

    PHP Code:
    // host name taken straight from the request, then "www." stripped
    $http_host = $_SERVER["HTTP_HOST"];
    $http_host = str_replace("www.", "", $http_host);
    // mail header and recipient are both built from that untrusted value
    $from = "From: webmaster@" . $http_host . "\r\n";
    $to   = "From: webmaster@" . $http_host . "\r\n";
    The var $http_host had the other domain name there. Fortunately, the email bounced back, so I became aware of the problem. Here is the web access log entry

    94.102.51.246 - - [23/Feb/2013:16:17:49 +1100] "GET http://24x7-allrequestsallowed.com/?...RWJWS_FA%40FQN HTTP/1.1" 400 2815 "-" "Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0"
    It seems $_SERVER["HTTP_HOST"] was evaluated to '24x7-allrequestsallowed.com'

    I'm mystified how this was parsed as a URL, but more uneasy that $_SERVER["HTTP_HOST"] wasn't set to the 'proper' domain name.

    J

  2. #2
    SitePoint Wizard lorenw's Avatar
    This may be obvious but put,
    PHP Code:
    <?php echo '<pre>'; print_r($_SERVER); echo '</pre>'; ?>
    into the file and point your browser to it and see what you get.

  3. #3
    SitePoint Evangelist captainccs's Avatar
    HTTP_HOST should work. I happen to use SERVER_NAME for the exact same purpose and I've not had a problem so far.

    Are you using the
    PHP Code:
    mail() 
    ? I'm using
    PHP Code:
    error_log() 
    http://www.php.net/manual/en/function.error-log.php
    Denny Schlesinger
    web services

  4. #4
    ScallioXTX's Avatar
    Quote Originally Posted by captainccs View Post
    HTTP_HOST should work. I happen to use SERVER_NAME for the exact same purpose and I've not had a problem so far.
    Yes on Apache those two are pretty much the same thing, but in NGiNX they're not. In NGiNX you'd better use HTTP_HOST (SERVER_NAME always reports the first alias if you have defined multiple aliases for a virtual host).
    Rémon - Hosting Advisor

  5. #5
    SitePoint Evangelist
    Quote Originally Posted by lorenw View Post
    This may be obvious but put,
    PHP Code:
    <?php echo '<pre>'; print_r($_SERVER); echo '</pre>'; ?>
    into the file and point your browser to it and see what you get.
    It returned an array, and the domain name was correct, that is, my domain. I'm still mystified how the domain name was changed. They would have had to do something like

    where 'example.com' is my domain. Notice no trailing slash after the domain name.

    I'm seeing a lot of this, hacking attempts I assume; no less than 741 by the same IP in one day.

  6. #6
    SitePoint Evangelist
    Quote Originally Posted by captainccs View Post
    HTTP_HOST should work. I happen to use SERVER_NAME for the exact same purpose and I've not had a problem so far.
    Yes, I have used HTTP_HOST for years. Now I have to hard code in the domain name, just to be sure.

    Quote Originally Posted by captainccs View Post
    Are you using the
    PHP Code:
    mail() 
    ? I'm using
    PHP Code:
    error_log() 
    http://www.php.net/manual/en/function.error-log.php
    I'm using the mail() command, and as I got 741 emails in one day, I no doubt have to do something else. Thanks for the info on error_log().

  7. #7
    SitePoint Evangelist
    Quote Originally Posted by ScallioXTX View Post
    Yes on Apache those two are pretty much the same thing, but in NGiNX they're not. In NGiNX you'd better use HTTP_HOST (SERVER_NAME always reports the first alias if you have defined multiple aliases for a virtual host).
    Thanks for your reply. I don't understand what NGiNX is though.

  8. #8
    SitePoint Evangelist captainccs's Avatar
    jehoshua, you might want to use something like this in .htaccess

    Code:
    # defeat robot exploits
    RewriteCond %{QUERY_STRING} http:// [OR]
    RewriteCond %{REQUEST_URI} http:// [OR]
    RewriteCond %{QUERY_STRING} http%3A%2F%2F
    RewriteRule ^(.*)$ - [F]
    
    # defeat robot exploits
    RewriteCond %{QUERY_STRING} DECLARE%20@S%20CHAR [OR] 
    RewriteCond %{QUERY_STRING} SET%20@S=CAST
    RewriteRule ^(.*)$ - [F]

  9. #9
    SitePoint Evangelist
    Quote Originally Posted by captainccs View Post
    jehoshua, you might want to use something like this in .htaccess
    Thanks for the .htaccess code. I can basically understand the first 'set', that if someone sends a {QUERY_STRING} or a {REQUEST_URI} containing "http://", then it will fail with an error. What error code will be generated?

    The second 'set' is not that easy to work out. Looks like some 'spaces' there though ??

    I do already have some code in my .htaccess as follows ..

    Code:
    Options +FollowSymLinks
    RewriteEngine on
    # 127.0.0.0   - example only, usually contains my IP
    RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.0$
    RewriteRule ^(wp-login|wp-register|upgrade)\.php?$ - [F] 
    
    Deny from 37.1.207.22
    
    ErrorDocument 400 /400error.php
    ErrorDocument 403 /403error.php
    ErrorDocument 404 /404error.php
    ErrorDocument 406 /406error.php
    ErrorDocument 414 /414error.php
    ErrorDocument 500 /500error.php
    ErrorDocument 501 /501error.php
    that allows me to use 3 scripts (usually has my real IP), anyone else gets a 403 I think. Also, if any apache errors, a small script file is run.

    Where would be best to place the new code ?

  10. #10
    ScallioXTX's Avatar
    Quote Originally Posted by jehoshua View Post
    Thanks for your reply. I don't understand what NGiNX is though.
    NGiNX is a Web server, just like Apache is. My comment was more a general one for anyone reading in who was confused about the difference between SERVER_NAME and HTTP_HOST. It was not aimed at your problem directly. Sorry that wasn't clear.

  11. #11
    SitePoint Evangelist captainccs's Avatar
    Quote Originally Posted by jehoshua View Post
    The second 'set' is not that easy to work out. Looks like some 'spaces' there though ??
    It's some form of MySQL injection, the htaccess code shows just the start of it. What you find in your access log is like this:
    Code:
    xx.xx.xx.xx - - [21/Aug/2008:00:23:22 -0400] "GET /2/20080730?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(  .....a whole lot of code.....  CHAR(4000));EXEC(@S); HTTP/1.1" 404 276 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
    Check out this thread for a discussion: DECLARE @S CHAR(4000)

    Denying access IP by IP does not work with these attacks because generally they will come from a whole lot of infected computers. The advantage of catching it in htaccess is that it catches all of them without having to track down each IP address sending malware.

    Quote Originally Posted by jehoshua View Post
    Where would be best to place the new code ?
    Doesn't matter, as far as I know.
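    As an added example (not code from the thread), the following PHP scans Apache access-log lines for the two request shapes the .htaccess rules above reject: an absolute URI or "http://" in the request, and the DECLARE @S CHAR / SET @S=CAST payload. Running it over existing logs shows which clients the rules would have stopped; the log lines and IP addresses below are constructed samples.

```php
<?php
// Added example, not from the thread: scan Apache access-log lines for the two
// request shapes the .htaccess rules above block, so existing logs can be
// reviewed before the rules are deployed. The log lines are constructed samples.

$patterns = array(
    // an absolute URI in the request line, or http:// (raw or encoded) in the path/query
    'absolute-uri' => '~"(?:GET|POST|HEAD) +(?:https?://|/[^ "]*(?:http://|http%3A%2F%2F))~i',
    // the start of the DECLARE @S CHAR(...) / SET @S=CAST(...) injection payload
    'sql-inject'   => '~DECLARE%20@S%20CHAR|SET%20@S=CAST~i',
);

// Names of every pattern that matches one log line (empty array if none).
function classify_line($line, array $patterns)
{
    $hits = array();
    foreach ($patterns as $name => $regex) {
        if (preg_match($regex, $line)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// One report entry (client IP + matched pattern names) per suspicious line.
function scan_log($text, array $patterns)
{
    $report = array();
    foreach (preg_split('/\R/', trim($text)) as $line) {
        $hits = classify_line($line, $patterns);
        if ($hits) {
            // the client IP is the first field of the combined log format
            $report[] = array('ip' => strtok($line, ' '), 'hits' => $hits);
        }
    }
    return $report;
}

// Constructed sample: a proxy-style absolute URI, an injection probe, and normal traffic.
$sample = <<<'LOG'
192.0.2.10 - - [23/Feb/2013:16:17:49 +1100] "GET http://other.example.net/?x=1 HTTP/1.1" 400 2815 "-" "Mozilla/5.0"
192.0.2.11 - - [21/Aug/2008:00:23:22 -0400] "GET /2/20080730?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x44%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 404 276 "-" "Mozilla/4.0"
192.0.2.12 - - [23/Feb/2013:16:20:00 +1100] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
LOG;

foreach (scan_log($sample, $patterns) as $entry) {
    echo $entry['ip'], ' -> ', implode(', ', $entry['hits']), "\n";
}
```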

  12. #12
    SitePoint Evangelist
    Thanks ScallioXTX and captainccs.

    Kept getting 400 errors, and convinced that HTTP_HOST was being changed, I added the array $_SERVER to the emails I get. Here is the array after a 400 error

    array (
    'CONTENT_LENGTH' => '16',
    'CONTENT_TYPE' => 'application/x-www-form-urlencoded',
    'DOCUMENT_ROOT' => '/home/********/public_html',
    'GATEWAY_INTERFACE' => 'CGI/1.1',
    'HTTP_ACCEPT' => '*/*',
    'HTTP_COOKIE' => 'strCookie=cookie6892',
    'HTTP_HOST' => 'myinfo.any-request-allowed.com',
    'HTTP_PROXY_CONNECTION' => 'Keep-Alive',
    'PATH' => '/bin:/usr/bin',
    'QUERY_STRING' => '',
    'REDIRECT_QUERY_STRING' => 'strGet=get6892',
    'REDIRECT_REQUEST_METHOD' => 'POST',
    'REDIRECT_STATUS' => '400',
    'REDIRECT_UNIQUE_ID' => 'US-8jswPhjQAABcofbIAAAAM',
    'REDIRECT_URL' => '/',
    'REMOTE_ADDR' => '31.184.244.100',
    'REMOTE_PORT' => '56498',
    'REQUEST_METHOD' => 'GET',
    'REQUEST_URI' => 'http://myinfo.any-request-allowed.com/?strGet=get6892',
    'SCRIPT_FILENAME' => '/home/********/public_html/400error.php',
    'SCRIPT_NAME' => '/400error.php',
    'SERVER_ADDR' => '204.15.***.***',
    'SERVER_ADMIN' => '********@********.***',
    'SERVER_NAME' => 'myinfo.any-request-allowed.com',
    'SERVER_PORT' => '80',
    'SERVER_PROTOCOL' => 'HTTP/1.1',
    'SERVER_SIGNATURE' => '',
    'SERVER_SOFTWARE' => 'Apache',
    'UNIQUE_ID' => 'US-8jswPhjQAABcofbIAAAAM',
    'PHP_SELF' => '/400error.php',
    'REQUEST_TIME' => 1362099342,
    'argv' =>
    array (
    ),
    'argc' => 0,
    )
    Notice the value of HTTP_HOST, which is not the name of the domain where the script resides, or more to the point, where the abuse occurred.

    J
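    The dump above shows the cause: Apache (with its default UseCanonicalName Off) fills both HTTP_HOST and SERVER_NAME from the client's request, either the Host header or the host part of an absolute-form request line like the REQUEST_URI shown, so neither value is something the server controls. As an added example that is not the original poster's script, here is an error handler that only uses the request host when it is on an allowlist and keeps request values out of mail headers; the hostnames and the webmaster@ address are assumptions.

```php
<?php
// Added example, not the original poster's script: an ErrorDocument handler
// that never trusts $_SERVER['HTTP_HOST'] or SERVER_NAME. Apache (default
// UseCanonicalName Off) fills both from the client's request (its Host header,
// or the host part of an absolute-form request line such as
// "GET http://other.example/ HTTP/1.1"), which is why the dump above shows a
// foreign name in both. The hostnames and webmaster@ address are assumptions.

$allowed_hosts = array('example.com', 'www.example.com');  // hosts actually served here
$fallback_host = 'example.com';

// Return the request host only if it is on the allowlist, else the fallback.
function trusted_host(array $server, array $allowed, $fallback)
{
    $host = isset($server['HTTP_HOST']) ? strtolower($server['HTTP_HOST']) : '';
    $host = preg_replace('/:\d+$/', '', $host);            // drop an optional :port
    return in_array($host, $allowed, true) ? $host : $fallback;
}

// Replace CR/LF so a request-supplied value can never start a new mail header.
function header_safe($value)
{
    return str_replace(array("\r", "\n"), ' ', (string) $value);
}

$host    = str_replace('www.', '', trusted_host($_SERVER, $allowed_hosts, $fallback_host));
$to      = 'webmaster@' . $host;                 // recipient address, not a header line
$headers = 'From: webmaster@' . $host . "\r\n";  // headers belong in mail()'s 4th argument

$status = isset($_SERVER['REDIRECT_STATUS']) ? $_SERVER['REDIRECT_STATUS'] : 'unknown';
$body   = 'HTTP error ' . header_safe($status) . "\n";
foreach (array('REMOTE_ADDR', 'REQUEST_METHOD', 'REQUEST_URI', 'HTTP_HOST') as $key) {
    // raw request values are kept for the record, but only inside the body
    $body .= $key . ': ' . header_safe(isset($_SERVER[$key]) ? $_SERVER[$key] : '-') . "\n";
}

// Record every event in the server log (error_log, as suggested in the thread)
// so the mail can be throttled or dropped later without losing the evidence.
error_log(str_replace("\n", ' | ', trim($body)));
mail($to, 'HTTP error ' . header_safe($status), $body, $headers);
```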

  13. #13
    SitePoint Evangelist captainccs's Avatar
    Code:
    'HTTP_HOST' => 'myinfo.any-request-allowed.com',
    'SERVER_NAME' => 'myinfo.any-request-allowed.com',
    'REQUEST_URI' => 'http://myinfo.any-request-allowed.com/?strGet=get6892',
    I don't see the difference. If a visitor gets an Error 400 then he was denied access so how could he have changed anything on the server?

    The request, it seems, is trying to get a hold of a cookie...
    Code:
    'HTTP_COOKIE' => 'strCookie=cookie6892',

  14. #14
    SitePoint Evangelist
    Quote Originally Posted by captainccs View Post
    I don't see the difference. If a visitor gets an Error 400 then he was denied access so how could he have changed anything on the server?
    Yes, that's what I don't understand. They were denied access, yet (somehow ?) the contents of HTTP_HOST was modified ??

    Quote Originally Posted by captainccs View Post
    The request, it seems, is trying to get a hold of a cookie...
    Code:
    'HTTP_COOKIE' => 'strCookie=cookie6892',
    Okay thanks. The query string parsed differs most times by the same IP.

