WebmasterWorld: Webmaster General Forum

How is HTTP HOST being modified ?
Annoying attempts aimed at website
jehoshua (msg:4553026), 8:30 am on Mar 10, 2013 (gmt 0)

Quite a few 400 errors lately. Somehow, by using a URL of something like www.not-my-domain.comhttp://www.not-my-domain.com/55-93-home/strut-bladders.jpg on our website, they are able to modify HTTP_HOST?

I have a small PHP script that runs whenever a 400 error is encountered, and the $_SERVER array is sent in an email. Here are the array contents:

array (
'DOCUMENT_ROOT' => '/home/********/public_html',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'HTTP_HOST' => 'www.not-my-domain.com',
'HTTP_USER_AGENT' => 'webcollage/1.135a',
'PATH' => '/bin:/usr/bin',
'QUERY_STRING' => '',
'REDIRECT_REQUEST_METHOD' => 'GET',
'REDIRECT_STATUS' => '400',
'REDIRECT_UNIQUE_ID' => 'UTr9qswPhjQAAEMtKNMAAAAC',
'REDIRECT_URL' => '/55-93-home/strut-bladders.jpg',
'REMOTE_ADDR' => '92.xx.yy.zz',
'REMOTE_PORT' => '50066',
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => 'http://www.not-my-domain.com/55-93-home/strut-bladders.jpg',
'SCRIPT_FILENAME' => '/home/********/public_html/400error.php',
'SCRIPT_NAME' => '/400error.php',
'SERVER_ADDR' => '204.***.***.***',
'SERVER_ADMIN' => '***********@example.com',
'SERVER_NAME' => 'www.not-my-domain.com',
'SERVER_PORT' => '80',
'SERVER_PROTOCOL' => 'HTTP/1.1',
'SERVER_SIGNATURE' => '',
'SERVER_SOFTWARE' => 'Apache',
'UNIQUE_ID' => 'UTr9qswPhjQAAEMtKNMAAAAC',
'PHP_SELF' => '/400error.php',
'REQUEST_TIME' => 1362820523,
'argv' => array (
),
'argc' => 0,
)


How is HTTP_HOST being modified?

Jehoshua

[edited by: phranque at 11:09 am (utc) on Mar 11, 2013]
[edit reason] exemplified domain [/edit]

 

phranque (msg:4553074), 2:31 pm on Mar 10, 2013 (gmt 0)

what were you expecting for HTTP_HOST?
(please use example.com for your domain)

g1smd (msg:4553080), 2:58 pm on Mar 10, 2013 (gmt 0)

Handling of requests like http://www.example.com/http://www.example.com/something can be problematical. It is best to block them.

RewriteCond %{QUERY_STRING} http [NC]
RewriteRule .? - [F]

will block any request with http in the query string part of the request.

RewriteRule http - [NC,F]
will block any request with http in the path part of the request.

The above two rulesets might simplify to one ruleset
RewriteCond %{THE_REQUEST} http [NC]
RewriteRule .? - [F]


Do run Xenu LinkSleuth over your site to make sure the malformed request is not the result of a user clicking a malformed link somewhere within your own site.

lucy24 (msg:4553217), 11:31 pm on Mar 10, 2013 (gmt 0)

RewriteCond %{REQUEST_URI} !piwik
RewriteCond %{QUERY_STRING} http [NC]


;)

Probably GA as well. Someone will know. Leave off the [NC] here, because you only want to filter out the correct forms of the name.

jehoshua (msg:4553283), 4:55 am on Mar 11, 2013 (gmt 0)

what were you expecting for HTTP_HOST?
(please use example.com for your domain)


Okay, thanks, I will use example.com for my domain this time.

The request would have been www.not-my-domain.comhttp://www.not-my-domain.com/55-93-home/strut-bladders.jpg

and the $_SERVER array was:

array (
'DOCUMENT_ROOT' => '/home/********/public_html',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'HTTP_HOST' => 'www.not-my-domain.com',
'HTTP_USER_AGENT' => 'webcollage/1.135a',
'PATH' => '/bin:/usr/bin',
'QUERY_STRING' => '',
'REDIRECT_REQUEST_METHOD' => 'GET',
'REDIRECT_STATUS' => '400',
'REDIRECT_UNIQUE_ID' => 'UTr9qswPhjQAAEMtKNMAAAAC',
'REDIRECT_URL' => '/55-93-home/strut-bladders.jpg',
'REMOTE_ADDR' => '92.xx.yy.zz',
'REMOTE_PORT' => '50066',
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => 'http://www.not-my-domain.com/55-93-home/strut-bladders.jpg',
'SCRIPT_FILENAME' => '/home/********/public_html/400error.php',
'SCRIPT_NAME' => '/400error.php',
'SERVER_ADDR' => '204.***.***.***',
'SERVER_ADMIN' => '***********@example.com',
'SERVER_NAME' => 'www.not-my-domain.com',
'SERVER_PORT' => '80',
'SERVER_PROTOCOL' => 'HTTP/1.1',
'SERVER_SIGNATURE' => '',
'SERVER_SOFTWARE' => 'Apache',
'UNIQUE_ID' => 'UTr9qswPhjQAAEMtKNMAAAAC',
'PHP_SELF' => '/400error.php',
'REQUEST_TIME' => 1362820523,
'argv' => array (
),
'argc' => 0,
)


Notice that 'HTTP_HOST' => 'www.not-my-domain.com'; it should be my domain? I wouldn't have thought that anyone could modify the HTTP_HOST value.

Do run Xenu LinkSleuth over your site to make sure the malformed request is not the result of a user clicking a malformed link somewhere within your own site.


I searched here and there; it seems this is a Windows .EXE, and I run a *nix desktop. I searched for 'Link checker' under the Muon package manager; there are quite a few there.

Thanks for those rewrite rules. Here is my .htaccess now:

Options +FollowSymLinks
RewriteEngine on
# 124.***.***.*** force a 403 for any attempts to use WordPress files (other than my IP)
RewriteCond %{REMOTE_ADDR} !^124\.***\.***\.***$
# match the exact filename; "\.php?$" would only make the trailing "p" optional
RewriteRule ^(wp-login|wp-register|upgrade)\.php$ - [F]

Deny from 37.1.207.22

ErrorDocument 400 /400error.php
ErrorDocument 403 /403error.php
ErrorDocument 404 /404error.php
ErrorDocument 406 /406error.php
ErrorDocument 414 /414error.php
ErrorDocument 500 /500error.php
ErrorDocument 501 /501error.php


Where should I put the new rules, please?

[edited by: phranque at 11:07 am (utc) on Mar 11, 2013]
[edit reason] use example.com please [/edit]

phranque (msg:4553334), 8:52 am on Mar 11, 2013 (gmt 0)

'HTTP_HOST' => 'www.example.com',

Notice that HTTP_HOST' => 'www.example.com , it should be my domain ?

are you saying the example.com you are seeing for HTTP_HOST isn't your domain?

in any case, the value of HTTP_HOST is the hostname requested, so the visitor isn't changing anything and their requested hostname will only reach your server if you have configured your server to accept requests for that hostname.

HTTP/1.1: Header Field Definitions:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.23

jehoshua (msg:4553346), 9:15 am on Mar 11, 2013 (gmt 0)

are you saying the example.com you are seeing for HTTP_HOST isn't your domain?


The correct value (i.e. the value from the array) for HTTP_HOST is (for example) www.not-my-domain.com

I keep posting all the array values, in attempting to describe the problem, but someone keeps changing www.not-my-domain.com to example.com

So, the problem cannot be resolved, or even understood correctly when the array values are changed. Very frustrating.

As an overview, the only array entry that should contain my domain name (shown as example.com) is 'SERVER_ADMIN' => '**********@example.com',

All the other array entries that contain a domain name should be of the value not-my-domain.com

not-my-domain.com is not my domain

in any case, the value of HTTP_HOST is the hostname requested, so the visitor isn't changing anything and their requested hostname will only reach your server if you have configured your server to accept requests for that hostname.


But the hostname would have been example.com (my domain name), and the URI would have been www.example.comhttp://www.not-my-domain.com/55-93-home/strut-bladders.jpg

[edited by: phranque at 10:40 am (utc) on Mar 11, 2013]
[edit reason] exemplified "not-my-domain" domain [/edit]

phranque (msg:4553375), 10:57 am on Mar 11, 2013 (gmt 0)

<mod>
since i misunderstood the problem description when exemplifying jehoshua's previous posts, i am reposting a "properly exemplified" version of the $_SERVER array dump below:
array (
'DOCUMENT_ROOT' => '/home/********/public_html',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'HTTP_HOST' => 'www.not-my-domain.com',
'HTTP_USER_AGENT' => 'webcollage/1.135a',
'PATH' => '/bin:/usr/bin',
'QUERY_STRING' => '',
'REDIRECT_REQUEST_METHOD' => 'GET',
'REDIRECT_STATUS' => '400',
'REDIRECT_UNIQUE_ID' => 'UTr9qswPhjQAAEMtKNMAAAAC',
'REDIRECT_URL' => '/55-93-home/strut-bladders.jpg',
'REMOTE_ADDR' => '92.xx.yy.zz',
'REMOTE_PORT' => '50066',
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => 'http://www.not-my-domain.com/55-93-home/strut-bladders.jpg',
'SCRIPT_FILENAME' => '/home/********/public_html/400error.php',
'SCRIPT_NAME' => '/400error.php',
'SERVER_ADDR' => '204.***.***.***',
'SERVER_ADMIN' => '***********@example.com',
'SERVER_NAME' => 'www.not-my-domain.com',
'SERVER_PORT' => '80',
'SERVER_PROTOCOL' => 'HTTP/1.1',
'SERVER_SIGNATURE' => '',
'SERVER_SOFTWARE' => 'Apache',
'UNIQUE_ID' => 'UTr9qswPhjQAAEMtKNMAAAAC',
'PHP_SELF' => '/400error.php',
'REQUEST_TIME' => 1362820523,
'argv' => array (
),
'argc' => 0,
)


i have also made this edit to jehoshua's original and subsequent posts to clarify the problem statement but a couple of other posts may be a bit confusing post-edit.
sorry for the mess!
</mod>


jehoshua:
it looks like your attacker has specified your server's IP address in the DNS configuration for not-my-domain.com and your server is probably configured to accept any hostname requested.
you should add some directives to your server config or .htaccess file to specify the hostname for your virtual server or forbid access to any requests for any domain other than yours.

[edited by: phranque at 11:14 am (utc) on Mar 11, 2013]
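As an added example (not code from the thread or from any of the posters), this is how phranque's two suggestions look in practice: a catch-all default virtual host that refuses any hostname you have not configured, plus .htaccess rules for shared hosting where httpd.conf is out of reach. The domain names, document roots and the Apache 2.2 access syntax (matching the "Deny from" line already in jehoshua's file) are assumptions; one caveat worth knowing is that when a client sends an absolute URI in the request line, the hostname in that URI takes precedence over the Host header (RFC 2616 section 5.2), which is why HTTP_HOST and SERVER_NAME both show the foreign name in the dump.

```apache
# ---- httpd.conf (assumed layout) ----
# The FIRST <VirtualHost> for an address:port pair is Apache's default.
# A Host header (or absolute-URI hostname) that matches no ServerName or
# ServerAlias lands here, so a foreign name pointed at this IP gets a 403
# instead of being served your site under that name.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/empty
    <Directory "/var/www/empty">
        Order deny,allow
        Deny from all
        # Apache 2.4: "Require all denied" replaces the two lines above
    </Directory>
</VirtualHost>

# The real site: only these names reach the document root.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    # SERVER_NAME is then taken from ServerName, not from the request
    UseCanonicalName On
    DocumentRoot /home/user/public_html
</VirtualHost>

# ---- .htaccess (shared hosting, no access to httpd.conf) ----
# Place the [F] rules directly after "RewriteEngine on" and before any
# other rules, so a bad request is refused before anything else runs.
Options +FollowSymLinks
RewriteEngine on

# 1. Forbid any hostname that is not ours (an optional ":80" suffix is
#    allowed). An empty Host, as sent by HTTP/1.0 clients, also fails
#    the match and is refused.
RewriteCond %{HTTP_HOST} !^(www\.)?example\.com(:80)?$ [NC]
RewriteRule ^ - [F]

# 2. Forbid request lines written as absolute URIs, e.g.
#    "GET http://www.example.net/55-93-home/strut-bladders.jpg HTTP/1.1",
#    the form behind the REQUEST_URI in the dump. THE_REQUEST holds the
#    raw request line, so the scheme is visible here and nowhere else.
RewriteCond %{THE_REQUEST} ^[A-Z]+\s+https?:// [NC]
RewriteRule ^ - [F]

ErrorDocument 403 /403error.php
```

Rule 2 is stricter than g1smd's "http anywhere" variant because it anchors on the scheme at the start of the request path, so a legitimate query string that merely contains the word http (lucy24's piwik case) is not caught.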

g1smd (msg:4553376), 11:00 am on Mar 11, 2013 (gmt 0)

You have to use example dot something in this forum. Any other hostname is converted to a link and the code is unreadable.

Use example.com for your domain and example.net for not your domain and all will be clear.

jehoshua (msg:4555999), 8:13 am on Mar 18, 2013 (gmt 0)

Thanks for your replies.
