
Forum Moderators: phranque


How is HTTP HOST being modified ?

Annoying attempts aimed at website

     

jehoshua

8:30 am on Mar 10, 2013 (gmt 0)




Quite a few 400 errors lately. Somehow by using a url of something like www.not-my-domain.comhttp://www.not-my-domain.com/55-93-home/strut-bladders.jpg on our website, they are able to modify HTTP_HOST ?

Have a small php script that runs whenever a 400 error is encountered, and the array $_SERVER is sent in an email. Here is the array contents ..

array (
'DOCUMENT_ROOT' => '/home/********/public_html',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'HTTP_HOST' => 'www.not-my-domain.com',
'HTTP_USER_AGENT' => 'webcollage/1.135a',
'PATH' => '/bin:/usr/bin',
'QUERY_STRING' => '',
'REDIRECT_REQUEST_METHOD' => 'GET',
'REDIRECT_STATUS' => '400',
'REDIRECT_UNIQUE_ID' => 'UTr9qswPhjQAAEMtKNMAAAAC',
'REDIRECT_URL' => '/55-93-home/strut-bladders.jpg',
'REMOTE_ADDR' => '92.xx.yy.zz',
'REMOTE_PORT' => '50066',
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => 'http://www.not-my-domain.com/55-93-home/strut-bladders.jpg',
'SCRIPT_FILENAME' => '/home/********/public_html/400error.php',
'SCRIPT_NAME' => '/400error.php',
'SERVER_ADDR' => '204.***.***.***',
'SERVER_ADMIN' => '***********@example.com',
'SERVER_NAME' => 'www.not-my-domain.com',
'SERVER_PORT' => '80',
'SERVER_PROTOCOL' => 'HTTP/1.1',
'SERVER_SIGNATURE' => '',
'SERVER_SOFTWARE' => 'Apache',
'UNIQUE_ID' => 'UTr9qswPhjQAAEMtKNMAAAAC',
'PHP_SELF' => '/400error.php',
'REQUEST_TIME' => 1362820523,
'argv' => array (
),
'argc' => 0,
)


How is HTTP_HOST being modified ?

Jehoshua

[edited by: phranque at 11:09 am (utc) on Mar 11, 2013]
[edit reason] exemplified domain [/edit]

phranque

2:31 pm on Mar 10, 2013 (gmt 0)




what were you expecting for HTTP_HOST?
(please use example.com for your domain)

g1smd

2:58 pm on Mar 10, 2013 (gmt 0)




Handling of requests like http://www.example.com/http://www.example.com/something can be problematical. It is best to block them.

RewriteCond %{QUERY_STRING} http [NC]
RewriteRule .? - [F]

will block any request with http in the query string part of the request.

RewriteRule http - [NC,F]

will block any request with http in the path part of the request.

The above two rulesets might simplify to one ruleset
RewriteCond %{THE_REQUEST} http [NC]
RewriteRule .? - [F]


Do run Xenu LinkSleuth over your site to make sure the malformed request is not the result of a user clicking a malformed link somewhere within your own site.

lucy24

11:31 pm on Mar 10, 2013 (gmt 0)




RewriteCond %{REQUEST_URI} !piwik
RewriteCond %{QUERY_STRING} http [NC]


;)

Probably GA as well. Someone will know. Leave off the [NC] here, because you only want to filter out the correct forms of the name.

jehoshua

4:55 am on Mar 11, 2013 (gmt 0)




what were you expecting for HTTP_HOST?
(please use example.com for your domain)


Okay, thanks, I will use example.com for my domain this time.

The request would have been www.not-my-domain.comhttp://www.not-my-domain.com/55-93-home/strut-bladders.jpg

and the array $_SERVER was ..

array (
'DOCUMENT_ROOT' => '/home/********/public_html',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'HTTP_HOST' => 'www.not-my-domain.com',
'HTTP_USER_AGENT' => 'webcollage/1.135a',
'PATH' => '/bin:/usr/bin',
'QUERY_STRING' => '',
'REDIRECT_REQUEST_METHOD' => 'GET',
'REDIRECT_STATUS' => '400',
'REDIRECT_UNIQUE_ID' => 'UTr9qswPhjQAAEMtKNMAAAAC',
'REDIRECT_URL' => '/55-93-home/strut-bladders.jpg',
'REMOTE_ADDR' => '92.xx.yy.zz',
'REMOTE_PORT' => '50066',
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => 'http://www.not-my-domain.com/55-93-home/strut-bladders.jpg',
'SCRIPT_FILENAME' => '/home/********/public_html/400error.php',
'SCRIPT_NAME' => '/400error.php',
'SERVER_ADDR' => '204.***.***.***',
'SERVER_ADMIN' => '***********@example.com',
'SERVER_NAME' => 'www.not-my-domain.com',
'SERVER_PORT' => '80',
'SERVER_PROTOCOL' => 'HTTP/1.1',
'SERVER_SIGNATURE' => '',
'SERVER_SOFTWARE' => 'Apache',
'UNIQUE_ID' => 'UTr9qswPhjQAAEMtKNMAAAAC',
'PHP_SELF' => '/400error.php',
'REQUEST_TIME' => 1362820523,
'argv' => array (
),
'argc' => 0,
)


Notice that HTTP_HOST' => 'www.not-my-domain.com , it should be my domain ? I wouldn't have thought that anyone could modify HTTP_HOST value.

Do run Xenu LinkSleuth over your site to make sure the malformed request is not the result of a user clicking a malformed link somewhere within your own site.


I searched here and there; seems this is a Windows .EXE; I run a *nix desktop. I searched for 'Link checker' under Muon package manager; quite a few there.

Thanks to and for those rewrite rules. Here is my .htaccess now ..

Options +FollowSymLinks
RewriteEngine on
# 124.***.***.*** force a 403 for any attempts to use WordPress files (other than my IP)
RewriteCond %{REMOTE_ADDR} !^124\.***\.***\.***$
RewriteRule ^(wp-login|wp-register|upgrade)\.php?$ - [F]

Deny from 37.1.207.22

ErrorDocument 400 /400error.php
ErrorDocument 403 /403error.php
ErrorDocument 404 /404error.php
ErrorDocument 406 /406error.php
ErrorDocument 414 /414error.php
ErrorDocument 500 /500error.php
ErrorDocument 501 /501error.php


where should I put the new rules please ?

[edited by: phranque at 11:07 am (utc) on Mar 11, 2013]
[edit reason] use example.com please [/edit]

phranque

8:52 am on Mar 11, 2013 (gmt 0)




'HTTP_HOST' => 'www.example.com',

Notice that HTTP_HOST' => 'www.example.com , it should be my domain ?

are you saying the example.com you are seeing for HTTP_HOST isn't your domain?

in any case, the value of HTTP_HOST is the hostname requested, so the visitor isn't changing anything and their requested hostname will only reach your server if you have configured your server to accept requests for that hostname.

HTTP/1.1: Header Field Definitions:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.23

jehoshua

9:15 am on Mar 11, 2013 (gmt 0)




are you saying the example.com you are seeing for HTTP_HOST isn't your domain?


The correct value (i.e. the value from the array) for HTTP_HOST is (for example) www.not-my-domain.com

I keep posting all the array values, in attempting to describe the problem, but someone keeps changing www.not-my-domain.com to example.com

So, the problem cannot be resolved, or even understood correctly when the array values are changed. Very frustrating.

As an overview, the only array entry that should contain my domain name (shown as example.com) is 'SERVER_ADMIN' => '**********@example.com',

All the other array entries that contain a domain name should be of the value not-my-domain.com

not-my-domain.com is not my domain

in any case, the value of HTTP_HOST is the hostname requested, so the visitor isn't changing anything and their requested hostname will only reach your server if you have configured your server to accept requests for that hostname.


But the hostname would have been example.com (my domain name), and the uri would have been www.example.comhttp://www.not-my-domain.com/55-93-home/strut-bladders.jpg

[edited by: phranque at 10:40 am (utc) on Mar 11, 2013]
[edit reason] exemplified "not-my-domain" domain [/edit]

phranque

10:57 am on Mar 11, 2013 (gmt 0)




<mod>
since i misunderstood the problem description when exemplifying jehoshua's previous posts, i am reposting a "properly exemplified" version of the $_SERVER array dump below:
array (
'DOCUMENT_ROOT' => '/home/********/public_html',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'HTTP_HOST' => 'www.not-my-domain.com',
'HTTP_USER_AGENT' => 'webcollage/1.135a',
'PATH' => '/bin:/usr/bin',
'QUERY_STRING' => '',
'REDIRECT_REQUEST_METHOD' => 'GET',
'REDIRECT_STATUS' => '400',
'REDIRECT_UNIQUE_ID' => 'UTr9qswPhjQAAEMtKNMAAAAC',
'REDIRECT_URL' => '/55-93-home/strut-bladders.jpg',
'REMOTE_ADDR' => '92.xx.yy.zz',
'REMOTE_PORT' => '50066',
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => 'http://www.not-my-domain.com/55-93-home/strut-bladders.jpg',
'SCRIPT_FILENAME' => '/home/********/public_html/400error.php',
'SCRIPT_NAME' => '/400error.php',
'SERVER_ADDR' => '204.***.***.***',
'SERVER_ADMIN' => '***********@example.com',
'SERVER_NAME' => 'www.not-my-domain.com',
'SERVER_PORT' => '80',
'SERVER_PROTOCOL' => 'HTTP/1.1',
'SERVER_SIGNATURE' => '',
'SERVER_SOFTWARE' => 'Apache',
'UNIQUE_ID' => 'UTr9qswPhjQAAEMtKNMAAAAC',
'PHP_SELF' => '/400error.php',
'REQUEST_TIME' => 1362820523,
'argv' => array (
),
'argc' => 0,
)


i have also made this edit to jehoshua's original and subsequent posts to clarify the problem statement but a couple of other posts may be a bit confusing post-edit.
sorry for the mess!
</mod>


jehoshua:
it looks like your attacker has specified your server's IP address in the DNS configuration for not-my-domain.com and your server is probably configured to accept any hostname requested.
you should add some directives to your server config or .htaccess file to specify the hostname for your virtual server or forbid access to any requests for any domain other than yours.

[edited by: phranque at 11:14 am (utc) on Mar 11, 2013]
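
How a server arrives at the HTTP_HOST value discussed above, as an added example that is not from any poster in this thread: under RFC 2616 section 5.2 an absolute-URI request target (the form seen in REQUEST_URI in the dump) takes precedence over the Host header, and a foreign Host header on an ordinary request produces the same value, so the check against the site's own hostnames covers both. The function names, `ALLOWED_HOSTS` and the sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the site's own hostnames, using the thread's example.com placeholder.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def effective_host(raw_request: bytes) -> str:
    """Host the server acts on: per RFC 2616 section 5.2 an absolute-URI
    request target takes precedence over the Host header."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    target = parts[1]
    hosts = [h.split(":", 1)[1].strip() for h in header_lines
             if h.lower().startswith("host:")]
    if target.lower().startswith(("http://", "https://")):
        netloc = urlsplit(target).netloc   # absolute form: Host header is ignored
    elif len(hosts) == 1:
        netloc = hosts[0]                  # origin form: Host header decides
    else:
        raise ValueError("missing or duplicate Host header")
    # Drop any port and trailing dot; hostname is returned lower-cased.
    return (urlsplit("//" + netloc).hostname or "").rstrip(".")


def check(raw_request: bytes):
    """Return (effective host, allowed?) for one raw request."""
    host = effective_host(raw_request)
    return host, host in ALLOWED_HOSTS


# Constructed sample requests (the thread shows only the resulting $_SERVER dump).
NORMAL = b"GET /index.html HTTP/1.1\r\nHost: www.example.com:80\r\n\r\n"
ABSOLUTE_TARGET = (
    b"GET http://www.not-my-domain.com/55-93-home/strut-bladders.jpg HTTP/1.1\r\n"
    b"Host: www.example.com\r\nUser-Agent: webcollage/1.135a\r\n\r\n")
FOREIGN_HOST_HEADER = (b"GET /55-93-home/strut-bladders.jpg HTTP/1.1\r\n"
                       b"Host: www.not-my-domain.com\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("normal", NORMAL), ("absolute target", ABSOLUTE_TARGET),
                      ("foreign Host header", FOREIGN_HOST_HEADER)]:
        print(name, check(req))
```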

g1smd

11:00 am on Mar 11, 2013 (gmt 0)




You have to use example dot something in this forum. Any other hostname is converted to a link and the code is unreadable.

Use example.com for your domain and example.net for not your domain and all will be clear.

jehoshua

8:13 am on Mar 18, 2013 (gmt 0)




Thanks for your replies.
 
