How is HTTP HOST being modified ?

Annoying attempts aimed at website

     
8:30 am on Mar 10, 2013 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 15, 2004
posts: 73
votes: 0


Quite a few 400 errors lately. Somehow by using a url of something like www.not-my-domain.comhttp://www.not-my-domain.com/55-93-home/strut-bladders.jpg on our website, they are able to modify HTTP_HOST ?

Have a small php script that runs whenever a 400 error is encountered, and the array $_SERVER is sent in an email. Here is the array contents ..

array (
'DOCUMENT_ROOT' => '/home/********/public_html',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'HTTP_HOST' => 'www.not-my-domain.com',
'HTTP_USER_AGENT' => 'webcollage/1.135a',
'PATH' => '/bin:/usr/bin',
'QUERY_STRING' => '',
'REDIRECT_REQUEST_METHOD' => 'GET',
'REDIRECT_STATUS' => '400',
'REDIRECT_UNIQUE_ID' => 'UTr9qswPhjQAAEMtKNMAAAAC',
'REDIRECT_URL' => '/55-93-home/strut-bladders.jpg',
'REMOTE_ADDR' => '92.xx.yy.zz',
'REMOTE_PORT' => '50066',
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => 'http://www.not-my-domain.com/55-93-home/strut-bladders.jpg',
'SCRIPT_FILENAME' => '/home/********/public_html/400error.php',
'SCRIPT_NAME' => '/400error.php',
'SERVER_ADDR' => '204.***.***.***',
'SERVER_ADMIN' => '***********@example.com',
'SERVER_NAME' => 'www.not-my-domain.com',
'SERVER_PORT' => '80',
'SERVER_PROTOCOL' => 'HTTP/1.1',
'SERVER_SIGNATURE' => '',
'SERVER_SOFTWARE' => 'Apache',
'UNIQUE_ID' => 'UTr9qswPhjQAAEMtKNMAAAAC',
'PHP_SELF' => '/400error.php',
'REQUEST_TIME' => 1362820523,
'argv' => array (
),
'argc' => 0,
)


How is HTTP_HOST being modified ?

Jehoshua

[edited by: phranque at 11:09 am (utc) on Mar 11, 2013]
[edit reason] exemplified domain [/edit]

2:31 pm on Mar 10, 2013 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10544
votes: 8


what were you expecting for HTTP_HOST?
(please use example.com for your domain)

2:58 pm on Mar 10, 2013 (gmt 0)

Senior Member

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:July 3, 2002
posts:18903
votes: 0


Handling of requests like http://www.example.com/http://www.example.com/something can be problematical. It is best to block them.

RewriteCond %{QUERY_STRING} http [NC]
RewriteRule .? - [F]

will block any request with http in the query string part of the request.

RewriteRule http - [NC,F]

will block any request with http in the path part of the request.

The above two rulesets might simplify to one ruleset
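# match "http" only inside the request target; an unanchored "http" with [NC] also matches the trailing HTTP/1.1 token of every request
RewriteCond %{THE_REQUEST} ^\S+\s+\S*http [NC]
RewriteRule .? - [F]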


Do run Xenu LinkSleuth over your site to make sure the malformed request is not the result of a user clicking a malformed link somewhere within your own site.

11:31 pm on Mar 10, 2013 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month

joined:Apr 9, 2011
posts:12716
votes: 244


RewriteCond %{REQUEST_URI} !piwik
RewriteCond %{QUERY_STRING} http [NC]


;)

Probably GA as well. Someone will know. Leave off the [NC] here, because you only want to filter out the correct forms of the name.

4:55 am on Mar 11, 2013 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 15, 2004
posts: 73
votes: 0


what were you expecting for HTTP_HOST?
(please use example.com for your domain)


Okay, thanks, I will use example.com for my domain this time.

The request would have been www.not-my-domain.comhttp://www.not-my-domain.com/55-93-home/strut-bladders.jpg

and the array $_SERVER was ..

array (
'DOCUMENT_ROOT' => '/home/********/public_html',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'HTTP_HOST' => 'www.not-my-domain.com',
'HTTP_USER_AGENT' => 'webcollage/1.135a',
'PATH' => '/bin:/usr/bin',
'QUERY_STRING' => '',
'REDIRECT_REQUEST_METHOD' => 'GET',
'REDIRECT_STATUS' => '400',
'REDIRECT_UNIQUE_ID' => 'UTr9qswPhjQAAEMtKNMAAAAC',
'REDIRECT_URL' => '/55-93-home/strut-bladders.jpg',
'REMOTE_ADDR' => '92.xx.yy.zz',
'REMOTE_PORT' => '50066',
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => 'http://www.not-my-domain.com/55-93-home/strut-bladders.jpg',
'SCRIPT_FILENAME' => '/home/********/public_html/400error.php',
'SCRIPT_NAME' => '/400error.php',
'SERVER_ADDR' => '204.***.***.***',
'SERVER_ADMIN' => '***********@example.com',
'SERVER_NAME' => 'www.not-my-domain.com',
'SERVER_PORT' => '80',
'SERVER_PROTOCOL' => 'HTTP/1.1',
'SERVER_SIGNATURE' => '',
'SERVER_SOFTWARE' => 'Apache',
'UNIQUE_ID' => 'UTr9qswPhjQAAEMtKNMAAAAC',
'PHP_SELF' => '/400error.php',
'REQUEST_TIME' => 1362820523,
'argv' => array (
),
'argc' => 0,
)


Notice that HTTP_HOST' => 'www.not-my-domain.com , it should be my domain ? I wouldn't have thought that anyone could modify HTTP_HOST value.

Do run Xenu LinkSleuth over your site to make sure the malformed request is not the result of a user clicking a malformed link somewhere within your own site.


I searched here and there; seems this is a Windows .EXE; I run a *nix desktop. I searched for 'Link checker' under Muon package manager; quite a few there.

Thanks to and for those rewrite rules. Here is my .htaccess now ..

Options +FollowSymLinks
RewriteEngine on
# 124.***.***.*** force a 403 for any attempts to use WordPress files (other than my IP)
RewriteCond %{REMOTE_ADDR} !^124\.***\.***\.***$
RewriteRule ^(wp-login|wp-register|upgrade)\.php?$ - [F]

Deny from 37.1.207.22

ErrorDocument 400 /400error.php
ErrorDocument 403 /403error.php
ErrorDocument 404 /404error.php
ErrorDocument 406 /406error.php
ErrorDocument 414 /414error.php
ErrorDocument 500 /500error.php
ErrorDocument 501 /501error.php


where should I put the new rules please ?

[edited by: phranque at 11:07 am (utc) on Mar 11, 2013]
[edit reason] use example.com please [/edit]

8:52 am on Mar 11, 2013 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10544
votes: 8


'HTTP_HOST' => 'www.example.com',

Notice that HTTP_HOST' => 'www.example.com , it should be my domain ?

are you saying the example.com you are seeing for HTTP_HOST isn't your domain?

in any case, the value of HTTP_HOST is the hostname requested, so the visitor isn't changing anything and their requested hostname will only reach your server if you have configured your server to accept requests for that hostname.

HTTP/1.1: Header Field Definitions:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.23

9:15 am on Mar 11, 2013 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 15, 2004
posts: 73
votes: 0


are you saying the example.com you are seeing for HTTP_HOST isn't your domain?


The correct value (i.e. the value from the array) for HTTP_HOST is (for example) www.not-my-domain.com

I keep posting all the array values, in attempting to describe the problem, but someone keeps changing www.not-my-domain.com to example.com

So, the problem cannot be resolved, or even understood correctly when the array values are changed. Very frustrating.

As an overview, the only array entry that should contain my domain name (shown as example.com) is 'SERVER_ADMIN' => '**********@example.com',

All the other array entries that contain a domain name should be of the value not-my-domain.com

not-my-domain.com is not my domain

in any case, the value of HTTP_HOST is the hostname requested, so the visitor isn't changing anything and their requested hostname will only reach your server if you have configured your server to accept requests for that hostname.


But the hostname would have been example.com (my domain name), and the uri would have been www.example.comhttp://www.not-my-domain.com/55-93-home/strut-bladders.jpg

[edited by: phranque at 10:40 am (utc) on Mar 11, 2013]
[edit reason] exemplified "not-my-domain" domain [/edit]

10:57 am on Mar 11, 2013 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10544
votes: 8


<mod>
since i misunderstood the problem description when exemplifying jehoshua's previous posts, i am reposting a "properly exemplified" version of the $_SERVER array dump below:
array (
'DOCUMENT_ROOT' => '/home/********/public_html',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'HTTP_HOST' => 'www.not-my-domain.com',
'HTTP_USER_AGENT' => 'webcollage/1.135a',
'PATH' => '/bin:/usr/bin',
'QUERY_STRING' => '',
'REDIRECT_REQUEST_METHOD' => 'GET',
'REDIRECT_STATUS' => '400',
'REDIRECT_UNIQUE_ID' => 'UTr9qswPhjQAAEMtKNMAAAAC',
'REDIRECT_URL' => '/55-93-home/strut-bladders.jpg',
'REMOTE_ADDR' => '92.xx.yy.zz',
'REMOTE_PORT' => '50066',
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => 'http://www.not-my-domain.com/55-93-home/strut-bladders.jpg',
'SCRIPT_FILENAME' => '/home/********/public_html/400error.php',
'SCRIPT_NAME' => '/400error.php',
'SERVER_ADDR' => '204.***.***.***',
'SERVER_ADMIN' => '***********@example.com',
'SERVER_NAME' => 'www.not-my-domain.com',
'SERVER_PORT' => '80',
'SERVER_PROTOCOL' => 'HTTP/1.1',
'SERVER_SIGNATURE' => '',
'SERVER_SOFTWARE' => 'Apache',
'UNIQUE_ID' => 'UTr9qswPhjQAAEMtKNMAAAAC',
'PHP_SELF' => '/400error.php',
'REQUEST_TIME' => 1362820523,
'argv' => array (
),
'argc' => 0,
)


i have also made this edit to jehoshua's original and subsequent posts to clarify the problem statement but a couple of other posts may be a bit confusing post-edit.
sorry for the mess!
</mod>


jehoshua:
it looks like your attacker has specified your server's IP address in the DNS configuration for not-my-domain.com and your server is probably configured to accept any hostname requested.
you should add some directives to your server config or .htaccess file to specify the hostname for your virtual server or forbid access to any requests for any domain other than yours.

[edited by: phranque at 11:14 am (utc) on Mar 11, 2013]
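
Added example, not part of any post in this thread: a Python sketch of how the requested hostname is derived from the request line and Host header under RFC 2616 section 5.2, and of the "forbid anything that is not my domain" check phranque recommends. The allowlist, function names and sample requests are assumptions constructed for illustration; the "thread" sample mirrors the REQUEST_URI, HTTP_HOST and user agent in the posted $_SERVER dump.

```python
from urllib.parse import urlsplit

# Assumption: the only hostnames this site is meant to answer for.
ALLOWED_HOSTS = {"example.com", "www.example.com"}

def effective_host(raw_request: bytes):
    """Return (target_form, host) for a raw HTTP/1.1 request head (RFC 2616 5.2)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        return ("malformed", None)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    target = parts[1]
    try:
        if target.lower().startswith(("http://", "https://")):
            # absoluteURI: the host is taken from the request line, Host is ignored
            form, host = "absolute", urlsplit(target).hostname
        else:
            # path-only target: the host is taken from the Host header, port stripped
            form, host = "origin", urlsplit("//" + headers.get("host", "")).hostname
    except ValueError:  # e.g. an unbalanced "[" in the host part
        return ("malformed", None)
    return (form, host.rstrip(".") if host else None)

def verdict(raw_request: bytes) -> str:
    """Serve only when the effective host is one of ours."""
    _, host = effective_host(raw_request)
    return "serve" if host in ALLOWED_HOSTS else "forbid"

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal": b"GET /55-93-home/strut-bladders.jpg HTTP/1.1\r\n"
              b"Host: www.example.com\r\n\r\n",
    "thread": b"GET http://www.not-my-domain.com/55-93-home/strut-bladders.jpg HTTP/1.1\r\n"
              b"Host: www.not-my-domain.com\r\nUser-Agent: webcollage/1.135a\r\n\r\n",
    # Host header names our site, but the absolute URI names someone else's
    "mismatch": b"GET http://www.not-my-domain.com/ HTTP/1.1\r\n"
                b"Host: www.example.com\r\n\r\n",
    "no_host": b"GET / HTTP/1.1\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, effective_host(raw), verdict(raw))
```

The "mismatch" sample shows why a check that reads only the Host header is not enough when the request line carries an absolute URI.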

11:00 am on Mar 11, 2013 (gmt 0)

Senior Member

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:July 3, 2002
posts:18903
votes: 0


You have to use example dot something in this forum. Any other hostname is converted to a link and the code is unreadable.

Use example.com for your domain and example.net for not your domain and all will be clear.

8:13 am on Mar 18, 2013 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 15, 2004
posts: 73
votes: 0


Thanks for your replies.
 
