PHP Exploit URL foxes Apache

There are a lot of smart people out there who know way too much about computers and software and stuff, like this guy: ‘Perishable Press‘. So, can someone clever please tell me why this simple url hangs up a bunch of seemingly dissimilar web servers:


My banana was once part of a bunch very similar to this one

My banana was once part of a bunch very similar to this one

Here’s the deal – when someone asks for a webpage on Scamdex that doesn’t exist, it shoots me a quick email to tell me about it. That way I can see if anything is broken and if anyone is trying to hack my site. My normal response to obviousl hack-attempts  is to block the IP address or use .htaccess rewrite rules to send them to an oh-so-friendly  ‘go away page‘ :).

In this case, the URL carries a payload that is itself a  link to a file on a remote site, which it hopes I will allow to run on my server. The code (which is reproduced in it’s entirety here) will, if allowed to run, return the word ‘FeelCoMz’ to the ‘sKriptKiDee’, aka ‘Wanker’  on the sending end.

<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>

So… it didn’t work, I trapped it and it raised a red flag, but then why, when I try the URL does it make a browser stand blinking like a deer in the proverbial headlights for 120 seconds before falling flat on it’s back?

Analyzing the url gets me to this reduction of required parts:

* any .php file path.
* any query string, that contains a ‘http://’ in
* must have a file extension such as txt, gif, png etc.
* must have the trailing ‘?’

will cause the same problem on an awful lot of famous name servers. For example, including mine: scamdex.com, uniplex.com, google.com, microsoft.com, amazon.com etc etc.

For example, in the following link, everything except ‘www.amazon.com’ is made up


but it still exhibits the same behaviour – WTF is going on?

and why, oh why can’t I detect it in my .htaccess file?

First person to:
1. Tell me why it’s happening.
2. Tell me how to detect it and stop it happening.
3. Tell me why Google hates me.

gets a really major serious prize like my personal desktop banana, or this lovely (chipped) coffee mug with the name of a football club I don’t support on it – or even my second best earphones.

Good luck!


Still no replies and it’s still happening…. where have all the gurus gone?

… From CPanel to …. what??

I am an old Unix dude, I have installed more different versions of Unix than most people – Everything from Sco Xenix/286 thru to Centos5.2 and I don’t usually have much problems – but as time wears on, my brainDisk is starting to squeal and it’s not as fast at random access as it used to be so I was really happy when I rented a server with Cpanel/WHM installed on it.
For those who don’t know, Cpanel is the web-based interface to everything you will never learn on a Unix server – plus, the WHM super system allows you to carve off a chunk and sell it or give it away to your pals, reasonably confident that they won’t/can’t screw it up.
Add in virtual web/mail/log server management and lots of useful pre-installed tools and you have a system where you rarely have to get your hands dirty under the #hood.

Well, I love Cpanel now and I have grown to rely on it (curses!) so when it comes to creating my own server, so I can save money on a dedicated one I find I need it to get things done (and my old stuff transferred.

The problem with CP is that it costs $$money. between $30 and $48/month. and. I. just. don’t. want. to. pay. that. any. more….. so….

Piracy is out – mainly because you need to register the license with CP and also because that’s bad!:'(

Perhaps I could install it, setup my system the way I want and then after a month or so, hand it back??

well, no apparently – most people (Including themselves) seem to be of the opinion that to uninstall CP, you should really re-install Linux…. kind of defeats my object here!

so…. alternatives, anyone?

There are a few – some other commercial (pay $$ for) such as DirectAdmin and some Public Domain ones (Web-CP, WebMin/VirtualMin). So I started evaluating these free Cpanel Alternatives ….

1. WebMin/VirtualMin

Looks like it will do the job – only one of the alts that I’ve heard of and actually used before. Installs easily enough and looks nice – has a fine range of functionality but what lets it down is it’s non-simplicity. Cpanel’s approach is to show you a bunch of things that you may want to do and asks sensible questions (with usually relevant tooltips close by) so help you accomplish your requirements.  WebMin takes the ‘I’ll help you to write the configuration files correctly’ approach – you really have to know what you’re doing and in a lot of cases, the input fields are just blank with no clue as to what to put there.

WebMin Configuring Backup Example Screenshot

WebMin Configuring Backup Example Screenshot

This probably highlights the major difference between CPanel/WHM and the rest of the Server Admin systems out there – CP/WHM does some pretty radical things to your server when you install it and this is why it’s so hard to uninstall. The other systems kind of leave things as they are and just act as configuration helpers. As an example, see the two screenshots of the ‘backup’ functions.

Cpanel Domain Owner Backup Page

Cpanel Domain Owner Backup Page

2. Web-CP

Much, much, harder to install and harder to find the installation instructions too. but seems pretty good so far.

I had problems with the PHP startup scripts being written with DOS line endings which confused the life out of me for a while until I found it.  Still not able to start the system up but suspect it’s something to do with the line that reads:

$args = trim(next($HTTP_SERVER_VARS[“argv”]));

# Shouldn’t that just be ARGV for shell scripts?)

… I’ll continue and let you know how I get on.

Eggs is eggs? – No, not really!

This is a Chicken, but is it a Free-Range one?

Came across this fascinating scam – selling battery-farmed eggs as ‘Free Range’.

British consumers are eggstremely conscious about where their food comes from. (Way more so than Americans who like not to think of such yukky subjects).

So – Big thumbs down to GMOs (Genetically Modified foods), and a rather hard stare (ala Paddington Bear) to those who farm animals with disregard to their comfort and safety. So imagine the horror when it is revealed that the purchasers of ‘animal-friendly’ eggs, supposedly from Free-Range chickens turns out to be just the usualThis is a Chicken, but is it a Free-Range one? mass-produced crud from the despised battery farming methods (cramped cages, de-beaking, chemical feeds, miserable life cycle).

Anyway, here’s the story from the Newcastle, UK based Northern Farming Journal

Egg sales scam is much bigger than feared

A scam involving eggs laid by battery hens in Europe being sold as free-range or organic in UK supermarkets is 10 times bigger than previously feared.

Consumers may have been duped into paying higher prices for more than 500 million mislabelled eggs over five years.

Investigators from Defra are continuing their investigation into the scale of egg fraud in Britain, although they stressed that they do not believe mislabelled eggs are still being traded. However, free range egg producers in the North-East said it was important that the fraudsters were caught and brought to justice.

Christine Jackson of Sunny Hill Eggs, near Berwick, said: “It is very important for the goodwill of our consumers that we have integrity in the production of Sunny Hill Eggs, follow all the welfare codes we adhere to and also have integrity in the marketing and retailing of our product.

“So you can be sure that at Sunny Hill Eggs all of our eggs are produced and marketed according to strict Lion Code and Freedom Food Practice and at Sunnyhill all of our hens are happy hens.

Contract Killer Scam

Experts at SophosLabsâ„¢, Sophos’s spam analysis centers, have warned of a spam email that pretends to come from a professional hitman, hired to kill the recipient, but are really interested in stealing money.The emails claim that the recipient has been stalked by a hired assassin for 10 days, but that the hitman is prepared to drop the contract if he is paid a total of $80,000. Upon receiving an initial advance payment of $20,000 the hitman claims that he will produce taped evidence of the contract to kill the reader of the email.

Part of the email, which start with a cheery greeting of “Good day” and can have a subject line of “Read this to be safe and a new life in this new year”, reads:

Do not contact the police or F.B.I. or try to send a copy of this to them, because if you do i will know, and might be pushed to do what i have being paid to do, beside, this is the first time I turned out to be a betrayer in my job.

According to Sophos experts, once a victim has been drawn into the scam, requests can be made from the fraudster for private information which may lead to requests for money, stolen identities, and financial theft.

Read Story on Sophos Site 

Irish Bank hit by ‘undetectable’ phishing scam

FRAUDSTERS are targeting Ireland’s biggest bank, AIB,  in a virtually undetectable internet scam. The bank admits it does not know and cannot find out how many of its customers are affected by the fraud.

If you have an account at AIB, click here for Important InformationAIB Bank

Cheats have found a way of overcoming security measures on AIB’s genuine website to fool customers into divulging their account details and passwords.

They are infecting customers’ computers with a “parasite” virus which activates the moment they visit AIB’s secure internet banking site and go to the “log-in” page.

t the log-in stage they are presented with a “ghost” AIB page asking them for their registration number, full security code, mobile phone number and credit card details.

However, customers cannot immediately tell the page is bogus as the website address in their browser is exactly the same as AIB’s security-assured website.

Great Scam Video

This is great! It’s a series on British Television that shows how to avoid getting scammed, conned, cheated, robbed by those out to take what’s yours.


Merry Christmas to Barclays Customers … from the Scammer

Barclays bank branchConmen have targeted Barclays customers over Christmas by trying to persuade them to hand over their account details.The emails carry the Barclays logo and ask customers to fill in confidential information. They even have a link to the bank’s online help page, complete with customer services numbers, and allow the user to return to Barclays’ home page.

Once armed with a customer’s surname, account number, five-digit password and memorable word, the conmen could access accounts.

Barclays warned yesterday that it would never ask any of its 14million account holders for personal details by email and warned anyone who receives the email not to fill in the details.  (Duh!)

Online banking fraud ‘up 8,000%’

The UK has seen an 8,000% increase in fake internet banking scams in the past two years, the government’s financial watchdog has warned. The Financial Services Authority (FSA) told peers it was “very concerned” about the growth in “phishing”.

Phishing involves using fake websites to lure people into revealing their bank account numbers.

The amount stolen is still relatively small but it is set to go up by 90% for the second year running, peers heard.

Between January and June 2005, the number of recorded phishing incidents was 312, the Lords science and technology committee was told.

The figure for the same period this year was 5,059, according to banking trade body Apacs figures.

The amount of cash stolen in the first half of 2006 was £23.2m, the committee was told, and was likely to be £22.5m in the second half of the year.

Read More [BBC]