'HTTP_HOST' not being evaluated correctly?

I use php scripts when there are errors (like 400,404,403,etc), to email me and advise of what is being attempted.

I noticed on a 400 error, the ‘from’ and ‘to’ didn’t contain my domain name, but another domain name. This is some of the code I use …


$http_host = $_SERVER["HTTP_HOST"];
$http_host = str_replace("www.", "", $http_host);
$from = "From: webmaster@" . $http_host . "\r\n";
$to = "webmaster@" . $http_host;   // recipient address for mail()

The var $http_host had the other domain name there. Fortunately, the email bounced back, so I became aware of the problem. Here is the web access logs entry

94.102.51.246 - - [23/Feb/2013:16:17:49 +1100] "GET http://24x7-allrequestsallowed.com/?PHPSESSID=7jy745aa00143SRWJWS_FA%40FQN HTTP/1.1" 400 2815 "-" "Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0"

It seems $_SERVER["HTTP_HOST"] was evaluated to '24x7-allrequestsallowed.com'

I’m mystified how this was parsed as a URL, but more uneasy that $_SERVER["HTTP_HOST"] wasn’t set to the ‘proper’ domain name.

J
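An added example, not the poster's code, of the mailer fragment above rewritten so that HTTP_HOST is checked against an allowlist of the site's own hostnames before it reaches a mail header; the hostnames and the fallback domain are assumed values.

```php
<?php
// Added example (not the poster's code). HTTP_HOST is copied from the
// request: on a request line like "GET http://24x7-allrequestsallowed.com/ HTTP/1.1"
// Apache fills HTTP_HOST (and SERVER_NAME, unless UseCanonicalName On is set)
// from that absolute URI. Treat it as attacker-controlled input.

// Hostnames this site really answers for (assumed values).
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];
const FALLBACK_HOST = 'example.com';

/** Return the request host only if it is one of ours; otherwise the fallback. */
function safe_host(array $server, array $allowed, string $fallback): string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host);        // drop a ":8080" suffix
    return in_array($host, $allowed, true) ? $host : $fallback;
}

/** Strip CR/LF so an untrusted value cannot inject extra mail headers. */
function header_safe(string $value): string
{
    return str_replace(["\r", "\n"], '', $value);
}

/** Build [$to, $subject, $body, $headers] for mail() from a $_SERVER array. */
function build_error_mail(array $server, int $code): array
{
    $host    = preg_replace('/^www\./', '', safe_host($server, ALLOWED_HOSTS, FALLBACK_HOST));
    $to      = 'webmaster@' . $host;                    // recipient, no "From:" prefix
    $headers = "From: webmaster@$host\r\n";             // header line, CRLF-terminated
    $subject = header_safe("HTTP $code on $host");      // subject is a header too
    $body    = "Requested host: " . ($server['HTTP_HOST'] ?? '(none)') . "\n"
             . "Request URI:    " . ($server['REQUEST_URI'] ?? '') . "\n"
             . "Remote address: " . ($server['REMOTE_ADDR'] ?? '') . "\n";
    return [$to, $subject, $body, $headers];
}

// Constructed $_SERVER subset mirroring the 400 shown later in the thread.
$sample = [
    'HTTP_HOST'   => 'myinfo.any-request-allowed.com',
    'REQUEST_URI' => 'http://myinfo.any-request-allowed.com/?strGet=get6892',
    'REMOTE_ADDR' => '31.184.244.100',
];
[$to, $subject, $body, $headers] = build_error_mail($sample, 400);
// $to is "webmaster@example.com"; the attacker's host appears only in the body.
// mail($to, $subject, $body, $headers);
```

The check belongs in each ErrorDocument script before any $_SERVER value is used in a header; the offending host is still reported, but in the body where it cannot redirect the mail.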

This may be obvious but put,


<?php echo '<pre>'; print_r($_SERVER); echo '</pre>'; ?>

into the file and point your browser to it and see what you get.

HTTP_HOST should work. I happen to use SERVER_NAME for the exact same purpose and I’ve not had a problem so far.

Are you using mail()? I’m using error_log()

http://www.php.net/manual/en/function.error-log.php

Yes on Apache those two are pretty much the same thing, but in NGiNX they’re not. In NGiNX you’d better use HTTP_HOST (SERVER_NAME always reports the first alias if you have defined multiple aliases for a virtual host).

It returned an array, and the domain name was correct, that is, my domain. I’m still mystified how the domain name was changed. They would have had to do something like

http://example.comhttp://24x7-allrequestsallowed.com/?PHPSESSID=7jy745aa00143SRWJWS_FA%40FQN

where ‘example.com’ is my domain. Notice no trailing slash after the domain name.

I’m seeing a lot of this, hacking attempts I assume; no less than 741 by the same IP in one day.

Yes, I have used HTTP_HOST for years. Now I have to hard code in the domain name, just to be sure.

I’m using the mail() command, and as I got 741 emails in one day, I no doubt have to do something else. Thanks for the info on error_log().

Thanks for your reply. I don’t understand what NGiNX is though.

jehoshua, you might want to use something like this in htaccess

# defeat robot exploits
RewriteCond %{QUERY_STRING} http:// [OR]
RewriteCond %{REQUEST_URI} http:// [OR]
RewriteCond %{QUERY_STRING} http%3A%2F%2F
RewriteRule ^(.*)$ - [F]

# defeat robot exploits
RewriteCond %{QUERY_STRING} DECLARE%20@S%20CHAR [OR]
RewriteCond %{QUERY_STRING} SET%20@S=CAST
RewriteRule ^(.*)$ - [F]

Thanks for the .htaccess code. I can basically understand the first ‘set’, that if someone sends a {QUERY_STRING} or a {REQUEST_URI} containing “http://”, then it will fail with an error. What error code will be generated ?

The second ‘set’ is not that easy to work out. Looks like some ‘spaces’ there though ??

I do already have some code in my .htaccess as follows …


Options +FollowSymLinks
RewriteEngine on
# 127.0.0.0   - example only, usually contains my IP
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.0$
RewriteRule ^(wp-login|wp-register|upgrade)\.php?$ - [F]

Deny from 37.1.207.22

ErrorDocument 400 /400error.php
ErrorDocument 403 /403error.php
ErrorDocument 404 /404error.php
ErrorDocument 406 /406error.php
ErrorDocument 414 /414error.php
ErrorDocument 500 /500error.php
ErrorDocument 501 /501error.php

that allows me to use 3 scripts (usually has my real IP), anyone else gets a 403 I think. Also, if any apache errors, a small script file is run.

Where would be best to place the new code ?

NGiNX is a Web server, just like Apache is. My comment was more a general one for anyone reading in who was confused about the difference between SERVER_NAME and HTTP_HOST. It was not aimed at your problem directly. Sorry that wasn’t clear.

The second ‘set’ is not that easy to work out. Looks like some ‘spaces’ there though ??

It’s some form of MySQL injection, the htaccess code shows just the start of it. What you find in your access log is like this:

xx.xx.xx.xx - - [21/Aug/2008:00:23:22 -0400] "GET /2/20080730?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(  .....a whole lot of code.....  CHAR(4000));EXEC(@S); HTTP/1.1" 404 276 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"

Check out this thread for a discussion: DECLARE @S CHAR(4000)

Denying access IP by IP does not work with these attacks because generally they will come from a whole lot of infected computers. The advantage of catching it in htaccess is that it catches all of them without having to track down each IP address sending malware.

Where would be best to place the new code ?

Doesn’t matter, as far as I know.

Thanks ScallioXTX and captainccs. :)

Kept getting 400 errors, and convinced that HTTP_HOST was being changed, I added the array $_SERVER to the emails I get. Here is the array after a 400 error

array (
'CONTENT_LENGTH' => '16',
'CONTENT_TYPE' => 'application/x-www-form-urlencoded',
'DOCUMENT_ROOT' => '/home//public_html',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'HTTP_ACCEPT' => '/',
'HTTP_COOKIE' => 'strCookie=cookie6892',
'HTTP_HOST' => 'myinfo.any-request-allowed.com',
'HTTP_PROXY_CONNECTION' => 'Keep-Alive',
'PATH' => '/bin:/usr/bin',
'QUERY_STRING' => '',
'REDIRECT_QUERY_STRING' => 'strGet=get6892',
'REDIRECT_REQUEST_METHOD' => 'POST',
'REDIRECT_STATUS' => '400',
'REDIRECT_UNIQUE_ID' => 'US-8jswPhjQAABcofbIAAAAM',
'REDIRECT_URL' => '/',
'REMOTE_ADDR' => '31.184.244.100',
'REMOTE_PORT' => '56498',
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => 'http://myinfo.any-request-allowed.com/?strGet=get6892',
'SCRIPT_FILENAME' => '/home//public_html/400error.php',
'SCRIPT_NAME' => '/400error.php',
'SERVER_ADDR' => '204.15..',
'SERVER_ADMIN' => '@.***',
'SERVER_NAME' => 'myinfo.any-request-allowed.com',
'SERVER_PORT' => '80',
'SERVER_PROTOCOL' => 'HTTP/1.1',
'SERVER_SIGNATURE' => '',
'SERVER_SOFTWARE' => 'Apache',
'UNIQUE_ID' => 'US-8jswPhjQAABcofbIAAAAM',
'PHP_SELF' => '/400error.php',
'REQUEST_TIME' => 1362099342,
'argv' =>
array (
),
'argc' => 0,
)

Notice the value of HTTP_HOST, which is not the name of the domain where the script resides, or more the point, where the abuse occurred.

J


'HTTP_HOST' => 'myinfo.any-request-allowed.com',
'SERVER_NAME' => 'myinfo.any-request-allowed.com',
'REQUEST_URI' => 'http://myinfo.any-request-allowed.com/?strGet=get6892',

I don’t see the difference. If a visitor gets an Error 400 then he was denied access so how could he have changed anything on the server?

The request, it seems, is trying to get a hold of a cookie…


'HTTP_COOKIE' => 'strCookie=cookie6892',

Yes, that’s what I don’t understand. They were denied access, yet (somehow ?) the contents of HTTP_HOST was modified ??

Okay thanks. The query string parsed differs most times by the same IP.