I have a site that's embedded inside an iframe.
On occasion I'm seeing a phantom get request generated for each get or post.
The nginx logs show this occurring, notice there is a get request sent immediately after the post:
XX.XXX.XXX.XX - - [06/Oct/2012:20:55:47 +0000] "POST /website_widget/users HTTP/1.1" 200 1996 "http://subdomain.mysite.com/website_wi
dget/users/sign_up" "Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
XX.XXX.XXX.XX - - [06/Oct/2012:20:55:47 +0000] "GET /website_widget/users HTTP/1.1" 404 781 "http://subdomain.mysite.com/website_widg
et/users" "Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
XX.XXX.XXX.XX - - [06/Oct/2012:20:55:53 +0000] "POST /website_widget/users HTTP/1.1" 200 1993 "http://subdomain.mysite.com/website_wi
dget/users" "Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
XX.XXX.XXX.XX - - [06/Oct/2012:20:55:53 +0000] "GET /website_widget/users HTTP/1.1" 404 781 "http://subdomain.mysite.com/website_widg
et/users" "Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
This also happens with standard get requests too. From my rails logs I can see:
Started GET "/website_widget/users/sign_in" for XX.XX.XXX.XX at 2012-10-06 20:45:35 +0000
[b7e895726057452d0af6a2ac5cd1668d] Processing by WebsiteWidget::MyController#new as HTML
Started GET "/website_widget/users/sign_in" for XX.XX.XXX.XX at 2012-10-06 20:45:37 +0000
[b20e57fcc205ee6cf958589ab1660c9f] Processing by WebsiteWidget::MyController#new as */*
Notice in the */* for the second log entry, which suggests the mime type is not set to html or not set at all.
Had anyone come across this kind of thing before? Or got any idea how I can debug it further. I'm proving quite difficult to recreate.
So it looks like this was caused by a firefox plugin. Probably a site ranking plugin of some description.
Related
I've got some trouble lasts days with one of my WordPress installation that got infected with spam "malware".
I've backed up then removed the WordPress installation from server that got infected based on time of hack (index.php/wp-blog-header.php last modified (17:45)) and those server logs :
www.-.com:443 176.124.214.245 - - [17/Jan/2023:17:44:24 +0100] "POST /wp-login.php HTTP/2.0" 302 0 "https://www.-.com/wp-login.php?redirect_to=https%3A%2F%2Fwww.-.com%2Fwp-admin%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0"
www.-.com:443 176.124.214.245 - - [17/Jan/2023:17:44:27 +0100] "GET /wp-admin/edit.php HTTP/2.0" 200 34958 "https://www.-.com/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0"
www.-.com:443 176.124.214.245 - - [17/Jan/2023:17:44:29 +0100] "GET /wp-admin/edit.php HTTP/2.0" 200 34959 "https://www.-.com/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0"
www.-.com:443 176.124.214.245 - - [17/Jan/2023:17:44:36 +0100] "GET /wp-admin/plugin-install.php HTTP/2.0" 200 28446 "https://www.-.com/wp-admin/edit.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0"
www.-.com:443 176.124.214.245 - - [17/Jan/2023:17:44:46 +0100] "POST /wp-admin/update.php?action=upload-plugin HTTP/2.0" 200 20152 "https://www.-.com/wp-admin/plugin-install.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0"
www.-.com:443 176.124.214.245 - - [17/Jan/2023:17:45:02 +0100] "GET /wp-admin/plugins.php HTTP/2.0" 200 27990 "https://www.-.com/wp-admin/update.php?action=upload-plugin" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0"
www.-.com:443 176.124.214.245 - - [17/Jan/2023:17:45:14 +0100] "GET /wp-admin/plugins.php?action=activate&plugin=blocks-kit%2fblocks-kit.php&plugin_status=all&paged=1&s&_wpnonce=5ba12068a9 HTTP/2.0" 302 0 "https://www.-.com/wp-admin/plugins.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0"
I've replaced the domain
Multiple attemps with different IP has been made during the day, 17:45 was the one I think got through
If I understand correctly:
hacker got successfully logged in (wp-login.php)
installed a plugin (/wp-admin/plugin-install.php?action=upload-plugin)
activated the plugin (/wp-admin/plugins.php?action=activate&plugin=blocks-kit%2fblocks-kit.php&plugin_status=all&paged=1&s&_wpnonce=5ba12068a9)
Wordpress executed the blockskit.php?
Server got infected
I didn't found any "malware" on the blocks-kit plugin. Maybe I didn't knew what to search.
Other informations:
Password to access admin was like "#Qh%RidZd#MwFUXT" - I don't think it was brute forced.
Plugins:
Mailchimp (4.8.7) no vulnerabilities for this version.
Booked (2.3.5)- same
Better Search replace (1.3.4) - Admin + SQLi
trx_updater (1.9.6) - nothing
js_composer (6.7.0) - nothing
advanced-custom-fields (5.11.4) - Unauthenticated File Upload
trx_addons (?) - No issues found in the plugin
revslider (6.5.11) - nothing
essential-grid - nothing
duplicate-page (4.4.8) - nothing
contact-form-7 (5.5.4) - nothing
blocks-kit.php
// Exit if accessed directly.
if ( ! defined( 'ABSPATH' ) ) {
exit;
}
define('BK_PLUGIN_DIR', plugin_dir_path(__FILE__));
define('BK_PLUGIN_URL', plugins_url('/', __FILE__));
define('BK_DOMAIN','blocks-kit');
/**
* Block Initializer.
*/
require_once plugin_dir_path( __FILE__ ) . 'src/init.php';
Based on all information, seems to me that the hacker got through thanks to an outdated plugin.
I'm not here for a solution, but more to help me understand a little more in depth.
I would have loved if someone more experienced help me understand those servers logs/situation.
I made a new website with Wordpress which is http://drfarzin.net I randomly was googling my site that i saw another domain is presenting my site http://upciran.ir/web/aHR0cDovL2RyZmFyemluLm5ldC8=! plus it has an advertisement at the end of it.
here is the steps i did to prevent this spam but it didn't succeed:
saw my log file while requesting to http://upciran.ir/web/aHR0cDovL2RyZmFyemluLm5ldC8=
which was {5.78.123.116, 162.158.89.204 - -
[08/Apr/2016:04:32:46 -0400] "GET / HTTP/1.1" 200 39199 "http://upciran.ir/web/aHR0cDovL2RyZmFyemluLm5ldC8=" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36"
- - -
[08/Apr/2016:04:32:46 -0400] "GET / HTTP/1.0" 200 25733 "-" "-"
5.78.123.116, 162.158.89.204 - -
[08/Apr/2016:04:32:47 -0400] "GET /wp-admin/admin.php?page=stats&noheader&proxy&chart=admin-bar-hours-scale-2x HTTP/1.1" 200 613 "http://drfarzin.net/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36"
}
pinging http://upciran.ir/web/aHR0cDovL2RyZmFyemluLm5ldC8= then block its ip in cloudflare and wordfence (wordpress plugin)
**the odd part that i dont undrestand is while you brows in to http://upciran.ir/web/aHR0cDovL2RyZmFyemluLm5ldC8= , its url will not be changed **
It's loaded from iframe...
You cannot check it from the server's side, but you can use javascript to detect it after the page has loaded. Compare top and self, if they're not identical, you are in a frame.
Additionally, some modern browsers respect the X-FRAME-OPTIONS header, that can have two values:
DENY – prevents the page from being rendered if it is contained in a frame
SAMEORIGIN – same as above, unless the page belongs to the same domain as the top-level frameset holder.
Users include Google's Picasa, that cannot be embedded in a frame.
Browsers that support the header, with the minimum version:
IE8 and IE9
Opera 10.50
Safari 4
Chrome 4.1.249.1042
Firefox 3.6.9 (older versions with NoScript)
EXAMPLE:
if(top!=self){
top.location.replace(document.location);
alert("For security reasons, framing is not allowed; click OK to remove the frames.")
}
ASP.NET MVC4 web application (shopping cart) is running with mono, apache and mod_mono in Debian.
Sometimes it stops responging or is slow.
Apache acces log file contains parts which may be can used to reproduce the issue:
1.4.24.123 - - [25/Nov/2014:19:50:06 +0200] "GET /store/StoreImage/Thumb?product=350-00315&size=198 HTTP/1.1" 200 5231 "http://www.example.com/store/Store/Details?product=350-00315" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
1.4.24.123 - - [25/Nov/2014:19:50:06 +0200] "GET /store/Image/Icon HTTP/1.1" 200 2721 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
1.4.24.123 - - [25/Nov/2014:19:50:06 +0200] "GET /store/Image/Icon HTTP/1.1" 200 2721 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
etc.
How to send those requests to web site for testing the site from windows ? Is there some free tool or converter which reads apache log file and sends those requests ?
Or how to create MVC4 controller which accepts uploaded this file, parsest it and isses web requests from it to site ? Or is there some web page which can do it ?
Or some testing spidder which invokes all urls from all pages in site rapidly ?
I'm running two servers.
One is a gateway running nginx for dispatching requests for different domains to different servers.
The other one is the the server for my WordPress installation.
I'm using Varnish in front of Apache to do caching stuffs (only caching, no load balancing). I've turned off KeepAlive and set Timeout to 20 seconds for Apache.
Now I'm uploading an image of size 160KB and it fails, while my server configuration allows a maximum size of 20MB. After I submit the upload form in WordPress, I can see from the status line of my browser that the file is uploaded several times (mostly 2 or 3). When I use the asynch uploading plugin of WordPress, I can also see the progress bar growing from 0% to 100% and over and over again, until it fails.
When it fails, it stucks at the path /wp-admin/media-upload.php?inline=&upload-page-form= and Chrome says "Error 101 (net::ERR_CONNECTION_RESET): The connection was reset." I've tried Firefox, exactly the same.
I cannot see anything relevant in the error logs of Varnish and Apache. However, I do see mutiple lines of the following log in the access log of nginx:
220.255.1.18 - - [01/Jan/2013:12:16:36 +0800] "POST /wp-admin/media-upload.php?inline=&upload-page-form= HTTP/1.1" 400 0 "http://MY-DOMAIN/wp-admin/media-new.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.101 Safari/537.11"
220.255.1.29 - - [01/Jan/2013:12:16:41 +0800] "POST /wp-admin/media-upload.php?inline=&upload-page-form= HTTP/1.1" 400 0 "http://MY-DOMAIN/wp-admin/media-new.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.101 Safari/537.11"
220.255.1.23 - - [01/Jan/2013:12:16:51 +0800] "POST /wp-admin/media-upload.php?inline=&upload-page-form= HTTP/1.1" 400 0 "http://MY-DOMAIN/wp-admin/media-new.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.101 Safari/537.11"
220.255.1.26 - - [01/Jan/2013:12:17:03 +0800] "POST /wp-admin/media-upload.php?inline=&upload-page-form= HTTP/1.1" 400 0 "http://MY-DOMAIN/wp-admin/media-new.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.101 Safari/537.11"
So what's the problem? How can I fix it?
I'm using the CSS3 ability to apply multiple background images to an element. Currently, I have this code in my stylesheet:
body{background:url("images/emblem.png") top center no-repeat, url("images/background.png");background-color:#EAE6D9}
The code works in all browsers that support it. And those that it doesn't defaults down to the background-color.
However, watching the access log files for the site, I'm noticing 404 errors pop up for, what looks to be, a malformed request based on this CSS initiative. The funny thing is, they are coming from someone using Firefox 5. I'm using Firefox 5 and I cannot get an error to show up in the log for my IP.
Here's the error line from the log:
10.21.7.246 - - [28/Jun/2011:12:02:01 -0500] "GET /templates/images/emblem.png%22),%20url(%22http://ulabs.illinoisstate.edu/templates/images/background.png HTTP/1.1" 404 1005 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0"
I have a feeling the problem is coming from the fact that the " and the space is being URL encoded, but I'm definitely not doing that. And it doesn't happen all the time. Looking at requests from my IP address, the request is properly split up.
10.1.8.129 - - [28/Jun/2011:12:29:33 -0500] "GET /templates/images/background.png HTTP/1.1" 304 - "http://ulabs.illinoisstate.edu/templates/style.1308848695.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0"
10.1.8.129 - - [28/Jun/2011:12:29:33 -0500] "GET /templates/images/emblem.png HTTP/1.1" 304 - "http://ulabs.illinoisstate.edu/templates/style.1308848695.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0"
Has anyone experienced this behavior before? Or have any ideas on what I might try to resolve the issue?
We've discovered it's YSlow causing the error to be generated. When running YSlow, the error would appear in the log immediately for that IP address. Since this really isn't really a problem, luckily there's nothing we need to fix on our end.