hack attempts try on PHP server
by schlabs from LinuxQuestions.org on (#5CCST)
Hello everyone.
I have a server set up on openSUSE Linux with Apache and PHP.
I see attack attempts in the logs. To avoid the hacks I filter the form input and simply reject any form containing certain characters, for example \'";{}[]<> (backslash, single quote, double quote and more).
When the filter detects a bad char I perform 2 actions:
1) Return an empty string to the calling PHP code (preventing MySQL injection and XSS attacks)
2.1) Replace the bad chars with the # char
2.2) Write a log entry into the error log with the fixed string (using #)
2.3) Fail2ban traps the IP and bans the attacker.
All seems to be OK, but I see something strange in the logs:
error_log
Code:
func_form.php-form_check() bad characters in form msg_1115118450=\xd0\x9f\xd1\x80\xd0\xb8\xd0\xb2\xd0\xb5\xd1
As you can see the backslash is still there and is not replaced.
But if I fill in the form myself the backslash has been filtered.
error_log
Code:
func_form.php-form_check() bad characters in form msg_625287675735=#xd0#x9f#xd1#x80#xd0#xb8#xd0#xb2#xd0#xb5#xd1
Even when passing it in GET or POST mode.
The question is: how is the attacker escaping the backslash trap?
Here is the filter code:
Code:
function form_check($resp, $var_in, $bad_char) {
    $atk_txt = $resp;   // copy of the input, used only for the log line
    $atk_cnt = 0;       // number of distinct bad characters found
    $len = strlen($bad_char);
    for ($a = 0; $a < $len; $a++) {
        //if(strcmp($_SERVER['REMOTE_ADDR'],$ip_local)==0){ printf("testing %s : ",substr($bad_char,$a,1));};
        if (strpos($resp, substr($bad_char, $a, 1)) !== false) {
            $atk_cnt++;
            $atk_txt = str_replace(substr($bad_char, $a, 1), '#', $atk_txt); // replace with # for the log
        }
        $resp = str_replace(substr($bad_char, $a, 1), '', $resp); // remove bad characters
    }
    if ($atk_cnt > 0) {
        if (!defined('ATTACK')) {
            define('ATTACK', "ERROR: bad characters in form");
        }
        // one line per rejected form; this is the line fail2ban picks up
        error_log("ATTACK_CHAR example.com func_form.php-form_check() bad characters in form $var_in=$atk_txt<br>\n");
        return "";
    }
    return $resp;
}
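An added example, not from the original post, that reproduces what the two log lines show: the real UTF-8 bytes a browser submits contain no backslash byte, so a byte-level check like form_check() lets them through, while the text \xd0\x9f... typed by hand does contain backslashes and is rejected; the \xd0 seen in the log is produced by the log writer when it escapes non-printable bytes (assumed here to be Apache httpd's \xHH escaping of its error log). The functions form_check_min, log_escape and is_printable_ascii and the sample inputs are the example's own.

```php
<?php
// Added example (not the original poster's code): why real UTF-8 bytes pass the
// backslash check while the same text typed as \xd0\x9f... does not, and why
// the error log shows \xd0 anyway.

// The character list the post describes: \ ' " ; { } [ ] < >
const BAD_CHARS = "\\'\";{}[]<>";

// Minimal stand-in for the poster's form_check(): "" if any bad byte is
// present, otherwise the input unchanged (logging left out).
function form_check_min(string $resp, string $bad_char): string {
    for ($a = 0; $a < strlen($bad_char); $a++) {
        if (strpos($resp, $bad_char[$a]) !== false) {
            return "";
        }
    }
    return $resp;
}

// Render bytes the way a server error log does. Assumption: Apache httpd
// writes non-printable bytes to its error log as \xHH.
function log_escape(string $s): string {
    $out = '';
    for ($i = 0; $i < strlen($s); $i++) {
        $b = ord($s[$i]);
        $out .= ($b >= 0x20 && $b <= 0x7E) ? $s[$i] : sprintf('\x%02x', $b);
    }
    return $out;
}

// If a field is meant to hold printable ASCII only, an allow-list check
// rejects such bytes instead of letting them through unnoticed.
function is_printable_ascii(string $s): bool {
    return preg_match('/^[\x20-\x7E]*$/', $s) === 1;
}

// Constructed inputs: $raw is the real UTF-8 encoding of Cyrillic "Приве", as a
// browser submits it; $typed is the literal text \xd0\x9f... keyed in by hand.
$raw   = "\xd0\x9f\xd1\x80\xd0\xb8\xd0\xb2\xd0\xb5";
$typed = '\xd0\x9f\xd1\x80\xd0\xb8\xd0\xb2\xd0\xb5';

// No 0x5C (backslash) byte exists in $raw, so the filter lets it through;
// $typed really contains backslashes and is rejected. The \xd0 in the log
// comes from the log writer, not from the client.
printf("raw has backslash byte: %s\n", strpos($raw, '\\') === false ? 'no' : 'yes');
printf("raw passes filter:      %s\n", form_check_min($raw, BAD_CHARS) === $raw ? 'yes' : 'no');
printf("typed passes filter:    %s\n", form_check_min($typed, BAD_CHARS) === '' ? 'no' : 'yes');
printf("as logged:              %s\n", log_escape($raw));
printf("raw is printable ASCII: %s\n", is_printable_ascii($raw) ? 'yes' : 'no');
```

Because such a character blocklist works on bytes and cannot see how the input will be used, it is best treated as a logging and banning signal, with prepared statements and context-specific output escaping doing the actual protection against SQL injection and XSS.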