
hacked referrer

Obviously I am witnessing some kind of hacking in an attempt to exploit
some security flaw in phpbb because I am seeing the activity being
logged in my 404 handler script. What puzzles me is that the referrer
value comes from a fictitious subdomain 'forum' and with this account's
DNS registration includes all subdomains so if the page really existed
forum.example.com/real.html would be automatically redirected to
www.example.com/real.html. Somehow they are hacking the referrer value.

Interesting other point is the same sequence of request|referrer pairs
get logged on each episode:

http://forum.example.com/forum/index.php
http://forum.example.com/phpbb/index.php
http://forum.example.com/phpbb2/index.php
http://forum.example.com/forums/index.php
http://forum.example.com/board/index.php

The UA and the originating IP are the same for each series of 5 attempted
URLs, so it might be some hacking script, but it is different for each set
of attempts. Originating IPs have been from various places in North America
but all seem to be from hopone.net

I don't have phpbb, nor indexes on and the 404 script is trapping them
but just wondering how they are spoofing the referrer?

--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com
Feb 14 '07 #1
2 Replies


Rik
Jonathan N. Little wrote:
Somehow they are hacking the referrer value.

Interesting other point is the same sequence of request|referrer pairs
get logged on each episode:

http://forum.example.com/forum/index.php
http://forum.example.com/phpbb/index.php
http://forum.example.com/phpbb2/index.php
http://forum.example.com/forums/index.php
http://forum.example.com/board/index.php

The UA and the originating IP are the same for each series of 5 attempted
URLs, so it might be some hacking script, but it is different for each set
of attempts. Originating IPs have been from various places in North America
but all seem to be from hopone.net

I don't have phpbb, nor indexes on and the 404 script is trapping them
but just wondering how they are spoofing the referrer?
The referer is just a header the browser may or may not send. Spoofing is
very, very easy. With some hacking in the browser I could make it send
'http://yoursitesucks.com' by default, regardless of the actual referer.
It even gets used for spamming:
<http://en.wikipedia.org/wiki/Referer_spam>

Simple example using PHP:
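<?php
// fsockopen() takes a hostname, not a URL
$link = fsockopen('example.com', 80);
// The client chooses the Referer value; a blank line ends the request headers
fwrite($link, "GET / HTTP/1.1\r\nHost: example.com\r\nReferer: http://forum.example.com\r\nConnection: close\r\n\r\n");
fclose($link);
?>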

This is the main reason why anyone with basic knowledge will tell you
never to trust a referer header for any security whatsoever.
--
Rik Wasmus
Feb 14 '07 #2

Rik wrote:
<snip>
Simple example using PHP:
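<?php
// fsockopen() takes a hostname, not a URL
$link = fsockopen('example.com', 80);
// The client chooses the Referer value; a blank line ends the request headers
fwrite($link, "GET / HTTP/1.1\r\nHost: example.com\r\nReferer: http://forum.example.com\r\nConnection: close\r\n\r\n");
fclose($link);
?>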

This is the main reason why anyone with basic knowledge will tell you
never to trust a referer header for any security whatsoever.
Thanks for the info, yes I do not trust a referrer for any security,
can't ever use it reliably for mundane purposes as many personal
firewalls block it. I was familiar with setting some of the header info
with the header() function but haven't had any experience with sockets.
--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com
Feb 14 '07 #3
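
The pattern described in this thread (one IP and User-Agent walking a fixed list of forum paths, with a Referer naming a subdomain the site never serves) can be flagged from the 404 handler's log. This is an added example, not code from any poster; the entry layout, constants and function names are assumptions, the sample entries are constructed, and it needs PHP 7.4 or later.

```php
<?php
// Assumptions: the site's domain, the one hostname it really serves, and the thread's probe paths.
const SITE_DOMAIN  = 'example.com';
const SERVED_HOSTS = ['www.example.com'];
const PROBE_PATHS  = ['/forum/index.php', '/phpbb/index.php', '/phpbb2/index.php', '/forums/index.php', '/board/index.php'];

// True when the Referer names a host under our domain that we never serve.
// The header is client-supplied, so this is a signal, not proof of origin.
function refererIsImpossible(?string $referer): bool
{
    $host = parse_url((string) $referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;                       // absent or unparsable: no signal
    }
    $host = strtolower($host);
    $inDomain = substr('.' . $host, -strlen('.' . SITE_DOMAIN)) === '.' . SITE_DOMAIN;
    return $inDomain && !in_array($host, SERVED_HOSTS, true);
}

// Group 404 entries by IP + User-Agent and report clients that requested at
// least $minPaths distinct probe paths.
function findProbeClients(array $entries, int $minPaths = 3): array
{
    $seen = [];
    foreach ($entries as $e) {
        $key = $e['ip'] . '|' . $e['ua'];
        $seen[$key] ??= ['paths' => [], 'impossible_referers' => 0];
        if (in_array(strtolower($e['path']), PROBE_PATHS, true)) {
            $seen[$key]['paths'][strtolower($e['path'])] = true;
        }
        if (refererIsImpossible($e['referer'] ?? null)) {
            $seen[$key]['impossible_referers']++;
        }
    }
    return array_filter($seen, fn($c) => count($c['paths']) >= $minPaths);
}

// Constructed sample entries (documentation IP ranges, made-up user agents).
$entries = [];
foreach (PROBE_PATHS as $p) {
    $entries[] = ['ip' => '192.0.2.10', 'ua' => 'ExampleAgent/1.0', 'path' => $p,
                  'referer' => 'http://forum.example.com' . $p];
}
$entries[] = ['ip' => '198.51.100.7', 'ua' => 'Mozilla/5.0', 'path' => '/old-page.html',
              'referer' => 'http://www.example.com/index.html'];

foreach (findProbeClients($entries) as $client => $c) {
    printf("%s: %d probe paths, %d impossible referers\n", $client, count($c['paths']), $c['impossible_referers']);
}
```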
