In: , , , , , , ,
On: 2007 / 05 / 01 Viewed: 78899 times
Shorter URL for this post: http://ozh.in/ed

One of the things you have to pay attention to when you move your website to another host is correct redirection to pages, and ensuring you're not giving 404 errors to legitimate requests. This morning I was checking my error logs and noticed a lot of pathetic attempts from script kiddies looking for an easy security hole to exploit :

  1. [client 212.67.208.152] File does not exist: /home/ozh/planetozh.com//admin/plugins/NP_UserSharing.php
  2. (...)
  3. [client 216.193.194.224] File does not exist: /home/ozh/planetozh.com/admin/doeditconfig.php
  4. (...)
  5. [client 203.187.132.50] File does not exist: /home/ozh/planetozh.com/_vti_bin/owssvr.dll
  6. [client 203.187.132.50] File does not exist: /home/ozh/planetozh.com/MSOffice/cltreq.asp

The most popular attempt seems to be the doeditconfig.php one, with roughly a request every 5 minutes.
I honestly don't give a sh*t about those things, but why not try to have some fun with them in return ?

First, I looked for the biggest file I could find on the internet. A 4.4 Gb Debian DVD image seemed to be big enough.

Then, time for a little mod_rewrite prank, in the .htaccess file sitting in my root I added the following lines :

  1. RewriteEngine  on
  2. RewriteBase /
  3. RewriteRule ^admin/doeditconfig.php$ /exit/bigfile [L]
  4. RewriteRule ^MSOffice/cltreq.asp$ /exit/bigfile [L]
  5. RewriteRule ^/_vti_bin/owssvr.dll$ /exit/bigfile [L]
  6. RewriteRule ^/admin/plugins/NP_UserSharing.php$ /exit/bigfile [L]
  7. RewriteRule ^/phorum/plugin/replace/plugin.php$ /exit/bigfile [L]

File /exit/bigfile is just a log-then-redirect-to-big-DVD-iso PHP script.

I'm not sure how effective this will be : maybe script kiddie tools don't follow redirections, or look for particular header responses. But hopefully I will waste a few megabytes of some morons' bandwidth :)

Shorter URL

Want to share or tweet this post? Please use this short URL: http://ozh.in/ed

Metastuff

This entry "Some Fun with Script Kiddies" was posted on 01/05/2007 at 10:41 am and is tagged with , , , , , , ,
Watch this discussion : Comments RSS 2.0.

8 Blablas

  1. BB2k says:

    a best way to avoid bandwidth consumption would be to redirect these request directly to an external URL (i.e. Redirect permanent MSOffice/cltreq.asp http://debian.mirror.ac.za/debian-cd/4.0_r0/i386/iso-dvd/debian-40r0-i386-DVD-1.iso)

  2. Ozh says:

    i don't care about bandwidth, and i want to log my pranks :)

  3. Amit says:

    ha ha ha, crazy idea but kewl. I tried this sometime back on some kiddies trying to break in, but I redirected them straightaway via .htaccess, didn't log their details! ;)

  4. Nice… script kiddies suuuuuck. Im not sure…. i would think most would follow redirects. Even bots follow redirects.

    I believe it might crash there browser or window to say the least.

    Very funny Kudos
    hehehe

  5. Henryk Gerlach says:

    I don't see how wasting bandwidth of others makes you better than those script kiddies attacking you.

    Maybe you should update your post and apologize to the nice debian people, who provide http access to such huge files for the convenience of everyone.

    This is just an bad idea.

  6. Ozh says:

    Henryk » hmmm, you could actually make a valid point. Not sure how much a few redirects would really disturb a serious web server, though.

  7. Keith Petersen says:

    I redirect script kiddies to http://www.fbi.gov/

    You can imagin the look on their faces when that comes up. They probably turn off their computers, thinking they have given away their information to the FBI.

  8. EvenBetter says:

    A debian image is actually something useful. If you're going to waste your bandwidth anyway, just use /dev/zero to make a file full of zeroes, and make it as big as you want. Then serve that :P

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>
Gravatars: Curious about the little images next to each commenter's name ? Go to Gravatar and sign for a free account
Spam: Various spam plugins may be activated. I'll put pins in a Voodoo doll if you spam me.

Read more ?

 LOLCAT »