{"id":594,"date":"2007-05-01T10:41:14","date_gmt":"2007-05-01T08:41:14","guid":{"rendered":"http:\/\/planetozh.com\/blog\/2007\/05\/some-fun-with-script-kiddies\/"},"modified":"2007-05-22T16:19:43","modified_gmt":"2007-05-22T14:19:43","slug":"some-fun-with-script-kiddies","status":"publish","type":"post","link":"https:\/\/planetozh.com\/blog\/2007\/05\/some-fun-with-script-kiddies\/","title":{"rendered":"Some Fun with Script Kiddies"},"content":{"rendered":"

One of the things you have to pay attention to when you move your website to another host is correct redirection to pages, and ensuring you're not giving 404 errors to legitimate requests. This morning I was checking my error logs and noticed a lot of pathetic attempts from script kiddies<\/a> looking for an easy security hole to exploit :<\/p>\n

\n\n\t\t
\n\n\t\t
\n\t\t\t\t\t\t< View plain text<\/span> ><\/a>\n\t\t\t\t\t<\/div>\n\n\t\t
code<\/div>\n\n\t\t\n\t\t
\n\n\t<\/div>\n\t\n\t
\n\t\t
  1. [client 212.67.208.152] File does not exist: \/home\/ozh\/planetozh.com\/\/admin\/plugins\/NP_UserSharing.php<\/div><\/li>\n
  2. (...)<\/div><\/li>\n
  3. [client 216.193.194.224] File does not exist: \/home\/ozh\/planetozh.com\/admin\/doeditconfig.php<\/div><\/li>\n
  4. (...)<\/div><\/li>\n
  5. [client 203.187.132.50] File does not exist: \/home\/ozh\/planetozh.com\/_vti_bin\/owssvr.dll<\/div><\/li>\n
  6. [client 203.187.132.50] File does not exist: \/home\/ozh\/planetozh.com\/MSOffice\/cltreq.asp<\/div><\/li>\n<\/ol>\t<\/div>\n\n<\/div>\n\n

    The most popular attempt seems to be the doeditconfig.php<\/em> one, with roughly a request every 5 minutes.
    \nI honestly don't give a sh*t about those things, but why not try to have some fun with them in return ?<\/p>\n

    First, I looked for the biggest file I could find on the internet. A 4.4 Gb<\/a> Debian DVD image seemed to be big enough.<\/p>\n

    Then, time for a little mod_rewrite prank, in the .htaccess<\/em> file sitting in my root I added the following lines :<\/p>\n

    \n\n\t\t
    \n\n\t\t
    \n\t\t\t\t\t\t< View plain text<\/span> ><\/a>\n\t\t\t\t\t<\/div>\n\n\t\t
    code<\/div>\n\n\t\t\n\t\t
    \n\n\t<\/div>\n\t\n\t
    \n\t\t
    1. RewriteEngine  on<\/div><\/li>\n
    2. RewriteBase \/<\/div><\/li>\n
    3. RewriteRule ^admin\/doeditconfig.php$ \/exit\/bigfile [L]<\/div><\/li>\n
    4. RewriteRule ^MSOffice\/cltreq.asp$ \/exit\/bigfile [L]<\/div><\/li>\n
    5. RewriteRule ^\/_vti_bin\/owssvr.dll$ \/exit\/bigfile [L]<\/div><\/li>\n
    6. RewriteRule ^\/admin\/plugins\/NP_UserSharing.php$ \/exit\/bigfile [L]<\/div><\/li>\n
    7. RewriteRule ^\/phorum\/plugin\/replace\/plugin.php$ \/exit\/bigfile [L]<\/div><\/li>\n<\/ol>\t<\/div>\n\n<\/div>\n\n

      File \/exit\/bigfile<\/em> is just a log-then-redirect-to-big-DVD-iso PHP script.<\/p>\n

      I'm not sure how effective this will be : maybe script kiddie tools don't follow redirections, or look for particular header responses. But hopefully I will waste a few megabytes of some morons' bandwidth :)<\/p>\n","protected":false},"excerpt":{"rendered":"

      One of the things you have to pay attention to when you move your website to another host is correct redirection to pages, and ensuring you're not giving 404 errors to legitimate requests. This morning I was checking my error logs and noticed a lot of pathetic attempts from script kiddies looking for an easy […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[15,56,2,206,196,194,195,61],"class_list":["post-594","post","type-post","status-publish","format-standard","hentry","tag-ahah","tag-apache","tag-code","tag-doeditconfig","tag-hax0rz","tag-htaccess","tag-mod_rewrite","tag-sux0rz"],"_links":{"self":[{"href":"https:\/\/planetozh.com\/blog\/wp-json\/wp\/v2\/posts\/594","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/planetozh.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/planetozh.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/planetozh.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/planetozh.com\/blog\/wp-json\/wp\/v2\/comments?post=594"}],"version-history":[{"count":0,"href":"https:\/\/planetozh.com\/blog\/wp-json\/wp\/v2\/posts\/594\/revisions"}],"wp:attachment":[{"href":"https:\/\/planetozh.com\/blog\/wp-json\/wp\/v2\/media?parent=594"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/planetozh.com\/blog\/wp-json\/wp\/v2\/categories?post=594"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/planetozh.com\/blog\/wp-json\/wp\/v2\/tags?post=594"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}