Our friends group has this forum. It’s really useful for chatting about topics that concern the whole group and for multicasting (birthday) invitations. It is rented at some host that probably decided to get rid of all phpBB insecurities at once, and installed a filter. It now features a really impressive button showing a key and ‘ctracker’ on it. Next to that, there is (at story-time) ‘blocked 33 attacks’.
So I really wanted to know what counted as an attack. Apparently, POSTing a simple SQL injection query didn’t trigger it. Nor did anything else I tried to send it. So, I went to cback.de, who made the tool. According to the GPLv1’d source (well, it didn’t even mention a version number), it triggers when you put things like ‘UPDATE FROM’, ‘.htaccess’, ‘chr(’, or ‘php_’ in the query string (the URL part after a question mark). Which makes me think: is this real security, checking only the query string?
I mean, 80% of the places in phpBB where you can submit info to PHP use POST. If I went for security, I’d look for leaks there. I’d bet adding this CrackerTracker added no security to the forum; it did make the host look stupid. I mean, just me posting a ‘don’t click here’ link to search.php?php_is_nice shocked users, who got accused of an attack for something completely innocent (besides spoiling logs).
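To make the point concrete, here is an added example (my own illustration, not CrackerTracker’s code) of a request check that, like the filter described above, looks only at the query string, beside one that also inspects a POST body. The signature list is just the handful of strings quoted above, and the sample requests are constructed, not taken from the forum.

```python
from urllib.parse import unquote_plus, urlsplit

# The few patterns quoted above from the CrackerTracker source; constructed
# here for illustration, not the tool's full list.
SIGNATURES = ("update from", ".htaccess", "chr(", "php_")


def find_signature(text):
    """Return the first signature found in text after percent-decoding, else None."""
    lowered = unquote_plus(text).lower()   # decode %xx and '+' before matching
    return next((s for s in SIGNATURES if s in lowered), None)


def check_request(method, target, body="", inspect_body=False):
    """Return (blocked, matched_signature).

    inspect_body=False mirrors what the post describes: only the query string
    (the part after '?') is examined, so POST data is never looked at.
    inspect_body=True additionally scans the body of a POST request.
    """
    query = urlsplit(target).query
    hit = find_signature(query)
    if hit is None and inspect_body and method == "POST":
        hit = find_signature(body)
    return (hit is not None, hit)


# Constructed sample requests (hypothetical, not from the forum in the post).
INNOCENT_LINK = ("GET", "/search.php?php_is_nice", "")            # the 'don't click here' link
FORM_POST = ("POST", "/posting.php", "subject=hi&message=UPDATE+FROM+x")  # form submission


def weak_results():
    """Query-string-only check: flags the innocent link, never sees the POST body."""
    return [check_request(*r) for r in (INNOCENT_LINK, FORM_POST)]


def full_results():
    """Query string plus POST body: the body is now covered by the same signatures."""
    return [check_request(*r, inspect_body=True) for r in (INNOCENT_LINK, FORM_POST)]


if __name__ == "__main__":
    print("query string only:", weak_results())
    print("query + POST body:", full_results())
```

Note that the innocent link is flagged by both variants: plain substring matching on ‘php_’ produces the false positives the post describes, regardless of where the filter looks.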
They would get a simple page labelled ‘security alert’ in red, telling them that they had tried to attack the forum, and that they had been logged. And, they increased the ‘hit counter’ on the way. :-)
Unexpectedly, others (non-friends) also followed the link. En masse. In less than 2 days, the counter increased by over 1100. Sorry, host, didn’t mean to help you brag about your safety.
Notes:
- The link is not to our forum.
- It may be that WordPress visited the link itself a couple of times, to check if it really existed. So, I already subtracted 20 clicks from 1,1E2, resulting in 1,1E2. For the convenience of otherwise confused readers, I wrote down 1100, which is the same value but with a different uncertainty. (They still nail me at school if I write down 1080 in a test!)