Troll Programming Error or Bad command?


#1

For about the last 10 days, every couple of days I’ve been seeing trolls try the following HTTP command on selected websites:

/' + gaJsHost + 'google-analytics.com/' + gaJsHost + 'google-analytics.com/ga.js HTTP/1.1

or a variant:

/' + gaJsHost + 'google-analytics.com/https:/www.google.com/calendar/embed?showCalendars=0&showTz=0&mode=AGENDA&height=400&wkst=1&bgcolor=%23fa9c07&s

So, can anyone make heads or tails of this? Is this a troll programming error or an attempt at a legitimate command?

-Bill


#2

…there’s not enough information to be certain another script kiddie is attacking your site, but they probably are since unparsed JavaScript shouldn’t appear in request headers.

Check your HTML pages for unknown code - did the server log entries have browser user agent and referrer strings? Apparently injecting obfuscated JavaScript masquerading as Google Analytics code has been used before to direct visitors to sites that attempt to infect their machines with trojans/spyware. And again, like the PHP backdoor shells, the malicious and obfuscated JavaScript code was probably injected through a stolen FTP password (since that is what the trojan/spyware steals) or a vulnerable web site application.


#3

On second thought, might be a programming error, as the old Google Analytics code relied on escaping both URLs and HTML at the same time, so you probably should check for any old code you have and use the newer version that relies just on JavaScript.


#4

Atropos7,

Hey, many THANKS for the info. So this is a WordPress site with pretty URLs, so all HTTP commands come back as successful (status = 200), unless they are denied in mod_security or .htaccess. I also have a Perl script in a directory called ‘blackhole’ with a robots.txt file that says ignore directories called ‘blackhole’, and a hidden link to blackhole in the WP footer. So my troll did the following:

89.123.31.75 - - [02/Mar/2012:19:49:14 -0800] "GET / HTTP/1.1" 301 568 "-" "Java/1.6.0_04"
89.123.31.75 - - [02/Mar/2012:19:49:15 -0800] "GET / HTTP/1.1" 200 19556 "-" "Java/1.6.0_04"
89.123.31.75 - - [02/Mar/2012:19:49:18 -0800] "GET /" + gaJsHost + "google-analytics.com/ga.js HTTP/1.1" 200 526 "-" "Java/1.6.0_04"
89.123.31.75 - - [02/Mar/2012:19:49:19 -0800] "GET / HTTP/1.1" 200 19979 "-" "Java/1.6.0_04"
89.123.31.75 - - [02/Mar/2012:19:49:21 -0800] "GET /blackhole HTTP/1.1" 301 586 "-" "Java/1.6.0_04"
89.123.31.75 - - [02/Mar/2012:19:49:21 -0800] "GET /blackhole HTTP/1.1" 301 587 "-" "Java/1.6.0_04"
89.123.31.75 - - [02/Mar/2012:19:49:22 -0800] "GET /blackhole/ HTTP/1.1" 200 1196 "-" "Java/1.6.0_04"
89.123.31.75 - - [02/Mar/2012:19:49:23 -0800] "GET /calendar HTTP/1.1" 403 434 "-" "Java/1.6.0_04"
89.123.31.75 - - [02/Mar/2012:19:49:24 -0800] "GET /contact HTTP/1.1" 403 433 "-" "Java/1.6.0_04"
89.123.31.75 - - [02/Mar/2012:19:49:24 -0800] "GET /donate HTTP/1.1" 403 432 "-" "Java/1.6.0_04"
89.123.31.75 - - [02/Mar/2012:19:49:25 -0800] "GET /escrip HTTP/1.1" 403 432 "-" "Java/1.6.0_04"
89.123.31.75 - - [02/Mar/2012:19:49:25 -0800] "GET /subscribe HTTP/1.1" 403 435 "-" "Java/1.6.0_04"
89.123.31.75 - - [02/Mar/2012:19:49:26 -0800] "GET /tickets HTTP/1.1" 403 433 "-" "Java/1.6.0_04"
89.123.31.75 - - [02/Mar/2012:19:49:26 -0800] "GET /about/boosters HTTP/1.1" 403 440 "-" "Java/1.6.0_04"
89.123.31.75 - - [02/Mar/2012:19:49:26 -0800] "GET /" + gaJsHost + "google-analytics.com/" + gaJsHost + "google-analytics.com/ga.js HTTP/1.1" 403 432 "-" "Java/1.6.0_04"
89.123.31.75 - - [02/Mar/2012:19:49:27 -0800] "GET /https://www.google.com/calendar/embed?showCalendars=0&showTz=0&mode=AGENDA&height=400&wkst=1&bgcolor=%23fa9c07&src=mysite%40gmail.com&color=%235229A3&ctz=America%2FLos_Angeles HTTP/1.1" 403 463 "-" "Java/1.6.0_04"
89.123.31.75 - - [02/Mar/2012:19:49:27 -0800] "GET /" + gaJsHost + "google-analytics.com/https://www.google.com/calendar/embed?showCalendars=0&showTz=0&mode=AGENDA&height=400&wkst=1&bgcolor=%23fa9c07&src=mysite%40gmail.com&color=%235229A3&ctz=America%2FLos

So the 200 for the first gaJsHost command is because of pretty URLs, and once he fell into the blackhole I banned his IP in .htaccess, hence the 403 errors. (I edited out the name of the site and replaced it with "mysite".) Is there any risk of compromise?

What am I checking for in Google Analytics? The site uses a WP plugin.

-Bill


#5

I can only say that the tool he is using to crawl your site wasn’t able to parse the old Google Analytics code correctly. But given that and the user-agent string and lack of following robots.txt, I would ban him too. IP address appears to be Eastern European as well.

I just recently added GA to my site, the source is:

<script type="text/javascript">
  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-XXXXXXXX-X']);
  _gaq.push(['_setDomainName', 'example.com']);
  _gaq.push(['_trackPageview']);
  (function() {
    var ga = document.createElement('script');
    ga.type = 'text/javascript';
    ga.async = true;
    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
    var s = document.getElementsByTagName('script')[0];
    s.parentNode.insertBefore(ga, s);
  })();
</script>

The old code relied on the trick of using JavaScript to “document.write” the SCRIPT element as HTML source, which had to be escaped. The code above uses DOM methods to programmatically add a SCRIPT element.
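Added example (not from the thread or from Google): it reproduces, with a hypothetical regex-based crawler, how the legacy document.write loader yields exactly the bogus /" + gaJsHost + "google-analytics.com/ga.js path seen in post #4 while the DOM-based loader from post #5 yields nothing, and then flags such unparsed-JavaScript paths in constructed access-log lines. The GA snippets, the crawler regex, the log lines and the 203.0.113.7 address are all constructed for illustration.

```python
import re

# Constructed copy of the legacy Google Analytics loader: the <script src> is only
# assembled when the JavaScript runs, so the HTML source holds a string fragment, not a URL.
OLD_GA_SNIPPET = """\
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
"""

# The current loader (trimmed from post #5): src is assigned through the DOM, never written as HTML.
NEW_GA_SNIPPET = """\
<script type="text/javascript">
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
</script>
"""

# Hypothetical bot: grabs src=/href= values by matching the opening quote to its twin and
# resolves anything that is not an absolute URL against the site root.
ATTR_RE = re.compile(r"""(?:src|href)\s*=\s*(["'])(.*?)\1""", re.IGNORECASE)
ABS_URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

def naive_extract_paths(html, base="/"):
    """Request paths such a crawler would derive from the page source."""
    paths = []
    for _quote, ref in ATTR_RE.findall(html):
        paths.append(ref if ABS_URL_RE.match(ref) else base + ref.lstrip("/"))
    return paths

# Defender side: flag access-log requests whose path still contains JavaScript string
# concatenation (quote, plus, identifier, plus, quote), e.g. /" + gaJsHost + "google-...
UNPARSED_JS_RE = re.compile(r"""["']\s*\+\s*[A-Za-z_$][\w$]*\s*\+\s*["']""")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (.*?) HTTP/[\d.]+" (\d{3})')

def suspicious_requests(log_lines):
    """Return (client_ip, status, path) for each combined-log line whose path trips UNPARSED_JS_RE."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and UNPARSED_JS_RE.search(m.group(4)):
            hits.append((m.group(1), int(m.group(5)), m.group(4)))
    return hits

# Constructed log lines in the shape of post #4 (documentation-range IP, straight quotes).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Mar/2012:19:49:18 -0800] "GET /" + gaJsHost + "google-analytics.com/ga.js HTTP/1.1" 200 526 "-" "Java/1.6.0_04"',
    '203.0.113.7 - - [02/Mar/2012:19:49:23 -0800] "GET /calendar HTTP/1.1" 403 434 "-" "Java/1.6.0_04"',
]
```

Run naive_extract_paths over each snippet to see the difference, and suspicious_requests over your own access log to pick out clients that are feeding unparsed JavaScript back as request paths.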


#6

Thanks! That’s great!

-Bill


#7

Yeah, that bloke’s using a bot.

I’d do a quick scan on your source for doc.writes anyway and, if found, update the method.