skip to Main Content

I am logging my website visitor’s IP addresses along with some other information ($content) with php, so that I could count the number of visitors.

I am using the following code:

<?php
public static function logContent(array $content = null){
        try {

            $myFile = fopen("visitors.txt", "a");

            $txt = "IP: ";

            if (isset($_SERVER['HTTP_CLIENT_IP']))
                $ipAddress = $_SERVER['HTTP_CLIENT_IP'];
            else if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
                $ipAddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
            else if (isset($_SERVER['HTTP_X_FORWARDED']))
                $ipAddress = $_SERVER['HTTP_X_FORWARDED'];
            else if (isset($_SERVER['HTTP_FORWARDED_FOR']))
                $ipAddress = $_SERVER['HTTP_FORWARDED_FOR'];
            else if (isset($_SERVER['HTTP_FORWARDED']))
                $ipAddress = $_SERVER['HTTP_FORWARDED'];
            else if (isset($_SERVER['REMOTE_ADDR']))
                $ipAddress = $_SERVER['REMOTE_ADDR'];
            else
                $ipAddress = 'UNKNOWN';

            $txt .= $ipAddress;
            $txt .= " Time: " . date("Y-m-d h:i:s", time());
            $txt .= "n";

            if (!empty($content) && is_array($content)) {
                foreach ($content as $k => $v) {
                    $txt .= "$k : ";
                    $txt .= $v;
                    $txt .= "n";
                }
                $txt .= "n";
            }

            fwrite($myFile, $txt);
            fclose($myFile);
        } catch (Exception $e) {

        }
    }
?>

This code works fine. Normally, I have entries such as below:

IP: 36.80.227.XX Time: 2020-06-19 08:23:52

IP: 191.252.61.XX Time: 2020-06-19 11:25:02

IP: 191.252.61.XX Time: 2020-06-19 11:25:02

But, I recently got the following entry in my log.

IP:
}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:56:"die(md5(DIRECTORY_SEPARATOR));JFactory::getConfig();exit";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"connection";b:1;}����
Time: 2020-06-19 11:27:37

Is this some kind of malicious injection attack similar to MySQL injection used against Java?

Do I need to look out for anything fishy and patch up my Apache server to improve security?

2

Answers


  1. As far I know, HTTP_X_FORWARDED_FOR headers are sendt by the client/proxy (wiki), you don’t make any controls on the content of $_SERVER[‘HTTP_X_FORWARDED_FOR’].

    So yes someone has tried the SQL injection but in this case, it is not sensitive (just output into text file).
    You have to check the content of $ipAddress before output into file (with a regular expression for example or with this).

    Edit: You can reproduce this behaviour with:

      curl -H 'X-Forwarded-For: 1.1.1.1' https://www.example.com/mypage
      curl -H 'X-Forwarded-For: <SOME RANDOM INPUT>' https://www.example.com/mypage
    

    Hope this help

    Login or Signup to reply.
  2. This smells like a possible injection attack. You may want to refer to this for some closer look. Although this talks about a joomla setup and pertains to year 2015, the signature is worth talking a look at.

    I would possibility recommend going through the logs for any suspicious activity.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search