Category: "Security"

md5 just-a-test list

The following URLs may have the md5('just_a_test_code'):

To check if the file is on the server, click on the link. If something similar to:

<?php echo md5("just_a_test"); ?>

is displayed, the file is still there, and the entire server (all accounts) should be checked.

If you own any of these domain names or servers, you should address the issue.

If a 404 (page not found) error is received, the file has been removed.
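The same check, run from the server side, as an added example (not code from this blog): it applies the rule above to an HTTP response and sweeps a webroot for files holding the probe source. The directory layout, file names and size limit are constructed for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# The probe body shown above, tolerant of spacing and quote style.
MARKER_SRC = re.compile(rb"""echo\s+md5\(\s*["']just_a_test["']\s*\)""", re.I)
# What the page shows instead when a PHP interpreter executes the file.
MARKER_DIGEST = hashlib.md5(b"just_a_test").hexdigest().encode()
MAX_BYTES = 64 * 1024  # assumed limit: probe files are tiny, skip large media


def classify_response(status, body):
    """Apply the post's rule to one HTTP response (status code, raw body)."""
    if status == 404:
        return "removed"
    if MARKER_SRC.search(body) or MARKER_DIGEST in body:
        return "present"
    return "inconclusive"


def scan_tree(root):
    """Return sorted relative paths under root that contain the probe source."""
    hits = []
    for path in Path(root).rglob("*"):
        try:
            if path.is_symlink() or not path.is_file() or path.stat().st_size > MAX_BYTES:
                continue
            if MARKER_SRC.search(path.read_bytes()):
                hits.append(path.relative_to(root).as_posix())
        except OSError:
            continue  # unreadable entry: skip it rather than abort the sweep
    return sorted(hits)


def demo():
    """Scan a constructed two-account webroot holding one planted probe."""
    files = {"acct1/img/abc/index.php": b'<?php echo md5("just_a_test");?>',
             "acct2/index.php": b"<?php echo 'hello'; ?>"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

A hit only locates this one file; the rest of the server still needs to be checked, as noted above.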

This blog has additional posts related to the issue; you may use the search feature to find them.

Information derived from server statistics, non-authoritative.

Web n.0

I think the near future of the web will focus more heavily on the technology than the functionality of sites.

Two areas will be extremely important: performance (meaning AJAX) and security.

just_a_test - Server sources

The following URLs are distributing:

<?php echo md5("just_a_test");?>

Some people use this code to explore web application vulnerabilities.

If you see these in your stats, you should check your server for anything out of the ordinary. It is possible these URLs are being used to scan your applications for vulnerabilities.

If you own one of these domains, you should check your server for anything out of the ordinary. You need to check the entire server, not just the posted link. It is possible your server is being used for unknown activities. Every PHP application should be checked.
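One way to look for these URLs in your stats, as an added example (not code from this blog): it reads Apache combined-format access log lines and reports requests where a query parameter value is itself an absolute URL. The sample log lines, addresses, domains and the allowlist entry are constructed or assumed for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache combined log format: client, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.I)
# Assumed allowlist: (path, parameter) pairs that legitimately carry a URL.
ALLOWED = frozenset({("/out.php", "url")})

# Constructed sample lines (documentation addresses and example domains).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Apr/2008:10:00:01 +0000] "GET /index.php?page=news HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Apr/2008:10:00:05 +0000] "GET /index.php?page=http://files.example.net/img/abc/def/ HTTP/1.1" 200 431 "-" "libwww-perl/5.805"
198.51.100.7 - - [01/Apr/2008:10:00:06 +0000] "GET /gallery/view.php?inc=http%3A%2F%2Ffiles.example.net%2Fimg%2Fabc%2Fdef%2F%3F HTTP/1.1" 404 210 "-" "libwww-perl/5.805"
203.0.113.4 - - [01/Apr/2008:10:02:00 +0000] "GET /out.php?url=https://www.example.org/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def find_url_params(lines, allowed=ALLOWED):
    """Return one record per query parameter whose decoded value is a URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        client, _method, target, status = m.groups()
        parts = urlsplit(target)
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            value = value.strip()  # parse_qsl has already percent-decoded it
            if (parts.path, key) in allowed or not REMOTE_URL.match(value):
                continue
            hits.append({"client": client, "path": parts.path, "param": key,
                         "remote": urlsplit(value).netloc, "status": int(status)})
    return hits


def by_remote_host(hits):
    """Count flagged requests per remote host named in the parameter."""
    return Counter(h["remote"] for h in hits)


if __name__ == "__main__":
    found = find_url_params(SAMPLE_LOG.splitlines())
    for hit in found:
        print(hit)
    print(by_remote_host(found))
```

A flagged request that returned 200 is the one to follow up first, by checking the application at that path.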

If you are seeking professional assistance in securing your site and/or server, I recommend Breach Security.

The presence of a ‘just_a_test’ file on a server is not a reflection of the company that owns the site. It is not a known threat to PCs. That said, all PCs connected to the Internet should have adequate virus/worm/malware protection, updated as recommended.

Additional information on this site (there are many excellent resources on the web as well):

http://web-notes.wirehopper.com/2008/03/01/cleaning-after-a-hack
http://web-notes.com/2008/03/27/md5-just_a_test

* Please note this list is not comprehensive, and the ‘just_a_test’ landscape is constantly changing. URLs listed may not be valid (meaning the file(s) was/were deleted). ‘just_a_test’ is only one of many creative web ventures.

mod_security

With the plethora of powerful open source applications available, the great premium on rapid development and deployment of sites, and the ever-present threat of malicious server attacks, security is extremely important.

mod_security is an open source web application firewall module for Apache that provides outstanding protection at the server, filtering requests before they ever reach the applications.

In addition to its power, it is easy to use. I installed it on XAMPP, configured it very lightly, and ran the two quick tests to ensure it was set up correctly. http://localhost/cmd.exe was blocked, as was an SQL injection attempt on the application.

mod_security operates with rules that allow you to customize it to run well with your server. There is a robust set of core rules. It has great logging capabilities.

To download it, you will need to register. It’s worth it, especially if you are running your own servers, with many applications, from many sources.

Common web page requirements

This is a list of implied requirements recommended for all web pages.

  • Page should render properly in all supported browsers. Identical is not required, but equivalent is.
  • Client-side code (JavaScript) must execute properly in all supported browsers.
  • Site visitor must be alerted if they attempt to navigate away from the page without saving their changes, or if the session timed out and their changes have already been lost.
  • If AJAX is used, authentication and access control must be applied to all requests. Client must handle server responses to these conditions gracefully.
  • Client must validate the data fully before submitting it to the server. Client should alert user during entry if data is invalid. Think Dojo.
  • Server must perform appropriate escaping on all incoming data to avoid SQL injection and command-line attacks. Server should validate data with the same criteria as the client to limit the possibility of modified form data.
  • User passwords should never be sent to the browser. Password recovery should be performed by generating a new password and emailing it to the account holder. User email addresses must be unique to support this.
  • Options which are unavailable should be displayed differently than those that are available; ideally they should not be displayed at all. Inputs which cannot be modified should be displayed in such a way that the user understands the information cannot be changed.
  • Layout should be managed primarily with CSS.
  • Colors should be specified in a separate CSS file to allow the color scheme to change quickly.
  • The majority of the layout should use divs, with tables used where appropriate.
  • Only those files required to display the page should be delivered with it. Pages with complex CSS requirements should be supported with dedicated CSS files which are only loaded with that page. The same is true for JavaScript. Those files should be cached at the client.
  • Care must be taken to ensure configuration data, particularly access information such as database name, username, and password cannot be displayed through a browser or visible to unauthorized users.
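The server-side validation and SQL injection items above, as an added example (not code from this blog): the server re-checks each field against one rule table meant to mirror the client's criteria, then writes with bound parameters rather than hand-escaping. The field names, patterns and table layout are assumptions.

```python
import re
import sqlite3

# One rule table, meant to mirror what the client-side form enforces
# (field names and patterns are assumptions for this example).
RULES = {
    "email": re.compile(r"[^@\s]{1,64}@[A-Za-z0-9.-]{1,255}\.[A-Za-z]{2,}"),
    "display_name": re.compile(r"[^\x00-\x1f]{1,60}"),
}


def validate(form):
    """Return the names of fields that are missing or fail their rule."""
    return sorted(k for k, rx in RULES.items()
                  if not isinstance(form.get(k), str) or not rx.fullmatch(form[k]))


def make_db():
    db = sqlite3.connect(":memory:")
    # UNIQUE email supports the password-recovery requirement in the list.
    db.execute("CREATE TABLE users (email TEXT UNIQUE NOT NULL, display_name TEXT NOT NULL)")
    return db


def create_user(db, form):
    """Validate server-side, then insert with bound parameters only."""
    errors = validate(form)
    if errors:
        return {"ok": False, "errors": errors}
    try:
        with db:  # commits on success, rolls back on error
            db.execute("INSERT INTO users (email, display_name) VALUES (?, ?)",
                       (form["email"], form["display_name"]))
    except sqlite3.IntegrityError:
        return {"ok": False, "errors": ["email"]}  # duplicate address
    return {"ok": True, "errors": []}


if __name__ == "__main__":
    conn = make_db()
    # Free text with SQL metacharacters is stored as data, not executed.
    print(create_user(conn, {"email": "a@example.com",
                             "display_name": "O'Brien; DROP TABLE users;--"}))
    # A modified form that bypassed the client checks is rejected here.
    print(create_user(conn, {"email": "x' OR '1'='1", "display_name": "x"}))
```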