(This is an authentic email we received at Haxx the other day. Names, emails and URLs are replaced in this excerpt to save the innocent)
Date: Thu, 29 Nov 2012 14:59:25
Subject: hakinghello, can you tell me how to hack into web site:
[FIRST URL]
so it is showing:[OTHER URL]
when you click on a link in google results?for example if you click on a google result:
[URL to a google.rs search for something on the FIRST URL site]the point is i would like to protect my web site form that kind of attack so please let me know how to do that
how did i found you? there is your address at [FIRST URL]/coockies.txt so i think you did it, but was polite enough to leave address.. please help me.
Of course I was curious enough to check the “coockies.txt” file, and the beginning of that file looked like this:
# Netscape HTTP Cookie File # http://curlm.haxx.se/rfc/cookie_spec.html # This file was generated by libcurl! Edit at your own risk. [FIRST URL] FALSE / FALSE 0 PHPSESSID dfn1a5ll0hs8odpfh3p2qtlcj3
This tells us a few trivial things, all of which might not be obvious to the untrained eye:
- The file was generated by libcurl that was 7.16.0 or later, but no later than 7.18.3 as we only used the URL in that file between those releases.
- The spelling of that cookie file is so hilarious we can guess it wasn’t a native English speaker who named it. The subject of the email is similarly bad so perhaps it was a fellow countryman of Serbia? (the TLD of the google URL was .rs after all)
- The person doing this didn’t even try to clean up the remaining junk file(s) afterwards
- The guy sending me the email is completely in the blue of what has happened or even who he’s contacting or my relation to this all.
- The world can be a harsh and cruel place and it isn’t easy to know your way around all of it…