Malicious Link

    Like most people, when I receive an email with a link, I do a quick check to see if the url is legit.  I'll carefully read it, then I will mouse over it to make sure that the text and the url match.  I've seen that trick a few times and I've also seen a trick where there was what appeared to be an attached Word document but instead it was an image for a URL.  That was definitely clever.  I haven't seen that one too many times but I can see a user repeatedly clicking on it -- wondering why Word wasn't opening.

    But let's say we get a link to an image.  I probably get at least one of these per day where a friend sends me to some meme or something of interest.  http:// blah blah blah / funnymeme.gif

    We read it carefully and we mouse over it -- it looks legit.  The problem is that we're trusting the server side.  Here's where this can go wrong:





    Before I get into this .htaccess file, first let me say that if you want to recreate this -- you'll need to make sure rewrite is enabled on your web server:

    sudo a2enmod rewrite

    Ok, so what are we looking at?  On the web server, when it receives a request for any file named .png, .jpg, or .gif, it will redirect that request to:  malicious.php

    In malicious.php, we have the following:




    I'm grabbing the IP address and the User Agent from our visitor, I'm printing that information on the screen, I'm writing that information into our log file, and I'm creating a popup alert that states:  "Clicking links is bad!"

    We look in the log:





    When visiting the site:






    I think this pretty much speaks for itself, I have nothing further to add.


    © 2020 sevenlayers.com