What is "Disallowed Key Characters"?

Trying to open this uri in the browser: htxp://www.ibibo.com/?php%2520echo%2520$base_url%3b%3f%253E
a page response from this scan: http://killmalware.com/ibibo.com/
Opening it up in the Chrome browser I get: “Disallowed Key Characters.”
What is this message revealing?

Do I get it because of a cookie session problem, or because of a wrong method used or protection code?
The query was: http://ibibo.com/?php echo $base_url;?> (PHP shell exploit) part of PHP:Shell-DW[Trj] Script injection attempt.

So I started to process it with the urlquery dot net scanner: http://urlquery.net/report.php?id=1405262451279
which scanner worked the uri response properly, so it is valid (and so an attacker tried it before) ;D

The domain belongs to the top 16 spammers :o

APEWS flags here:
Oooops 124.153.70.171 is currently listed in APEWS :frowning:
Entry matching your Query: E-639908
124.153.64.0/18
CASE: C-131
Unallocated CIDR, no traffic until allocated,
or allocated to bad reputation provider
or allocated but dynamic / generically named IPs,
or bogons, see www.cidr-report.org,
or orphaned IP / CIDR in routing table
History:
Entry created 2013-08-04

This code prevents malcoders from entering exploit key characters:


/**
* Clean Keys
*
* This is a helper function. To prevent malicious users
* from trying to exploit keys we make sure that keys are
* only named with alpha-numeric text and a few other items.
*
* @access   private
* @param    string
* @return   string
*/
function _clean_input_keys($str)
{
    // original pattern (removed):  preg_match("/^[a-z0-9:_\/-]+$/i", $str)
    // replacement: same check, with '#' added to the allowed characters
    if ( ! preg_match("/^[#a-z0-9:_\/-]+$/i", $str))
    {
        exit('Disallowed Key Characters.');
    }

    // Clean UTF-8 if supported
    if (UTF8_ENABLED === TRUE)
    {
        $str = $this->uni->clean_string($str);
    }

    return $str;
}

N.B. Thanks and credits for the above function _clean_input_keys() code go to Wesley Murch,
as he published this on StackOverflow.

polonus
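As an added illustration (not code from this thread, from Wesley Murch, or from the framework itself), the following Python re-implements the key check above and runs it over the query keys of the uri in the question. The message comes from the web application's input filter (the snippet is CodeIgniter's Input::_clean_input_keys()), which rejects any $_GET key containing characters outside its allow-list, so it is a framework protection, not a cookie or session problem. The example assumes each query key is percent-decoded exactly once, as PHP does when building $_GET.

```python
import re
from urllib.parse import urlsplit, unquote

# Same character class as the PHP snippet above ('#' included):
# a key may consist only of letters, digits, ':', '_', '/', '-' and '#'.
KEY_RE = re.compile(r"^[#a-z0-9:_/-]+$", re.IGNORECASE)


def clean_key(key: str) -> str:
    """Mirror of _clean_input_keys(): return the key unchanged, or raise
    with the same message the framework prints before exiting."""
    if not KEY_RE.match(key):
        raise ValueError("Disallowed Key Characters.")
    return key


def query_keys(uri: str) -> list[str]:
    """Split the query string the way PHP builds $_GET: '&'-separated
    pairs, the key is everything before the first '=', decoded once
    (assumption: a single percent-decoding pass, so '%2520' -> '%20')."""
    keys = []
    for pair in urlsplit(uri).query.split("&"):
        if pair:
            keys.append(unquote(pair.split("=", 1)[0]))
    return keys


def check_uri(uri: str) -> dict[str, bool]:
    """Map every query key of the uri to True (accepted) or False (the
    framework would exit with 'Disallowed Key Characters.')."""
    verdicts = {}
    for key in query_keys(uri):
        try:
            clean_key(key)
            verdicts[key] = True
        except ValueError:
            verdicts[key] = False
    return verdicts


if __name__ == "__main__":
    # The uri from the question (constructed copy, scheme restored):
    probe = "http://www.ibibo.com/?php%2520echo%2520$base_url%3b%3f%253E"
    print(check_uri(probe))   # the whole injected string is one key; rejected
    print(check_uri("http://www.ibibo.com/?q=hotels&page=2"))  # ordinary keys pass
```

The probe has no '=', so PHP treats the entire injected string as the key; after one decoding it still holds '%', '$', ';' and '?', any one of which fails the pattern, which is why every browser and scanner gets the same message regardless of cookies or settings.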

I'm getting this in sandboxed Chrome, Firefox and IE, with no changed settings.

Wireshark analysis: http://wikisend.com/download/933112/ibibo.pcapng

One HTTP 404 Error and one TCP Retransmission.

Hi Steven Winderlich,

Even in websniffer I get that message, but a tool like Intellitamper will allow mapping all of the domain when I launch that uri in it.
So from that uri in the Killmalware results we could conclude this could have been part of an earlier attack to work a PHP shell code injection.
Read: http://www.webroot.com/blog/2011/02/22/malicious-php-scripts-on-the-rise/ (article author: Andrew Brandt).
Dom XSS Scanner could not have been worked there, because it also comes up with the "Disallowed Key Characters" message.
Assume they used wget.

Asafaweb Scan finally works, see: https://asafaweb.com/Scan?Url=www.ibibo.com%2F%3Fphp%252520echo%252520%24base_url%253b%253f%25253E
Although it is no ASP site, we detect excessive header info: Server: Ibibo-WS & X-Powered-By: PHP/5.3.3,
and the site is vulnerable to Clickjacking, with a warning for that also.

Site has an iFrame check issue: Suspicious

htxp://www.ibibo.com/pages/hotelsearch’
And again we get: An Error Was Encountered: The URI you submitted has disallowed characters.

But going to htxp://www.ibibo.com/pages/hotelsearch creates no problems, → http://urlquery.net/report.php?id=1405269174833
so the ’ at the end is creating that alert; it is disallowed.

Here we see part of a similar php request being performed: http://urlquery.net/report.php?id=1398430504560
which has led to no compromise apparently.

polonus

P.S. All external links should also be checked:
htxp://www.redbus.in → ‘buses’
htxps://itunes.apple.com/in/app/goibibo-flight-bus-hotel-boo → ‘’
htxp://www.redbus.in/mobile.aspx → ‘’
htxps://itunes.apple.com/app/id733712604?mt=8&&referrer=clic → ‘’
htxp://www.windowsphone.com/en-in/store/app/redbus-in/b38038 → ‘’
htxp://www.redbus.in/ → ‘’
htxp://www.tradus.com → ’ ’
htxp://www.tradus.com/ → ‘’
htxp://www.gaadi.com → ’ ’
htxp://www.gaadi.com/ → ‘’
htxp://www.ibiboads.com → ‘’
httx://www.ibiboads.com/ → ‘’
htxp://techcircle.vccircle.com/2014/06/11/ibibogroup-appoint → ’ ibibogroup appoints prakash s’

D