51 months ago
Another day, another person thinking that they broke into our site because of our 404 page "FileNotFoundShell". I threw it together a while back for fun and to break the tedium of some other dev work I was doing at the time.
However, sometimes I wonder if it's been more trouble than anything. When I pushed it live, we probably got a dozen or so emails over the next month of people letting us know we had a serious security vulnerability on the site - that they suddenly had shell access. Never mind that it's just a simulated shell with nothing that actually hooks up to a real shell. I'm not a security expert, but I've dabbled in it enough over the years, participated in CTF-like challenges, etc. But I know better than to try and expose a real shell, even with keyword filtering and whatnot. There's always loopholes you won't anticipate. So that's why our "shell" doesn't really do a whole lot.
There are some silly things that happen when you try to sudo. Or typically popular, rm -rf /. I'm working on making those commands do something a bit more realistic, but that means actually running those commands on a system and watching the real carnage. I used to run Linux as my desktop OS starting back in 1996. I used Slackware, and there were no package managers at all - if you wanted something you had to manage the dependencies yourself and download and compile everything. Once when upgrading from libc5 to glibc I knocked out my dhcp client and had to walk over to the computer lab with 3.5" floppies to download the source for dhclient (or whatever the equivalent was then) so I could compile it again for glibc. Floppies. Those days sucked. (Says me who never dealt with punchcards.) Anyhow, I remember one day I had a total brainfart and accidentally deleted ld.so. That was a bad day.
Anyhow, back to the command shell in our 404 page. Right now it doesn't do a whole lot. I hope to flesh it out more over time and make it look more like a real shell. Eventually I think I might use it as a recruiting tool and actually embed some sort of skill-interview type things in it.
We do log what people type into the shell, because I'm always curious to see what people try to do with it. Ironically, some people like to use it as a venting mechanism (profanity filtered):
[Sun Nov 08 11:53:43 2015] [error] DEBUG CMDBOX(sdfsdfffffffffffffffffffffffffffffff) [Sun Nov 08 15:51:27 2015] [error] DEBUG CMDBOX(well s***) [Sun Nov 08 16:28:42 2015] [error] DEBUG CMDBOX(tell me about your problems) [Sun Nov 08 18:03:30 2015] [error] DEBUG CMDBOX(s*** my d***)
This one made me chuckle. They definitely got the xkcd reference:
[Sun Nov 08 04:18:26 2015] [error] DEBUG CMDBOX(sudo buy me a pc)
Or this one:
[Sun Nov 08 03:04:50 2015] [error] DEBUG CMDBOX(hacked sql injection)
LOL not quite. Your SQL injection attempt resulted in a bogus URL that sent you to our 404 shell. Cheers!