25 comments

[ 6.3 ms ] story [ 55.8 ms ] thread
This does not really scan ports, it just looks for a web server on a bunch of IP addresses. In doing so, it only checks port 80.
That's why they call it a portscanner, not a portsscanner ;)
> Presenting LULZIERhunter.php, taking what Jester wrote in 60 lines and turning it into 3 lines:

Epic failure, implicating LOC is a measurement for code quality. Hint: it's not.

3 lines is usually better than 60 lines. See Python.
Right, but that's generally in reference to more LoC > less LoC.

It's usually agreed that accomplishing the same thing in less lines of code is, of course, better. (As long as you've maintained readability, etc)

I wonder how many times a day Pastebin gets Fed requests for their access logs
What's with the weird for loop?

Why not just:

    for ($c = ip2long($argv[1]); $c <= ip2long($argv[2]); $c++)
            if (strpos(@file_get_contents('http://'.long2ip(ip2long($argv[1])+$c), false, stream_context_create(array('http’ => array('timeout’ => $argv[3])))), $argv[4]) !== false)
                    die('H4xed :D — '.long2ip($c));
I think you meant

           if (strpos(@file_get_contents('http://'.long2ip($c), false, stream_context_create(array('http’ => array('timeout’ => $argv[3])))), $argv[4]) !== false)
Well spotted.

I forgot to replace it on line 2, only did it on line 3.

Your code has a bug on line 2.

@file_get_contents('http://.long2ip(ip2long($argv[1])+$c)

Since $c is the IP address itself, adding the starting IP again will check a completely different IP.

Besides that, you have a point. I feel like the code would be so much cleaner if they just added a 4th line to declare ip2long($argv[1]) as a variable.

Doesn't this:

>> also, in our nginx configuration, we deny all HTTP connections to unknown vhosts.

mean that forming the URL as 'http://.long2ip(ip2long($argv[1])+$c) will not work?

Yes, but I believe their intent was to rewrite the other script as it functioned, not for it to be any more effective.
I suppose. I wonder what would be a better way to find their web server. Maybe looking for IPs that run a web server using nginx, but don't respond to the host specified in their rDNS record. Then again, that would lead to way too many hosts.
I doubt they'll set up a PTR record. What they'd do if they're smart is firewall their box so it only accepts port 80 requests from Cloudflare's systems. Anything else can be discarded, e.g.:

  iptables -A INPUT DROP
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p tcp --dport 80 -s w.x.y.z/xx -j ACCEPT
Probably. There are a lot of hosting/VPS companies out there that have instant provisioning and don't ask too many questions. I imagine it would be pretty hard to find them this way unless they do something stupid.
Meh. Neither are particularly inspiring. Yeah, thejester's is pedantically long and uses way too many variables, while lulzsec seems to have an aversion to variables, running ip2long($argv[1]) up to three times per loop.

Also, the "lulzier" version does not separately handle the case where a webserver is found but does not return a response containing the needle. It's true that thejester's script is not particularly efficient in wasting a socket connect to do this separate check, but for a one-off task, who cares.

Creative and adept use of php is always a fun read.
Thank you, all the best from the superior coders at Lulz Security.

Why the ____ do the normally mindful folks at HN vote this kind of thing up?

I am just as confused as you. Any coder here should be able to whip up an equivalent script in their language of choice in a few minutes.

Obviously, the popularity of lulzsec is the main factor here.

lulzier hunter - by bottle_of_rum

So, who's bottle_of_rum, then?

(comment deleted)