Secret Messages Could Be Hiding In Your Server Logs

[Ryan Flowers] writes in with a clever little hack that can allow you to hide data where nobody is going to go looking for it. By exploiting the fact that a web server will generally log every HTTP request it receives, whether or not the requested resource exists, he shows how you can covertly deliver a message by asking the server for a series of carefully crafted, nonexistent URLs.

We aren’t talking about requesting “yousuck.txt” from the server that hosts your least favorite website, either. As [Ryan] demonstrates, you can compress a text file, encode it with uuencode, and then send it line by line to the destination server with curl, each line of the encoded file becoming the path of one GET request. He shows how the process, which he calls “CurlyTP”, can be done manually on the command line, but it would be a simple matter of wrapping it up in a Bash script.

To get the message back, you just do the opposite. Use grep to find the lines in the log file that contain the encoded data, strip off the log formatting, and then put them through uudecode (and the decompressor) to get the original text back. Finding the appropriate lines in the log file is made easier by prepending a prearranged keyword to the beginning of each URL request. The keyword can be changed for each message so that separate drops are easy to keep apart.
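The sending and receiving steps described above, as an added example that is not part of the original post or [Ryan]’s own CurlyTP commands. Assumed details that the article does not specify: base64 (with a private swap of the `+/` characters for `_-`) stands in for uuencode, every request path carries a sequence number after the keyword so fragments can be reordered, and the access-log lines are constructed in Apache/nginx combined format rather than captured from a real server.

```shell
#!/bin/sh
# CurlyTP-style dead drop, added as an illustration of the article's method;
# not [Ryan]'s script. Assumptions not taken from the article: base64 with a
# private '+/' -> '_-' swap instead of uuencode, a sequence number in each
# request path, and constructed (not captured) access-log lines.

# Sender side: gzip the file, base64 it, chop into 60-char lines and turn
# each line into a request path of the form /<keyword>/<seq>-<payload>.
curlytp_encode() {  # usage: curlytp_encode KEYWORD < file
  gzip -c -n | base64 | tr -d '\n' | tr '+/' '_-' | fold -w 60 |
    awk -v k="$1" '{ printf "/%s/%04d-%s\n", k, NR, $0 }'
}

# Fire one GET per path. The server answers 404, but its access log still
# records the path, which is all that matters. Needs a network, so the
# round-trip check below uses fake_access_log instead of calling this.
curlytp_send() {  # usage: curlytp_send https://example.com KEYWORD < file
  curlytp_encode "$2" | while IFS= read -r path; do
    curl -s -o /dev/null "$1$path"
  done
}

# Constructed stand-in for the server: the combined-format lines an Apache or
# nginx access log would contain after the requests, with ordinary traffic
# around them so the receiver has something to filter out.
fake_access_log() {  # usage: fake_access_log KEYWORD < file
  echo '203.0.113.7 - - [01/Jan/2024:00:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
  curlytp_encode "$1" | while IFS= read -r path; do
    printf '198.51.100.9 - - [01/Jan/2024:00:00:01 +0000] "GET %s HTTP/1.1" 404 196 "-" "curl/8.0.1"\n' "$path"
  done
  echo '203.0.113.7 - - [01/Jan/2024:00:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"'
}

# Receiver side: grep the log for the keyword, put the fragments back in
# sequence order (requests may be logged out of order), strip the prefixes
# and reverse the encoding.
curlytp_recv() {  # usage: curlytp_recv KEYWORD < access.log
  grep -o "\"GET /$1/[0-9]*-[A-Za-z0-9_=-]* " |
    sed "s|^\"GET /$1/||; s| $||" |
    sort -t- -k1,1n | cut -d- -f2- |
    tr -d '\n' | tr '_-' '+/' | base64 -d | gzip -dc
}
```

Nothing in this pipeline encrypts anything: the access log, and any proxy or WAF on the path that records full URLs, holds the message in the clear, so run the file through gpg before `curlytp_send` if confidentiality matters. The sequence number is there because a retried or reordered request would otherwise corrupt the decompressed output.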

If you’re still wondering why anyone would go through the trouble to do this, [Ryan] provides an excellent example: a covert “dead drop” where people could leave messages they’d rather not send through the usual channels. As long as the sender used a service to mask their true IP address, they could anonymously deliver messages onto the server without having to use any special software or protocol they might not have access to. Most firewalls and filtering proxies don’t inspect URL paths for encoded payloads, though anything in the path that logs full URLs (a corporate proxy, a WAF) records exactly what the destination server does, and uuencode is an encoding, not encryption, so a message that needs to stay private should be encrypted before it is encoded.

We’ve seen web-based dead drops done with Python in the past, and even purpose built “PirateBoxes” that allow people to covertly exchange files, but we like how this method doesn’t require any special configuration on the server side. You should check your server logs, somebody might be trying to tell you something.

Dead Drop Concept Inspired By [Ender Wiggin] Family


[Tyler Spilker’s] DDD project is a Digital Dead Drop system based on Python and a Raspberry Pi as a server. It’s pretty rough around the edges at this point — which he freely admits. But we like the concept and figure it might spark an interesting conversation in the comments section.

Now by far our favorite dead drop concept is this USB drive lewdly sticking out of a brick wall. But you actually need to be on-site where this drive is mortared into the wall in order to access it. [Tyler] instead developed a webpage that gives him a text box to enter his messages. These are encrypted using key pairs and pushed to his remote RPi server. This way he can write down his thoughts knowing they’re stored securely and never in danger of being accessed from a lost or stolen cellphone.

If free thought isn’t what you’re trying to transfer from one place to another you probably want something like a Pirate Box.

A Pirate Box For Sharing Files

This is [illwill]’s Pirate Box, the newest addition to the network over at NESIT, the Meriden, CT hackerspace.

A pirate box is an anonymous wireless file server, kind of like a wireless version of a dead drop. It’s the perfect device for transferring files at a LAN party or hackerspace. The guts of [illwill]’s portable server come from an old Fonera router NESIT had lying around. After installing OpenWRT, connecting a few batteries, and finding a wonderful lunch box / treasure chest enclosure on eBay, [illwill] had a portable file server perfect for sharing files.

The pirate box isn’t connected to the Internet. Instead, users can connect to each other and the 16GB USB drive by simply connecting to the router’s WiFi and opening up a browser. All web page requests are redirected to the Pirate Box page, where users can chat and share files. The folks at NESIT uploaded a few public domain files to their pirate box, but they’re eager to see what files other users will upload.