

Debs

XSS/ BAD BEHAVIOR BLOCK


Blocks hacking attempts and automatically bans the hacker access to your website.

Recently it seems whenever I log into the osCommerce forums... I see a new post stating their website has been hacked.

 

There was nothing available that covered what I needed. I came up with this method, and it has proven very effective.

So... I packaged up what I use to stop XSS and other hack attempts.

It should work for most people.

 

No tough requirements.

You must have access to your .htaccess (the standard Apache/Linux web server)

It is a simple install. One new folder and one addition to your .htaccess file.

 

Most install problems will be if you have not read the install instructions. Some people may have file permission issues. Covered in the install file.

 

I hope I haven't made an error in the install... I proofed it a couple times before uploading. You should be set.

 

Hopefully this helps keep your business/website secure.

 

http://addons.oscommerce.com/info/7509

 

Kind regards,

Debs


Why is there already a "deny from 67.19.142.226" in the .htaccess?

 

My last hack attempt came from him a few days ago.

I think it was just a static IP from Texas. A "home hacker". He was up to no good. You can delete the IP.


lo debs,

Do you by any chance have a known method that you can post to block website downloaders, like Teleport Pro, etc.?

Thanks for this nice contrib.

Franc



########## start block
# Tag known site copiers / downloaders by User-Agent (case-insensitive) with the bad_bot variable.
# "^" anchors at the start of the header value, so the name must be the first thing in it.
SetEnvIfNoCase User-Agent "^Yandex" bad_bot
SetEnvIfNoCase User-Agent "^HTTrack" bad_bot
SetEnvIfNoCase User-Agent "^WebCopier" bad_bot
SetEnvIfNoCase User-Agent "^SiteCopy" bad_bot
SetEnvIfNoCase User-Agent "ia_archiver" bad_bot
SetEnvIfNoCase User-Agent "^LinkWalker" bad_bot
SetEnvIfNoCase User-Agent "^Teleport" bad_bot
SetEnvIfNoCase User-Agent "^psycheclone" bad_bot
SetEnvIfNoCase User-Agent "^Web Downloader" bad_bot
SetEnvIfNoCase User-Agent "^libwww-perl" bad_bot

# Refuse GET and POST from any request tagged bad_bot; everyone else is allowed.
<Limit GET POST>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</Limit>
########## end block

########## start block
# Caution: "deny from <hostname>" is matched against the client's reverse-DNS name
# (it needs HostnameLookups), not against the Referer, so this only stops requests
# that are actually sent from those hosts.
<Limit GET HEAD POST>
order allow,deny
deny from keywordspy.com
deny from keywordspypro.com
deny from spyfu.com
deny from spyfoo.com
deny from foospy.com
deny from fuspy.com
allow from all
</Limit>

# Return 403 when the Referer header names one of those sites. Every condition except
# the last needs [OR]; without it the chain splits into two groups that must both be true.
RewriteEngine On
RewriteCond %{HTTP_REFERER} keywordspy\.com [NC,OR]
RewriteCond %{HTTP_REFERER} keywordspypro\.com [NC,OR]
RewriteCond %{HTTP_REFERER} spyfu\.com [NC,OR]
RewriteCond %{HTTP_REFERER} foospy\.com [NC,OR]
RewriteCond %{HTTP_REFERER} fuspy\.com [NC,OR]
RewriteCond %{HTTP_REFERER} spyfoo\.com [NC]
RewriteRule .* - [F]
########## end block

 

 

You're welcome. This is what I use.



For blocking some of the website downloaders etc., you just need this below.

########## start block
# Tag the common site-copier user agents with bad_bot (case-insensitive match).
SetEnvIfNoCase User-Agent "^HTTrack" bad_bot
SetEnvIfNoCase User-Agent "^WebCopier" bad_bot
SetEnvIfNoCase User-Agent "^SiteCopy" bad_bot
SetEnvIfNoCase User-Agent "^LinkWalker" bad_bot
SetEnvIfNoCase User-Agent "^Teleport" bad_bot
SetEnvIfNoCase User-Agent "^psycheclone" bad_bot
SetEnvIfNoCase User-Agent "^Web Downloader" bad_bot

# Refuse GET and POST from anything tagged bad_bot.
<Limit GET POST>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</Limit>
########## end block


I seem to be having a few issues getting this to run on my site.

 

I keep getting the following errors.....

 

Warning: fopen(../.htaccess) [function.fopen]: failed to open stream: Permission denied in /home/*********/*********/bad_conduct/ban.php on line 18

 

Warning: fopen(data.html) [function.fopen]: failed to open stream: Permission denied in /home/*********/*********/bad_conduct/ban.php on line 29

 

Warning: fwrite(): supplied argument is not a valid stream resource in /home/*********/*********/bad_conduct/ban.php on line 30

 

Warning: fclose(): supplied argument is not a valid stream resource in /home/*********/*********/bad_conduct/ban.php on line 31

Forbidden!

 

What should my file permissions be set at? I've contacted my host and they say that they have fixed the file permissions/ownership for my site.

 

Thanks



The .htaccess file (AND the folder /bad_conduct) must both reside in the root. Not the store folder, the root of your site.

 

/bad_conduct/data.html

File permissions: 644

 

You could also try to rename data.html to a different extension such as .txt,

and then change line 29 of ban.php to reflect the change:

$fopen = fopen("data.txt", "a");

 

If that does not work... then remove the folder and the htaccess addition.

An easy uninstall. Recheck your install instructions, as that is your most likely issue.



/bad_conduct/data.html

File permissions: 644

Perhaps even try 744 for data.html if 644 did not work. I have never had to go above 644 though.


Thanks for the quick reply, Debs.

 

It looks like I've done everything as per the install instructions.

 

The .htaccess file and bad_conduct folder are in the root (public html) folder of my site.

.htaccess and data.html both set to 644

bad_conduct folder set to 755

 

Tried changing data.html to .txt but I still get the same errors. Will check again with my host.

 

I hope I can get this working as it looks to be a very useful contrib.

 

Thanks again.

 

Edit: tried setting data.html to 744... same errors.


My problem is definitely related to permissions, as I temporarily set all necessary files to 777 and the contrib worked as it should.

Just waiting on a further response from my host


Seems the lowest I can get this to work on my site is with permissions set to 646.

 

I think you should be OK with 646 on data.html. The data file that is written to is never revealed, and you can rename it anything you like (if changed, also change the location in the ban.php file to match the new name).

 

Direct access to the folder bad_conduct/ (although never revealed to anyone) is already protected. Anyone who tries to access it directly is banned/ blocked.

 

Your host certainly should already have your .htaccess protected from the world. If you are uncertain, it wouldn't hurt to deny access to it.

Place the code below in your domain's root .htaccess:

 

# STRONG HTACCESS PROTECTION
# Deny every client direct access to any file whose name contains ".hta" (.htaccess, .htpasswd, ...).
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>


Thanks debs.

My host has confirmed that no one can access the files, so it's all good now :)

Sounds great, good luck on your site!


You should already have error documents setup on your server...

 

Apache custom error 403 configuration

This custom error page can be configured with a single line in the .htaccess file for the relevant directory, as shown below.

If this instruction is given in the root level document directory, it applies to all subdirectories.

 

Here is an example:

In your .htaccess

 

ErrorDocument 401 /401.shtml
ErrorDocument 403 /403.shtml
ErrorDocument 404 /404.shtml

 

Or another example with a few more and a different extension:

 

ErrorDocument 400 /400.html
ErrorDocument 401 /401.html
ErrorDocument 403 /403.html
ErrorDocument 404 /404.html
ErrorDocument 500 /500.html

 

At minimum, you do need a 403 error document set up.


Hi Debs,

 

I have followed Spooks' forum post 'how to secure your site ... ...'

http://forums.oscommerce.com/index.php?showtopic=313323

 

In that post, he suggested to use 'ANTI Cross Site Scripting attacks'

http://addons.oscommerce.com/info/6044

 

 

Would you be able to combine both Contribution 6044 and yours together as one, or let me know if there is any need to replace pixclinic's 6044 with yours?

 

I am sure your contribution must be good as you have had it for a while. But I am having problems with my hosting company regarding REWRITE ENGINE on/off in conf.ini of the shared platform server. The reason I mention it here: I tried to use the Ultimate SEO URL contribution, and it modifies the .htaccess file to do rewriting, but I ended up having an argument with the hosting company over the phone, on Twitter and on their support forum lmao.

 

I have disabled the rewrite engine in .htaccess for now until I end my problem with the hosting company; however, those codes have piled up and I think I have lost track of what belongs to which contribution lol :ppp

 

I am very new to PHP and Linux, learning alone with site building and error hunting :( hard work I have to say. I especially don't want to mess with my .htaccess file, as it can throw my site out of the window if I delete or modify something that was meant to protect my site from being hacked. (My site was hacked over a week ago without all of Spooks' suggested patches, my fault tho.)

 

Any advice on your contribution is appreciated.

 

Regards,

Kai



Hello Kai, No need to replace what you have with mine. This mod does require rewrite engine on, plus knowing how to set a folder permission. If you already have a "finely tuned website" this contribution will allow more control over hack attempts. I wish you luck with your site. Kind regards,

Debs



Hi Debs

 

Thanks for your reply. Yes I use putty via SSH to change folder permissions and no problem with that.

 

I will leave your contribution aside for now but I will also keep an eye on it for future updates ;)

 

I think what I really need to do at the moment is get a result from my hosting company on whether they will turn on the rewrite engine, or I will have to move to another host.

 

Thanks for your time again.

 

Regards

Kai


Hello,

 

I ran the test.

 

It recorded my IP address, which was viewable with the data.html link

 

BUT, it didn't block me from the site. I could keep on browsing as usual. I saw my IP appended to the .htaccess file as well.

 

Any ideas, as to why I'm not blocked?

 

Thanks



Things to double check:

1. Is it installed in the root of your site, regardless of your store structure?

2. Did you add all of the htaccess rules?

 

########## BAD BEHAVIOR BLOCK rules to ban exploits
# mod_rewrite must be enabled for these rules to run (this contribution requires it).
RewriteEngine On
# Query-string signatures: mosConfig_ variable injection, base64_encode() payloads,
# <script>/<iframe> tags (raw or %-encoded, case-insensitive), GLOBALS/_REQUEST
# overwrites, and a remote URL in cPath. The conditions are chained with [OR];
# the last one has no flag, which closes the group.
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Any match hands the request to ban.php, which records the IP and appends a deny line.
RewriteRule ^(.*)$ bad_conduct/ban.php [L]
# TRACE and TRACK requests are refused outright with a 403.
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

# Requests for the installer and the admin file manager are treated as hostile.
RewriteRule setup\.php$ bad_conduct/ban.php [NC,L]
RewriteRule file_manager\.php$ bad_conduct/ban.php [NC,L]

# Keep the 403 page itself readable by everyone, so a banned visitor gets the
# custom error page instead of a second 403 while fetching it.
<Files 403.shtml>
order allow,deny
allow from all
</Files>

# ban.php appends one "deny from <ip>" line per banned address below this point.
# Remove the example line below; it is there only to show the structure, yet it is a real hacker's IP.
deny from 124.158.195.79

 

 

3. And did you leave an empty space/line at the end of your .htaccess? You must have an empty line before saving.

 

Double check.
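To see what the query-string rules above actually catch, here is an added tester (my own code, not part of the contribution) that runs the same patterns with Python's re, which agrees with Apache's PCRE for these expressions; the sample query strings are constructed, and 203.0.113.9 is a documentation address.

```python
import re

# The BAD BEHAVIOR BLOCK query-string patterns, exactly as written in the .htaccess.
# Apache tests the raw, still-percent-encoded query string, which is why the rules
# list both "<" and "%3C". Flags mirror the [NC] markers in the .htaccess.
QUERY_RULES = [
    (r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", 0),
    (r"base64_encode.*\(.*\)", 0),
    (r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE),   # [NC]
    (r"(\<|%3C).*iframe.*(\>|%3E)", re.IGNORECASE),   # [NC]
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", 0),
    (r"^(.*)cPath=http://(.*)$", re.IGNORECASE),       # [NC]
    (r"^(.*)/self/(.*)$", re.IGNORECASE),              # [NC]
    (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", 0),
]
COMPILED = [(pattern, re.compile(pattern, flags)) for pattern, flags in QUERY_RULES]


def matching_rules(query_string):
    """Patterns that would route this request to ban.php; an empty list means it passes."""
    return [pattern for pattern, rx in COMPILED if rx.search(query_string)]


# Constructed sample query strings (not taken from any real log).
SAMPLES = {
    "cPath=22&products_id=31": "normal osCommerce category page, passes",
    "search=%3Cscript%3Ealert(1)%3C%2Fscript%3E": "percent-encoded script tag, caught by the [NC] rule",
    "GLOBALS[x]=1": "register_globals overwrite attempt",
    "cPath=http://203.0.113.9/x.txt": "remote URL in cPath (203.0.113.9 is a documentation address)",
    "x=1&y=base64_encode(foo)": "base64_encode() call in a parameter",
    "keywords=%3Cb%3Emanuscript%3C%2Fb%3E": "false positive: 'script' inside 'manuscript' between tags",
}


def report():
    """Map each constructed sample to the rules it trips, for eyeballing the rule set."""
    return {qs: matching_rules(qs) for qs in SAMPLES}


if __name__ == "__main__":
    for qs, hits in report().items():
        print(f"{'BAN ' if hits else 'pass'}  {qs}  ({SAMPLES[qs]})")
```

The last sample shows why a site search containing HTML markup can end up banning a legitimate shopper: the script rule only requires the substring "script" somewhere between a "<" and a ">".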



Yes, did all those things. It's recording new addresses...this is what it appended:

 

deny from 64.15.159.171
deny from 64.15.159.171
deny from 64.15.159.171
deny from 64.15.159.171
deny from 64.15.159.171
deny from 64.15.159.171
deny from 64.15.159.171
deny from 64.15.159.171

 

But see how it did it over and over because it didn't block him on the first attempt? There must be something else in the file that's making the deny not work, but I'm a beginner so I have no idea what to look for.



You also should make sure you have your error pages on the server (they should be there by default).

 

As a last resort, try removing this last block of code:

 

<Files 403.shtml>
order allow,deny
allow from all
</Files>

 

Again leave a space at the end of your .htaccess file.



It still doesn't block me at all. Have no idea, google had no answers so far either. Seems like a neat contrib.


Hi,

 

I got it working. Seems too many orders in there...

 

When I commented out this stuff from the top of my htaccess file it started to work.

 

#<Limit GET POST>
#order deny,allow
#deny from all
#allow from all
#</Limit>
#<Limit PUT DELETE>
#order deny,allow
#deny from all
#</Limit>

 

I don't know what that does, but that ALLOW FROM ALL seems to mean business. Do you know if those lines serve any purpose and if it's okay to leave them out?
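Why commenting out that block fixed it: under Apache 2.2's "Order deny,allow", any request that matches an Allow directive is let in even if it also matches a Deny, so "allow from all" inside the <Limit GET POST> section cancels every "deny from <ip>" that ban.php appends for GET and POST. The following model of that evaluation is added code of mine, not the contribution's; it assumes hosts are "all" or literal IPv4 addresses and ignores directives other than Order, Allow, Deny and <Limit>.

```python
import re

# Minimal model of Apache 2.2 mod_authz_host access control (Order / Allow / Deny,
# scoped by <Limit>). Assumptions: hosts are "all" or one literal IPv4 address;
# other directives are ignored; HEAD is not folded into GET as Apache does.
METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")


def parse_access(htaccess):
    """Return (order_per_method, allow_entries, deny_entries).
    Entries are (host, scope); scope is None for directives outside any <Limit>."""
    order = {m: "deny,allow" for m in METHODS}   # Apache's default Order
    allows, denies, scope = [], [], None
    for raw in htaccess.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                               # commented out, as the poster did
        if m := re.match(r"<limit\s+([^>]+)>", line, re.I):
            scope = {x.upper() for x in m.group(1).split()}
        elif line.lower() == "</limit>":
            scope = None
        elif m := re.match(r"order\s+(\S+)", line, re.I):
            for meth in (scope or METHODS):        # last Order seen for a method wins
                order[meth] = m.group(1).lower()
        elif m := re.match(r"(allow|deny)\s+from\s+(\S+)", line, re.I):
            target = allows if m.group(1).lower() == "allow" else denies
            target.append((m.group(2).lower(), scope))
    return order, allows, denies


def _hit(entries, ip, method):
    return any(host in ("all", ip) and (scope is None or method in scope)
               for host, scope in entries)


def is_allowed(htaccess, ip, method="GET"):
    """Decide one request the way mod_authz_host does for the request's method."""
    order, allows, denies = parse_access(htaccess)
    allowed, denied = _hit(allows, ip, method), _hit(denies, ip, method)
    if order.get(method, "deny,allow") == "deny,allow":
        return allowed or not denied      # Allow beats Deny; unmatched requests pass
    return allowed and not denied         # allow,deny: Deny beats Allow; unmatched are refused


# Constructed fragments reproducing the thread: the poster's top block plus one
# line of the kind ban.php appends (the IP is the one quoted in the thread).
TOP_BLOCK = """<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
"""
BANNED_LINE = "deny from 64.15.159.171\n"


def demo():
    """With the top block the banned IP still gets in; without it the ban holds."""
    return {"with_top_block": is_allowed(TOP_BLOCK + BANNED_LINE, "64.15.159.171"),
            "without_top_block": is_allowed(BANNED_LINE, "64.15.159.171")}
```

If you want to keep an explicit policy at the top rather than rely on the default, "Order Allow,Deny" followed by "Allow from all" lets the appended deny lines win, since under that order a Deny match is final.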
