Jump to content

Archived

This topic is now archived and is closed to further replies.

Debs

XSS/ BAD BEHAVIOR BLOCK

Recommended Posts

Hi,

 

I got it working. Seems too many orders in there...

 

When I commented out this stuff from the top of my htaccess file it started to work.

 

#<Limit GET POST>

#order deny,allow

#deny from all

#allow from all

#</Limit>

#<Limit PUT DELETE>

#order deny,allow

#deny from all

#</Limit>

 

I don't know what that does, but that ALLOW FROM ALL seems to mean business. You know if those lines there serve any purpose and if it's okay to leave them out?

 

I apologize for the quick reply I must make, I only have a minute. The rules you blocked... It depends on what they went with.

 

This below should be placed at the bottom (below the other rules in the mod). Here is the required syntax. If you do not observe it, it may result in server errors. The ones you blocked were part of another set of rules. They may or may not be needed. I am not sure what they are for. It appears they were conflicting. You can do a Google search and see what they mean when placed with what was above them etc.

 

#These rules you need:

<Files 403.shtml>

order allow,deny

allow from all

</Files>

Share this post


Link to post
Share on other sites

I apologize for the quick reply I must make, I only have a minute. The rules you blocked... It depends on what they went with.

 

This below should be placed at the bottom (below the other rules in the mod). Here is the required syntax. If you do not observe it, it may result in server errors. The ones you blocked were part of another set of rules. They may or may not be needed. I am not sure what they are for. It appears they were conflicting. You can do a Google search and see what they mean when placed with what was above them etc.

 

#These rules you need:

<Files 403.shtml>

order allow,deny

allow from all

</Files>

 

Seems to be working. Blocking about 10 Ips a day. Mostly spam bots looking for a guestbook from a cms I had installed. I deleted everything off my server but my store now though, so no more holes in other forums or cms or whatever. Found a couple weird things in my temp directly, someone stringing statements togther blahblah.php.blah.php that sort of thing but using real osc file names. Be nice to be able to stop all that sort of nonsense dead with this IP block.

Share this post


Link to post
Share on other sites

Seems to be working. Blocking about 10 Ips a day. Mostly spam bots looking for a guestbook from a cms I had installed. I deleted everything off my server but my store now though, so no more holes in other forums or cms or whatever. Found a couple weird things in my temp directly, someone stringing statements togther blahblah.php.blah.php that sort of thing but using real osc file names. Be nice to be able to stop all that sort of nonsense dead with this IP block.

 

Well I'm glad it's working for you. After the first week your blocks should trickle down to only 1-2 a week as the repeat offenders are blocked.

 

your temp... you can read what the hackers are trying to accomplish and append the code to stop them. For instance; ban "cms" RewriteRule cms\.php$ bad_conduct/ban.php [NC,L]

 

Now you may not wish to do the above (example block) if you have old trafic pointing to your old guestbook cms stuff. That should be properly forwarded so you do not lose your incoming traffic. If they are trying to get into the admin of your cms/guestbook... that you may want to block.

 

You do not need the folder or file on your site to ban a hacker who attempts to access it. Just be sure to test if you do this so you do not loosely ban any needed osc file.

 

Kind regards,

Debs

Share this post


Link to post
Share on other sites

Well I'm glad it's working for you. After the first week your blocks should trickle down to only 1-2 a week as the repeat offenders are blocked.

 

your temp... you can read what the hackers are trying to accomplish and append the code to stop them. For instance; ban "cms" RewriteRule cms\.php$ bad_conduct/ban.php [NC,L]

 

Now you may not wish to do the above (example block) if you have old trafic pointing to your old guestbook cms stuff. That should be properly forwarded so you do not lose your incoming traffic. If they are trying to get into the admin of your cms/guestbook... that you may want to block.

 

You do not need the folder or file on your site to ban a hacker who attempts to access it. Just be sure to test if you do this so you do not loosely ban any needed osc file.

 

Kind regards,

Debs

 

I've seen it catch things like this a few times:

 

products_new.php?osCsid=ddfb4b399f4c99d

 

Is that bad? What's going on there? Attaching an oscsid number to products or whatever. I know it's not supposed to do that but I've noticed that happen to me before too.

Share this post


Link to post
Share on other sites

DAMN! I wish I found this contribution a week or two ago....my site was hacked a few days ago and I didn't have a good backup so I had to reset and start over.

Anyway, this is a GREAT contribution!! It worked perfect the first time I tried it on both domains.

Thank you!!

 

I wanted to ask real quick about one of the posts on the first page-there was some htaccess code to block bots from downloading your website or something like that....I believe there were 2 pieces of code.

Can I add those also? The more protection the better....having to rebuild my site is a real heartbreaker...I gotta make sure it doesn't happen again.

Anyway, Thanks again!!:thumbsup:

Share this post


Link to post
Share on other sites

The other htaccess code you are refering to was to block a few bad spiders and site downloaders... Somebody had inquired about it.

You can use both.

The other code should be placed above the start of "########## BAD BEHAVIOR BLOCK rules to ban exploits"

The XSS/ BAD BEHAVIOR BLOCK should be at the end of your htaccess, as it will be appending to it.

 

Kind regards,

Debs

Share this post


Link to post
Share on other sites

I've seen it catch things like this a few times:

 

products_new.php?osCsid=ddfb4b399f4c99d

 

Is that bad? What's going on there? Attaching an oscsid number to products or whatever. I know it's not supposed to do that but I've noticed that happen to me before too.

It will only catch that url if there was a script entered after it to attempt hacking into your server. It does not attach anything to the URL, it will strip the appended hack script (if attached), and block the attack.

Share this post


Link to post
Share on other sites

It will only catch that url if there was a script entered after it to attempt hacking into your server. It does not attach anything to the URL, it will strip the appended hack script (if attached), and block the attack.

 

Nice! :)

Share this post


Link to post
Share on other sites

Hi I renamed my admin catalog to something else and I would really like to block anyone trying to acces /admin is that possible?

Share this post


Link to post
Share on other sites

Hi I renamed my admin catalog to something else and I would really like to block anyone trying to acces /admin is that possible?

 

It is probably not a good idea to block "admin" as any other admin (photo galleries etc.) on your site would also become blocked.

Share this post


Link to post
Share on other sites

Thank you for your reply, I've renamed many things so i don't believe I have anything left called admin. If I do I'll rename that to

Share this post


Link to post
Share on other sites

Please do not send me a personal message if your question can be answered here. It would be most helpful to others for me to answer any questions here in the open forum.

 

There are many updates and contributions to protect your website... Please look them all over and install the ones you believe will do you the most good. I'm certain many of you, like myself, have dozens or even hundreds of pages on your website/ servers. Pages related directly to your business oscommerce store... and others such as photo galleries, static product data/information pages etc. They may (or some may not) be linked directly to your sql database or even your osc store, although they do reside on your same site/ host.

 

Anyways, this simple website protection not only covers your oscommerce site (it is not dependent on osc files) but rather protects your entire website from many of the most common attacks. It's a quick add-on, easily customizable and most importantly; it STOPS (blocks/ bans) the hacker from continued attempts to hack your website! It should work with any oscommerce contribution/ add-on. I use it on numerous websites, including non oscommerce sites.

 

osCommerce has many holes known to hackers. This will stop the guys looking directly for a osc website to hack (yes hackers search directly for osc websites to attack/ hack). They will not get the chance to use trial and error to learn your setup. Really that's the whole purpose I developed it. Simple yet effective. If you have trouble installing... please read the instructions to be certain you did not miss something, as this is very easy to install and configure.

 

Kind regards,

Debs

Share this post


Link to post
Share on other sites

I banned myself today...

 

 

 

 

Thank you :thumbsup:


Currently...:

 

Working with osCommerce 2.3.1

Now working with Phoenix

Add-Ons so far Installed:

Not all of these installed yet on Phoenix - some are and the rest will be

 

Add date and order number to invoice and packing slip,

Products Cycle Slideshow,

Detailed Monthly Sales,

Holiday Settings,

Tracking Module for 2.3

Share this post


Link to post
Share on other sites

Hi Debs,

 

thanks for this valuable contribution. I have installed it in the document root and when I tested it, by putting something like ?cPath=http://... behind a URL, it blocked me right away and added my IP to the .htaccess file. After that I couldn't get to any page of the website. So far it looks like the install was successful.

 

I also have the admin/file_manager.php removed.

 

A couple of hours later however, the daily "stream" of php and html uploads to the catalog/images directory continued as before, without being blocked by your script. The ownership of the uploaded files is apache, suggesting that the apache server was somehow used for the upload. When using ftp, a different user name "owns" the files. We run the site on a dedicated server and we are the only user account on that machine.

 

Do you have any idea how the uploads are performed and how I can block them? Most of them look very harmful. I have denied access to php and html files in the images directory through a .htaccess file but would rather block uploads before they appear.

 

Your help is highly appreciated.

 

Regards, Robert

Share this post


Link to post
Share on other sites

Hi Debs,

 

thanks for this valuable contribution. I have installed it in the document root and when I tested it, by putting something like ?cPath=http://... behind a URL, it blocked me right away and added my IP to the .htaccess file. After that I couldn't get to any page of the website. So far it looks like the install was successful.

 

I also have the admin/file_manager.php removed.

 

A couple of hours later however, the daily "stream" of php and html uploads to the catalog/images directory continued as before, without being blocked by your script. The ownership of the uploaded files is apache, suggesting that the apache server was somehow used for the upload. When using ftp, a different user name "owns" the files. We run the site on a dedicated server and we are the only user account on that machine.

 

Do you have any idea how the uploads are performed and how I can block them? Most of them look very harmful. I have denied access to php and html files in the images directory through a .htaccess file but would rather block uploads before they appear.

 

Your help is highly appreciated.

 

Regards, Robert

 

This will protect your website from hackers...a bit to late though, as your website was already compromised.

 

They could be getting in a number of ways. Quite possibly they have your server user-name and password... This is easily obtained if you have a key logger/ virus on your computer. If you use IE, this free scanner may be of use to check your computer: http://www.bitdefender.com/scanner/online/free.html

 

Being your website was compromised, the hackers have no doubt left a few "back doors" on your server. At this point it may be best to clean your server and reinstall from a clean backup...

 

Wipe the site clean, delete every file and change passwords before starting. Then upload a new .htaccess file banning all but your own ip access. This is important as you could again get hacked in the next couple hours it takes to get the website replaced and secure.

Use a good backup, (not necessarily your most recent backup).

Then check file and folder settings and add security.

 

Never access your server from your computer, no matter how secure you think it is, never type in user name and password. Use a security and encryption tool, USB Password Manager like Portable RoboForm. This is not only much more secure, but also quicker.

 

I only wish I had a better answer for you... once your website is hacked, adding protection alone will not help... You must clean it first.

 

Regards,

Debs

Share this post


Link to post
Share on other sites

This will protect your website from hackers...a bit to late though, as your website was already compromised.

 

They could be getting in a number of ways. Quite possibly they have your server user-name and password... This is easily obtained if you have a key logger/ virus on your computer. If you use IE, this free scanner may be of use to check your computer: http://www.bitdefender.com/scanner/online/free.html

 

Being your website was compromised, the hackers have no doubt left a few "back doors" on your server. At this point it may be best to clean your server and reinstall from a clean backup...

 

Wipe the site clean, delete every file and change passwords before starting. Then upload a new .htaccess file banning all but your own ip access. This is important as you could again get hacked in the next couple hours it takes to get the website replaced and secure.

Use a good backup, (not necessarily your most recent backup).

Then check file and folder settings and add security.

 

Never access your server from your computer, no matter how secure you think it is, never type in user name and password. Use a security and encryption tool, USB Password Manager like Portable RoboForm. This is not only much more secure, but also quicker.

 

I only wish I had a better answer for you... once your website is hacked, adding protection alone will not help... You must clean it first.

 

Regards,

Debs

 

 

Being you are on a dedicated server... you may want to contact someone here like Burt: http://forums.oscommerce.com/user/69-burt/page__tab__aboutme (http://www.clubosc.com/)

 

To start with, you would want someone to check out your server configuration... If Gary is unavailable, make a post on the forums here for advice on the proper setup for your server.

Share this post


Link to post
Share on other sites

Being you are on a dedicated server... you may want to contact someone here like Burt: http://forums.oscommerce.com/user/69-burt/page__tab__aboutme (http://www.clubosc.com/)

 

To start with, you would want someone to check out your server configuration... If Gary is unavailable, make a post on the forums here for advice on the proper setup for your server.

 

Thanks Debs for your prompt reply. I will once more go through the osCommerce installation and replace every file with the "shadow" version I have on my local computer (linux, never use windows to access the server). Did that before, although it didn't help. If modifications are made to files, does it always update the file's date stamp? Because I check for changes that way regularly.

 

I sometimes find empty "manufacturers" in the list of manufacturers with images being php files, and I sometimes find fake products with php files as product pictures. It looks like it's easy to bypass the admin login and use "add manufacturer" or "add product" feature to upload something Can I protect against that or should your script tackle any such uploads if my server were "clean"?

 

I value your suggestion to sort of rebuild the server and I will go that way but I also like to learn more about possible leaks in osCommerce which may not be blocked by your script.

 

Thanks for your support,

Robert

Share this post


Link to post
Share on other sites

Hi Debs,

 

I followed your suggestion to renew the store's installation. I also had a server support technician at my provider check the operating system for any backdoors. They ran a thorough check but found nothing suspicious.

 

I still have php file uploads to the catalog/images directory, even after I checked everything and installed your "patch". I went through the apache log files on the server. This is what the access log shows at moments that match with the time stamp of the uploaded files:

 

88.231.144.84 - - [30/Dec/2010:04:29:14 -0500] "POST /catalog/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.0" 200 6109 "-" "-"

 

85.99.155.85 - - [31/Dec/2010:11:04:14 -0500] "POST /catalog/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.0" 200 6109 "-" "-"

 

83.166.171.182 - - [01/Jan/2011:08:51:14 -0500] "POST /catalog//admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 6134 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"

 

83.166.171.182 - - [01/Jan/2011:11:21:11 -0500] "POST /catalog//admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 6134 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"

 

They are all POST actions, using a file from the admin branch.

 

I could rename the admin directory to sort of go stealth but I'm afraid that would only be a temporary patch. When you see the logs above, is there anything I can add to your .htaccess file to filter out these uploads, or do you have any other suggestions?

 

Thanks for your support!

 

Robert

Share this post


Link to post
Share on other sites

Hi Debs,

 

I followed your suggestion to renew the store's installation. I also had a server support technician at my provider check the operating system for any backdoors. They ran a thorough check but found nothing suspicious.

 

I still have php file uploads to the catalog/images directory, even after I checked everything and installed your "patch". I went through the apache log files on the server. This is what the access log shows at moments that match with the time stamp of the uploaded files:

 

88.231.144.84 - - [30/Dec/2010:04:29:14 -0500] "POST /catalog/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.0" 200 6109 "-" "-"

 

85.99.155.85 - - [31/Dec/2010:11:04:14 -0500] "POST /catalog/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.0" 200 6109 "-" "-"

 

83.166.171.182 - - [01/Jan/2011:08:51:14 -0500] "POST /catalog//admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 6134 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"

 

83.166.171.182 - - [01/Jan/2011:11:21:11 -0500] "POST /catalog//admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 6134 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"

 

They are all POST actions, using a file from the admin branch.

 

I could rename the admin directory to sort of go stealth but I'm afraid that would only be a temporary patch. When you see the logs above, is there anything I can add to your .htaccess file to filter out these uploads, or do you have any other suggestions?

 

Thanks for your support!

 

Robert

 

Hi Robert, yes the admin directory must be renamed. If possible you should also ban access to your "admin" to all but yourself!

 

## add this to your .htaccess (in new admin name) folder

Order Deny,Allow

Deny from all

## add your ip...

Allow from 00.00.000.000

 

 

You should make a post in the security forum asking for help, stating your site has been hacked. With all the members here... someone may immediately know how they are getting in.

Of course you should also follow the pinned post on how to secure your site. They will certainly be alarmed when they see you have not yet renamed your admin.

 

The admin (after renaming) must also be further protected. By default, the admin directory is not secure, there is a fix for this. You may have already applied the patch... double check or add password protection through your server/htaccess.

You must also remove a few of your default admin php files that are commonly used by hackers to access your admin.

This is all discussed in the pinned topic on how to secure your site.

 

Kind regards,

Debs

Share this post


Link to post
Share on other sites

Robert

 

The link on line2 of this page takes you theough the steps to add ht access and ensure people are logged in before thay can run a script. Which is what those logs show is being done.

 

HTH

 

G


Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.

Share this post


Link to post
Share on other sites

Robert

 

The link on line2 of this page takes you theough the steps to add ht access and ensure people are logged in before thay can run a script. Which is what those logs show is being done.

 

HTH

 

G

 

Hi Geoffrey,

 

thanks for your hints, interesting reading! The site is clean, no files were infected, only stuff uploaded. I have admin renamed and I'm working on a few more patches like update my security pro plugin to a newer version. I had several security measures in place since long but hackers get smarter too so I guess it was time for some more work.

 

Thanks for your support.

 

Robert

Share this post


Link to post
Share on other sites

Glad to be of help.

 

Security Pro does really makes this contribution redundant.

 

Security Pro 2.0 has been released.

Totally new more modern code ( albeit PHP4 compatible ).
More protection.
Compatible with osCommerce all versions including 2.3.1.

A word about .htaccess XSS contributions. I don't know if anyone realises but none that I have seen do anything but try and replicate what Security Pro already does better, although more so now .. example ..

RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
base64_encode is covered by security Pro

RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
Tags can not get through security pro as <> and % are banned characters

RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
Again tags cannot get through Security Pro

RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
GLOBALS is now banned by Security Pro

RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
_REQUEST now banned by Security Pro


RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
This one may be worth keeping as the request method is not querystring based

Just so you are not adding unnecessary code to .htaccess as these rules are quite server intensive and the file gets filled with rubbish. 

 

http://forums.oscommerce.com/topic/313323-how-to-secure-your-oscommerce-22-site/page__view__findpost__p__1553997

 

HTH

 

G


Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.

Share this post


Link to post
Share on other sites

Glad to be of help.

 

Security Pro does really makes this contribution redundant.

 

Security Pro 2.0 has been released.

Totally new more modern code ( albeit PHP4 compatible ).
More protection.
Compatible with osCommerce all versions including 2.3.1.

A word about .htaccess XSS contributions. I don't know if anyone realises but none that I have seen do anything but try and replicate what Security Pro already does better, although more so now .. example ..

RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
base64_encode is covered by security Pro

RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
Tags can not get through security pro as <> and % are banned characters

RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
Again tags cannot get through Security Pro

RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
GLOBALS is now banned by Security Pro

RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
_REQUEST now banned by Security Pro


RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
This one may be worth keeping as the request method is not querystring based

Just so you are not adding unnecessary code to .htaccess as these rules are quite server intensive and the file gets filled with rubbish. 

 

http://forums.oscommerce.com/topic/313323-how-to-secure-your-oscommerce-22-site/page__view__findpost__p__1553997

 

HTH

 

G

 

 

I use security pro. It does help on files loading application top.

Share this post


Link to post
Share on other sites

Actually Security Pro does not make this program redundant, if anything they tend to compliment each other.

 

Security Pro may stop the scripting getting through but this program drops the broad hint to the hackers that they can not access your site to insert the script in the first place.

 

Since installing this contribution hack attempts on my whole site (not just osC) have diminished to zero very quickly - they remained active with just Security Pro installed


Currently...:

 

Working with osCommerce 2.3.1

Now working with Phoenix

Add-Ons so far Installed:

Not all of these installed yet on Phoenix - some are and the rest will be

 

Add date and order number to invoice and packing slip,

Products Cycle Slideshow,

Detailed Monthly Sales,

Holiday Settings,

Tracking Module for 2.3

Share this post


Link to post
Share on other sites

×