Jump to content

Archived

This topic is now archived and is closed to further replies.

Debs

XSS/ BAD BEHAVIOR BLOCK

Recommended Posts

amazing....I have had it up since yesterday and can't believe how many attempts:

 

 

Getting similar results to Jayman11's post above, pretty much on a daily basis. The vast majority the result of an intrusion attempt using "file_manager.php/login.php" in one form or another.

 

Long ago I removed file_manager from my shops, so I would suppose these intrusion attempts are futile. So...

 

1) Do I really need to block such attempts? Well, because I am not an expert at this I don't know so I am playing it safe. Maybe I will change my mind if I learn something different. But blocking these attempts was an eye opener to me on how common such attempts are.

 

2) As Debs posted earlier in this forum, she would periodically sweep her .htaccess of the intruding IPs especially if they had been there a while. I think I will do the same because some of these IPs may block potential legitimate customers. For example if my IP were on there, every internet user on my same provider at least here locally, would be blocked.


I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.

Share this post


Link to post
Share on other sites

Getting similar results to Jayman11's post above, pretty much on a daily basis. The vast majority the result of an intrusion attempt using "file_manager.php/login.php" in one form or another.

 

Long ago I removed file_manager from my shops, so I would suppose these intrusion attempts are futile. So...

 

1) Do I really need to block such attempts? Well, because I am not an expert at this I don't know so I am playing it safe. Maybe I will change my mind if I learn something different. But blocking these attempts was an eye opener to me on how common such attempts are.

 

2) As Debs posted earlier in this forum, she would periodically sweep her .htaccess of the intruding IPs especially if they had been there a while. I think I will do the same because some of these IPs may block potential legitimate customers. For example if my IP were on there, every internet user on my same provider at least here locally, would be blocked.

 

You are not blocking/banning IPs just on file_manager.php but "any_file".php/login.php

 

Many attempts on my site are preceded by admin or file_manager but I wouldn't remove the condition - after all, it's nice to know that if the hacker had got through that ban there are additional precautions in place which would ensure that they fail.

 

.htaccess is your first line of defence and Bad Behavior protects your whole site so that nothing can get infected (hopefully) so as to transfer that infection internally.

 

These attempts are not done by an individual hacker per attempt but by a computer making thousands - probably millions - of attempts per second (it takes less than a second for a computer program to try every word in the dictionary in a password field - hope you use strong random passwords ;) )

 

The same program could be applied to finding a renamed admin - but the .htaccess condition would catch it within the first attempts (maximum attempts at a hack from the same IP on my site has been 4 before it got banned - all within the first second)

 

If you have a dedicated IP address, it is yours alone, no one else will share it unless you are part of a network. Only if you have a dynamic IP address will your getting banned affect others. Most hackers will use proxy servers anyway so possibly no great loss when banned.

 

The only reason for sweeping is that sometimes the "proxy server" is an innocent that has been infected and is sending out the hack by remote


Currently...:

 

Working with osCommerce 2.3.1

Now working with Phoenix

Add-Ons so far Installed:

Not all of these installed yet on Phoenix - some are and the rest will be

 

Add date and order number to invoice and packing slip,

Products Cycle Slideshow,

Detailed Monthly Sales,

Holiday Settings,

Tracking Module for 2.3

Share this post


Link to post
Share on other sites

You are not blocking/banning IPs just on file_manager.php but "any_file".php/login.php

 

Many attempts on my site are preceded by admin or file_manager but I wouldn't remove the condition - after all, it's nice to know that if the hacker had got through that ban there are additional precautions in place which would ensure that they fail.

 

.htaccess is your first line of defence and Bad Behavior protects your whole site so that nothing can get infected (hopefully) so as to transfer that infection internally.

 

These attempts are not done by an individual hacker per attempt but by a computer making thousands - probably millions - of attempts per second (it takes less than a second for a computer program to try every word in the dictionary in a password field - hope you use strong random passwords ;) )

 

The same program could be applied to finding a renamed admin - but the .htaccess condition would catch it within the first attempts (maximum attempts at a hack from the same IP on my site has been 4 before it got banned - all within the first second)

 

If you have a dedicated IP address, it is yours alone, no one else will share it unless you are part of a network. Only if you have a dynamic IP address will your getting banned affect others. Most hackers will use proxy servers anyway so possibly no great loss when banned.

 

The only reason for sweeping is that sometimes the "proxy server" is an innocent that has been infected and is sending out the hack by remote

 

Hey Julian...

 

Thanks for responding, I am good with a strong password, it's enough of a health mix of characters that I can't remember it and have to go look it up and if I need it. :)

 

Regarding the IP, I don't know the ins and outs of hacking, but on the IP issue my internet provider has a dynamic IP. My assumption has been that for example if say a dozen of my neighbors had the same internet carrier as i did and they signed on to do some browsing we'd come up the same on a who-is-my-ip search. So if that's a correct assumption, say I'd block myself from one of my shops, I presumed that my neighbors in the same internet provider would get blocked as well.

 

That's how I was taking the concept....


I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.

Share this post


Link to post
Share on other sites

Dynamic IPs can have that effect and it would just depend on how may addresses your ISP holds as to what the chances of your neighbour getting the same number as you at any one time :lol:

 

To find out more about hacking and open your eyes a bit ;)


Currently...:

 

Working with osCommerce 2.3.1

Now working with Phoenix

Add-Ons so far Installed:

Not all of these installed yet on Phoenix - some are and the rest will be

 

Add date and order number to invoice and packing slip,

Products Cycle Slideshow,

Detailed Monthly Sales,

Holiday Settings,

Tracking Module for 2.3

Share this post


Link to post
Share on other sites

Dynamic IPs can have that effect and it would just depend on how may addresses your ISP holds as to what the chances of your neighbour getting the same number as you at any one time :lol:

 

To find out more about hacking and open your eyes a bit ;)

 

Great link you passed on there, it's book marked and will make great leisure time reading. B) Seriously, I will. It's interesting stuff to me.

 

You know, back when I decided I wanted to have my "own" site I had no idea how complex it is when you consider domains/hosting/software/security/SEO/photo editing/css/js...and a partridge in a pear tree to do it properly. :blink:

 

Thanks for the input.


I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.

Share this post


Link to post
Share on other sites
What not to do

Don't just repair the damaged files and hope this experience doesn't happen again. That is not enough.

 

Nobody is ever supposed to be able to add, delete, or change files in your website without your permission. It should never happen, and it usually doesn't. Most websites don't get hacked. If yours did, there is something wrong with it, or with the server, or with the webhost, or with the security on your PC. You have to figure out how this happened so you can prevent it from happening again.

 

Great advice, and if heeded, would put an end to the second tier of the attack being launched on oscommerce websites.

 

IN FACT, that URL should go in the signature of as many people on this forum as possible, it has some great advice for step by step ways to secure your site. Great find.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

It is probably not a good idea to block "admin" as any other admin (photo galleries etc.) on your site would also become blocked.

 

I have many hacks reading:

 

/catalog/index.php?cPath=778/admin/file_manager.php/login.php

 

What would it hurt to insert

 

RewriteCond %{QUERY_STRING} ^(.*)/admin/(.*)$ [NC,OR]

 

In the .htaccess file, when the admin folder was renamed?

 

I would be very curious to know.

 

Regards, Rene

Share this post


Link to post
Share on other sites

I have many hacks reading:

 

/catalog/index.php?cPath=778/admin/file_manager.php/login.php

 

What would it hurt to insert

 

RewriteCond %{QUERY_STRING} ^(.*)/admin/(.*)$ [NC,OR]

 

In the .htaccess file, when the admin folder was renamed?

 

I would be very curious to know.

 

Regards, Rene

 

 

Hi Rene,

 

If you look at your example:

 

/catalog/index.php?cPath=778/admin/file_manager.php/login.php

 

you will note that file_manager.php is followed by login.php so putting the following

 

 

RewriteRule \.php/login\.php bad_conduct/ban.php [NC,L]

 

where you are saying any .php file followed by login.php will catch every instance of admin anyway but more importantly every instance of .php/login.php

 

 

Julian


Currently...:

 

Working with osCommerce 2.3.1

Now working with Phoenix

Add-Ons so far Installed:

Not all of these installed yet on Phoenix - some are and the rest will be

 

Add date and order number to invoice and packing slip,

Products Cycle Slideshow,

Detailed Monthly Sales,

Holiday Settings,

Tracking Module for 2.3

Share this post


Link to post
Share on other sites

Thanks Julian.

 

I am not a scripter....:-), but I can see what you mean here.

 

I will put it in the .htacc. and see if it will cath the bad boyz.

 

This Contrib is excellent by the way, thanks DEBS! Been looking for something like this for soem time now, I have even banned IP addresses by hand up to yesterday :-)

 

Cheers, Rene

Share this post


Link to post
Share on other sites

Hi to anyone who can help.

 

I have the addon working correctly and I made the changes you suggested from my other post Xpajun.

 

But my oscommerce still has the /catalog.

 

So testing this mod, I do get banned if I type www.mysite.com/file_manager.php/login.php or mysite.com/something/file_manager/login.php

 

But I do not get banned if I type mysite.com/catalog/file_manager.php.

 

Is there a way around this?

Share this post


Link to post
Share on other sites

You shouldnt get banned because filemanager should be in the admin directory. What this mod is looking for is the combinaton of .php/login.php which is the way the basic exploit is being levelled at outdated versions of Oscommerce like 2.2

 

Remember, the fault was never in file_manager.php but in the $PHP_SELF code in application_top.php which allowed attackers to manufacture admin privaleges by appending login.php to the end of other filenames.

 

Examples:

 

www.mysite.com/admin/categories.php/login.php

www.mysite.com/admin/administrators.php/login.php

www.mysite.com/index.php/admin/administrators.php/login.php

www.mysite.com/index.php/admin/configuration.php/login.php

www.mysite.com/product_info.php/admin/categories.php/login.php?cPath=&action=new_product_preview

 

By putting login.php into a URL in that manner, the attacker is able to bypass the need for an admin login in order to carry out admin commands, irregardless of the filename being accessed in the admin directory. So if you are looking at blocking the malicious request, it will always have .php/login.php somewhere in the request.

 

If it doesn't then it won't be successful in bypassing the need for an admin login.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

You shouldnt get banned because filemanager should be in the admin directory. What this mod is looking for is the combinaton of .php/login.php which is the way the basic exploit is being levelled at outdated versions of Oscommerce like 2.2

 

Remember, the fault was never in file_manager.php but in the $PHP_SELF code in application_top.php which allowed attackers to manufacture admin privaleges by appending login.php to the end of other filenames.

 

Examples:

 

www.mysite.com/admin/categories.php/login.php

www.mysite.com/admin/administrators.php/login.php

www.mysite.com/index.php/admin/administrators.php/login.php

www.mysite.com/index.php/admin/configuration.php/login.php

www.mysite.com/product_info.php/admin/categories.php/login.php?cPath=&action=new_product_preview

 

By putting login.php into a URL in that manner, the attacker is able to bypass the need for an admin login in order to carry out admin commands, irregardless of the filename being accessed in the admin directory. So if you are looking at blocking the malicious request, it will always have .php/login.php somewhere in the request.

 

If it doesn't then it won't be successful in bypassing the need for an admin login.

 

 

It does not matter where file_manager.php is, what the condition is saying is "If you put file_manager.php on the end of your url you will be banned!"

 

Having said that file_manager.php is rarely (if ever) the last part of a hackers url and the condition:

 

RewriteRule file_manager\.php$ bad_conduct/ban.php [NC,L]

 

is flawed by having the limiting $ after it, if the $ is removed then having file_manager.php anywhere within the url will get you banned

 

But as has been noted above by Taipo, the hacker's url always include ".php/login.php regardless of whether admin or file_manager is used and this is why the condition:

 

RewriteRule \.php/login\.php bad_conduct/ban.php [NC,L]

 

is better as it covers every occurrence of a hacker's url hack attempt

 

 

rocaholic,

 

I'm not sure why you did not get banned unless you added something after file_manager.php - then it would not work, however because you have included the .php/login.php you are doubly covered now anyway ;)


Currently...:

 

Working with osCommerce 2.3.1

Now working with Phoenix

Add-Ons so far Installed:

Not all of these installed yet on Phoenix - some are and the rest will be

 

Add date and order number to invoice and packing slip,

Products Cycle Slideshow,

Detailed Monthly Sales,

Holiday Settings,

Tracking Module for 2.3

Share this post


Link to post
Share on other sites

In the past few days I was doing some installing and/or working with existing administrative tools in a couple of my shops and got myself banned via the Bad Bahavior scripts.

 

I disabled the script that the caused the ban and then unbanned myself so I could continue, but then noticed that the ban action when I was in my admin folder caused my admin folder directory to be listed on the bad_conduct/ban.php file. Including the name of my admin folder. So I cleaned that up as well.

 

Just a head's up for those that may not have thought of this because leaving the admin folder name there means it could be found by anyone who views the 'http://www.yourshop.com/bad_conduct/ban.php' file.


I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.

Share this post


Link to post
Share on other sites

I tested it out again.

 

http://www.mywebsite.com/catalog/admin/file_manager.php/login.php

 

Not banned. 404 Not Found page.

 

http://www.mywebsite.com/admin/file_manager.php/login.php

 

Banned by Bad Block.

 

This is the following code I have for my .htaccess which is located in the public_html/

 


RewriteCond %{HTTP_HOST} ^mywebsite.com$ [OR]
RewriteCond %{HTTP_HOST} ^www.mywebsite.com$
RewriteRule ^/?$ "http\:\/\/www\.mywebsite\.com\/catalog" [R=301,L]

########## BAD BEHAVIOR BLOCK rules to ban exploits
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ bad_conduct/ban.php [L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

RewriteRule file_manager\.php bad_conduct/ban.php [NC,L]
RewriteRule \.php/login\.php bad_conduct/ban.php [NC,L]
RewriteRule setup\.php$ bad_conduct/ban.php [NC,L]
RewriteRule images/.*\.php$ bad_conduct/ban.php [NC,L]
RewriteRule tinybrowser\.php$ bad_conduct/ban.php [NC,L]

<Files 403.shtml>
order allow,deny
allow from all
</Files>

deny from 216.68.142.98
deny from 67.19.142.226
deny from 113.57.252.72
deny from 117.201.94.122
deny from 178.33.146.200
deny from 123.30.109.21

 

Any idea why it's not working when I use the /catalog after my website?

Share this post


Link to post
Share on other sites

I am still trying to improve my site´s security, so installed xss and right away tested it with some of the examples from the install instructions ....

 

 

... htt://www.mysitename.com/sqlweb/scripts/setup.php (as well as others)

 

I got the 403 Permission denied screen that tells me that I am banned.

 

I go ahead and check my .htaccess file and my IP is actually in it. Perfect I think. Then go ahead and enter another page on my website and just continue to surf my site as if nothing had happended ;)

 

 

 

So I still can surf my site although my IP is in my htaccess file? After playing around it is three or four times in there. And I am still not banned.

 

 

The funny thing is: Depending on the code I enter in the browsing line - as I said, I was playing around ... I do get bann notice admin emails from osc_sec and IP Trap. Strange enough... I still can surf my website.

 

 

My root htaccess file is rather big now as I have some code from fimbels htaccess protection contribution, from osc_sec, IP trap and ultimate seo urls in there. Maybe too much of all that?

 

Can anyone give me a hint where to start looking at?

Share this post


Link to post
Share on other sites

Generally this is caused by the use of the AllowOverride directive.

 

Usually this is set by your webhost in the apache configuration file and is usually set to

AllowOverride All

 

If you find the AllowOverride in your htaccess you can either make sure its set to All or even better, just comment it out and try to see if your IP ban then is activated. This goes for any .htaccess files in subdirectories too like the admin directory.

 

No doubt there are others in these forums that are more clued up on htaccess than I am and can add more to this discussion for you.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Generally this is caused by the use of the AllowOverride directive.

 

Usually this is set by your webhost in the apache configuration file and is usually set to

AllowOverride All

 

Thanks for your response, Taipo!

 

 

My admin .htaccess contains nothing more than what ist needed for .htpasswd protection. I just followed the instructions my provider gave me.

 

 

In the main catalog/.htaccess file the AllowOverride directive was actually there, already commented out by # (I have no idea if I did this and when)

 

 

it looked like:

 

 

#

#<Directory "/usr/local/apache/htdocs">

# AllowOverride Options

#</Directory>

#

 

 

I tried and removed the # and could not access my site anymore receiving a 500 Error of missconfiguration. Same happened when I tried to change the "options" into "All"

 

I played a little more and removed all code I have added with fimble´s htaccess protection contribution. No better result though.

Share this post


Link to post
Share on other sites

htaccess works in hierachial fashion. So you also need to look at any htaccess files in the higher up directories like the main catalog directory and any directories accessible above that one. If an override code exists above the admin directory then it will also affect the way apache recognizes or ignores the directives in the htaccess file.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

I checked every single folder within my catalog directory

 

the override directive was found in catalog/includes, but uncommented as "# AllowOverride Limit"

 

The word "override" is not found in any other .htaccess file.

 

I do appreciate your time and effort! However I drop it at this point. I have no idea what I am doing. And my rules are, if I can´t get it to work in two days I won´t get it to work in a week ;)

 

And, to be honest I feel save enough without XSS as I have read that this contribution isn´t doing anything that IP Trap, OSC_SEC or Security_Pro contributions haven´t already done. And with these contributions working now, I have about 1010 times more security than I had over the last two years where I had nothing in place but a renamed admin folder that was htpassword protected. I think I got a bit paranoid because I read so much about what had happened to others ;)

Share this post


Link to post
Share on other sites

If I remember correctly, this contribution doesn't work with IP Trap, of the two I would recommend this one - IP Trap requires the hacker to visit certain places where the trap can be sprung; this contribution allows the banning of hackers wherever on your site they may be


Currently...:

 

Working with osCommerce 2.3.1

Now working with Phoenix

Add-Ons so far Installed:

Not all of these installed yet on Phoenix - some are and the rest will be

 

Add date and order number to invoice and packing slip,

Products Cycle Slideshow,

Detailed Monthly Sales,

Holiday Settings,

Tracking Module for 2.3

Share this post


Link to post
Share on other sites

Some good tips around here

What I find a lot in error log is peckers will have a script starting to search for know server directories e.g phpmyadmin, sql or like a 30 or so others

 

How to block an attacker instantly with .htaccess when scanning for such directories?


Getting the Phoenix off the ground

Share this post


Link to post
Share on other sites

I have had this add-on running since april 10th, 2011 now.

 

It probably has catched most IP adresses from which our hackers operate.

 

December month I had only 17 hack attempts, which would be the figure almost every day when I started catching.

 

So again, I can strongly recommend this add-on. It's simple to install, and brings no maintenance.

 

Cheers, honda4.

Share this post


Link to post
Share on other sites

×