osCommerce

Getting sick of attempted hacks


mdtaylorlrim


I constantly get probed by users attempting to access /admin/file_manager.php and others. This is one of the attempts from last night.

 

/catalog/admin/file_manager.php/login.php?: 1 Time(s)

 

Of course it resulted in a 404 and no harm was done. But, this is one of about 100 attempts with varying URLs. I have tried various methods to automatically stop the attempts and just have not yet arrived at a perfect solution.

 

What is a perfect solution? Well, my thought would be this...

 

When a Request URI is detected the ip address is banned using iptables for a short time. Maybe 1 hour.

 

So, I have utilized a few methods to attempt to make this happen, but without success. Some things work, others don't. I just have not found the best solution yet...

 

One thing I tried was writing a script and calling it /catalog/admin/file_manager.php and the function of the script would be to feed the command to the iptables to ban the ip. Sometimes it works and sometimes it doesn't.

 

Another was creating directory aliases for directories like /phpMyAdmin-2.3.5/ or /phpmyadmin/ or /pma/ or any one of many directory requests attempting to find a phpMyAdmin installation. In the directory that they would all be redirected to would be a script that did the same as above: banned the address. Sometimes it worked and sometimes it didn't.

 

Another was to use the directory alias as above with nothing in the directory, and use a custom 404 error page that did the iptables ban. Again, sometimes...

 

So, has anyone ever successfully implemented something like this? If so what method did you use? Any hints or help would be appreciated.

Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?


You would drive yourself mad trying to identify and block each hack attempt .. it's pointless to ban IPs ( except brute forcing and this should only be temporary ) .. pointless to identify every attempt.

 

There are millions of script kiddies out there.

 

Make sure the server/site is as secure as possible, make sure you have applied all recommended security patches and some of the serious anti hack scripts ( most are rubbish ). remove file mangler and the define language one.

 

Secure any writeable directories with a .htaccess file to turn off the php engine and block the running of potentially dangerous scripts.


Thanks for the comments Bob, but I am looking for the specific information.

 

Specific information about what though? it is a pointless exercise.


it is a pointless exercise.

It probably is to a lot of folks. To me it is not.

 

If you have not done this then save your typing fingers..I'm looking for someone that has. No offense intended.


Does not this addon do pretty much as you describe, other than use iptables; http://addons.oscommerce.com/info/5914

 

This should be straightforward to base new code on that does as you wish.

Not quite, but I might be able to utilize some of it. Really, I am getting close to a workable solution but am stumped on a RewriteRule.

 

RewriteEngine On

RewriteCond %{REQUEST_URI} .* [NC]

RewriteRule (.*) /index.php [L]

 

What I am wanting is a rewrite rule to put in a .htaccess file that will send any URI to index.php regardless what is there...more directories, filenames, etc.

 

This is in an .htaccess file in a directory and the only thing in the directory is an index.php file. So...if this was in the directory /mydir/ and someone went to...

 

http://hostname.com/mydir/anything/something/thisfile.php

 

I want the following to be served.

 

http://hostname.com/mydir/index.php

 

Just cannot get the rewrite rule correct.



oscommerce is not monolithic it is file per function .. if you redirect "everything" to index.php the script simply won't work.

 

Could you give more detail as to what you specifically want to achieve .. e.g. do you want a targeted directory to redirect to this index.php file?

 

Note: I am giving one more shot at helping despite your previous comment.


Sure Bob, I'll try and be clear.

 

I have a list of directories that the script kiddies are always trying to access in an attempt to hack into things like osC, MajorDomo, MSOffice, etc... All of these directories are aliased to one common directory. Here is a short list of a file in the httpd/conf.d/baduser.conf file.

 

Alias /phpmyadmin /var/www/block

Alias /p/m/a /var/www/block

Alias /catalog/admin /var/www/block

...

...

 

 

If someone browses to http://mydomain.com/catalog/admin/file_manager they end up in the /var/www/block directory.

 

Then, in the /var/www/block directory is an .htaccess file.

 

RewriteEngine On

RewriteCond %{REQUEST_URI} .* [NC]

RewriteRule (.*) /index.php [L]

 

This rewrite rule should cause any URL that ends up in this directory to result in the serving of index.php but I obviously have it incorrect as it does not work all the time.

 

The index.php file includes this...

 

// client address of the request that landed in the trap directory
$intruder_ip_address = $_SERVER['REMOTE_ADDR'];

// hand the address to the privileged helper through the environment
putenv("IP_TO_BAN=" . $intruder_ip_address);

// /bin/blockip reads IP_TO_BAN and adds the iptables rule; $r receives its exit status
system("/bin/blockip", $r);

 

/bin/blockip is a C program that does a system call that bans the address.

 

 

 

So, my problem is that the RewriteRule does not catch everything and I cannot figure out why. It needs to strip the entire URI and replace it with whatever it takes to serve the index.php file. I think what is happening is that it strips everything and ends up serving http://mydomain.com/index.php and it *should* serve the index.php in this directory.

 

If the browser ended up in the /var/www/block directory I want the index.php file served regardless what URI was requested.

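The guess in the post above is right: in per-directory (.htaccess) context, a RewriteRule substitution that starts with a slash is treated as a URL-path relative to the document root, so "/index.php" serves the site's root index.php, not the one in /var/www/block. Because the same directory is reached through several different Alias prefixes, there is also no single RewriteBase that would fix it. The following is an added example, not code from the thread, showing how the same trap can be built in httpd.conf without mod_rewrite at all; it assumes Apache 2.4, the /var/www/block directory from the post, and the handful of probed prefixes listed there (extend the alternation with the rest of the baduser.conf list):

```apache
# Added example for conf.d/baduser.conf (not from the original posts).
# Unlike Alias, AliasMatch does NOT append the remainder of the URL to the
# target, so every request under these prefixes, however deep
# (/catalog/admin/file_manager.php/login.php included), is served by the one
# file /var/www/block/index.php. No RewriteRule, no .htaccess, no 404 trick.
# Anchor the pattern with ^ and $ so only these exact prefixes are trapped;
# the real (renamed) admin directory must not match.
AliasMatch "^/(phpmyadmin|phpMyAdmin[^/]*|pma|p/m/a|catalog/admin)(/.*)?$" "/var/www/block/index.php"

# Apache 2.4 access control for the trap directory. Nothing here is
# overridable from .htaccess, which matches the preference for keeping
# everything in httpd.conf.
<Directory "/var/www/block">
    Options None
    AllowOverride None
    Require all granted
</Directory>
```

On Apache 2.2 replace `Require all granted` with `Order allow,deny` and `Allow from all`. Since the trapped request is now a normal 200 for index.php, have index.php itself emit a 404 status line before it exits if the probe should look like a miss to the scanner.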

To my knowledge RewriteRules only work from the base directory mysite.com/

 

RewriteBase /

 

Relates to mysite.com/

 

Were I to do this I wouldn't use .htaccess rules as they are server heavy and not particularly robust in certain cases, I would create a class instantiated at the top of application_top.php ( presuming it is osC as the root index.php ).

 

The script would ..

 

1) Check if the ip was banned and act appropriately.

 

2) Create a new ban based on the REQUEST_URI or PATH_INFO and whether it was a targeted path.

 

3) Redirect both of the above to a specific file with a relevant header, or of course let it through if the access didn't raise a flag.


Actually, I think I have it working now.

 

In the .htaccess file I completely removed the rewrite rules and replaced it with this.

 

ErrorDocument 404 /path/index.php

 

 

This allows anything not found to go to the indicated 404 error document. In this case the index.php file. Works for any number of directories, etc, as long as they are in the path of this directory. I did have to AllowOverride FileInfo for the directory.

 

After a moderate amount of testing time I'll move the directive into a <Directory> container in the httpd.conf file.

 

 

I don't like anything in .htaccess files. Anything in an .htaccess file can go into the httpd.conf file so that is where my stuff resides, even UltimateSEO Urls rewrites.



Well, nonexistent files should of course be dealt with by a 404 Not Found header. I thought you were having problems with hack attempts on existent files.


Well, nonexistent files should of course be dealt with by a 404 Not Found header. I thought you were having problems with hack attempts on existent files.

No, no. About twice a week I have a log file full of attempts to access files in /catalog/admin/... (the real admin file has been renamed so it is definitely a hack attempt at something) or to /phpmyadmin/ or /phpMyAdmin-2.1 or to /phpMyAdmin-2.2 and on and on. Sometimes well over a hundred attempts to find an unsecured directory to MySql, phpMyAdmin, an unsecured osC Admin directory, or many, many other scripts from MajorDomo to MSOffice.

 

What I do is place a 60 second ban on any IP address attempting to access those non existent directories. It prevents the remaining 100+ attempts from happening. The script kiddie fails on the second and third attempt and likely moves on, unless it is a script that runs unattended. Which is also a possibility.

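The three steps Bob outlines (detect a targeted path, create a ban, release it later) and the 60-second ban described in the post above can also be driven from the access log instead of from a setuid helper called by PHP, which keeps the web server user away from iptables entirely. The script below is an added example, not code from the thread or from osCommerce. It assumes: a combined-format access log, that it runs as root (from cron, or as a root-owned loop on `tail`), that a dedicated chain has been created once with `iptables -N PROBE_BAN; iptables -I INPUT -j PROBE_BAN`, and the probe prefixes named in the thread; the log lines inside `sample_log` are constructed for illustration.

```shell
#!/bin/sh
# Added example: temporary iptables ban driven by Apache access-log lines.
# Assumptions (not from the thread): combined log format, runs as root,
# a PROBE_BAN chain already hooked into INPUT, iptables at /sbin/iptables.
IPTABLES="${IPTABLES:-/sbin/iptables}"
CHAIN="${CHAIN:-PROBE_BAN}"
BAN_SECONDS="${BAN_SECONDS:-60}"

# Request paths only a scanner would ask for on this host (the real admin
# directory has been renamed, so /catalog/admin is a reliable tell).
PROBE_RE='"(GET|POST|HEAD) /(phpmyadmin|phpMyAdmin[^/ ]*|pma|p/m/a|catalog/admin)(/|[ ?])'

# Accept only a dotted quad. The address comes from untrusted log data, so
# nothing else may ever reach the iptables command line.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  v_ifs=$IFS; IFS=.
  set -- $1
  IFS=$v_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Read log lines on stdin, print each distinct client IP that hit a probe path.
probe_hits() {
  grep -E -i "$PROBE_RE" | awk '{print $1}' | sort -u
}

# Drop all traffic from one address for BAN_SECONDS, then release it.
# Idempotent: an address that is already in the chain is not added twice,
# so a scanner's second and third attempts do not stack extra rules.
ban_ip() {
  ip=$1
  valid_ipv4 "$ip" || return 1
  "$IPTABLES" -C "$CHAIN" -s "$ip" -j DROP 2>/dev/null && return 0
  "$IPTABLES" -I "$CHAIN" -s "$ip" -j DROP || return 1
  ( sleep "$BAN_SECONDS"; "$IPTABLES" -D "$CHAIN" -s "$ip" -j DROP ) &
}

# Ban every probing client found in the lines on stdin; prints how many.
ban_probers() {
  n=0
  for ip in $(probe_hits); do
    ban_ip "$ip" && n=$((n + 1))
  done
  echo "$n"
}

# Constructed sample lines (combined format) for trying the script offline.
sample_log() {
  cat <<'EOF'
203.0.113.7 - - [12/Mar/2012:03:14:15 +0000] "GET /catalog/admin/file_manager.php/login.php HTTP/1.1" 404 286 "-" "Mozilla/4.0"
192.0.2.9 - - [12/Mar/2012:03:14:16 +0000] "GET /catalog/index.php HTTP/1.1" 200 9124 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2012:03:14:17 +0000] "GET /phpMyAdmin-2.3.5/ HTTP/1.1" 404 286 "-" "-"
203.0.113.7 - - [12/Mar/2012:03:14:18 +0000] "GET /pma/ HTTP/1.1" 404 286 "-" "Mozilla/4.0"
EOF
}

# When executed with a log file as the only argument, scan it once (cron use).
if [ "$#" -eq 1 ] && [ -f "$1" ]; then
  ban_probers < "$1"
fi
```

Run from cron as `probe_ban.sh /var/log/httpd/access_log` against a recently rotated log, or feed `tail -n 500` of the live log into `ban_probers`. The release is a background `sleep`, which is fine for a one-minute ban but is lost on reboot; a chain flush at boot clears any leftovers. Whitelist your own address before enabling it, since one mistyped admin URL would otherwise lock you out for a minute.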

You could try my addon. It only takes a few minutes to install.

 

http://www.oscommerce.com/forums/topic/363197-xss-bad-behavior-block/

I already had most of that except the script line and the setup line. And your ban.php file, although it adds the deny to the address it notifies the offender that you are onto him. I prefer it to be a silent, unknown, no response sort of thing... And yours does not address the hack attempts at all the different directories, which is what I was majorly after.

 

And, yours is a permanent ban while mine is not. Mine releases the ban so you do not have to maintain a never ending, ever growing list of banned ip addresses. If it was an honest mistake then it will rectify itself without my intervention.

 

 

Good mod though.


It happens a lot eh! I get at least several a week. Usually from Russia, Ukraine and of course Turkey.

 

I seem to recall it took only a matter of days after my site went live for the 1st attempts at a hack. After phpmyadmin if I recall correctly and that was from South America. Keeps you on your toes anyway!

 

Today saw a new one, from Russia (with love?), that was seeking "spaw2". Whatever it is I don't use it and no doubt whatever it is has some vulnerability.

 

One thing I think we can be certain of, is they read this forum and no doubt check out the "rate my site" or feedback section.

 

Wayne....
