New Turkey IPs To Ban in htaccess


Procommerce


Hi Folks,

 

As we usually do every morning, today we checked on our Access-Log and looked for any strange POST instance... We have our sites secured, but, you know, there is always someone sniffing around... Today we found something like this:

 

"POST /admin/administrators.php/login.php?action=insert ...

"POST /admin/file_manager.php/login.php?action=processuploads HTTP/1.1" 3 ...

 

From various IPs... Of course, they were looking into nothing because we did what is proposed in the Securing your Site Guide, but nevertheless, we kind of dislike this, so a long time ago we decided to ban some complete countries' ranges of IPs... via htaccess, so today, if you also want to ban Turkey, you will have to add the following ranges to your file:

 

95.0.0.0 to 95.15.255.255

78.160.0.0 to 78.191.255.255

Providing Ecommerce & CRM Solutions since 1995

Vote my post up if you found it useful

Link to comment
Share on other sites
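
The two ranges and the request shape from the post above, worked through as an added example (not part of the original post): it collapses the ranges to CIDR blocks for `.htaccess`, finds the probe pattern in access-log lines, and lists probing clients the range ban would not stop. The log lines are constructed sample data.

```python
import ipaddress
import re

# Ranges quoted in the post, as (first, last) address pairs.
BANNED_RANGES = [("95.0.0.0", "95.15.255.255"), ("78.160.0.0", "78.191.255.255")]

# Constructed access-log lines (combined log format); the addresses, timestamps
# and status codes are made up, the request paths are the ones in the post.
SAMPLE_LOG = [
    '95.10.1.2 - - [01/Jan/2011:06:12:01 +0000] '
    '"POST /admin/administrators.php/login.php?action=insert HTTP/1.1" 302 -',
    '203.0.113.9 - - [01/Jan/2011:06:12:09 +0000] '
    '"POST /admin/file_manager.php/login.php?action=processuploads HTTP/1.1" 302 -',
    '198.51.100.7 - - [01/Jan/2011:08:30:00 +0000] '
    '"POST /admin/login.php?action=process HTTP/1.1" 302 -',
]

# POST to an admin script with "/login.php" appended as trailing path info.
PROBE = re.compile(r'^(\S+) .*?"POST (/admin/[\w.-]+\.php/login\.php)\?action=(\w+)')

def to_cidrs(ranges):
    """Collapse first-last ranges into the smallest list of CIDR networks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets

def htaccess_lines(nets):
    """Apache 2.2 syntax; on 2.4 use 'Require not ip <cidr>' inside <RequireAll>."""
    return ["Order Allow,Deny", "Allow from all"] + [f"Deny from {n}" for n in nets]

def find_probes(log_lines):
    """Return (client_ip, path, action) for every line matching PROBE."""
    return [m.groups() for m in map(PROBE.match, log_lines) if m]

def not_covered(hits, nets):
    """Probing client IPs that fall outside every banned network."""
    return sorted({ip for ip, _, _ in hits
                   if not any(ipaddress.ip_address(ip) in n for n in nets)})

if __name__ == "__main__":
    nets = to_cidrs(BANNED_RANGES)
    print("\n".join(htaccess_lines(nets)))
    print("probes:", find_probes(SAMPLE_LOG))
    print("probing IPs the ban misses:", not_covered(find_probes(SAMPLE_LOG), nets))
```
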

I can see no point in banning the whole of a country because someone has had a couple of hackers try to access their site allegedly from that particular country - why not ban IPs from the whole world?

 

Of course if you want to carry on banning countries indiscriminately it's ok by me - I'm quite happy to take their money

My store is currently running Phoenix 1.0.3.0

I'm currently working on 1.0.7.2 and hope to get it live before 1.0.8.0 arrives (maybe 🙄 )

I used to have a list of add-ons here but I've found that with the ones that supporters of Phoenix get any other add-ons are not really necessary

Link to comment
Share on other sites

Julian,

 

 

It is a well known fact that Turkey has a vast majority of hackers that focus on osCommerce sites. I posted a similar message a couple of weeks ago after someone from Turkey, using a new IP, tried to hack into 4 of my sites and several of my clients' sites. None of the hack attempts were successful, but I banned the IP anyway.

 

There are two security contributions by experienced members of this forum that suggest banning all of Turkey because of the reputation it has. However, if you wish to support those who are destroying your clients' sites, by all means go ahead!

 

 

 

Chris

Link to comment
Share on other sites


I don't ban countries personally but I fully understand why people do/want to.

 

 

I have for example a number of customers for whom the vast majority of malicious access attempts come from Turkey and China. These countries produce the customer zero revenue, therefore the sensible thing to do is to ban those countries.

Link to comment
Share on other sites

Chris, I am not supporting anyone that is destroying osCommerce sites, but I fail to see what good banning a whole country can do, unless you are saying these hackers are not clever enough to use a proxy server to get around the banning?

Link to comment
Share on other sites

Robert strangely although I have sales in both Turkey and China I don't see hack attempts; but I do see them from South America but should I ban all of South America when I have customers there also...

 

 

I think not ;) I'll just keep banning the IPs that try to hack - get them all that way :thumbsup:

Link to comment
Share on other sites


Julian

 

I never suggested that YOU should ban anything, I simply gave you examples of my customers for whom it was the only sensible option.

 

Banning individual IPs is a total waste of time ( short term e.g. a few hours or a day can be useful ).

 

If someone tries to hack your site and they have a static IP then you should invite them into the hall of fame of useless hackers not ban them.

Link to comment
Share on other sites


I have personally been trying to find a way to ban ALL proxy servers from my websites. IMO, if someone feels the need to proxy to get to my site, I don't want them on it.

 

 

Chris

Link to comment
Share on other sites

I've experienced the same problem.

There is nothing to do with IP deny access. They go using jump servers; for instance, our traffic was moved to a Turkish website (porn), and the hacker came from a German IP first and afterwards from a Chinese one.

What I mean is that denying access by IP country or location is not the solution.

Here is my experience with Turkish attacks:

At some time you have had a security breach (probably when you installed an OSC addon), and then hackers have installed a shell manager (not just one, probably at least 4 or 5). A simple shell manager app could upload files through public access; a more complex one could do the same as an administrator tool: change permissions, edit files, etc.

They are usually written in Perl, but the hacker's access is usually through a .php file.

You have to run a heavy number of tests and cleaning tasks, mostly because they usually upload the files in the products or images files, where it is quite complicated to find them.

I don't want to go on any longer, but I invite anybody to send me a private email to share how we can repair the hacking attacks and how we could reduce the risk.

The following tasks are mandatory:

- Check your site for unusual files (mostly PHP extensions). Useful OSC extension: sitemonitor.

- Correct directory permissions to 755, and images in the same way. Useful OSC extension: check permission.

- Correct file permissions: except config.php, all of them should be 644 (some addons could request other permission levels; you have to choose between functionality and security).

- Check tmp, backup and .ssh folders; they could create authorized keys in the ssh folder.

- Change your admin, FTP and MySQL passwords frequently.

- If you can, don't use the filemanager.php (remove this file) to manage your site.

- Delete the banner_manager.php; it is well known that it is another security breach.

- Take care with files with extensions jpg, png, gif, etc. that could have 777 permission; they could be injected code files.

- Try to find files like halt, cmd11, up, bd1 with .php extensions, then delete them.

- Is cPanel for hosting services really secure (mmmmmmm)? Ask your hosting provider to check some access, but also take care about phishing (yes). I have heard some cPanel has been hacked, and the problem could come from the hosting (for instance an intermediate box requesting your password with the user, as it is quite easy to take the user from the URL info and request your password, which could be the needed info).

- Finally, I advise having a folder with the following files: .htaccess, index.html and index.php. It is quite useful for repairing the damage quickly, but not for avoiding the attacks. Of course, a full backup of your site is extremely highly recommended.

I don't want to go on any longer, but I invite anybody to send me a private email [email protected] to share how we can repair the hacking attacks and how we could reduce the risk together.

Link to comment
Share on other sites
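
The file and permission checks from the checklist above, gathered into one audit pass; this is an added example, not the poster's code or one of the osCommerce add-ons he names. The file names and the 755/644/777 values come from the post; `MEDIA_DIRS`, the exemption of `.ssh` from the mode checks and the demo tree are assumptions.

```python
import os
import stat

SUSPECT_NAMES = {"halt.php", "cmd11.php", "up.php", "bd1.php"}  # names from the post
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
MEDIA_DIRS = {"images"}  # assumption: directories that should never hold PHP

def audit(docroot):
    """Return sorted (relative_path, reason) findings for the checklist items."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot)
        parts = set(rel_dir.split(os.sep))
        in_ssh = ".ssh" in parts  # .ssh has its own stricter modes, skip 755/644
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        if mode != 0o755 and not in_ssh:
            findings.append((rel_dir, f"directory mode {mode:o}, expected 755"))
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            mode = stat.S_IMODE(os.lstat(os.path.join(dirpath, name)).st_mode)
            ext = os.path.splitext(name)[1].lower()
            if name.lower() in SUSPECT_NAMES:
                findings.append((rel, "file name listed in the post"))
            if ext == ".php" and parts & MEDIA_DIRS:
                findings.append((rel, "PHP file inside a media directory"))
            if name == "authorized_keys" and in_ssh:
                findings.append((rel, "authorized_keys present, review every entry"))
            if ext in IMAGE_EXTS and mode == 0o777:
                findings.append((rel, "image file with mode 777"))
            elif mode != 0o644 and name != "config.php" and not in_ssh:
                findings.append((rel, f"file mode {mode:o}, expected 644"))
    return sorted(findings)

def build_sample(root):
    """Constructed demo tree: a clean page, a dropped script and a 777 image."""
    os.chmod(root, 0o755)
    os.mkdir(os.path.join(root, "images"))
    os.chmod(os.path.join(root, "images"), 0o755)
    for rel, mode in [("index.php", 0o644), ("images/bd1.php", 0o644),
                      ("images/logo.jpg", 0o777)]:
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as demo:
        build_sample(demo)
        for rel, reason in audit(demo):
            print(f"{rel}: {reason}")
```
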


Sorry Robert - I was trying to agree with you :blush:

Link to comment
Share on other sites

Here is my work around to this problem.

 

1) Ensure that the admin panel is located in a different folder for example, mysite.com/secretadmin/

 

2) create a directory /admin/ and there are 2 files - .htaccess and index.php

 

3) all 404 errors are routed via htaccess to index.php

 

4) anyone who tries to access any file (such as file_manager.php or login.php or administrators.php) is handled by index.php

 

5) index.php basically stores their ip address in a database and the rest of the site is banned for that ip address

 

The concept is that I don't have to manually add ip addresses. Only I know the location of the correct admin panel. Others trying to access it have ill intentions so they get banned therefore unable to access the site from there on.

 

I am working on adding some more features to this and will post it up soon in the contributions section

Link to comment
Share on other sites
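
Steps 3 to 5 of the workaround above, modelled as an added example (not the poster's code): a Python WSGI wrapper stands in for his `index.php` plus database. The one-day ban expiry, the table layout and all names here are assumptions; the post does not say whether bans expire.

```python
import sqlite3
import time

BAN_SECONDS = 24 * 3600    # assumption: a ban expires after one day
DECOY_PREFIX = "/admin/"   # decoy directory; the real admin panel lives elsewhere

class DecoyBan:
    """WSGI middleware: ban any client that requests a path under the decoy."""

    def __init__(self, app, db_path=":memory:", clock=time.time):
        self.app, self.clock = app, clock
        self.db = sqlite3.connect(db_path)
        self.db.execute("CREATE TABLE IF NOT EXISTS bans "
                        "(ip TEXT PRIMARY KEY, path TEXT, banned_at REAL)")

    def is_banned(self, ip):
        row = self.db.execute(
            "SELECT banned_at FROM bans WHERE ip = ?", (ip,)).fetchone()
        return row is not None and self.clock() - row[0] < BAN_SECONDS

    def __call__(self, environ, start_response):
        # Key the ban on the socket peer address only; a forwarded-for header
        # is client-controlled and would let a prober get someone else banned.
        ip = environ.get("REMOTE_ADDR", "")
        path = environ.get("PATH_INFO", "")
        if path.startswith(DECOY_PREFIX):
            self.db.execute("INSERT OR REPLACE INTO bans VALUES (?, ?, ?)",
                            (ip, path, self.clock()))
            self.db.commit()
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"Not Found"]
        if self.is_banned(ip):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden"]
        return self.app(environ, start_response)

def shop(environ, start_response):
    """Stand-in for the real storefront application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"shop"]

def status_for(middleware, ip, path):
    """Send one constructed request through the middleware, return its status."""
    seen = []
    middleware({"REMOTE_ADDR": ip, "PATH_INFO": path}, lambda s, h: seen.append(s))
    return seen[0]
```

Because the ban is keyed on a single address, a shared proxy or NAT gateway that trips the decoy locks out every customer behind it until the ban expires.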

Archived

This topic is now archived and is closed to further replies.
