Jump to content
Our Partners

Archived

This topic is now archived and is closed to further replies.

geoffreywalton

Are All Your Index.php Files Hacked?

By geoffreywalton, in Security

Recommended Posts

♥geoffreywalton    139

geoffreywalton
Posted

Ran into an interesting little hack on a 2.3.1 site.

 

The customers site has a shop installed in a sub-directory called shop and all of his index.php files had code added to them. Just a little matter of 15 of the little bu**ers.

 

Checking the access logs I found this, the real script name has been changed to ascriptname.

 

91.224.160.132 - - [03/Jun/2012:09:30:36 -0500] "POST /ascriptname.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 82 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.2 (KHTML, like Gecko) Ubuntu/11.04 Chromium/15.0.871.0 Chrome/15.0.871.0 Safari/535.2"

 

A file called rytwi.php was created in a download directory at this time.

 

The next entry in the log was

 

91.224.160.132 - - [03/Jun/2012:09:30:37 -0500] "POST /downloads/rytwi.php HTTP/1.1" 200 13 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ja-JP) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27"

 

A little change to the .htaccess in the site root directory should fix it!!

 

RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
RewriteCond %{QUERY_STRING} tool25 [OR]
RewriteCond %{QUERY_STRING} cmd.txt [OR]
RewriteCond %{QUERY_STRING} cmd.gif [OR]
RewriteCond %{QUERY_STRING} allow_url_include [OR]
RewriteCond %{QUERY_STRING} auto_prepend_file [OR]
RewriteCond %{QUERY_STRING} r57shell [OR]
RewriteCond %{QUERY_STRING} c99 [OR]

 

So the whole thing looks like this.

 

ErrorDocument 404 http://www.Customer_site.com/404page.php

Redirect /catalog http://www.Customer_site.com/shop

# Deny domain access to spammers and other scumbags
RewriteEngine on
php_flag register_globals off
SetEnvIfNoCase User-Agent "^libwww-perl*" block_bad_bots
Deny from env=block_bad_bots

# Redirect index.php to domain.com
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ http://www.Customer_site.com/ [R=301,L]


# Redirect domain.com to www.domain.com
RewriteCond %{HTTP_HOST} ^Customer_site.com [NC]
RewriteRule ^(.*)$ http://www.Customer_site.com/$1 [L,R=301]
RewriteBase /

# filter for most common exploits
RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
RewriteCond %{QUERY_STRING} tool25 [OR]
RewriteCond %{QUERY_STRING} cmd.txt [OR]
RewriteCond %{QUERY_STRING} cmd.gif [OR]
RewriteCond %{QUERY_STRING} allow_url_include [OR]
RewriteCond %{QUERY_STRING} auto_prepend_file [OR]
RewriteCond %{QUERY_STRING} r57shell [OR]
RewriteCond %{QUERY_STRING} c99 [OR]

# ban spam bots
RewriteCond %{HTTP_USER_AGENT} almaden [OR]
RewriteCond %{HTTP_USER_AGENT} ^Anarchie [OR]
RewriteCond %{HTTP_USER_AGENT} ^ASPSeek [OR]
RewriteCond %{HTTP_USER_AGENT} ^attach [OR]
RewriteCond %{HTTP_USER_AGENT} ^autoemailspider [OR]
RewriteCond %{HTTP_USER_AGENT} ^BackWeb [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bandit [OR]
RewriteCond %{HTTP_USER_AGENT} ^BatchFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^Buddy [OR]
RewriteCond %{HTTP_USER_AGENT} ^bumblebee [OR]
RewriteCond %{HTTP_USER_AGENT} ^CherryPicker [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^CICC [OR]
RewriteCond %{HTTP_USER_AGENT} ^Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Copier [OR]
RewriteCond %{HTTP_USER_AGENT} ^Crescent [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DA [OR]
RewriteCond %{HTTP_USER_AGENT} ^DIIbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo\ Pump [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Wonder [OR]
RewriteCond %{HTTP_USER_AGENT} ^Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^Drip [OR]
RewriteCond %{HTTP_USER_AGENT} ^DSurf15a [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EasyDL/2.99 [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} email [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailCollector [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FileHound [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} FrontPage [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetSmart [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^gigabaz [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go\!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^gotit [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^grub-client [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} ^HTTrack [OR]
RewriteCond %{HTTP_USER_AGENT} ^httpdown [OR]
RewriteCond %{HTTP_USER_AGENT} .*httrack.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^ia_archiver [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^Indy*Library [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^InternetLinkagent [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^InternetSeer.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^Iria [OR]
RewriteCond %{HTTP_USER_AGENT} ^JBH*agent [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^JustView [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^LexiBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^lftp [OR]
RewriteCond %{HTTP_USER_AGENT} ^Link*Sleuth [OR]
RewriteCond %{HTTP_USER_AGENT} ^likse [OR]
RewriteCond %{HTTP_USER_AGENT} ^Link [OR]
RewriteCond %{HTTP_USER_AGENT} ^LinkWalker [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mag-Net [OR]
RewriteCond %{HTTP_USER_AGENT} ^Magnet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^Memo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Microsoft.URL [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mirror [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*Indy [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*NEWT [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla*MSIECrawler [OR]
RewriteCond %{HTTP_USER_AGENT} ^MS\ FrontPage* [OR]
RewriteCond %{HTTP_USER_AGENT} ^MSFrontPage [OR]
RewriteCond %{HTTP_USER_AGENT} ^MSIECrawler [OR]
RewriteCond %{HTTP_USER_AGENT} ^MSProxy [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetMechanic [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^NICErsPRO [OR]
RewriteCond %{HTTP_USER_AGENT} ^Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^Openfind [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^Ping [OR]
RewriteCond %{HTTP_USER_AGENT} ^PingALink [OR]
RewriteCond %{HTTP_USER_AGENT} ^Pockey [OR]
RewriteCond %{HTTP_USER_AGENT} ^psbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^Pump [OR]
RewriteCond %{HTTP_USER_AGENT} ^QRVA [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^Reaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Recorder [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Scooter [OR]
RewriteCond %{HTTP_USER_AGENT} ^Seeker [OR]
RewriteCond %{HTTP_USER_AGENT} ^Siphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^sitecheck.internetseer.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SlySearch [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^Snake [OR]
RewriteCond %{HTTP_USER_AGENT} ^SpaceBison [OR]
RewriteCond %{HTTP_USER_AGENT} ^sproose [OR]
RewriteCond %{HTTP_USER_AGENT} ^Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^Szukacz [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^URLSpiderPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^Vacuum [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^[Ww]eb[bb]andit [OR]
RewriteCond %{HTTP_USER_AGENT} ^webcollage [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebEMailExtrac.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebHook [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebMiner [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebMirror [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^Webster [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Whacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^x-Tractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xenu [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus.*Webster [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]
RewriteCond %{HTTP_REFERER} ^http://www.Customer_site.com$
RewriteRule !^http://[^/.]\.Customer_site.com.* - [F,L]

# stop hotlinking (gif/jpg) and serve alternate content
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?Customer_site\.com/.*$ [NC]
RewriteRule .*\.(gif|jpg)$ http://www.Customer_site.com/images/stolen.gif [R,NC,L]
</ifModule>

# deny most common except .php
<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module|exe)$">
deny from all
</FilesMatch>

# Disable .htaccess viewing from browser
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>

# Disable access to config.php
<Files ~ "shop\includes\configure.php$">
deny from all
</Files>


# FORCE TYPE
<Files site>
ForceType application/x-httpd-php
</Files>

# XSS Protection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ 404page.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

 

osCommerce VTS and Site Monitor can both find the hacked index.php files.

 

HTH

 

G

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.

Share this post

Link to post
Share on other sites

♥DunWeb    921

DunWeb
Posted

@@geoffreywalton

 

The customers site has a shop installed in a sub-directory called shop and all of his index.php files had code added to them. Just a little matter of 15 of the little bu**ers.

 

Did I read this wrong ? Were there 15 index.php files ? As far as I know, osCommerce only uses ONE. Did you ascertain how the hacker gained access to the v2.3.1 site ? I have not found any vulnerabilities in v2.3.1. Was it the hosting providers insecure server ?

 

Just looking for more detail Geoffrey so everyone knows what to look for.

 

 

 

Chris

:|: Was this post helpful ? Click the LIKE THIS button :|:

 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)

Share this post

Link to post
Share on other sites

♥geoffreywalton    139

geoffreywalton
Posted

As far as I know OSC uses 4 index.php files.

 

Anyway there were multiple directories each with index.php files in them as well as OSC in a sub-directory called /store.

 

Yes the way they get in is to use the auto append to append a file with their code in it, then accessed rytwi.php and then added the code to all the index.php files, and then all the usual cr*p they do.

 

Bit of a waste to say they did this & this over and above every index.php is infected because you still need to check every single file as well as the entire contents of the db.

 

No need to update VTS as curent version will already detect files hacked in this way.

 

Cheers

 

G

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.

Share this post

Link to post
Share on other sites

Juto    8

Juto
Posted

The origin of many malware scripts like c99shell which often hacks osC:

http://ccteam.ru/

ip:178.170.161.34

ISP data

NetRange: 178.0.0.0 - 178.255.255.255

CIDR: 178.0.0.0/8

 

Thus, add this to your htaccess:

deny from 178.0.0.0/8

 

You can also check your site with:

 

http://phpsec.org/projects/phpsecinfo/

 

Sara

Contributions:

http://addons.oscommerce.com/info/8010 http://addons.oscommerce.com/info/8204 http://addons.oscommerce.com/info/8681

Share this post

Link to post
Share on other sites

♥geoffreywalton    139

geoffreywalton
Posted

Seems like others are being hacked and different actions being performed.

 

http://forums.oscommerce.com/topic/386862-egy-spider-hacking-attempt/page__view__findpost__p__1635635

 

The solution is to upgrade php but another solution is on https://bugs.php.net/bug.php?id=61910

 

this mod_rewrite condition and
rule should take care of it for Apache users:

RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]

 

So the original solution I came up with is along the right lines, but this one appears to be better as it covers more threats.

 

You can tell if your server is vunerable by putting this in to your browser

 

http://www.yoursite.com/?-s

 

or in my case I tried

 

www.mysite.com/shop/banned/IP_Trapped.txt?-s

 

which shows the banned ips.

 

HTH

 

G

 

Now off to get Easy Populate to update category descriptions during a file upload!!

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.

Share this post

Link to post
Share on other sites

ggrant3    4

ggrant3
Posted

Seems like others are being hacked and different actions being performed.

 

http://forums.oscommerce.com/topic/386862-egy-spider-hacking-attempt/page__view__findpost__p__1635635

 

The solution is to upgrade php but another solution is on https://bugs.php.net/bug.php?id=61910

 

this mod_rewrite condition and
rule should take care of it for Apache users:

RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]

 

So the original solution I came up with is along the right lines, but this one appears to be better as it covers more threats.

 

You can tell if your server is vunerable by putting this in to your browser

 

http://www.yoursite.com/?-s

 

or in my case I tried

 

www.mysite.com/shop/banned/IP_Trapped.txt?-s

 

which shows the banned ips.

 

HTH

 

G

 

Now off to get Easy Populate to update category descriptions during a file upload!!

 

So using this:

this mod_rewrite condition and
rule should take care of it for Apache users:
	RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
	RewriteRule ^(.*) $1? [L]

 

inside of the root htaccess file replaces what you wrote in your first post, right?

 

RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
RewriteCond %{QUERY_STRING} tool25 [OR]
RewriteCond %{QUERY_STRING} cmd.txt [OR]
RewriteCond %{QUERY_STRING} cmd.gif [OR]
RewriteCond %{QUERY_STRING} allow_url_include [OR]
RewriteCond %{QUERY_STRING} auto_prepend_file [OR]
RewriteCond %{QUERY_STRING} r57shell [OR]
RewriteCond %{QUERY_STRING} c99 [OR]

 

or were you talking about another solution you had?

 

 

Also, I just tried using

/?-s

at the end of my domain and nothing happened. The browser just kept timing out. Should I have had something come up if my site was vulnerable?

Share this post

Link to post
Share on other sites

♥geoffreywalton    139

geoffreywalton
Posted

If you put in

 

http://www.yoursite.com/?-s

 

and you get to see the source code of index.php your server is vunerable to this kind of attack.

 

I would not use these 2 lines

 

RewriteCond %{QUERY_STRING} allow_url_include [OR]
RewriteCond %{QUERY_STRING} auto_prepend_file [OR]

 

and would add these after a rewrite rule line

 

RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]

 

Cheers

 

G

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.

Share this post

Link to post
Share on other sites

Mort-lemur    168

Mort-lemur
Posted

Hi,I

 

tried the site.co.uk/?-s attempt and am pleased to say that OSC SEC stopped it dead and banned me from my own site :-) with the following reason for the ban :

REASON FOR BAN: osC_Sec detected an attempt to exploit a PHP bug. (CVE-2012-1823)

 

Thanks

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.

Share this post

Link to post
Share on other sites

♥geoffreywalton    139

geoffreywalton
Posted

That is good news!!

 

The trouble is when you have a information site in the root directory and osc in a sub directory such as /catalog or /shop. If you have a site like this htacess is the only protection, as Os Sec will protect hack attempts on the directory osc is in and those "below" it but not against the root directory.

 

G

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.

Share this post

Link to post
Share on other sites

nedragdnuos    2

nedragdnuos
Posted

Hi all,

 

I have just tried the above test on my shop - http://www.yoursite.com/?-s

 

I received the email no problem so I am pleased that OS sec is working, but now I am trying to access my shopfront and am having no luck.

 

My IP address has not been added to .htaccess deny so I am wondering how do I go about "unblocking" myself from my own site LOL.

 

Any help will be appreciated.

 

Cheers!!

Share this post

Link to post
Share on other sites

MrPhil    648

MrPhil
Posted

Your IP address isn't listed in any .htaccess file? Be sure to check if your host just created a new one somewhere just to ban YOU! If you can't find anything, open a support ticket with your host explaining that you were running the check for PHP vulnerability, and you seem to have gotten yourself on some ban list, and could you please be taken off. By the way, if in testing this you were hitting your server many times in a short time period, it's possible that you're being banned as a Denial of Service attacker. You would have to explain the situation to your host tech support and get unbanned.

Share this post

Link to post
Share on other sites

nedragdnuos    2

nedragdnuos
Posted

Hi Phil, thank you for your prompt reply.

 

Yep, the IP was not in any .htaccess files and after contacting my hosting service they said that my IP was not on any of their lists, so after all that I simply uploaded yesterdays backup files and hey presto I was able to access the whole site again.

 

I have a strange feeling that I may have missed a write to a file somewhere, but of course now, in my haste to get the site back online, I never took a copy of the dead site so I cant compare files from one to the other...... well I could always try that attack again but I DONT THINK SO LOL.

 

All I can say is that if OSC Sec is that effective then I am very glad I have it installed and it has already caught a couple of suspect IPs in the meantime.

 

Thanks again for your help Phil.

 

Cheers!

Share this post

Link to post
Share on other sites
Go To Topic Listing Security
×