#1 (New to the CF scene)

If blocking China and the Russians with .htaccess won't do it...

... then what will?

    Someone injected files on my web server and got my site a malicious rating on Trend Micro.

    I restored from a backup and started watching my logs.

    I also picked a different dyndns alias than the one I got hacked on.

    I see this stuff:

[error] [client 58.218.199.250] script '/(path omitted)/judge112233.php' not found or unable to stat
[error] [client 58.218.199.227] script '/(path omitted)/cgi-bin/son!****you.php' not found or unable to stat

(nice name they have for that second exploit script, eh?)

How do I prevent these jokers from even reaching my server? I have already tried large blocks of "deny from" statements in .htaccess and I still see these, about once a day. It could be worse, I know, but I don't want these idiots anywhere near my web site!

    The last thing I need is an employer accessing my web site and being stopped by their virus scanner with a malicious site warning!

    Help?

#2 (Rockstar Coder, USA)
    When you got hacked before, how did they get in? Depending on how they compromised the server, htaccess may or may not help. Are you still seeing requests from IP blocks that you have denied in your htaccess file?
    OracleGuy

#3 (New to the CF scene)
Quote, originally posted by oracleguy:
    When you got hacked before, how did they get in? Depending on how they compromised the server, htaccess may or may not help. Are you still seeing requests from IP blocks that you have denied in your htaccess file?
    Yup.

They got in, I am pretty sure, by having public upload turned on (I turned it off) or through free e107 CMS plugins known to have backdoors in them.

When I restored to a backup from a full week before the trouble started (I have backups all the way to 01/01/2011, so if need be I can go back even further!), I deleted my entire forum, deleted all the plugins, changed all the passwords, moved phpMyAdmin to still another alias, etc.

I just got new requests logged to my Apache error.log:

    Code:
    [error] client 109.237.214.63 File does not exist: /(path omitted)/w00tw00t.at.blackhats.romainian.antisec:)
    [error] client 109.237.214.63 File does not exist: /(path omitted)/MyAdmin
    [error] client 109.237.214.63 File does not exist: /(path omitted)/phpmyadmin


    ====== Partial copy of my .htaccess ========

    # e107 .htaccess script for hosts with mod_rewrite
    # If e107 is not installed in the document root, then make RewriteBase
    # RewriteBase /your-e107-folder/
    <FilesMatch \.php$>
    ErrorDocument 400 /error.php?400
    ErrorDocument 401 /error.php?401
    ErrorDocument 403 /error.php?403
    ErrorDocument 404 /error.php?404
    ErrorDocument 500 /error.php?500
    </FilesMatch>
    ErrorDocument 404 /404.html
    ErrorDocument 403 default
    RewriteEngine on
    RewriteBase /

    <Limit GET HEAD POST>
    order allow,deny
    # Manual Blocks
    deny from 58.218.199.

    # Country: AFGHANISTAN
    # ISO Code: AF
    # Total Networks: 22
    # Total Subnets: 98,560
    deny from 27.116.56.0/22
    deny from 58.147.128.0/19
    deny from 61.5.192.0/20
    deny from 111.125.152.0/21
    deny from 111.223.244.0/22
    deny from 117.55.192.0/20
    deny from 117.104.224.0/21
    deny from 119.59.80.0/21
    deny from 121.100.48.0/21
    deny from 121.127.32.0/19
    deny from 124.199.112.0/20
    deny from 125.213.192.0/19
    deny from 175.106.32.0/19
    deny from 180.94.64.0/19
    deny from 180.222.136.0/21
    deny from 182.50.176.0/20
    deny from 202.56.176.0/20
    deny from 202.86.16.0/20
    deny from 203.174.27.0/24
    deny from 203.215.32.0/20
    deny from 210.80.0.0/19
    deny from 210.80.32.0/19
# Country: CHINA
    # ISO Code: CN
    # Total Networks: 3,410
    # Total Subnets: 331,821,056
    deny from 1.0.1.0/24
    deny from 1.0.2.0/23
    deny from 1.0.8.0/21
    deny from 1.0.32.0/19

    .... lots more countries added via countryipblocks.net (not that it is doing any good ...)

Yes, at the bottom is an "allow from all".
Hmm, do I need to change the top to say order "deny,allow"? I am pretty sure countryipblocks.net generated that part too.
    Last edited by Inigoesdr; 06-14-2011 at 04:18 PM.

#4 (New to the CF scene)
There is actually a smiley in that part of the address on the blackhats request. The forum converted it to a graphic smiley.

#5 (New to the CF scene)
Oops, those errors BTW are generated by GET requests coming from those URLs with HTTP/1.1 303 390 "-" "ZmEu".

The following two are 404 478 "-" "ZmEu" in the GET request, respectively.

I want these guys to go away! Is there no way to stop their attempts? At least the files they think they planted seem to be missing!
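A worked check of the question left open in post #3 (whether `order allow,deny` followed by a trailing `allow from all` really blocks the denied ranges, or whether the Order line needs flipping) together with the ZmEu / w00tw00t / phpMyAdmin probes quoted in posts #3 and #5. This is an added example, not code from the thread or from e107: it re-implements the Apache 2.2 Order/Allow/Deny decision in Python for the three argument forms the posted .htaccess uses (`all`, a CIDR network, a partial dotted prefix like `58.218.199.`), tags constructed access-log lines in combined-log format, and reports which scanner IPs the current rules would still let through. `HTACCESS` is a trimmed reconstruction of the posted file (the real one lists thousands of networks), `SAMPLE_LOG` is constructed from the IPs, paths and "ZmEu" user agent quoted in the thread plus one benign visitor, and every function name is this example's own.

```python
"""Replay Apache 2.2 Order/Allow/Deny rules against scanner requests.

Added example, not code from the thread.  HTACCESS is a trimmed
reconstruction of the .htaccess posted in #3; SAMPLE_LOG is constructed
from the IPs, paths and "ZmEu" user agent quoted in posts #3 and #5.
"""
import ipaddress
import re

# Assumption: only these rules matter for the check; the real file lists
# thousands of country networks between "order" and "allow from all".
HTACCESS = """\
<Limit GET HEAD POST>
order allow,deny
# Manual Blocks
deny from 58.218.199.
# Country: AFGHANISTAN
deny from 27.116.56.0/22
# Country: CHINA
deny from 1.0.1.0/24
deny from 1.0.2.0/23
allow from all
</Limit>
"""

# Constructed combined-log lines; 203.0.113.9 is a benign visitor.
SAMPLE_LOG = """\
109.237.214.63 - - [14/Jun/2011:10:02:11 +0000] "GET /w00tw00t.at.blackhats.romainian.antisec:) HTTP/1.1" 404 478 "-" "ZmEu"
109.237.214.63 - - [14/Jun/2011:10:02:12 +0000] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 478 "-" "ZmEu"
58.218.199.250 - - [14/Jun/2011:11:15:40 +0000] "GET /judge112233.php HTTP/1.1" 404 478 "-" "ZmEu"
203.0.113.9 - - [14/Jun/2011:12:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

DIRECTIVE_RE = re.compile(r"(order|allow|deny)\s+(?:from\s+)?(.+)$", re.I)
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# (label, predicate) pairs for the probes seen in the thread.
SIGNATURES = (
    ("ZmEu scanner", lambda e: e["ua"] == "ZmEu"),
    ("w00tw00t probe", lambda e: "w00tw00t" in e["req"]),
    ("phpMyAdmin probe", lambda e: re.search(r"(?i)/(php)?myadmin", e["req"]) is not None),
)


def parse_access_rules(text):
    """Collect Order/Allow/Deny directives; Limit tags and comments are skipped."""
    order, allows, denies = "deny,allow", [], []  # Apache 2.2 default Order
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line.strip())
        if not m:
            continue
        key, arg = m.group(1).lower(), m.group(2).strip()
        if key == "order":
            order = arg.replace(" ", "").lower()
        elif key == "allow":
            allows.extend(arg.split())
        else:
            denies.extend(arg.split())
    return order, allows, denies


def host_matches(pattern, ip):
    """The three Allow/Deny argument forms the posted file uses."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:  # CIDR network
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):  # partial address: leading octets must agree
        octets = pattern.rstrip(".").split(".")
        return ip.split(".")[: len(octets)] == octets
    return ip == pattern


def access_decision(order, allows, denies, ip):
    """Apache 2.2 mod_authz_host: the list named second in Order wins on overlap."""
    allowed = any(host_matches(p, ip) for p in allows)
    denied = any(host_matches(p, ip) for p in denies)
    if order == "allow,deny":  # default deny; a Deny match beats any Allow
        return "allow" if allowed and not denied else "deny"
    if order == "deny,allow":  # default allow; an Allow match beats any Deny
        return "deny" if denied and not allowed else "allow"
    raise ValueError("unsupported Order: %s" % order)


def tag_line(line):
    """Parse one combined-log line and attach the scanner signatures it trips."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["tags"] = [label for label, hit in SIGNATURES if hit(entry)]
    return entry


def audit(htaccess, log):
    """Map each scanner IP to its signatures and the decision the rules give it."""
    order, allows, denies = parse_access_rules(htaccess)
    report = {}
    for line in log.splitlines():
        entry = tag_line(line)
        if not entry or not entry["tags"]:
            continue
        seen = report.setdefault(entry["ip"], {"tags": set(), "decision": None})
        seen["tags"].update(entry["tags"])
        seen["decision"] = access_decision(order, allows, denies, entry["ip"])
    return {ip: {"tags": sorted(v["tags"]), "decision": v["decision"]}
            for ip, v in report.items()}


def suggest_deny(report):
    """Deny lines for scanner IPs the current rules still let through."""
    return ["deny from %s" % ip for ip, v in sorted(report.items()) if v["decision"] == "allow"]


if __name__ == "__main__":
    result = audit(HTACCESS, SAMPLE_LOG)
    for ip, info in sorted(result.items()):
        print("%-16s %-6s %s" % (ip, info["decision"], ", ".join(info["tags"])))
    print("\n".join(suggest_deny(result)))
```

Running it shows that under `order allow,deny` a Deny match overrides the trailing `allow from all`, so the posted file does block 58.218.199.x; flipping to `order deny,allow` would make `allow from all` override every Deny and open the site back up, which answers the question in post #3. The 109.237.214.63 scanner is let through simply because no listed range covers it: country block lists only ever catch scanners whose source happens to be in a listed network, and even a matching deny does not keep the request off the server, it just turns the answer into a 403. Two caveats a practitioner would check against the posted file: the rules sit inside `<Limit GET HEAD POST>`, so a request using any other method is not restricted by them at all (drop the `<Limit>` wrapper, or use `<LimitExcept>` for the inverse), and on Apache 2.4 the same logic is written with `Require all granted` and `Require not ip ...` inside a `<RequireAll>` block rather than Order/Allow/Deny.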

