CodingForums.com > Server side development > Apache configuration
06-14-2011, 02:19 AM | #1
cernst77
If blocking China and the Russians with .htaccess won't do it...

... Then what will?

Someone injected files on my web server and got my site a malicious rating on Trend Micro.

I restored from a backup and started watching my logs.

I also picked a different dyndns alias than the one I got hacked on.

I see this stuff:

[error] [client 58.218.199.250] script '/(path omitted)/judge112233.php' not found or unable to stat
[error] [client 58.218.199.227] script '/(path omitted)/cgi-bin/son!****you.php' not found or unable to stat.

(nice name they have for that second exploit script eh?)

How do I prevent these jokers from even reaching my server? I have already tried large blocks of deny from statements in .htaccess and I still see these, about once a day - it could be worse I know, but I don't want these idiots anywhere near my web site!

The last thing I need is an employer accessing my web site and being stopped by their virus scanner with a malicious site warning!

Help?
06-14-2011, 03:36 AM | #2
oracleguy
When you got hacked before, how did they get in? Depending on how they compromised the server, htaccess may or may not help. Are you still seeing requests from IP blocks that you have denied in your htaccess file?
06-14-2011, 03:49 AM | #3
cernst77
Quote: Originally Posted by oracleguy
When you got hacked before, how did they get in? Depending on how they compromised the server, htaccess may or may not help. Are you still seeing requests from IP blocks that you have denied in your htaccess file?
Yup.

I am pretty sure they got in by having public upload turned on (I turned it off) or through free e107 CMS plugins known to have backdoors in them.

When I restored from a backup taken a full week before the trouble started (I have backups all the way to 01/01/2011, so if need be I can go back even further!), I deleted my entire forum, deleted all the plugins, changed all the passwords, moved phpmyadmin to still another alias, etc.

I just got new requests logged to my apache error.log

Code:
[error] client 109.237.214.63 File does not exist: /(path omitted)/w00tw00t.at.blackhats.romainian.antisec:)
[error] client 109.237.214.63 File does not exist: /(path omitted)/MyAdmin
[error] client 109.237.214.63 File does not exist: /(path omitted)/phpmyadmin


====== Partial copy of my .htaccess ========

# e107 .htaccess script for hosts with mod_rewrite
# If e107 is not installed in the document root, then make RewriteBase
# RewriteBase /your-e107-folder/
<FilesMatch \.php$>
ErrorDocument 400 /error.php?400
ErrorDocument 401 /error.php?401
ErrorDocument 403 /error.php?403
ErrorDocument 404 /error.php?404
ErrorDocument 500 /error.php?500
</FilesMatch>
ErrorDocument 404 /404.html
ErrorDocument 403 default
RewriteEngine on
RewriteBase /

<Limit GET HEAD POST>
order allow,deny
# Manual Blocks
deny from 58.218.199.

# Country: AFGHANISTAN
# ISO Code: AF
# Total Networks: 22
# Total Subnets: 98,560
deny from 27.116.56.0/22
deny from 58.147.128.0/19
deny from 61.5.192.0/20
deny from 111.125.152.0/21
deny from 111.223.244.0/22
deny from 117.55.192.0/20
deny from 117.104.224.0/21
deny from 119.59.80.0/21
deny from 121.100.48.0/21
deny from 121.127.32.0/19
deny from 124.199.112.0/20
deny from 125.213.192.0/19
deny from 175.106.32.0/19
deny from 180.94.64.0/19
deny from 180.222.136.0/21
deny from 182.50.176.0/20
deny from 202.56.176.0/20
deny from 202.86.16.0/20
deny from 203.174.27.0/24
deny from 203.215.32.0/20
deny from 210.80.0.0/19
deny from 210.80.32.0/19
## Country: CHINA
# ISO Code: CN
# Total Networks: 3,410
# Total Subnets: 331,821,056
deny from 1.0.1.0/24
deny from 1.0.2.0/23
deny from 1.0.8.0/21
deny from 1.0.32.0/19

.... lots more countries added via countryipblocks.net (not that it is doing any good ...)

Yes at the bottom is an "allow from all"
Hmm. Do I need to change the top to say order "deny,allow"? I am pretty sure countryipblocks.net generated that part too.

06-14-2011, 03:50 AM | #4
cernst77
There is actually a smiley in the path of the blackhats request. The forum converted it to a graphic smiley.
06-14-2011, 03:54 AM | #5
cernst77
Oops, those errors, BTW, are generated by GET requests coming from those URLs with HTTP/1.1 303 390 "-" "ZmEu".

the following two are 404 478 "-" "ZmEu" in the GET request, respectively.

I want these guys to go away! Is there no way to stop their attempts? At least the files they think they planted seem to be missing!
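The following script is an added example for posts #3 and #5 above; it is not the poster's configuration or anything from e107. It does three things a practitioner would want here: it picks the ZmEu-style probes (the "ZmEu" User-Agent, the w00tw00t marker path, phpMyAdmin aliases, dropped PHP shells) out of access.log and error.log lines, it emits a Deny block in the same Apache 2.2 style as the quoted .htaccess, and it models the Order directive so the "deny,allow" question can be answered by running it: with `Order allow,deny` the Deny lines are evaluated after `Allow from all` and win, which is what blocks the listed ranges, whereas `Order deny,allow` lets `Allow from all` override every Deny and would block nothing. Two caveats from the Apache documentation: wrapping the rules in `<Limit GET HEAD POST>` leaves every unlisted method unrestricted, so the block below is emitted without it; and .htaccess rules only take effect where `AllowOverride Limit` is permitted, and even then the request still reaches Apache, so an entry in the logs is not by itself proof the deny failed. The log lines are constructed to mimic the ones quoted in the thread; the paths and IPs in them are sample values.

```python
"""Triage Apache logs for ZmEu / w00tw00t scanner probes and build a Deny list.

Added example, not the poster's own configuration.  SAMPLE_ACCESS and
SAMPLE_ERROR are constructed lines modelled on the ones quoted in the thread;
apache22_allows() follows the mod_authz_host 'Order' rules from the docs.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Apache "combined" access-log format.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Apache 2.2 error-log format, as quoted in the thread.
ERROR_RE = re.compile(r'^\[[^\]]+\] \[error\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$')

# User-Agent strings used by mass phpMyAdmin/webshell scanners (ZmEu is the one in the thread).
SCANNER_UAS = ("ZmEu", "Morfeus")
# Paths those scanners ask for: the w00tw00t marker, phpMyAdmin aliases, dropped PHP shells.
PROBE_PATH_RE = re.compile(
    r'w00tw00t|phpmyadmin|/myadmin\b|/pma\b|judge\d+\.php|cgi-bin/\S*\.php', re.IGNORECASE)

# Constructed sample lines (not real log data); paths are placeholders.
SAMPLE_ACCESS = [
    '58.218.199.250 - - [14/Jun/2011:01:58:12 +0100] "GET /judge112233.php HTTP/1.1" 404 478 "-" "ZmEu"',
    '109.237.214.63 - - [14/Jun/2011:03:31:02 +0100] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 478 "-" "ZmEu"',
    '109.237.214.63 - - [14/Jun/2011:03:31:03 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 478 "-" "ZmEu"',
    '203.0.113.7 - - [14/Jun/2011:03:40:00 +0100] "GET /news.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
SAMPLE_ERROR = [
    '[Tue Jun 14 03:31:04 2011] [error] [client 109.237.214.63] File does not exist: /srv/www/htdocs/MyAdmin',
    '[Tue Jun 14 03:45:10 2011] [error] [client 203.0.113.7] File does not exist: /srv/www/htdocs/favicon.ico',
]


def classify(line):
    """Return (client_ip, reason) for a scanner-looking line, else None."""
    m = ACCESS_RE.match(line)
    if m:
        if any(tag in m['ua'] for tag in SCANNER_UAS):
            return m['ip'], 'scanner User-Agent %r' % m['ua']
        if PROBE_PATH_RE.search(m['path']):
            return m['ip'], 'probe for %r' % m['path']
        return None
    m = ERROR_RE.match(line)
    if m and PROBE_PATH_RE.search(m['msg']):
        return m['ip'], 'probe in error log: %r' % m['msg']
    return None


def offending_ips(lines):
    """Map each client IP that produced at least one probe to the reasons seen."""
    hits = defaultdict(list)
    for line in lines:
        found = classify(line.strip())
        if found:
            hits[found[0]].append(found[1])
    return dict(hits)


def deny_block(ips, prefix=24):
    """Apache 2.2 access-control block in the style of the poster's .htaccess.

    'Order allow,deny' is kept on purpose: Deny is evaluated after Allow and a
    matching Deny wins, so the trailing 'Allow from all' does not undo it.
    The block is deliberately not wrapped in <Limit>, which would leave every
    unlisted HTTP method unrestricted.  Each IP is widened to a /prefix net.
    """
    nets = sorted({ip_network('%s/%d' % (ip, prefix), strict=False) for ip in ips})
    lines = ['Order allow,deny'] + ['Deny from %s' % n for n in nets] + ['Allow from all']
    return '\n'.join(lines)


def apache22_allows(client_ip, order, allows, denies):
    """Model the mod_authz_host 'Order' directive (Apache 2.2).

    allows/denies are lists of CIDR strings or the string 'all'.  Returns True
    if the client would be let through.
    """
    addr = ip_address(client_ip)

    def match(rules):
        return any(r == 'all' or addr in ip_network(r, strict=False) for r in rules)

    a, d = match(allows), match(denies)
    if order == 'allow,deny':   # default deny: must match an Allow and no Deny
        return a and not d
    if order == 'deny,allow':   # default allow: any Allow overrides a Deny
        return (not d) or a
    raise ValueError('unknown Order: %s' % order)


if __name__ == '__main__':
    bad = offending_ips(SAMPLE_ACCESS + SAMPLE_ERROR)
    for ip, reasons in bad.items():
        print(ip, '->', '; '.join(reasons))
    print(deny_block(bad))
    for order in ('allow,deny', 'deny,allow'):
        print('Order %s lets 58.218.199.250 in: %s' % (
            order, apache22_allows('58.218.199.250', order, ['all'], ['58.218.199.0/24'])))
```

Run against real logs by feeding `open('/var/log/apache2/access.log')` and the error log into `offending_ips()`; the `/24` widening in `deny_block()` matches the poster's `deny from 58.218.199.` line and is a judgement call, since a scanner's neighbours are not necessarily hostile. Because a `.htaccess` Deny still costs a request on the server, the same IP list is better fed to a host firewall or to fail2ban, which is what actually keeps the scanners away rather than merely answering them with a 403.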