Debs (Author) posted August 18, 2010

XSS/ BAD BEHAVIOR BLOCK

Blocks hacking attempts and automatically bans the hacker's access to your website.

Recently it seems that whenever I log into the osCommerce forums I see a new post stating that someone's website has been hacked. There was nothing available that covered what I needed, so I came up with this method, and it has proven very effective. So... I packaged up what I use to stop XSS and other hack attempts. It should work for most people.

No tough requirements. You must have access to your .htaccess (the standard Apache/Linux web server). It is a simple install: one new folder and one addition to your .htaccess file.

Most install problems will be because you have not read the install instructions. Some people may have file permission issues; these are covered in the install file.

I hope I haven't made an error in the install... I proofed it a couple of times before uploading. You should be set. Hopefully this helps keep your business/ website secure.

http://addons.oscommerce.com/info/7509

Kind regards,
Debs
Jon53 posted August 18, 2010

Why is there already a "deny from 67.19.142.226" in the .htaccess?
Debs (Author) posted August 18, 2010

> Why is there already a "deny from 67.19.142.226" in the .htaccess?

My last hack attempt came from him a few days ago. I think it was just a static IP from Texas, a "home hacker". He was up to no good. You can delete the IP.
Francys posted August 19, 2010

lo Debs, do you by any chance have a known method that you can post to block website downloaders, like Teleport Pro, etc.? Thanks for this nice contrib.

Franc
Debs (Author) posted August 20, 2010

> lo Debs, do you by any chance have a known method that you can post to block website downloaders, like Teleport Pro, etc.? Thanks for this nice contrib.
>
> Franc

    ########## start block
    # Tag requests whose User-Agent matches a known site copier or bot.
    # The ^ anchor matches only at the start of the header value.
    SetEnvIfNoCase User-Agent "^Yandex*" bad_bot
    SetEnvIfNoCase User-Agent "^HTTrack" bad_bot
    SetEnvIfNoCase User-Agent "^WebCopier" bad_bot
    SetEnvIfNoCase User-Agent "^SiteCopy" bad_bot
    SetEnvIfNoCase User-Agent "ia_archiver" bad_bot
    SetEnvIfNoCase User-Agent "^LinkWalker" bad_bot
    SetEnvIfNoCase User-Agent "^Teleport" bad_bot
    SetEnvIfNoCase User-Agent "^psycheclone" bad_bot
    SetEnvIfNoCase User-Agent "^Web Downloader" bad_bot
    SetEnvIfNoCase User-Agent "^libwww-perl" bad_bot
    # Allow everyone, then deny any request carrying the bad_bot tag.
    <Limit GET POST>
    Order Allow,Deny
    Allow from all
    Deny from env=bad_bot
    </Limit>
    ########## end block

    ########## start block
    # "deny from <hostname>" matches the client's reverse-DNS host name,
    # not the Referer header; the RewriteCond rules below handle referers.
    <Limit GET HEAD POST>
    order allow,deny
    deny from keywordspy.com
    deny from keywordspypro.com
    deny from spyfu.com
    deny from spyfoo.com
    deny from foospy.com
    deny from fuspy.com
    allow from all
    </Limit>
    # Refuse (403) requests referred from these domains. Every condition
    # but the last needs [OR]; without it the conditions are ANDed.
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} keywordspy\.com [NC,OR]
    RewriteCond %{HTTP_REFERER} keywordspypro\.com [NC,OR]
    RewriteCond %{HTTP_REFERER} spyfu\.com [NC,OR]
    RewriteCond %{HTTP_REFERER} foospy\.com [NC,OR]
    RewriteCond %{HTTP_REFERER} fuspy\.com [NC,OR]
    RewriteCond %{HTTP_REFERER} spyfoo\.com [NC]
    RewriteRule .* - [F]
    ########## end block

You're welcome. This is what I use.
Debs (Author) posted August 20, 2010

> lo Debs, do you by any chance have a known method that you can post to block website downloaders, like Teleport Pro, etc.? Thanks for this nice contrib.
>
> Franc

For blocking some of the website downloaders etc., you just need this below.

    ########## start block
    # Tag requests whose User-Agent starts with a known site copier name.
    SetEnvIfNoCase User-Agent "^HTTrack" bad_bot
    SetEnvIfNoCase User-Agent "^WebCopier" bad_bot
    SetEnvIfNoCase User-Agent "^SiteCopy" bad_bot
    SetEnvIfNoCase User-Agent "^LinkWalker" bad_bot
    SetEnvIfNoCase User-Agent "^Teleport" bad_bot
    SetEnvIfNoCase User-Agent "^psycheclone" bad_bot
    SetEnvIfNoCase User-Agent "^Web Downloader" bad_bot
    # Allow everyone, then deny any request carrying the bad_bot tag.
    <Limit GET POST>
    Order Allow,Deny
    Allow from all
    Deny from env=bad_bot
    </Limit>
    ########## end block
pctekcomponents posted August 22, 2010

I seem to be having a few issues getting this to run on my site. I keep getting the following errors.....

    Warning: fopen(../.htaccess) [function.fopen]: failed to open stream: Permission denied in /home/*********/*********/bad_conduct/ban.php on line 18
    Warning: fopen(data.html) [function.fopen]: failed to open stream: Permission denied in /home/*********/*********/bad_conduct/ban.php on line 29
    Warning: fwrite(): supplied argument is not a valid stream resource in /home/*********/*********/bad_conduct/ban.php on line 30
    Warning: fclose(): supplied argument is not a valid stream resource in /home/*********/*********/bad_conduct/ban.php on line 31
    Forbidden!

What should my file permissions be set at? I've contacted my host and they say that they have fixed the file permissions/ownership for my site.

Thanks
Debs (Author) posted August 22, 2010

> I seem to be having a few issues getting this to run on my site. I keep getting the following errors.....
>
>     Warning: fopen(../.htaccess) [function.fopen]: failed to open stream: Permission denied in /home/*********/*********/bad_conduct/ban.php on line 18
>     Warning: fopen(data.html) [function.fopen]: failed to open stream: Permission denied in /home/*********/*********/bad_conduct/ban.php on line 29
>     Warning: fwrite(): supplied argument is not a valid stream resource in /home/*********/*********/bad_conduct/ban.php on line 30
>     Warning: fclose(): supplied argument is not a valid stream resource in /home/*********/*********/bad_conduct/ban.php on line 31
>     Forbidden!
>
> What should my file permissions be set at? I've contacted my host and they say that they have fixed the file permissions/ownership for my site.
>
> Thanks

The .htaccess file (AND the folder /bad_conduct) must both reside in the root. Not the store folder, the root of your site.

    /bad_conduct/data.html    File permissions: 644

You could also try to rename data.html to a different extension such as .txt and then change line 29 (ban.php) to reflect the change:

    $fopen = fopen("data.txt", "a");

If that does not work... then remove the folder and the .htaccess addition. An easy uninstall. Recheck your install instructions, as that is your most likely issue.
Debs (Author) posted August 22, 2010

> The .htaccess file (AND the folder /bad_conduct) must both reside in the root. Not the store folder, the root of your site.
>
>     /bad_conduct/data.html    File permissions: 644
>
> You could also try to rename data.html to a different extension such as .txt and then change line 29 (ban.php) to reflect the change:
>
>     $fopen = fopen("data.txt", "a");
>
> If that does not work... then remove the folder and the .htaccess addition. An easy uninstall. Recheck your install instructions, as that is your most likely issue.

    /bad_conduct/data.html    File permissions: 644

Perhaps even try 744 for the data.html... if 644 did not work. I have never had to go above 644 though.
pctekcomponents posted August 22, 2010

Thanks for the quick reply, Debs. It looks like I've done everything as per the install instructions:

- the .htaccess file and bad_conduct folder are in the root (public html) folder of my site
- .htaccess and data.html both set to 644
- bad_conduct folder set to 755
- tried changing data.html to .txt but I still get the same errors.

Will check again with my host. I hope I can get this working as it looks to be a very useful contrib. Thanks again.

Edit: tried setting data.html to 744.... same errors
pctekcomponents posted August 22, 2010

My problem is definitely related to permissions, as I temporarily set all necessary files to 777 and the contrib worked as it should. Just waiting on a further response from my host.
pctekcomponents posted August 22, 2010

Seems the lowest I can get this to work on my site is with permissions set to 646.
Debs (Author) posted August 22, 2010

> Seems the lowest I can get this to work on my site is with permissions set to 646.

I think you should be ok with 646 on data.html. The data file that is written to is never revealed, and you can rename it anything you like (if changed, also change the location in the ban.php file to match the new name).

Direct access to the folder bad_conduct/ (although never revealed to anyone) is already protected. Anyone who tries to access it directly is banned/ blocked.

Your host certainly should already have your .htaccess protected from the world. If you are uncertain, it wouldn't hurt to deny access to it. Place the code below in your domain's root .htaccess:

    # STRONG HTACCESS PROTECTION
    # Refuse every request for a file whose name contains ".hta"
    # (.htaccess, .htpasswd, ...), whatever the letter case.
    <Files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
    </Files>
pctekcomponents posted August 22, 2010

Thanks Debs. My host has confirmed that no one can access the files, so it's all good now :)
Debs (Author) posted August 22, 2010

> Thanks Debs. My host has confirmed that no one can access the files, so it's all good now :)

Sounds great, good luck on your site!
Debs (Author) posted August 27, 2010

> Sounds great, good luck on your site!

You should already have error documents set up on your server...

Apache custom error 403 configuration: this custom error page can be configured with a single line in the .htaccess file for the relevant directory, as shown below. If this instruction is given in the root level document directory, it applies to all subdirectories. Here is an example, in your .htaccess:

    ErrorDocument 401 /401.shtml
    ErrorDocument 403 /403.shtml
    ErrorDocument 404 /404.shtml

or another example with a few more and a different extension:

    ErrorDocument 400 /400.html
    ErrorDocument 401 /401.html
    ErrorDocument 403 /403.html
    ErrorDocument 404 /404.html
    ErrorDocument 500 /500.html

At minimum, you do need a 403 error document set up.
Guest posted September 27, 2010

Hi Debs,

I have followed Spooks' forum post 'how to secure your site ... ...' http://www.oscommerce.com/forums/index.php?showtopic=313323

In that post, he suggested using 'ANTI Cross Site Scripting attacks' http://addons.oscommerce.com/info/6044

Could you combine both Contribution 6044 and yours together as one, or let me know if there is any need to replace pixclinic's 6044 with yours? I am sure your contribution must be good as you have had it for a while.

But I am having problems with my hosting company regarding REWRITE ENGINE on / off in conf.ini of the shared platform server. The reason I mention it here: I tried to use the Ultimate SEO Url contribution, and it modifies the .htaccess file to do rewriting, but I ended up having an argument with the hosting company over the phone, on Twitter and on their support forum lmao. I have disabled the rewrite engine in .htaccess for now until I end my problem with the hosting company; however, those codes have piled up and I think I have lost track of what belongs to which contributions lol :ppp

I am very new to PHP and Linux, learning alone with site building and error hunting :( hard work I have to say. Especially, I really don't want to mess with my .htaccess file, as it can throw my site out the window if I deleted or modified something that was meant to protect my site from being hacked. (My site was hacked over a week ago without all Spooks' suggested patches, my fault though.)

Any advice on your contribution is appreciated.

Regards,
Kai
Debs (Author) posted September 27, 2010

> Hi Debs,
>
> I have followed Spooks' forum post 'how to secure your site ... ...' http://www.oscommerce.com/forums/index.php?showtopic=313323
>
> In that post, he suggested using 'ANTI Cross Site Scripting attacks' http://addons.oscommerce.com/info/6044
>
> Could you combine both Contribution 6044 and yours together as one, or let me know if there is any need to replace pixclinic's 6044 with yours? I am sure your contribution must be good as you have had it for a while.
>
> But I am having problems with my hosting company regarding REWRITE ENGINE on / off in conf.ini of the shared platform server. The reason I mention it here: I tried to use the Ultimate SEO Url contribution, and it modifies the .htaccess file to do rewriting, but I ended up having an argument with the hosting company over the phone, on Twitter and on their support forum lmao. I have disabled the rewrite engine in .htaccess for now until I end my problem with the hosting company; however, those codes have piled up and I think I have lost track of what belongs to which contributions lol :ppp
>
> I am very new to PHP and Linux, learning alone with site building and error hunting :( hard work I have to say. Especially, I really don't want to mess with my .htaccess file, as it can throw my site out the window if I deleted or modified something that was meant to protect my site from being hacked. (My site was hacked over a week ago without all Spooks' suggested patches, my fault though.)
>
> Any advice on your contribution is appreciated.
>
> Regards,
> Kai

Hello Kai,

No need to replace what you have with mine. This mod does require the rewrite engine on, plus knowing how to set a folder permission. If you already have a "finely tuned website", this contribution will allow more control over hack attempts.

I wish you luck with your site.

Kind regards,
Debs
Guest posted September 27, 2010

> Hello Kai,
>
> No need to replace what you have with mine. This mod does require the rewrite engine on, plus knowing how to set a folder permission. If you already have a "finely tuned website", this contribution will allow more control over hack attempts.
>
> I wish you luck with your site.
>
> Kind regards,
> Debs

Hi Debs,

Thanks for your reply. Yes, I use PuTTY via SSH to change folder permissions and have no problem with that. I will leave your contribution aside for now, but I will also keep an eye on it for future updates ;) I think what I really need to do at the moment is to get a result with my hosting company on whether they will turn on the rewrite engine, or I will have to move to another hoster.

Thanks for your time again.

Regards
Kai
Clownshoes posted November 8, 2010

Hello,

I ran the test. It recorded my IP address, which was viewable with the data.html link, BUT it didn't block me from the site. I could keep on browsing as usual. I saw my IP appended to the .htaccess file as well.

Any ideas as to why I'm not blocked?

Thanks
Debs (Author) posted November 9, 2010

> Hello,
>
> I ran the test. It recorded my IP address, which was viewable with the data.html link, BUT it didn't block me from the site. I could keep on browsing as usual. I saw my IP appended to the .htaccess file as well.
>
> Any ideas as to why I'm not blocked?
>
> Thanks

Things to double check:

1. Is it installed in the root of your site, regardless of your store structure?

2. Did you add all of the .htaccess rules?

    ########## BAD BEHAVIOR BLOCK rules to ban exploits
    RewriteEngine On
    # Query strings carrying common exploit payloads are rewritten to
    # ban.php, which records and bans the client address.
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ bad_conduct/ban.php [L]
    # Refuse TRACE and TRACK outright with a 403.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    # Requests ending in setup.php or file_manager.php go straight to ban.php.
    RewriteRule setup\.php$ bad_conduct/ban.php [NC,L]
    RewriteRule file_manager\.php$ bad_conduct/ban.php [NC,L]
    # Keep the custom 403 page reachable for clients that are denied below.
    <Files 403.shtml>
    order allow,deny
    allow from all
    </Files>
    # Remove this line; it is there to show structure, yet it is a real hacker's IP.
    deny from 124.158.195.79

3. And did you leave an empty space/ line at the end of your .htaccess? You must have an empty line before saving. Double check.
Clownshoes posted November 9, 2010

> Things to double check:
>
> 1. Is it installed in the root of your site, regardless of your store structure?
>
> 2. Did you add all of the .htaccess rules?
>
>     ########## BAD BEHAVIOR BLOCK rules to ban exploits
>     RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
>     RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
>     RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
>     RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
>     RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
>     RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
>     RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
>     RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
>     RewriteRule ^(.*)$ bad_conduct/ban.php [L]
>     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
>     RewriteRule .* - [F]
>     RewriteRule setup\.php$ bad_conduct/ban.php [NC,L]
>     RewriteRule file_manager\.php$ bad_conduct/ban.php [NC,L]
>     <Files 403.shtml>
>     order allow,deny
>     allow from all
>     </Files>
>     # Remove this line; it is there to show structure, yet it is a real hacker's IP.
>     deny from 124.158.195.79
>
> 3. And did you leave an empty space/ line at the end of your .htaccess? You must have an empty line before saving. Double check.

Yes, did all those things. It's recording new addresses... this is what it appended:

    deny from 64.15.159.171
    deny from 64.15.159.171
    deny from 64.15.159.171
    deny from 64.15.159.171
    deny from 64.15.159.171
    deny from 64.15.159.171
    deny from 64.15.159.171
    deny from 64.15.159.171

But see how it did it over and over, because it didn't block him on the first attempt? There must be something else in the file that's making the deny not work, but I'm a beginner so I have no idea what to look for.
Debs (Author) posted November 9, 2010

> Yes, did all those things. It's recording new addresses... this is what it appended:
>
>     deny from 64.15.159.171
>     deny from 64.15.159.171
>     deny from 64.15.159.171
>     deny from 64.15.159.171
>     deny from 64.15.159.171
>     deny from 64.15.159.171
>     deny from 64.15.159.171
>     deny from 64.15.159.171
>
> But see how it did it over and over, because it didn't block him on the first attempt? There must be something else in the file that's making the deny not work, but I'm a beginner so I have no idea what to look for.

You also should make sure you have your error pages on the server (they should be there by default).

As a last resort, try removing this last block of code:

    <Files 403.shtml>
    order allow,deny
    allow from all
    </Files>

Again, leave a space at the end of your .htaccess file.
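Two details in this exchange point at the same weak spot of any "append a deny line" approach: ban.php writes a fresh "deny from" line on every hit (hence the eight identical lines above), and the trailing empty line Debs keeps insisting on matters because a directive appended to a file that does not end in a newline is glued onto the previous line. The routine below is an added example in Python, not the add-on's ban.php (which is PHP) and not code from anyone in this thread. It models that single step defensively: the value written into server configuration comes from the request, so it is accepted only if it is a literal IP address, each address is appended once, and the trailing newline is normalised before writing. The .htaccess text and addresses are constructed for the example.

```python
"""Append a 'deny from <ip>' rule to an .htaccess body safely.

Added example, not the bad_conduct/ban.php shipped with the add-on.
It models the one step the thread shows misbehaving: appending deny
lines without de-duplication and without a guaranteed trailing newline.
"""
import ipaddress
import re

# One "deny from <address>" directive per line, any letter case.
DENY_RE = re.compile(r"^\s*deny\s+from\s+(\S+)\s*$", re.IGNORECASE | re.MULTILINE)


def banned_ips(htaccess: str) -> set[str]:
    """Return every address already present in a 'deny from' line."""
    return {m.group(1) for m in DENY_RE.finditer(htaccess)}


def validate_ip(candidate: str) -> str:
    """Accept only a literal IPv4/IPv6 address and return it normalised.

    The value comes from the request (REMOTE_ADDR in the add-on), so
    anything that is not a bare address is rejected instead of being
    written into server configuration.
    """
    try:
        return str(ipaddress.ip_address(candidate.strip()))
    except ValueError as exc:
        raise ValueError(f"not a literal IP address: {candidate!r}") from exc


def ban_ip(htaccess: str, candidate: str) -> str:
    """Return htaccess with 'deny from <ip>' appended exactly once.

    The existing text is terminated with a newline first; without that
    the new directive would be glued onto the previous line, which is
    the failure the thread's "leave an empty line" advice guards against.
    """
    ip = validate_ip(candidate)
    if ip in banned_ips(htaccess):
        return htaccess
    if htaccess and not htaccess.endswith("\n"):
        htaccess += "\n"
    return f"{htaccess}deny from {ip}\n"


# Constructed sample: a short .htaccess that already denies one
# documentation-range address and lacks its trailing newline.
SAMPLE_HTACCESS = (
    "RewriteEngine On\n"
    "RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)\n"
    "RewriteRule .* - [F]\n"
    "deny from 203.0.113.7"
)

if __name__ == "__main__":
    text = SAMPLE_HTACCESS
    # Same address twice, then one already present: only one line is added.
    for hit in ("198.51.100.24", "198.51.100.24", "203.0.113.7"):
        text = ban_ip(text, hit)
    print(text)
```

In the real add-on the result of a routine like this would be written back with an exclusive lock, since two concurrent hits otherwise race on the same file.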
Clownshoes posted November 9, 2010

> You also should make sure you have your error pages on the server (they should be there by default).
>
> As a last resort, try removing this last block of code:
>
>     <Files 403.shtml>
>     order allow,deny
>     allow from all
>     </Files>
>
> Again, leave a space at the end of your .htaccess file.

It still doesn't block me at all. Have no idea, Google had no answers so far either. Seems like a neat contrib.
Clownshoes posted November 11, 2010

Hi, I got it working. Seems too many orders in there... When I commented out this stuff from the top of my .htaccess file it started to work.

    #<Limit GET POST>
    #order deny,allow
    #deny from all
    #allow from all
    #</Limit>
    #<Limit PUT DELETE>
    #order deny,allow
    #deny from all
    #</Limit>

I don't know what that does, but that ALLOW FROM ALL seems to mean business. You know if those lines there serve any purpose and if it's okay to leave them out?
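The thread ends without an answer to why that block neutralised the bans, so here is the mechanism and an added example configuration (written for this page, not taken from the add-on or from any post above). With "Order deny,allow", Apache's host-based access control evaluates every "deny" directive first and then lets any matching "allow" override the result. "allow from all" matches every client, so a "deny from <ip>" line that ban.php appended further down was overridden for GET and POST, the request went through, and ban.php appended the same address again. "Order allow,deny" reverses the precedence: a matching "deny" wins over "allow from all", which is exactly the ordering the add-on's own bad_bot block uses. The address below is a documentation-range placeholder, not one from the thread.

```apache
# Added example: access control that keeps the intent of the commented-out
# block (everyone may browse, PUT/DELETE are refused) while letting the
# "deny from <ip>" lines ban.php appends actually take effect.

# Evaluate Allow first, then Deny, for every request method: a matching
# "deny from" now overrides "allow from all" instead of being overridden.
Order Allow,Deny
Allow from all

# Refuse methods the store never needs. Under Allow,Deny the deny wins.
<Limit PUT DELETE>
Deny from all
</Limit>

# Leave the custom 403 page reachable so a denied client sees it instead
# of a second 403 while Apache tries to fetch the error document.
<Files 403.shtml>
Allow from all
</Files>

# Lines like this one are appended by ban.php, one per banned address.
# With the Order above, this client is now refused on every method.
deny from 198.51.100.24
```

These "Order/Allow/Deny" directives belong to Apache 2.2's access control; Apache 2.4 still honours them through mod_access_compat, and a 2.4-only configuration would express the same policy with "Require all granted" plus "Require not ip <address>".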
This topic is now archived and is closed to further replies.