Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#1 2008-05-06 18:32:49

roelof
Member
Registered: 2005-03-27
Posts: 647

how can i block visitors from a provider.

Hello,

Since 1 March there are some people which try to hack my site.
I have tried to block this with .htaccess which look like this :

#DirectoryIndex index.php index.html

#Options +FollowSymLinks
#Options -Indexes

<IfModule mod_rewrite.c> RewriteEngine On #RewriteBase /relative/web/path/

RewriteCond %{REQUEST_FILENAME} -f [OR] RewriteCond %{REQUEST_FILENAME} -d RewriteRule ^(.+) – [PT,L]

RewriteRule ^(.*) /index.php

RewriteCond %{HTTP:Authorization} !^$ RewriteRule .* – [E=REMOTE_USER:%{HTTP:Authorization}]
</IfModule>

#php_value register_globals 0

Order Deny,Allow
Deny from *.cable.casema.nl
Allow from all

But it doesn’t work. Blocking from ip-adres doesn’t work either because they can change thier ip-adress.

Who has another idea ?

Roelof

Offline

#2 2008-05-06 18:41:27

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: how can i block visitors from a provider.

How are they trying to “hack” your site?

Offline

#3 2008-05-06 18:45:50

roelof
Member
Registered: 2005-03-27
Posts: 647

Re: how can i block visitors from a provider.

By using this sort of url’s : index.​php?​option=http://​nsmsisoeueeitsdwfdfhfrdefaiss.​land.​ru/.​html/​head?

Roelof

Offline

#4 2008-05-06 18:57:32

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: how can i block visitors from a provider.

roelof, no hacking, just script kiddies and importantly it doesn’t do anything, so don’t worry :)

<Limit GET>
order deny,allow
deny from .cable.casema.nl
allow from all
</Limit>

That should do it.

Last edited by Gocom (2008-05-06 18:58:41)

Offline

#5 2008-05-06 19:09:49

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: how can i block visitors from a provider.

If all those IPnrs are from the same ISP, send detailed log files to the abuse email address of that provider.

If those page requests really did harm (which doesn’t appear to be the case here), the solution would not be to block the IPnrs where these requests originate, but rather to fix the hole that allows them to abuse your website.

Offline

#6 2008-05-06 19:18:41

roelof
Member
Registered: 2005-03-27
Posts: 647

Re: how can i block visitors from a provider.

Hoi GoCom,

Thank you for your help.
I will try this.

Ruud,

I agree with you. But fixen i can’t do. Im not a programmer,
And this annoyes me a lot.

Roelof

Offline

#7 2008-05-07 11:38:19

uli
Moderator
From: Cologne
Registered: 2006-08-15
Posts: 4,306

Re: how can i block visitors from a provider.

ruud wrote:

[…] but rather to fix the hole that allows them to abuse your website.

From what I read here (inserted <?php include('images/faq.php'); ?>) disabling the use of PHP in the preferences is one way to do so, right? The FAQ page doesn’t really help here. What can I do wrong with TXP itself concerning this issue?

Last edited by uli (2008-05-07 11:42:40)


In bad weather I never leave home without wet_plugout, smd_where_used and adi_form_links

Offline

#8 2008-05-07 13:21:54

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: how can i block visitors from a provider.

Disabling the execution of <txp:php> tags (or raw PHP tags) in TXP doesn’t really help, unless you have untrusted users that can post articles in TXP. Other than that specific situation, TXP itself should be safe without requiring any action from the user (apart from keeping TXP up-to-date of course).
If this were not true, TXP would have a security hole and that should be fixed.

Offline

#9 2008-05-07 13:42:33

uli
Moderator
From: Cologne
Registered: 2006-08-15
Posts: 4,306

Re: how can i block visitors from a provider.

ruud schrieb:

Disabling the execution of <txp:php> tags (or raw PHP tags) in TXP doesn’t really help, unless you have untrusted users that can post articles in TXP.

In the example I linked someone succeeded in cracking the account password and thus could change the index.php. Disabling php execution wouldn’t EDIT: help here stop that code from getting executed? Sorry for asking stupid questions, but I’m not aware of what is possible if you’ve got bad skills.

Last edited by uli (2008-05-07 13:52:05)


In bad weather I never leave home without wet_plugout, smd_where_used and adi_form_links

Offline

#10 2008-05-07 20:22:23

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: how can i block visitors from a provider.

If someone has cracked the hosting account password, they can do whatever they want: install software, modify files, reconfigure existing software. Once that happens, there’s just one solution: throw it all away (perhaps save a copy for analysis) and start from scratch.

Disabling PHP execution in TXP doesn’t completely disable the execution of PHP, because TXP itself is a collection of PHP scripts, so it requires PHP code to be executed in order to run. The only thing that preference does is determine whether you can add your own PHP code in templates, forms and articles. As an administrator, you can limit what lower privileged users are allowed to do (so that preference setting does help to limit the damage of a cracked low priviledge TXP user account)… but if someone gained access to your TXP administrator password, it not longer matters how you set that preference, because the cracker could change the preference himself. And more: install plugins, delete articles etc.

Keep asking questions if you have them. Probably one of the more important steps in increasing security is to start asking questions and to become aware of potential problems. Lack of knowledge is a security risk. Any attempt to remedy that cannot be stupid.

Offline

#11 2008-05-08 05:20:08

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,091
Website GitHub Mastodon Twitter

Re: how can i block visitors from a provider.

uli wrote:

In the example I linked someone succeeded in cracking the account password and thus could change the index.php. Disabling php execution wouldn’t EDIT: help here stop that code from getting executed? Sorry for asking stupid questions, but I’m not aware of what is possible if you’ve got bad skills.

Hi uli, the example you posted concerns wordpress which is a totally different software.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#12 2008-05-08 12:36:40

uli
Moderator
From: Cologne
Registered: 2006-08-15
Posts: 4,306

Re: how can i block visitors from a provider.

ruud, thanks for explaining!

colak, yup, different ;)
But by sayin that, you don’t mean that an intruder with the described potential would turn his back on a TXP installation, do you? ;)

What about putting scripts containing the unencrypted db password on the same server than the installation is on? Doesn’t matter anymore, accessed is accessed? I just wondered about a script I found proposed around here.

(Maybe this thread should be transferred to General Discussions.)


In bad weather I never leave home without wet_plugout, smd_where_used and adi_form_links

Offline

Board footer

Powered by FluxBB