Block MaMa CaSpEr and Bot Search in .htaccess

Block Byroenet RFI vulnerability scanners using .htaccess directives

4:03 pm on Aug 4, 2010 (gmt 0)

There is an Indonesian-based Byroenet IRC vulnerability scanner probing all websites for a vulnerable contact.php script, usually part of Joomla or e107. The attacks use POST to include a remote file and inject hostile code into exploited websites. The scanner in this instance goes by a variety of hard-coded hacking "crew" names, including the following: MaMa CaSpEr, b3b4s Bot Search, dex Bot Search, Dex Bot Search, kmccrew Bot Search, plaNETWORK Bot Search, rk q kangen, sasqia Bot Search, sledink Bot Search, Mozilla/5.0, Mozilla/4.76 [ru] (X11; U; SunOS? 5.7 sun4u), perl post. They will no doubt be adding more user agents from time to time, reflecting new hacking crews.

To protect Apache server websites from these attacks, add the following directives to your root .htaccess. Expect more user agents to come from new crews.

Uncomment the POST condition if you do not allow a direct visitor POST to your blog via a blog page named contact.php.

# RewriteEngine On is needed once per .htaccess before any RewriteCond/RewriteRule
RewriteEngine On
# RewriteCond %{THE_REQUEST} ^POST\ /your blog directory/.*contact\.php [OR]
# "dex" is anchored so it cannot match every UA containing those letters (e.g. YandexBot); an empty trailing alternative ("dex|") would match every user agent and forbid all visitors
RewriteCond %{HTTP_USER_AGENT} ^MaMa|plaNETWORK|^dex [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Bot\ Search|casper|crew|kangen [NC,OR]
# Bare "Mozilla/5.0" and "perl post" only; anchoring both ends avoids forbidding every real browser whose UA starts with Mozilla/5.0
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0$|^perl\ post$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/4\.76\ \[ru]\ \(X11;\ U;\ SunOS\?\ 5\.7\ sun4u\)$
# Return 403 Forbidden for any URL when one of the conditions above matched
RewriteRule .* - [F]

Change the RewriteRule to include a custom 403 page, if you use one.
Example with a custom 403 page in the web root:

RewriteRule !^403\.(s?html|php)$ - [F]


Note: There is no reason to allow robots.txt when forbidding hack tools.

If you do have a page named contact.php, make sure you examine the code for security checks against remote file inclusion (RFI) exploits. Or, rename that file and change the links to it (then have it checked for vulnerabilities)!

Get the latest version of any CMS or blog software you have installed on your server or website. This specifically includes Joomla and e107 CMS scripts! Plus, check your web root directory for the presence of a file containing the name "casper" or anything ending in .pl that you didn't put there.
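
To check what the user-agent conditions above actually forbid before putting them live, here is an added Python script (not from the original post) that evaluates the same patterns against constructed Apache combined-format log lines. It assumes Apache's PCRE and Python's re agree on this subset of syntax (they do), drops the trailing empty alternative from the first condition and anchors the dex and Mozilla/5.0 patterns, and keeps the original first condition alongside to show that it matches every user agent.

```python
import re

# Apache mod_rewrite uses PCRE; these patterns use only syntax that Python's re
# shares with it. [NC] becomes re.IGNORECASE. The conditions are OR-ed, so the
# request is forbidden when any one of them matches.
UA_CONDITIONS = [
    (r"^MaMa|plaNETWORK|^dex", re.IGNORECASE),           # [NC,OR]; dex anchored
    (r"Bot\ Search|casper|crew|kangen", re.IGNORECASE),  # [NC,OR]
    (r"^Mozilla/5\.0$|^perl\ post$", 0),                 # [OR]; bare UAs only
    (r"^Mozilla/4\.76\ \[ru]\ \(X11;\ U;\ SunOS\?\ 5\.7\ sun4u\)$", 0),
]

# The thread's original first condition ends in "dex|": the empty final
# alternative matches every string, so the rule would forbid all visitors.
BUGGY_CONDITIONS = [(r"^MaMa|plaNETWORK|dex|", re.IGNORECASE)]


def is_forbidden(user_agent, conditions=UA_CONDITIONS):
    """True when some RewriteCond matches, i.e. 'RewriteRule .* - [F]' would fire."""
    return any(re.search(pat, user_agent, flags) for pat, flags in conditions)


# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [04/Aug/2010:16:03:00 +0000] "POST /blog/contact.php HTTP/1.1" 200 512 "-" "MaMa CaSpEr"
203.0.113.11 - - [04/Aug/2010:16:03:05 +0000] "POST /blog/contact.php HTTP/1.1" 200 512 "-" "kmccrew Bot Search"
203.0.113.12 - - [04/Aug/2010:16:03:09 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Aug/2010:16:04:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6"
198.51.100.8 - - [04/Aug/2010:16:04:30 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
"""

# Combined log format: client IP first, user agent as the last quoted field.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*? "(?P<request>[^"]*)" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$')


def classify_log(log_text, conditions=UA_CONDITIONS):
    """Map each client IP in the log to whether its request would be forbidden."""
    verdicts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:  # skip lines that are not in combined format
            verdicts[m["ip"]] = is_forbidden(m["ua"], conditions)
    return verdicts


if __name__ == "__main__":
    for ip, blocked in classify_log(SAMPLE_LOG).items():
        print(ip, "403 FORBIDDEN" if blocked else "allowed")
```

Running it shows the three scanner UAs forbidden and the Firefox and YandexBot lines allowed, while the same log evaluated with BUGGY_CONDITIONS is forbidden on every line.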
4:25 pm on Aug 10, 2010 (gmt 0)

jdmorgan

Thanks for posting this. Very useful for those not using a whitelist approach to server access...

Jim
8:39 pm on Aug 10, 2010 (gmt 0)

Thanks Jim.

Here are more .htaccess directives pertaining to exploits used by this hacking gang and others similar to them.

# Mod_Access block-rule (Apache 2.2 "order/deny" syntax; applies to every file under this directory):

<Files *>
order deny,allow
# Block Indonesia
deny from 110.136.176.0/20 118.96.0.0/15 125.164.64.0/19
</Files>

# mod_rewrite setup: FollowSymLinks must be enabled for rewriting to work in .htaccess
Options +FollowSymLinks
RewriteEngine On
RewriteOptions inherit
RewriteBase /

# The conditions below are OR-ed; a request matching any one of them gets 403 Forbidden.
# libwww-perl is the default user agent of Perl LWP scripts
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl/ [OR]
# "_inject" in the request line and a POST to an /e107 path are signatures of these exploit probes
RewriteCond %{THE_REQUEST} _inject%20 [NC,OR]
RewriteCond %{THE_REQUEST} ^POST\ .*/e107\ HTTP/1\.[01]$ [OR]
# sIncPath carrying a shell pipe (%7C is "|") or a remote URL on fileave.com is a remote-inclusion attempt;
# QUERY_STRING is matched before unescaping, so %7C is written literally
RewriteCond %{QUERY_STRING} ^sIncPath=%7Cecho [OR]
RewriteCond %{QUERY_STRING} ^sIncPath=http://.+\.fileave\.com/
RewriteRule .* - [F]