e107.org :: Forums :: e107 Support :: Core Support
When is this going to end?
Martinj
Tue Jun 29 2010, 08:43AM
Registered Member #42066
Joined: Fri Dec 21 2007, 08:47AM
Location: Leeds, UK
Posts: 347
I don't really like moaning on here, but this is coming to a point where I'm ready to pull the plug on e107 completely.

The constant stream of requests has not let off, in fact it's getting much worse. In the last 24hrs I've had literally tens of thousands of requests to contact.php and help_us.php and my email inbox is full of auto-bans. I have everything in place to reduce the impact but this is still placing a huge strain on my servers and bandwidth. The requests are not just to e107 base files but inside the e107_ folders and other non-core folders.

I've kept my websites up-to-date and I've not been hacked; this attack is because I use e107 and nothing to do with my negligence.

So what choice do I have? I've been waiting weeks for things to calm down and they are just getting worse. My host will end up blocking me, they may tell me to remove all e107 sites, I will be charged for additional bandwidth, visitors will not return due to the speed of my websites, my stats are bordering useless.

The only choice I have is to start preparing a move to another CMS and, if there is no improvement soon, transfer them all across to a new system. Of course once I do that there will be no going back as it will have an impact on my search rankings.

I'm fed up.





Visit martinj.co.uk for more...
Brad R
Tue Jun 29 2010, 09:37AM
Registered Member #18939
Joined: Tue Jun 28 2005, 05:48PM
Location: Ontario, Canada
Posts: 197
I sympathize. My e107 sites -- and the non-e107 sites on the same server -- have been down for 27 hours now, and counting, due to the 'bot attack. I had blocked one of the 'bots using .htaccess, but I was too slow to add a block for "Casper Bot Search," and now I can't even connect via FTP to change the .htaccess file. (In hindsight, I should have just banned all accesses to contact.php and help_us.php.)

Fortunately, my web host understands that this is not my fault -- like you, I'm up to date and haven't been hacked -- so they're working to get the attacks blocked at the router, and to notify the originating ISPs of the 'bots.

The sad fact is, sooner or later this is going to hit you, whatever you use. Last month it was WordPress (see [link] and [link]). This month it's e107's turn. What's unusual about the e107 attack is that some ignorant script kiddie turned it -- I suspect inadvertently -- into a DDoS attack, which makes it painfully obvious. (The painfully obvious attacks are usually the quickest to get fixed. The clever crackers are more surreptitious.)

I expect a lot of the infected sites are going to get shut down soon. Meanwhile, if you can access your site, use .htaccess to block the attacks; this will reduce (but not eliminate) the load on your server, will reduce the bandwidth, and should keep the 'bots out of your stats. See if your web host can block the IP addresses of the 'bots (here's one list: [link]). Make sure your host knows what's going on -- that you're the victim of a DDoS attack -- and ask for any help they can offer.
AndyP
Tue Jun 29 2010, 10:07AM

Registered Member #19927
Joined: Sun Aug 07 2005, 04:41AM
Location:
Posts: 263
Brad R wrote ...


I expect a lot of the infected sites are going to get shut down soon. Meanwhile, if you can access your site, use .htaccess to block the attacks; this will reduce (but not eliminate) the load on your server, will reduce the bandwidth, and should keep the 'bots out of your stats. See if your web host can block the IP addresses of the 'bots (here's one list: [link]). Make sure your host knows what's going on -- that you're the victim of a DDoS attack -- and ask for any help they can offer.


Can you please list what actual lines/ code etc we need to add to our .htaccess file
Brad R
Tue Jun 29 2010, 10:13AM
Registered Member #18939
Joined: Tue Jun 28 2005, 05:48PM
Location: Ontario, Canada
Posts: 197
Well, here's the problem. When it comes to .htaccess, I'm a newbie. I think the following will work, but please don't add it to your .htaccess file until someone more knowledgeable verifies that it's correct:

    <Files contact.php>
        order allow,deny
        deny from all
    </Files>


If I understand the Files directive correctly, that will prevent access to contact.php in your main directory and all subdirectories -- basically any path that ends with the file "contact.php". But as I said, I don't know that this works. I'm waiting to get access to my server restored so I can try it.

Comments from better-informed people would be welcome now!
C6Dave
Tue Jun 29 2010, 11:11AM
AKA 2dopey

Registered Member #9506
Joined: Sat Jul 31 2004, 02:57AM
Location: North East UK
Posts: 9298
Problem now is that we have several threads running with the answers all fragmented but:


Yakumo wrote ...

this is what i put in my .htaccess

    # Flag the two scanner user agents (case-insensitive match) ...
    SetEnvIfNoCase user-agent "^Mozilla/4.76 \[ru\] \(X11; U; SunOS 5.7 sun4u\)" bad_bot=1
    SetEnvIfNoCase user-agent "^Casper\ Bot\ Search" bad_bot=1
    # ... then refuse every request that carries the flag
    <FilesMatch "(.*)">
        Order Allow,Deny
        Allow from all
        Deny from env=bad_bot
    </FilesMatch>


so far I think it is stopping all those unwanted bots ^^



"The irony of the Information Age is that it has given new respectability to uninformed opinion" - John Lawton 1995
Martinj
Tue Jun 29 2010, 11:51AM
Registered Member #42066
Joined: Fri Dec 21 2007, 08:47AM
Location: Leeds, UK
Posts: 347
@Brad R - Thanks for your comments, problem is it's not just the contact.php page... for example the exploit is sending POST requests to my search page looking for 'contact' ... also hitting .pdf files with ?contact.php in the url query.


@2d - Thanks, I tried that also but the 'casper' user agent took over from 'sun4u'. I appreciate the code works but I'm sure the user agent will change again soon. Consider the next wave using a random number in the user agent, after they read here how people are blocking it.

Does anyone know how to turn off the custom error 404 pages? I don't have anything in my .htaccess that redirects the 404 requests but it still does.

Visit martinj.co.uk for more...
septor
Tue Jun 29 2010, 12:11PM

Registered Member #37
Joined: Sun Aug 11 2002, 05:20AM
Location:
Posts: 700
Member Of The e107 Support Team
2dopey wrote ...

Problem now is that we have several threads running with the answers all fragmented but:


Yakumo wrote ...

this is what i put in my .htaccess

    # Flag the two scanner user agents (case-insensitive match) ...
    SetEnvIfNoCase user-agent "^Mozilla/4.76 \[ru\] \(X11; U; SunOS 5.7 sun4u\)" bad_bot=1
    SetEnvIfNoCase user-agent "^Casper\ Bot\ Search" bad_bot=1
    # ... then refuse every request that carries the flag
    <FilesMatch "(.*)">
        Order Allow,Deny
        Allow from all
        Deny from env=bad_bot
    </FilesMatch>


so far I think it is stopping all those unwanted bots ^^





Queue news post linking all helpful information together...

Security issue? e107 security is here to help.

My e107 related scripts can now be found on GitHub. Use at your own risk.
Public ready scripts will be pushed to plugins.e107 only.
Martinj
Tue Jun 29 2010, 12:14PM
Registered Member #42066
Joined: Fri Dec 21 2007, 08:47AM
Location: Leeds, UK
Posts: 347
That's producing an internal server error 500 for me; tried tweaking the code but it's not playing. I think the full stops need escaping or the spaces don't. Like I say, blocking by user agent is only a temp fix in my opinion.

[ Edited Tue Jun 29 2010, 12:15PM ]

Visit martinj.co.uk for more...
Brad R
Tue Jun 29 2010, 12:22PM
Registered Member #18939
Joined: Tue Jun 28 2005, 05:48PM
Location: Ontario, Canada
Posts: 197
Martinj wrote ...

@Brad R - Thanks for your comments, problem is it's not just the contact.php page... for example the exploit is sending POST requests to my search page looking for 'contact' ... also hitting .pdf files with ?contact.php in the url query.

Yeah, I'm getting that too. I don't know if you can fix that by putting *contact.php in the Files directive. You might have to use FilesMatch instead. (.htaccess experts? Anyone?)

Martinj wrote ...
Does anyone know how to turn off the custom error 404 pages? I dont have anything in my .htaccess that redirects the 404 requests but it still does.

Your server might have configured a default action for 404 requests. I'd suggest adding the 404 redirect to your .htaccess file, and redirect to a short and simple HTML page. I haven't edited .htaccess directly for this; my host offers cPanel, and this is configured in the "Error Pages" section.

Edited to add: Judging from the Apache docs [link], I think this will work to block any request ending in "contact.php":
    <FilesMatch "contact\.php$">
        order allow,deny
        deny from all
    </FilesMatch>


Edited again: on further research, I've learned that the previous will not work. FilesMatch only examines the file name, not the query string. So anything of the form filename.pdf?contact.php will be missed. I think SetEnvIfNoCase can be used to test the query string.

[ Edited Tue Jun 29 2010, 03:10PM ]
Martinj
Tue Jun 29 2010, 01:10PM
Registered Member #42066
Joined: Fri Dec 21 2007, 08:47AM
Location: Leeds, UK
Posts: 347
I'm using the following .htaccess which works for now (at least), as the above code results in an error 500 page...

# mod_rewrite has to be switched on in this .htaccess before the rules below do anything
RewriteEngine On
# Match either scanner user agent (dots, spaces and brackets escaped for the regex)
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/4\.76\ \[ru\]\ \(X11;\ U;\ SunOS\ 5\.7\ sun4u\) [OR]
RewriteCond %{HTTP_USER_AGENT} ^Casper\ Bot\ Search
# Send matching requests off to a non-existent host
RewriteRule ^(.*)$ http://fuck.off



[ Edited Tue Jun 29 2010, 03:48PM ]

Visit martinj.co.uk for more...
Nowwhat
Tue Jun 29 2010, 03:14PM

Registered Member #38024
Joined: Thu Jul 05 2007, 02:08PM
Location: Lost in the south of France
Posts: 1208
Member Of The e107 Support Team
How to eject "contact.php" and "help_us.php" scanners with the help of the root .htaccess file.

My URL : www.papy-team.fr (so the .htaccess file is at www.papy-team.fr/.htaccess - don't worry, Apache won't let you read it).
Apache is nothing more or less than the software that sends out Internet pages to your browser.

Apache always reads the instructions it finds in these hidden .htaccess files.

To tell Apache that the request should be routed away from your site if the phrase "contact.php" is in the URL, you should put this in your .htaccess file :
# mod_rewrite has to be switched on before the rule below applies
RewriteEngine On
# REQUEST_URI is the path part of the URL only (no query string); the dot is escaped so it matches literally
RewriteCond %{REQUEST_URI} contact\.php
RewriteRule ^(.*) http://www.google.com


Needless to say, I didn't ask if Google is happy with this - so you could try http://www.fbi.gov (better ask before also ).

Try my site now : http://www.papy-team.fr/contact.php and you will understand what's happening.

Why choose the .htaccess approach of handling this (temporary) problem ?
1) Because most people that take care of their own site can't access other utilities, like firewall rules.
2) Using the built-in function in e107 to ban by IP for some 'non-wanted' users is one thing, flooding from hundreds of IPs is another. e107 can handle the load, the web server, that interprets the PHP code (thousands of lines), won't. Most of us are using shared hosts - and these hosts are running thousands of websites at the same time from the same system.
So, when YOUR website is being attacked because you use Joomla/Drupal/DotClear/e107/phpBB3/whatever, your host will contact you (best) or just shut down your site (worst).

And of course, you are not to blame - but merely another victim in the process.


Btw : what one can do with these .htaccess files should be underestimated.
Good to know : the Internet will tell you everything about these files - i.e. mine is nearly 10Kb in size, filled up with lines that protect my site.

[ Edited Tue Jun 29 2010, 03:19PM ]

Knowing where you are helps if you want to know where to go.
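Added example (not part of any post in this thread, and not e107 project code): a small shell script that generates the .htaccess rules discussed above as one fragment. It covers the two gaps raised so far: Brad R's point that Files/FilesMatch never see the query string (mod_rewrite's %{QUERY_STRING} does), and Nowwhat's REQUEST_URI rule, which here answers with a 403 ([F]) instead of a redirect, so the bot gets the shortest possible response and no e107 PHP runs at all. The user-agent strings are the ones reported in this thread; the scratch file the demo writes to stands in for the site's real root .htaccess, which is an assumption.

```shell
#!/bin/sh
# Added example (not e107 project code): print an .htaccess fragment that
# refuses the contact.php / help_us.php scanner traffic outright instead of
# redirecting it. The user-agent strings and script names are the ones
# quoted in this thread; the target path used in the demo is an assumption.

# bot_block_rules UA_REGEX... : print the mod_rewrite fragment on stdout.
# Every argument is a regex tested against User-Agent ([NC] = ignore case).
bot_block_rules() {
    n=$#
    i=0
    printf '# --- begin bot-block (generated) ---\n'
    printf 'RewriteEngine On\n'
    printf '# 1. Known scanner user agents: 403 with no body ([F]), stop here ([L]).\n'
    printf '#    [OR] chains the conditions; the last one carries no [OR].\n'
    for ua in "$@"; do
        i=$((i + 1))
        if [ "$i" -lt "$n" ]; then
            printf 'RewriteCond %%{HTTP_USER_AGENT} %s [NC,OR]\n' "$ua"
        else
            printf 'RewriteCond %%{HTTP_USER_AGENT} %s [NC]\n' "$ua"
        fi
    done
    if [ "$n" -gt 0 ]; then
        printf 'RewriteRule .* - [F,L]\n'
    fi
    printf '# 2. Requests naming the scripts in the query string (x.pdf?contact.php).\n'
    printf '#    <Files>/<FilesMatch> never see the query string; %%{QUERY_STRING} does.\n'
    printf 'RewriteCond %%{QUERY_STRING} (^|[&=])(contact|help_us)\\.php [NC]\n'
    printf 'RewriteRule .* - [F,L]\n'
    printf '# 3. Fallback for when the user agent changes: refuse POSTs to\n'
    printf '#    contact.php or help_us.php in any directory. This also blocks real\n'
    printf '#    contact-form submissions, so remove it once rule 1 is enough.\n'
    printf 'RewriteCond %%{REQUEST_METHOD} =POST\n'
    printf 'RewriteCond %%{REQUEST_URI} /(contact|help_us)\\.php$ [NC]\n'
    printf 'RewriteRule .* - [F,L]\n'
    printf '# --- end bot-block ---\n'
}

# install_rules HTACCESS UA_REGEX... : append the fragment once; a second
# run is a no-op because the begin marker is already present.
install_rules() {
    target=$1
    shift
    if [ -f "$target" ] && grep -q 'begin bot-block' "$target"; then
        return 0
    fi
    bot_block_rules "$@" >> "$target"
}

# The three user agents reported in this thread, escaped for mod_rewrite.
UA_CASPER='^Casper\ Bot\ Search'
UA_DEX='^dex\ Bot\ Search'
UA_SUN='^Mozilla/4\.76\ \[ru\]\ \(X11;\ U;\ SunOS\ 5\.7\ sun4u\)'

# Demo: write to a scratch file; on a real host the target would be the
# site's root .htaccess (assumed path, e.g. /home/user/public_html/.htaccess).
DEMO_HTACCESS=$(mktemp)
install_rules "$DEMO_HTACCESS" "$UA_CASPER" "$UA_DEX" "$UA_SUN"
install_rules "$DEMO_HTACCESS" "$UA_CASPER" "$UA_DEX" "$UA_SUN"   # no duplicate
cat "$DEMO_HTACCESS"
```

A 500 right after adding mod_rewrite or Order/Deny lines to .htaccess usually means the host's AllowOverride does not permit those directives (FileInfo for mod_rewrite, Limit for Order/Deny); nothing in the fragment itself triggers it. Rule 3 is the blunt fallback and also refuses genuine contact-form posts, so it belongs in only while the user-agent rule is losing.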
Brad R
Tue Jun 29 2010, 03:24PM
Registered Member #18939
Joined: Tue Jun 28 2005, 05:48PM
Location: Ontario, Canada
Posts: 197
Better yet, redirect them to http://www.google.invalid, which will cause their request to fail.
Martinj
Tue Jun 29 2010, 03:33PM
Registered Member #42066
Joined: Fri Dec 21 2007, 08:47AM
Location: Leeds, UK
Posts: 347
Same difference really.

It's the top level domain (eg .com). Theres no such TLD as .invalid... or .off (not yet, but there will be soon enough)

Visit martinj.co.uk for more...
Nowwhat
Tue Jun 29 2010, 03:39PM

Registered Member #38024
Joined: Thu Jul 05 2007, 02:08PM
Location: Lost in the south of France
Posts: 1208
Member Of The e107 Support Team
Ok, Martinj, your

# mod_rewrite has to be switched on before the rules below apply
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/4\.76\ \[ru\]\ \(X11;\ U;\ SunOS\ 5\.7\ sun4u\) [OR]
RewriteCond %{HTTP_USER_AGENT} ^Casper\ Bot\ Search
# [F] answers with 403 Forbidden straight away instead of redirecting
RewriteRule (.*) - [F]


rocks !

I just found out that I also have tons of these lines in my web log file (260 Mb for just today ?!!? )

Like:
....
79.137.233.6 - - [29/Jun/2010:00:03:58 +0200] "POST /contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
79.137.233.6 - - [29/Jun/2010:00:03:58 +0200] "POST /forum/e107_plugins/forum/contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
79.137.233.6 - - [29/Jun/2010:00:03:58 +0200] "POST /forum/e107_plugins/contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
79.137.233.6 - - [29/Jun/2010:00:03:58 +0200] "POST /forum/contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
79.137.233.6 - - [29/Jun/2010:00:03:59 +0200] "POST /contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
79.137.233.6 - - [29/Jun/2010:00:03:59 +0200] "POST /forum/e107_plugins/forum/contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
79.137.233.6 - - [29/Jun/2010:00:03:59 +0200] "POST /forum/e107_plugins/contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
79.137.233.6 - - [29/Jun/2010:00:03:59 +0200] "POST /forum/contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
79.137.233.6 - - [29/Jun/2010:00:03:59 +0200] "POST /contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
79.137.233.6 - - [29/Jun/2010:00:03:59 +0200] "POST /forum/e107_plugins/forum/contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
79.137.233.6 - - [29/Jun/2010:00:03:59 +0200] "POST /forum/contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
79.137.233.6 - - [29/Jun/2010:00:03:59 +0200] "POST /forum/e107_plugins/contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
79.137.233.6 - - [29/Jun/2010:00:03:59 +0200] "POST /contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
79.137.233.6 - - [29/Jun/2010:00:03:59 +0200] "POST /forum/e107_plugins/forum/contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
79.137.233.6 - - [29/Jun/2010:00:03:59 +0200] "POST /forum/e107_plugins/contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
79.137.233.6 - - [29/Jun/2010:00:03:59 +0200] "POST /contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
79.137.233.6 - - [29/Jun/2010:00:03:59 +0200] "POST /forum/contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
79.137.233.6 - - [29/Jun/2010:00:03:59 +0200] "POST /forum/e107_plugins/forum/contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
79.137.233.6 - - [29/Jun/2010:00:03:59 +0200] "POST /forum/e107_plugins/contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
79.137.233.6 - - [29/Jun/2010:00:03:59 +0200] "POST /contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
79.137.233.6 - - [29/Jun/2010:00:03:59 +0200] "POST /forum/contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
79.137.233.6 - - [29/Jun/2010:00:03:59 +0200] "POST /forum/e107_plugins/forum/contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
79.137.233.6 - - [29/Jun/2010:00:03:59 +0200] "POST /forum/e107_plugins/contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
79.137.233.6 - - [29/Jun/2010:00:04:00 +0200] "POST /forum/contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
....

Note that all these lines have "contact.php" in the URI, so the filter I proposed above also works, but this one, from Martinj, makes my contact.php work again (!!) for regular visitors - it filters on the user agent now.


[ Edited Tue Jun 29 2010, 03:42PM ]

Knowing where you are helps if you want to know where to go.
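Added example, not from this thread or the e107 project: the log lines above are exactly what a host wants turned into a block list. This shell script parses Apache combined-format log lines, counts POSTs to contact.php or help_us.php per source IP and user agent, and emits "Deny from" lines for every source at or above a threshold. The sample log embedded in the script is constructed for the demo, modelled on the lines posted above, with addresses from the documentation ranges; the threshold and the log path are assumptions.

```shell
#!/bin/sh
# Added example (not e107 project code): pull the scanner's source IPs out of
# an Apache combined-format access log so they can go to the host's router
# block list or into "Deny from" lines. The log lines below are constructed
# for the demo, modelled on the ones posted in this thread, with addresses
# from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).

# scanner_hits LOGFILE : one line per (IP, User-Agent) that POSTed to
# contact.php or help_us.php anywhere in the tree: "count<TAB>ip<TAB>agent",
# highest count first.
scanner_hits() {
    awk -F'"' '
        # Splitting on the double quote gives: $1 = ip - - [time], $2 = the
        # request line, $3 = status and bytes, $4 = referer, $6 = user agent.
        $2 ~ /^POST \/([^ ]*\/)?(contact|help_us)\.php[ ?]/ {
            split($1, pre, " ")        # pre[1] is the client IP
            n[pre[1] "\t" $6]++
        }
        END { for (k in n) print n[k] "\t" k }
    ' "$1" | sort -rn
}

# deny_list LOGFILE THRESHOLD : "Deny from IP" for every IP with at least
# THRESHOLD scanner hits. The threshold keeps a visitor who legitimately
# submitted the contact form once from being banned.
deny_list() {
    scanner_hits "$1" | awk -F'\t' -v t="$2" '$1 >= t { print "Deny from " $2 }' | sort -u
}

# Constructed sample log (not real traffic), in Apache combined format.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
198.51.100.7 - - [29/Jun/2010:00:03:58 +0200] "POST /contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
198.51.100.7 - - [29/Jun/2010:00:03:58 +0200] "POST /forum/e107_plugins/forum/contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
198.51.100.7 - - [29/Jun/2010:00:03:58 +0200] "POST /forum/contact.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
198.51.100.7 - - [29/Jun/2010:00:03:59 +0200] "POST /help_us.php HTTP/1.1" 302 204 "-" "Casper Bot Search"
203.0.113.9 - - [29/Jun/2010:00:04:10 +0200] "POST /contact.php HTTP/1.1" 404 1532 "-" "dex Bot Search"
203.0.113.9 - - [29/Jun/2010:00:04:11 +0200] "POST /forum/contact.php HTTP/1.1" 404 1532 "-" "dex Bot Search"
192.0.2.5 - - [29/Jun/2010:00:05:00 +0200] "GET /news.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6"
192.0.2.5 - - [29/Jun/2010:00:05:40 +0200] "POST /contact.php HTTP/1.1" 200 5120 "http://www.example.com/contact.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6"
EOF

echo "== hits per source =="
scanner_hits "$SAMPLE_LOG"
echo "== Deny lines for 2 or more hits =="
deny_list "$SAMPLE_LOG" 2
```

Against a real log: deny_list /path/to/access_log 50 (assumed path and threshold) and hand the output to the host, or paste it under an Order Allow,Deny line in .htaccess. Because a botnet's addresses rotate, treat the IP list as a supplement to the user-agent and path rules rather than a replacement, and regenerate it from fresh logs.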
Martinj
Tue Jun 29 2010, 03:44PM
Registered Member #42066
Joined: Fri Dec 21 2007, 08:47AM
Location: Leeds, UK
Posts: 347
I was thinking the code posted by Yakumo needs the full stops and spaces escaping with backslashes, but it seems to work for people.

Visit martinj.co.uk for more...
nlstart
Tue Jun 29 2010, 04:24PM
nlstart

Registered Member #29855
Joined: Fri Aug 18 2006, 03:12AM
Location:
Posts: 4239
Also, make a basic page called 404.html in your root and add this to the .htaccess file:
ErrorDocument 404 /404.html

nlstart plugins: YourFirstPlugin | EasyShop | Locator | ShowMyIP | Poker | FlickrFeed | EasyBackup | EasyDBtool | e107_Quiz | News scroller | Slideshow | BanHelper | EasyGallery | EasyHours
zollk60
Tue Jun 29 2010, 05:09PM

Registered Member #27052
Joined: Thu Apr 27 2006, 07:11PM
Location: Northern NY
Posts: 66
Here is what I am blocking via .htaccess:
    # =============================================
    # BAD BOTS
    # =============================================
    # Flag the three scanner user agents seen in the access logs
    SetEnvIfNoCase User-Agent "^Casper Bot Search" bad_bot
    SetEnvIfNoCase User-Agent "^dex Bot Search" bad_bot
    SetEnvIfNoCase User-Agent "^Mozilla/4.76 \[ru\] \(X11; U; SunOS 5.7 sun4u\)" bad_bot
    # Refuse flagged GET (and HEAD) and POST requests; other methods are not limited
    <Limit GET POST>
        Order Allow,Deny
        Allow from all
        Deny from env=bad_bot
    </Limit>

dex Bot Search is a new user agent that just showed up in my server access logs.

"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Microsoft Most Valuable Professional - Consumer Security (2007-2008)
Member - Alliance of Security Analysis Professionals - Since 2006
rgk
Tue Jun 29 2010, 05:49PM

Registered Member #21870
Joined: Tue Oct 25 2005, 06:07PM
Location: NY
Posts: 1132
Member Of The e107 Support Team
you can't really stop attempts, but that doesn't mean e107 is to blame (just targeted)

I have yet to have any problems at all, just a few attempts which just ended up stopping.

[ Edited Tue Jun 29 2010, 05:52PM ]

-rgk

MadGizmo.com | MadGizmo.org

Symrustar
Tue Jun 29 2010, 11:55PM
Registered Member #31517
Joined: Tue Oct 17 2006, 09:43PM
Location:
Posts: 29
I'm sorry for this question, but I'm not exactly very computer inclined (which is why I love e107, because it's something us people that have zero computer background can use). I'm really wondering if I'm experiencing the same problems as everyone else. As of yesterday my site was compromised and they had deleted EVERYTHING, and just replaced the front page with a page declaring their victory of the fact it had been hacked (e-mail addresses to the criminals included and all). My host restored my site and I made sure I deleted contact.php and made sure it was up to date, and even did the whole make-a-custom-404-page for the contact.php just in case. Today I go to my site and now instead of the entire thing being deleted my front page has been changed to once again their declaration of victory, yet the site otherwise is intact. Is this what is happening to everyone else? All I hear about is that the sites are being attacked/hacked but I do not see anywhere exactly what people are seeing. I'm wondering if I'm experiencing something different than everyone else and if my problem is unrelated. Sorry for the complete 'noobness' of my reply here, and thank you for your time.
Yakumo
Wed Jun 30 2010, 01:23AM
Registered Member #31165
Joined: Thu Oct 05 2006, 03:48PM
Location:
Posts: 454
Symrustar wrote ...

I'm sorry for this question, but I'm not exactly very computer inclined (which is why I love e107, because it's something us people that have zero computer background can use). I'm really wondering if I'm experiencing the same problems as everyone else. As of yesterday my site was compromised and they had deleted EVERYTHING, and just replaced the front page with a page declaring their victory of the fact it had been hacked (e-mail addresses to the criminals included and all). My host restored my site and I made sure I deleted contact.php and made sure it was up to date, and even did the whole make-a-custom-404-page for the contact.php just in case. Today I go to my site and now instead of the entire thing being deleted my front page has been changed to once again their declaration of victory, yet the site otherwise is intact. Is this what is happening to everyone else? All I hear about is that the sites are being attacked/hacked but I do not see anywhere exactly what people are seeing. I'm wondering if I'm experiencing something different than everyone else and if my problem is unrelated. Sorry for the complete 'noobness' of my reply here, and thank you for your time.


Here are a few things to get you started:

- is your e107 up to date? 0.7.22?
- are you using outdated non-core plugins? did you delete/uninstall plugins that you are not using?
- did you run file inspector to make sure there are no weird stuff in your e107 directory?
- did you change your passwords after you got hacked?


[ Edited Wed Jun 30 2010, 01:24AM ]

Like Anime?