To be on the safe side

Discussion regarding Joomla! security issues.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
Murgen
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Mon Jan 16, 2006 6:08 pm
Location: Halderberge System

To be on the safe side

Post by Murgen » Sun Jul 23, 2006 3:23 pm

I want to thank all Joomla! developers for their time and effort. I returned from my holiday last sunday and spent a couple of days patching the 5 Joomla! sites under my supervision to 1.10.0. No harm was done to them during my absence because they are not indexed by search-engines. :)

I suggest 4 steps to be as safe as possible:

1. Keep close track of Joomla! patches, this goes for every component/module/bot you plugged into Joomla! as well.

2. CHMOD all directories and files according the advised settings. Tightens security to the required level.

3. Running on Apache look into the .htaccess file. There is a thread on this forum about this file and it is useful to help you keep the vultures out.

4. Consider the need of being listed in search-engines ... do you really need to be indexed? Since we give Joomla! the credits it deserves we keep the Joomla meta-tag in the header ... giving away the engine identity when indexed by ths search-bots. The scriptkiddies out there just perform a search on Yahoo or whatever and get a nice list of Joomla! sites to go to. Makes ya think, does it not? If you really need the search-engines I suggest you disallow the bots indexing your Joomla! directory and instead make a forwarder index.html in the root with the meta-tags you want to be indexed.

Since English is not my native tongue I hope I made sense, if not, please let me know.
Jan  van Vugt - Europe - Project Mercenary
The code is more what you'd call "guidelines" than actual rules.

User avatar
crash777
Joomla! Explorer
Joomla! Explorer
Posts: 334
Joined: Sat Sep 03, 2005 1:56 am
Location: Upstate New York

Re: To be on the safe side

Post by crash777 » Tue Jul 25, 2006 6:56 pm

Murgen wrote: 4. Consider the need of being listed in search-engines ... do you really need to be indexed? Since we give Joomla! the credits it deserves we keep the Joomla meta-tag in the header ... giving away the engine identity when indexed by ths search-bots. The scriptkiddies out there just perform a search on Yahoo or whatever and get a nice list of Joomla! sites to go to. Makes ya think, does it not? If you really need the search-engines I suggest you disallow the bots indexing your Joomla! directory and instead make a forwarder index.html in the root with the meta-tags you want to be indexed.
You made perfect sense! Thank you for this advice!!
Can you provide any instruction on setting up a bot forwarder for meta-tags? Also, some Joomla sites have various sections and the cool thing about Joomla is that the keywords can be different depending on the page (content item). Too many keywords in a meta list would cause search engines to lower your listing qualifications...
Thanks!
Aaron

Murgen
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Mon Jan 16, 2006 6:08 pm
Location: Halderberge System

Re: To be on the safe side

Post by Murgen » Wed Jul 26, 2006 9:01 am

I'm not the expert here but I use 2 files and place them in the root of my webspace (running Apache):

The first is a robot.txt, which is merely an instruction for search-bots.

robot.txt
User-Agent: *
Disallow: /

Or more specific for certain bots (but there are so many now-a-days):
robot.txt
User-agent: Googlebot
Disallow: /

User-Agent: Scooter-3.2.FNR
Disallow: /

User-Agent: ia_archiver
Disallow: /


The second file is the famous .htaccess file which I consider as the first entry to my cybercastle ... Thanks to this forum my .htaccess has 3 chapters. The first locks all subdirectories, only the root can be indexed. The second part is a security-part, it defines the rewrite ruies and is the second gate in my cybercastle. The 3rd part solves a problem with quotes causing trailing slashes:

.htaccess

order deny,allow
deny from all


########## Begin - Rewrite rules to block out some common exploits
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a tag in URL
RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script that tries to set CONFIG_EXT (com_extcal2 issue)
RewriteCond %{QUERY_STRING} CONFIG_EXT(\[|\%20|\%5B).*= [NC,OR]
# Block out any script that tries to set sbp or sb_authorname via URL (simpleboard)
RewriteCond %{QUERY_STRING} sbp(=|\%20|\%3D) [OR]
RewriteCond %{QUERY_STRING} sb_authorname(=|\%20|\%3D)
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits

php_flag magic_quotes_gpc on
Then you need something in the root to fire-up Joomla!. This will do the job for you:

index.html





You can add any meta you want there. I told you, I'm not the expert, the good thing about my setup is that my site is indexed but does not reveil technical details. Just the url with text from the first page.
Jan  van Vugt - Europe - Project Mercenary
The code is more what you'd call "guidelines" than actual rules.

User avatar
crash777
Joomla! Explorer
Joomla! Explorer
Posts: 334
Joined: Sat Sep 03, 2005 1:56 am
Location: Upstate New York

Re: To be on the safe side

Post by crash777 » Wed Jul 26, 2006 11:03 am

Murgen wrote: The first is a robot.txt, which is merely an instruction for search-bots.

The second file is the famous .htaccess file which I consider as the first entry to my cybercastle ... Thanks to this forum my .htaccess has 3 chapters. The first locks all subdirectories, only the root can be indexed. The second part is a security-part, it defines the rewrite ruies and is the second gate in my cybercastle. The 3rd part solves a problem with quotes causing trailing slashes:

.htaccess

order deny,allow
deny from all


########## Begin - Rewrite rules to block out some common exploits
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a tag in URL
RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script that tries to set CONFIG_EXT (com_extcal2 issue)
RewriteCond %{QUERY_STRING} CONFIG_EXT(\[|\%20|\%5B).*= [NC,OR]
# Block out any script that tries to set sbp or sb_authorname via URL (simpleboard)
RewriteCond %{QUERY_STRING} sbp(=|\%20|\%3D) [OR]
RewriteCond %{QUERY_STRING} sb_authorname(=|\%20|\%3D)
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits

php_flag magic_quotes_gpc on
Then you need something in the root to fire-up Joomla!. This will do the job for you:

index.html





You can add any meta you want there. I told you, I'm not the expert, the good thing about my setup is that my site is indexed but does not reveil technical details. Just the url with text from the first page.
Okay so the robots.txt block out ALL of the Joomla files. This effectively keeps your site from being indexed. Would this have any affect on site scanners such as html/css, link checkers, or security scanners (like http://chorizo-scanner.com/)? If not, I think I do like this idea..


order deny,allow
deny from all

This goes into the htaccess file and denies access to any directory by simply browsing? Not quite understanding the need for this section..

Magic quotes.. is that something you are turning on because your account does not have it on? I have it on on my server and my joomla says it is on.. is that enough?

Then you add the index.html to show to the bots essentially.. this is essentially a redirect to the index.php file of joomla.. pretty straight forward.
I am still concerned with the keywords. If a site has a lot of content items that are ever changing and each one has their own keywords then those will not be picked up by any bots right? I am wondering if there is a way to serve keywords to the engines without offering other details of the site..

In any case, thank you for providing the detail!!
Thanks!
Aaron

User avatar
X-centrik
Joomla! Apprentice
Joomla! Apprentice
Posts: 8
Joined: Thu Aug 25, 2005 5:27 pm
Contact:

Re: To be on the safe side

Post by X-centrik » Thu Jul 27, 2006 4:00 pm

Robot.txt files are only useful for those search engines that are willing to read it and follow the restrictions (I have even seen the Yahoo Image Search Bot ignore this on occasion). If you really want to keep the nasties at the door you can also use .htaccess to block search engines and site grabbers. I use a list I found compiled on a different forum (can't remember which). Many spam bots are now spoofing legit search engines and browsers so no guarantee it will keep them all out.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:[email protected] [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^OmniExplorer_Bot [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^pmafind [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]
Note that every line you add to your htaccess creates a tiny bit more server load so make sure you don't have an overly anxious server admin.

Further fortification of your Robot.txt can be accomplished by being specific about who you want kept out. This is useful for those of us who still want Google and Yahoo indexing our sites, at the very least it helps keep the bandwidth usage down:
#START AGENT SPECIFIC DISALLOWS

User-agent: Abacho
Disallow: /

User-agent: acontbot
Disallow: /

User-agent: ah-ha
Disallow: /

User-agent: AIBOT
Disallow: /

User-agent: aipbot
Disallow: /

User-agent: Amfibibot
Disallow: /

User-agent: AnswerBus
Disallow: /

User-agent: appie
Disallow: /

User-agent: Arachmo
Disallow: /

User-agent: Arameda
Disallow: /

User-agent: Argus
Disallow: /

User-agent: Ask Jeeves
Disallow: /

User-agent: ASPSeek
Disallow: /

User-agent: asterias
Disallow: /

User-agent: baiduspider
Disallow: /

User-agent: BecomeBot
Disallow: /

User-agent: BigCliqueBOT
Disallow: /

User-agent: boitho
Disallow: /

User-agent: Boitho-robot
Disallow: /

User-agent: BruinBot
Disallow: /

User-agent: btbot
Disallow: /

User-agent: bumblebee
Disallow: /

User-agent: CipinetBot
Disallow: /

User-agent: citenikbot
Disallow: /

User-agent: ConveraCrawler
Disallow: /

User-agent: ConveraMultiMediaCrawler
Disallow: /

User-agent: cosmos
Disallow: /

User-agent: CostaCider
Disallow: /

User-agent: CrawlConvera
Disallow: /

User-agent: CrawlWave
Disallow: /

User-agent: CXL-FatAssANT
Disallow: /

User-agent: DataCha0s
Disallow: /

User-agent: DataFountains
Disallow: /

User-agent: Deepindex
Disallow: /

User-agent: DiamondBot
Disallow: /

User-agent: DNSGroup
Disallow: /

User-agent: DTAAgent
Disallow: /

User-agent: Eule-Robot
Disallow: /

User-agent: EuripBot
Disallow: /

User-agent: Euripbot
Disallow: /

User-agent: eventax
Disallow: /

User-agent: Exabot
Disallow: /

User-agent: Exabot
Disallow: /

User-agent: fantomas
Disallow: /

User-agent: Faxobot
Disallow: /

User-agent: FDSE
Disallow: /

User-agent: FirstGov.gov Search
Disallow: /

User-agent: fluffy
Disallow: /

User-agent: FyberSpider
Disallow: /

User-agent: Gaisbot
Disallow: /

User-agent: Galaxy
Disallow: /

User-agent: GalaxyBot
Disallow: /

User-agent: gazz
Disallow: /

User-agent: genevabot
Disallow: /

User-agent: geniebot
Disallow: /

User-agent: GeoBot
Disallow: /

User-agent: Girafabot
Disallow: /

User-agent: GOFORITBOT
Disallow: /

User-agent: Googlebot-Image
Disallow: /

User-agent: GroschoBot
Disallow: /

User-agent: gsa-crawler
Disallow: /

User-agent: holmes
Disallow: /

User-agent: HooWWWer
Disallow: /

User-agent: Hotzonu
Disallow: /

User-agent: htdig
Disallow: /

User-agent: http://www.btbot.com/btbot.html
Disallow: /

User-agent: ia_archiver
Disallow: /

User-agent: ichiro
Disallow: /

User-agent: IconSurf
Disallow: /

User-agent: Iltrovatore-Setaccio
Disallow: /

User-agent: InfociousBot
Disallow: /

User-agent: INGRID
Disallow: /

User-agent: INGRID
Disallow: /

User-agent: InnerpriseBot
Disallow: /

User-agent: intraVnews
Disallow: /

User-agent: Jayde Crawler
Disallow: /

User-agent: LapozzBot
Disallow: /

User-agent: LocalcomBot
Disallow: /

User-agent: Lycos
Disallow: /

User-agent: Mackster
Disallow: /

User-agent: Matrix
Disallow: /

User-agent: Metaspinner
Disallow: /

User-agent: Mirago
Disallow: /

User-agent: MJ12bot
Disallow: /

User-agent: Mnogosearch
Disallow: /

User-agent: MojeekBot
Disallow: /

User-agent: MonkeyCrawl
Disallow: /

User-agent: Mozdex
Disallow: /

User-agent: MSNPTC
Disallow: /

User-agent: MSRBOT
Disallow: /

User-agent: NaverBot
Disallow: /

User-agent: NaverRobot
Disallow: /

User-agent: NavissoBot
Disallow: /

User-agent: NetMind-Minder
Disallow: /

User-agent: Networking4all
Disallow: /

User-agent: NextGenSearchBot
Disallow: /

User-agent: ng
Disallow: /

User-agent: nicebot
Disallow: /

User-agent: NimbleCrawler
Disallow: /

User-agent: NLCrawler
Disallow: /

User-agent: NuSearch Spider
Disallow: /

User-agent: Nutch
Disallow: /

User-agent: NutchOSU-VLIB
Disallow: /

User-agent: Ocelli
Disallow: /

User-agent: Ocelli
Disallow: /

User-agent: Octopus
Disallow: /

User-agent: Omnipelagos
Disallow: /

User-agent: Openbot
Disallow: /

User-agent: Openfind
Disallow: /

User-agent: Orbiter
Disallow: /

User-agent: Orbiter
Disallow: /

User-agent: outfoxbot
Disallow: /

User-agent: Pajaczek
Disallow: /

User-agent: Patwebbot
Disallow: /

User-agent: PEERbot
Disallow: /

User-agent: PhpDig
Disallow: /

User-agent: pipeLiner
Disallow: /

User-agent: Poirot
Disallow: /

User-agent: polybot
Disallow: /

User-agent: Pompos
Disallow: /

User-agent: Popdexter
Disallow: /

User-agent: QweeryBot
Disallow: /

User-agent: Reaper
Disallow: /

User-agent: RufusBot
Disallow: /

User-agent: SandCrawler
Disallow: /

User-agent: SANSARN
Disallow: /

User-agent: SBIder
Disallow: /

User-agent: schibstedsokbot
Disallow: /

User-agent: scooter
Disallow: /

User-agent: Scrubby
Disallow: /

User-agent: Search-10
Disallow: /

User-agent: search.ch
Disallow: /

User-agent: Searchmee!
Disallow: /

User-agent: SearchSpider
Disallow: /

User-agent: Seekbot
Disallow: /

User-agent: Sensis Web Crawler
Disallow: /

User-agent: Sensis.com.au Web Crawler
Disallow: /

User-agent: Shim+Bot
Disallow: /

User-agent: ShunixBot
Disallow: /

User-agent: SideWinder
Disallow: /

User-agent: silk
Disallow: /

User-agent: SiteSpider
Disallow: /

User-agent: sna-0.0.1
Disallow: /

User-agent: snap.com
Disallow: /

User-agent: SpeedySpider
Disallow: /

User-agent: Spinne
Disallow: /

User-agent: Squid-Prefetch
Disallow: /

User-agent: SquigglebotBot
Disallow: /

User-agent: StackRambler
Disallow: /

User-agent: sureseeker
Disallow: /

User-agent: SygolBot
Disallow: /

User-agent: SynoBot
Disallow: /

User-agent: Szukacz
Disallow: /

User-agent: Teoma
Disallow: /

User-agent: Tkensaku
Disallow: /

User-agent: TridentSpider
Disallow: /

User-agent: TutorGigBot
Disallow: /

User-agent: Ultraseek
Disallow: /

User-agent: unchaos_crawler
Disallow: /

User-agent: updated
Disallow: /

User-agent: URL Spider Pro
Disallow: /

User-agent: URL Spider SQL
Disallow: /

User-agent: Vagabondo
Disallow: /

User-agent: Vagabondo
Disallow: /

User-agent: W3CRobot
Disallow: /

User-agent: webcrawl.net
Disallow: /

User-agent: WebFindBot
Disallow: /

User-agent: WebIndexer
Disallow: /

User-agent: WhizBang
Disallow: /

User-agent: Wotbox
Disallow: /

User-agent: WWWeasel
Disallow: /

User-agent: xirq
Disallow: /

User-agent: XunBot
Disallow: /

User-agent: YadowsCrawler
Disallow: /

User-agent: Yahoo-Blogs
Disallow: /

User-agent: Zao
Disallow: /

User-agent: Zatka
Disallow: /

User-agent: Zealbot
Disallow: /

User-agent: ZipppBot
Disallow: /

User-agent: ZyBorg
Disallow: /

#END AGENT SPECIFIC DISALLOWS
Hope this helps...


Locked

Return to “Security - 1.0.x”