mod_rewrite for spam/hack efforts in the URL

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
jsundqui
Registered User
Posts: 40
Joined: Thu Apr 29, 2004 2:25 am

mod_rewrite for spam/hack efforts in the URL

Post by jsundqui » Sat Mar 08, 2008 5:34 pm

I've used mod_rewrite for a while to guard against the common hack attempts, although the syntax is quite taxing.

For example, for a while, I have been guarding against (a now old) SQL injection hack with the following in my .htaccess file:

Code:

RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{HTTP_COOKIE}% s:(.*):\%22test1\%22\%3b
RewriteRule ^.*$   -   [F,L]

Which has worked well for years.

Recently, I have been getting what appear to be more spam than hack attempts: for example, instead of a standard viewtopic.php?p=17643#17643 request, I get a viewtopic?p=http://some-russian-spam-site.ru/stuff/?

These don't seem to be hack attempts from what I can see, probably more to get their URLs into search engines. But still, I would like to fail them like I do the SQL injection attacks.

But I can't figure out how to do this. I've tried many combinations. I have tried the simplest just looking for ru:

Code:

RewriteCond %{QUERY_STRING} ^(.*)ru [NC]
RewriteRule ^.*$ - [F,L]

But that doesn't work, and of course I want to find the term ".ru/" so I believe I need something like ^(.*)\.ru\/ or something. RegEx just isn't my forte, however.

So my question is, how do I get mod_rewrite to fail a request that passes a parameter that has .ru/ in it? It can't be that hard, but I've been trying for a couple of hours with no luck.

Thanks.

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Re: mod_rewrite for spam/hack efforts in the URL

Post by espicom » Sun Mar 09, 2008 12:03 am

mod_rewrite really isn't the right hammer to use on this size screw... mod_security is far more flexible, if tuned correctly. Not to mention there are a number of changes (mentioned in the Sticky message on spam in this forum) that will keep the spammers away...

And yes, the sample you gave IS a hack attempt, which phpBB doesn't give in to. At least, it's not supposed to, because the link will not resolve to a number...
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer

jsundqui
Registered User
Posts: 40
Joined: Thu Apr 29, 2004 2:25 am

Re: mod_rewrite for spam/hack efforts in the URL

Post by jsundqui » Sun Mar 09, 2008 2:42 am

Thanks.

I've got the spammers pretty much at bay after putting in a couple of the suggestions "in the sticky" a couple of years ago, including a twist of my own I coded in that requires registrants to actually know something about the board's subject matter. No spam registrations in over a year now.

But as you say, this apparently is a hack attack, not a ploy to get their URLs in some search engine return as I originally thought. I'll take a look at mod_security. As you say, these attempts are not getting anywhere, but I don't want to wait until their techniques improve, especially since I have a portal mod and an album mod that also take parameters (and they have tried those scripts as well, to no effect so far). I am not familiar with mod_security; not sure if my hoster has it or not.

Also, how would these resolve to a number?

A real example of what I am seeing (and no, it is more than just Russian sites) is:

/portal.php?h=http://luckpotparty.eclub.lv/images?
and
/portal.php?h=http://holegirl.eclub.lv/.images/pictureofme?

I know these are for a portal mod, and thus not technically phpBB, but this is just what I see most recently. They are also similarly targeting viewtopic.php.

Thanks for the quick response.

ric323
Former Team Member
Posts: 22909
Joined: Tue Feb 06, 2007 12:33 am
Location: Melbourne, Australia
Name: Ric

Re: mod_rewrite for spam/hack efforts in the URL

Post by ric323 » Sun Mar 09, 2008 2:47 am

jsundqui wrote: Also, how would these resolve to a number?

They won't. That is the whole point. phpBB only expects a number as a parameter, so the string is parsed through a function which discards anything which is not a number, so there is no way to use this as an exploit.
The Knowledge Base contains solutions to many common problems!
How to fix "Doesn't have a default value" and "Incorrect string value: xxx for column 'post_text' " errors.
How to do a clean re-install of the latest phpBB3 version.
Problems with permissions? Read phpBB3 Permissions

jsundqui
Registered User
Posts: 40
Joined: Thu Apr 29, 2004 2:25 am

Re: mod_rewrite for spam/hack efforts in the URL

Post by jsundqui » Sun Mar 09, 2008 3:26 am

The portal.php (again, I realize this is not phpBB, per se) accepts strings to redirect to some static pages separate from the board. But as far as I can tell, I am safe because there are only several specific static pages that it can go to.

I guess I will just ignore these attacks for now. But there sure seem to be a lot of them all of a sudden.

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Re: mod_rewrite for spam/hack efforts in the URL

Post by espicom » Sun Mar 09, 2008 4:40 am

Usually, these are targets that contain compromise code, hoping the vulnerable program will "include" it, giving the attacker control of the computer. Several MODs will do that, if you haven't got the latest version. Especially when the URL ends with a question mark... it's usually a script that recognizes what is calling it, and customizes what is returned.
Jeff
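
As an added example (not code from any poster in this thread), the Python below checks a candidate mod_rewrite condition against the request URIs quoted above before it goes into .htaccess. The pattern, the HTACCESS_RULE text and the function names are assumptions: the pattern matches any parameter whose value starts with http://, https:// or ftp:// rather than one TLD, and also the percent-encoded form, because Apache does not URL-decode %{QUERY_STRING}.

```python
import re

# Assumed pattern (not from the thread): a parameter whose value BEGINS with
# a URL scheme. "\%3a" and "\%2f" cover the encoded ":" and "/" because
# %{QUERY_STRING} is matched raw, without URL-decoding.
PATTERN = r"(^|&)[^=&]*=(https?|ftp)(:|\%3a)(/|\%2f){2}"

# The same pattern written as an .htaccess rule, in the style used in the
# thread (RewriteEngine On must already be set).
HTACCESS_RULE = (
    "RewriteCond %{QUERY_STRING} " + PATTERN + " [NC]\n"
    "RewriteRule ^.*$ - [F,L]\n"
)

_RX = re.compile(PATTERN, re.IGNORECASE)  # IGNORECASE mirrors the [NC] flag


def query_of(request_uri: str) -> str:
    """Return what Apache exposes as QUERY_STRING: all text after the first '?'."""
    return request_uri.partition("?")[2]


def is_blocked(query_string: str) -> bool:
    """True if the condition matches, i.e. the rule would answer 403."""
    return _RX.search(query_string) is not None


# Request URIs: the first three are quoted in the thread, the rest are
# constructed for this example.
SAMPLES = [
    "/viewtopic.php?p=17643",
    "/portal.php?h=http://luckpotparty.eclub.lv/images?",
    "/portal.php?h=http://holegirl.eclub.lv/.images/pictureofme?",
    "/viewtopic.php?t=5&p=HTTP%3A%2F%2Fexample.invalid/x?",   # encoded, mixed case
    "/search.php?search_keywords=http+headers",               # benign search term
    "/viewtopic.php?p=17643&highlight=rust",                  # benign, contains "ru"
]

if __name__ == "__main__":
    print(HTACCESS_RULE)
    for uri in SAMPLES:
        verdict = "403" if is_blocked(query_of(uri)) else "pass"
        print(f"{verdict}  {uri}")
```

A board that legitimately passes absolute URLs in a parameter would need that parameter excluded before using a rule like this.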
