Thursday, March 6, 2008

query hackers - htaccess - Helicon - ISAPI - rewrite - Google

For several weeks now, I've been detecting hack attempts that append URLs to my query strings. So instead of my actual query of 'Contact' or 'Item1' etc., I get someone's link to a site that they have already compromised. Here are a few examples:

http://honamfishing.co.kr/phpmysqladmin/libraries/oduzov/nel...
http://sans-packing.ru/img/jipeqap/ehudute/
http://sahel55.com/articles/omaduro/kimumid/
http://www.psikolojikyardim.org/etkinlik/include/eto/nixaz/
http://www.pattibus.it/phplib-7.2b/pages/ilosi/dohigal/

I found a few suggestions on how to block these, but the best ones were all for Apache servers using .htaccess, and I'm using MS Internet Information Server, which doesn't have this feature. IIS uses ISAPI filters to work on incoming requests, and one of them, UrlScan, is customizable. So I tried blocking these types of queries with UrlScan, but that didn't work. Yesterday I found a solution that is working: I downloaded the free version of ISAPI_Rewrite from Helicon Tech. Here's their short description of the software:

"ISAPI_Rewrite is an Apache mod_rewrite-compatible URL rewriter for the Microsoft IIS server (please see the compatibility chart). It is used for search engine optimization, to proxy another server's content, to stop hotlinking or to strengthen server security. It supports distributed .htaccess configuration files, enhanced regular expressions and nearly all mod_rewrite features. And there is also a freeware Lite version of this product!"

This allows you to set up rules that rewrite the HTTP request before passing it on to the web server. Sounds simple enough, but I'd almost forgotten how tricky regular expressions can be. Blocking 'http:' in a query was pretty easy, but it took me a while to figure out how to allow Google to use these for some gadgets that I host. In researching this, I found a nice quote: "if the solution to a problem includes regular expressions then you've still got a problem". With that in mind, I thought I'd post my solution here:


RewriteEngine On
# Query string contains "http" after at least one other character (case-insensitive)
RewriteCond %{QUERY_STRING} ^.+http [NC]
# ...and does not contain "google" (lets the hosted Google gadgets through)
RewriteCond %{QUERY_STRING} !google [NC]
# Both conditions met: stop processing and answer 403 Forbidden
RewriteRule .* - [L,F]
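To see what the two conditions actually let through, here is an added example (written for this page, not code from the post or from Helicon) that transcribes the rule into Python and runs it over sample requests: the three encoded /stories.php requests quoted in the comment below, plus three constructed lines. It also shows a tighter alternative that decodes each parameter value and allows an absolute URL only when its host is on an allowlist; the host names in ALLOWED_HOSTS are assumptions, since the post does not say which Google host the gadgets fetch from.

```python
"""Added example (not from the post): replay the post's ISAPI_Rewrite
conditions, and a tighter host allowlist, against sample query strings."""
import re
from urllib.parse import parse_qsl, urlsplit

# The two RewriteCond lines from the post, transcribed as Python regexes.
# ISAPI_Rewrite tests the raw query string, so the literal text "http" is
# still present when the URL is percent-encoded (http%3A%2F%2F...).
BLOCK_PATTERN = re.compile(r"^.+http", re.IGNORECASE)   # RewriteCond ^.+http [NC]
EXEMPT_PATTERN = re.compile(r"google", re.IGNORECASE)   # RewriteCond !google [NC]

# Hypothetical allowlist for the tighter variant. The post does not say which
# Google host its gadgets fetch from, so these names are assumptions.
ALLOWED_HOSTS = {"www.google.com", "gmodules.com"}


def rule_forbids(query: str) -> bool:
    """True when the post's rule would answer 403 (RewriteRule .* - [L,F])."""
    return bool(BLOCK_PATTERN.search(query)) and not EXEMPT_PATTERN.search(query)


def strict_forbids(query: str) -> bool:
    """Tighter check: decode every parameter value and forbid the request if
    any value is an absolute http(s) URL whose host is not on the allowlist.
    Comparing the decoded host avoids matching a word anywhere in the text."""
    for _name, value in parse_qsl(query, keep_blank_values=True):
        parts = urlsplit(value)
        if parts.scheme.lower() in ("http", "https") and parts.netloc:
            if parts.hostname not in ALLOWED_HOSTS:
                return True
    return False


def classify_log(lines):
    """For each log line ending in a request path, return
    (path, raw_query, blocked_by_post_rule, blocked_by_strict_check)."""
    rows = []
    for line in lines:
        fields = line.split()
        if not fields or not fields[-1].startswith("/"):
            continue  # not a request line in the expected shape
        path, _sep, query = fields[-1].partition("?")
        rows.append((path, query, rule_forbids(query), strict_forbids(query)))
    return rows


SAMPLE_LOG = [
    # The first three lines are the ones quoted in gbuisman's comment.
    "Fri 06 June 2008; 14.37 /stories.php?target=http%3A%2F%2Fwww.pattibus.it%2Fphplib-7.2b%2Fpages%2Fgodot%2Folule%2F",
    "Fri 06 June 2008; 14.37 /stories.php?target=http%3A%2F%2Fstoneproperties.co.uk%2Falbum%2Fincludes%2Fnohul%2Fzojaz%2F",
    "Fri 06 June 2008; 14.37 /stories.php?target=http%3A%2F%2Fwww.service-exposants.com%2Fstore%2Fiyi%2Fzobakiq%2F",
    # Constructed lines: a normal page request, a gadget fetch from an
    # allowed host, and a URL on an unrelated host whose path contains "google".
    "Fri 06 June 2008; 14.40 /default.asp?page=Contact",
    "Fri 06 June 2008; 14.41 /gadget.asp?url=http%3A%2F%2Fwww.google.com%2Fig%2Fmodules%2Fexample.xml",
    "Fri 06 June 2008; 14.42 /stories.php?target=http%3A%2F%2Fexample.net%2Fgoogle%2Fx.txt",
]

if __name__ == "__main__":
    for path, query, by_rule, by_strict in classify_log(SAMPLE_LOG):
        print(f"{path}?{query[:40]:<40} post rule: {'403' if by_rule else 'pass'}"
              f"  host allowlist: {'403' if by_strict else 'pass'}")
```

Two things the replay makes visible. The post's "!google" exemption matches that word anywhere in the query string, so a URL on an unrelated host whose path happens to contain "google" is not blocked, while the host allowlist still rejects it. And the leading "^.+" requires at least one character before "http", so the rule is aimed at parameter=URL shapes such as "target=http..." rather than a query string that begins with "http" itself.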



1. gbuisman said...

I'm just looking through some log files and found this among a few others:

Fri 06 June 2008; 14.37 /stories.php?target=http%3A%2F%2Fwww.pattibus.it%2Fphplib-7.2b%2Fpages%2Fgodot%2Folule%2F
Fri 06 June 2008; 14.37 /stories.php?target=http%3A%2F%2Fstoneproperties.co.uk%2Falbum%2Fincludes%2Fnohul%2Fzojaz%2F
Fri 06 June 2008; 14.37 /stories.php?target=http%3A%2F%2Fwww.service-exposants.com%2Fstore%2Fiyi%2Fzobakiq%2F

The hacker's address seems to be: justgo.rohwerder-hinz.net. I just ran into the problem, and you seem to have some good information, so I think you might be interested. It seems the target sites are using php3. I wonder if they can get any 'lethal' information on me this way; I don't think so, as I wrote all the underlying code myself.
