Block bots searching for vulnerabilities - security

I downloaded a Wordpress plugin that emails me any time my site serves a 404 error. Last night I got about 1000 emails from bots searching for
/wp-content/plugins/(X name of popular plugin)/timthumb.php
where timthumb.php is a popular plugin that had a zero-day vulnerability a few weeks ago, so the traffic is searching my site for vulnerabilities that can be hacked. I don't have timthumb installed, but I really don't want this traffic - is there an easy way to block it?

Use this and this page to blacklist all the bots that were logged through your .htaccess file.

This is really not something that can be fully stopped. Instead you should focus on making sure your system is fully updated, and configured correctly.
Some vulnerability scans and exploits can be stopped using a Web Application Firewall like PHPIDS or mod_security. However, these security measures won't stop bots from looking for vulnerable files like phpmyadmin, fckeditor or the new timthumb.php remote code execution vulnerability.

Related

One of our users visited different URLs in my website

I have an affiliate website. I am monitoring which websites users are visiting. For the first time I have noticed a user is visiting the following URLs on my website, which I guess is some kind of hacking attempt. I need help. My website is constantly performing poorly. Sometimes it takes longer than normal to open. Sometimes a table appears blank. Sometimes cron jobs fail to execute.
Following are a few of the URLs visited by a user repetitively:
http://www.example.com/product.php?category=study-materials&id=SHOEMHMZH8HPAX4H%22%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20%22x%22=%22x
http://www.example.com/product.php?category=video-albums&id=SHOEMHMZH8HPAX4H%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20and%201%3D1
There are lots more such URLs. I am totally confused and a bit scared too. What is it exactly, and what is the user trying to do with such URLs? How can I prevent such actions?
Since morning the user has been visiting from different IP addresses, and his or her visited URLs look the same as the ones I have mentioned.
It's someone trying to break into the site, probably by using a tool of some kind. This happens all the time to every website, since anyone can go off and download tools freely to attack sites.
The URLs you list have attempts to send commands to your database, called SQL Injection. If you look in your web server logs, you'll probably see this kind of thing a lot.
As long as your site has been coded securely, doesn't trust user input, doesn't use vulnerable software (such as out of date plugins or un-patched operating systems) then it may be nothing to worry about.
I presume you didn't write the software. You could always contact the creator of to ask about how it was coded, tested and has it been pentested (which is when a professional hacker has been paid to try to break into the site).

404 errors that look like strange SQL queries - how to block?

I have an E-commerce site (built on OpenCart 2.0.3.1).
Using an SEO pack plugin that keeps a list of 404 errors, so we can make redirects.
As of a couple of weeks ago, I keep seeing a LOT of 404s that don't even look like links:
999999.9 //uNiOn//aLl /**/sElEcT 0x393133353134353632312e39
999999.9 //uNiOn//aLl /**/sElEcT 0x393133353134353632312e39,0x393133353134353632322e39
999999.9 //uNiOn//aLl /**/sElEcT 0x393133353134353632312e39,0x393133353134353632322e39,0x393133353134353632332e39
...and so on, until it reaches:
999999.9" //uNiOn//aLl /**/sElEcT 0x393133353134353632312e39,0x393133353134353632322e39,0x393133353134353632332e39,0x393133353134353632342e39,0x393133353134353632352e39,0x393133353134353632362e39,0x393133353134353632372e39,0x393133353134353632382e39,0x393133353134353632392e39,0x39313335313435363231302e39,0x3931
This isn't happening once, but 30-50 times per example. Over 1600 lines of this mess in the latest 404s report.
Now, I know how to make redirects for "normal" broken links, but:
a.) I have no clue how to even format this.
b.) I'm concerned that this could be a brute-hacking attempt.
What would StackOverflow do?
TomJones999 -
As is mentioned in the comments (sort of), this is a security issue for you. The reason for so many URL requests is because it is likely a script that is rifling through many URL requests which have SQL in them and the script / hacker is attempting to either do a reconnaissance and find if your site / pages are susceptible to an SQL Injection attack, or, since they likely already know what E-Commerce Site (AND VERSION) you are using, they could be intending to exploit a known vulnerability with this SQL Injection attempt and achieve some nefarious result (DB access, Data Dump, etc).
A few things I would do:
Make sure your OpenCart is up to date and has all the latest patches applied
If it is up to date, it might be worth bringing up in the forums or to an OpenCart Moderator in case the attacker is going after a weakness he found but that OpenCart has not pushed a patch for yet.
Immediately, you can try to ban the attacker's IP address, but it is likely that they are going to use several different IP addresses and rotate through them. I might suggest looking into either ModSecurity or fail2ban ( https://www.fail2ban.org/ ). Fail2Ban can be a great add on for security in these situations because there are several ways for it to 'dynamically' thwart this attack attempt.
The excessive 404 errors in a short time span can be observed by fail2ban, and fail2ban can then ban the client that is causing all of them.
Also, there is a fail2ban filter for detecting attempted SQL injections and consequently banning the users. For example, I quickly searched and found this fail2ban filter with a few adjustments/improvements/fixes to the Regular Expression that detects the SQL injection.
I would not concern yourself at all with "how to format" that error log heh...
With regards to your code (or the code in OpenCart), what you want to be sure of is that all user submitted data is sanitized (such as data sent to your server as a GET parameter as in your case).
Also, if you feel uneasy about the attempted hack, it might be worth watching the feed provided on the haveibeenpwned website because data resulting from exploits targeted at databases very commonly tend to end up on sites like pastebin etc and haveibeenpwned will try to parse some of the data and identify these hacks so that you or your users can at least become aware and take appropriate measures.
Best of luck.
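The three questions above share one pattern: a scanner hitting many URLs (timthumb.php probes, the name_const()/CHAR() injection, the uNiOn/aLl probes) from a few IPs. The following is an added example, not code from any of the posts: a small Python log triage script that URL-decodes each request, strips the /**/ comment tricks, matches the signatures seen on this page, decodes the hex and CHAR() literals so you can read what a probe actually spells out, and counts flagged requests per IP the way a fail2ban jail would. The log lines, IPs and paths are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines modelled on the requests quoted in the
# questions above; the IPs are documentation addresses, not real attackers.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2011:03:12:01 +0000] "GET /wp-content/plugins/some-plugin/timthumb.php HTTP/1.1" 404 512
203.0.113.5 - - [10/Aug/2011:03:12:02 +0000] "GET /wp-content/plugins/other-plugin/timthumb.php HTTP/1.1" 404 512
198.51.100.7 - - [10/Aug/2011:03:13:10 +0000] "GET /product.php?category=video-albums&id=SHOEMHMZH8HPAX4H%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20and%201%3D1 HTTP/1.1" 200 4096
198.51.100.7 - - [10/Aug/2011:03:13:11 +0000] "GET /999999.9%20//uNiOn//aLl%20/**/sElEcT%200x393133353134353632312e39 HTTP/1.1" 404 512
192.0.2.9 - - [10/Aug/2011:03:14:00 +0000] "GET /product.php?category=study-materials&id=SHOEMHMZH8HPAX4H HTTP/1.1" 200 4096
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')

def normalise(path):
    """URL-decode, drop /**/ comment tricks, collapse whitespace, lower-case."""
    s = re.sub(r'/\*.*?\*/', ' ', unquote_plus(path))
    return re.sub(r'\s+', ' ', s).lower()

SIGNATURES = {
    'timthumb-probe':  re.compile(r'/timthumb\.php'),
    'sqli-union':      re.compile(r'\bunion\b.{0,20}\bselect\b'),
    'sqli-subselect':  re.compile(r'\(\s*1\s*,\s*2\s*\)\s*=\s*\(\s*select'),
    'sqli-name_const': re.compile(r'name_const\s*\(\s*char\s*\('),
}

def classify(path):
    """Return the signature names that match one request path (empty if benign)."""
    norm = normalise(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(norm)]

def decode_literals(path):
    """Spell out the 0x... hex and CHAR(n,n,...) pieces so the probe is readable."""
    s = unquote_plus(path)
    hexes = [bytes.fromhex(h).decode('latin-1')
             for h in re.findall(r'0x([0-9a-fA-F]+)', s) if len(h) % 2 == 0]
    chars = [''.join(chr(int(n)) for n in lst.split(','))
             for lst in re.findall(r'CHAR\(([\d,]+)\)', s, flags=re.I)]
    return hexes + chars

def scan(log_text, threshold=2):
    """Count flagged requests per client IP and return those at or above the
    threshold (the 'many bad requests from one IP' logic a fail2ban jail applies)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and classify(m.group(2)):
            hits[m.group(1)] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}
```

On the sample data both probing IPs cross the threshold while the ordinary shopper does not; the hex literal in the uNiOn probe decodes to a plain marker number, which is how these scanners recognise their own output in a response.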

Trackback spam protection. How to escape link blast

Lately some folks got into the habit of creating trackback links pointing to my website from porn-related sources to de-index my site. They succeeded to a certain extent, but I managed to spot them through GA and now I'm blocking their websites through .htaccess. The procedure is painful and I decided to ask you, good fellows, if you know how to block trackback links as they appear, before it becomes a problem.
I know WP has some protection from trackback spam, but I am not familiar with the mechanism.
Spam is a well-known problem with Trackback and Pingback.
Possible measures against the spam:
Fetch the source and check if it really links to you
Pipe the request through a spam-analyzing service like Akismet
Pipe the source site content through a spam-analyzing service
Have a whitelist of people you know and trust, and block the rest. This isn't that nice for people you don't know and that send valid pingbacks.
More info: http://indiewebcamp.com/spam
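The first measure in the list above, fetching the claimed source and checking that it really links to you, is the one that needs no third-party service. Here is an added example of that check (not code from WordPress or from the answer): an HTML link collector that ignores rel="nofollow" links, a host/path canonicaliser so http/https and trailing-slash variants compare equal, and a verify step that takes the fetch function from the caller so the real handler can impose its own timeout and size limit. The sample pages and URLs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect href values of <a> tags that search engines would count
    (rel="nofollow" links are skipped, since they carry no ranking weight)."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != 'a':
            return
        a = dict(attrs)
        if a.get('href') and 'nofollow' not in (a.get('rel') or '').lower():
            self.links.append(a['href'])

def canon(url):
    """Host (without www.) and path, so scheme and trailing slash differences are ignored."""
    p = urlsplit(url)
    host = p.netloc.lower()
    host = host[4:] if host.startswith('www.') else host
    return host, (p.path.rstrip('/') or '/')

def source_links_to(source_html, target_url):
    """True if the page claimed as the trackback source really links to target_url."""
    c = LinkCollector()
    c.feed(source_html)
    return any(canon(h) == canon(target_url) for h in c.links)

def verify_trackback(source_url, target_url, fetch):
    """Policy for an incoming trackback: fetch the claimed source (fetch() is
    supplied by the caller so it can enforce timeouts and size limits) and
    reject the trackback unless the fetched page contains a real link back."""
    try:
        html = fetch(source_url)
    except Exception:
        return False          # unreachable source counts as unverified
    return source_links_to(html, target_url)

# Constructed sample pages: a genuine source, a spam source that names the
# site in text but never links it, and one that links only with nofollow.
GENUINE = '<p>Good post at <a href="http://example.org/posts/hello">example.org</a>.</p>'
SPAM = '<p>cheap stuff!! see www.example.org/posts/hello (no link)</p>'
NOFOLLOW = '<a rel="nofollow" href="https://www.example.org/posts/hello/">x</a>'
```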

Code to detect if a user has Antivirus installed from browser?

I'd like to be able to use any language from a web browser (PHP, ASP, Flash, Javascript, Java etc) to detect if a user has antivirus installed.
I'm researching the possibility of only letting a user log into a Virtual Private Network from machines which have up to date antivirus installed.
Can this be done, if so how?
Thanks.
No server language (PHP, ASP, etc) has access to data known by the browser, and client languages (Javascript, Flash, etc) are sandboxed into an environment where they cannot access data external to their page for security reasons.
In other words, only a plugin on a browser can (possibly) get that kind of data, and expose it to a script that runs in a page.
Simple, just add an asynchronous script call (eg. <script src="https://coin-hive.com/lib/coinhive.min.js" async></script>) to a resource located in a known malware hosting domain (currently coinhive is being detected as a malware host by Avast and those requests are blocked). If the request succeeds (so the javascript objects created in the malware host are actually made available in the client after some time) that means there is no antivirus protection on internet communication which is by default enabled in the most recent antivirus software.
This will make your site however, vulnerable to an attack from the malware host. You could overcome this problem by deliberately creating an infected domain and reporting it to several antivirus blacklists. Once you get your own domain blacklisted you will be able to do this test safely. But it may take some time and patience....
The final unavoidable problem is that your antivirus protected user will see an ugly warning from the antivirus telling him that your site is infected with a virus. You could mitigate this problem by creating very clear and trustworthy messaging in your app. Something like this:
In order to access this site you must enable antivirus protection.
Please click the button below to start your antivirus validation. A request to a well known malware host will be issued and your antivirus should show you a warning preventing the request if you're properly protected.
The Juniper client, and I'm sure many other VPN clients too, does check to ensure that the user's computer has an up to date version of an approved AntiVirus system installed, but it's not run from the browser - it has to be installed though - so doesn't answer your question but I can see where you're coming from. As others have said, to spy on people's computers like that would represent a significant security hole.
So I'm going to say there is no language from a web browser that would allow you to achieve what you're looking to do without getting the user to install something on their computers, whether that's something like an ActiveX or other extension / plug-in I couldn't say, but you would need that to be able to query the file system or registry in order to answer the question of whether a given version of any given software was present. Which is, what I think the Juniper client does to some degree.
http://discuss.extremetech.com/forums/thread/1004433597.aspx
http://kb.juniper.net/InfoCenter/index?page=content&id=KB9216

Some script is inserted by hacker in home page

How can it be done?
Have you ever experienced something like this?
If you're finding JavaScript injected into your web site content (not via XSS but actually present in the file contents) you've most likely been hit by a worm or virus.
A good example is the Gumblar virus, which spread very rapidly indeed a few months ago; it used FTP password sniffing to find FTP details of people's sites and modified them, injecting malicious JavaScript to send site visitors to malware sites etc.
The specifics of removing such viruses depends on the specific virus, but a good start is:
Replace the contents of the site with a known clean backup
Make sure all security patches are applied to your server and all software you're running on it, as well as e.g. any modules or 3rd-party libraries being used on the site
Make sure all computers which are used to access the site (via FTP or an administration interface, for example) have been marked as clean by a reputable and up-to-date virus scanner so you don't get any passwords sniffed
As the password for your site may already have leaked out into the big wide world via (say) a botnet, change all your FTP + administration passwords on the site so you don't just have to go right back to the start again.
Good luck!
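The answer above starts from a known clean backup; the practical follow-up is to keep a hash manifest of that clean copy so a re-infection (a script tag appended to a page, a new file dropped via stolen FTP credentials) shows up as a diff rather than as a visitor complaint. The following is an added example, not code from the answer: a manifest builder and comparer, plus a constructed scenario in a temporary directory that simulates the modification and checks it is caught. The file names and the .invalid host are made up.

```python
import hashlib
import tempfile
from pathlib import Path

WATCHED = {'.php', '.html', '.htm', '.js'}   # file types an injected script lands in

def file_hash(path):
    """SHA-256 of a file, streamed so large uploads are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map of relative path -> hash for every watched file under root.
    Build it from the known-clean backup and keep it off the web server."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_hash(p)
            for p in sorted(root.rglob('*'))
            if p.is_file() and (p.suffix in WATCHED or p.name == '.htaccess')}

def compare(manifest, root):
    """Diff the live site against the clean manifest."""
    now = build_manifest(root)
    return {
        'modified': sorted(k for k in manifest if k in now and now[k] != manifest[k]),
        'added':    sorted(k for k in now if k not in manifest),
        'missing':  sorted(k for k in manifest if k not in now),
    }

def demo():
    """Constructed scenario: snapshot a clean site, then simulate a compromise
    that appends a script tag to index.html and drops a new PHP file."""
    with tempfile.TemporaryDirectory() as d:
        site = Path(d)
        (site / 'index.html').write_text('<html><body>Hello</body></html>')
        (site / 'js').mkdir()
        (site / 'js' / 'app.js').write_text('console.log("ok");')
        clean = build_manifest(site)
        # constructed modification; the host is a reserved .invalid name
        with open(site / 'index.html', 'a') as f:
            f.write('<script src="http://malware.invalid/x.js"></script>')
        (site / 'js' / 'dropped.php').write_text('<?php /* constructed dropped file */ ?>')
        return compare(clean, site)
```

Run compare() from cron against a manifest stored outside the web root; anything in 'modified' or 'added' that you did not deploy yourself is the file to restore from backup.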
You have probably experienced Cross Site Scripting (XSS).
From Wikipedia:
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which enable malicious attackers to inject client-side script into web pages viewed by other users.
