[PHP] Blocking URL hacking attempts

2012-04-22 Thread sono-io
I'm using a script called BlackHole that uses PHP and a hidden 
directory to catch bad bots and block them by their IP address from the site 
[http://perishablepress.com/blackhole-bad-bots/].  It's working very well, but 
I'd like to expand on the idea.

When looking at our access logs, I see someone adding code to our 
URLs in hopes to, apparently, hack into our site.  If our URL is like this:

http://www.example.com/pages/bolts.php

they are adding to it like this:

http://www.example.com/pages/bolts.php/wp-content/themes/functions/thumb.php.cache/external_e19f4bb51bc2262e07d23b79b916c12c.php
or
http://www.example.com/pages/bolts.php/cart.php
or
http://www.example.com/pages/bolts.php/wp-content/themes/functions/thumb.phptimthumb.php
or
http://www.example.com/pages/bolts.php/bratislava/stare-mesto

Is there a way that I can trap the extra info in the URLs and pass 
it to the BlackHole script to ban these attempts as well?  I'm thinking I'll 
need to compare the entered URL with $_SERVER['PHP_SELF'] and if there's extra 
info, like another *.php, after the page name, then ban the IP.  I realize 
that's a rather simplistic explanation and there may be a better way to 
accomplish this.

If anyone has any examples they can share, I'd really appreciate it.

Thanks,
Marc
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Blocking URL hacking attempts

2012-04-22 Thread Mihamina Rakotomandimby

On 04/22/2012 07:55 PM, sono...@fannullone.us wrote:

Is there a way that I can trap the extra info in the URL's and pass it to the


I miss the interest of that system: the URL doesn't exist, so the nasty 
client will get a 404 and you're done.


If you want to do more filtering, I would suggest coupling with 
fail2ban, so that filtering will occur at TCP level.


--
RMA.
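
An added example, not part of any post in this thread: one way to detect the trailing path described in the original question, answer it with a 404, and write a log line that a log-based blocker such as fail2ban could match. The function names, the `extra-path-probe` log format and the sample requests are assumptions; it reads `SCRIPT_NAME` rather than `PHP_SELF` because `PHP_SELF` normally includes the trailing path.

```php
<?php
// Added example, not code from the thread. Names and log format are assumptions.

/** Return the path that follows the script name in a $_SERVER-style array, or null. */
function trailing_path_info(array $server): ?string
{
    // The SAPI normally sets PATH_INFO when the URL continues past the script file.
    if (isset($server['PATH_INFO']) && $server['PATH_INFO'] !== '') {
        return $server['PATH_INFO'];
    }
    // Fallback: compare the request path with SCRIPT_NAME. PHP_SELF is no use
    // here because it already contains the trailing path.
    $path   = parse_url($server['REQUEST_URI'] ?? '', PHP_URL_PATH);
    $script = $server['SCRIPT_NAME'] ?? '';
    if (is_string($path) && $script !== '' && strpos($path, $script . '/') === 0) {
        return substr($path, strlen($script));
    }
    return null;
}

/** Log the probe and answer 404; returns true when the request was rejected. */
function reject_trailing_path(array $server): bool
{
    $extra = trailing_path_info($server);
    if ($extra === null) {
        return false;
    }
    // Replace control characters so a crafted URL cannot inject extra log lines.
    $safe = preg_replace('/[\x00-\x1f\x7f]/', '?', $extra);
    error_log(sprintf('extra-path-probe client=%s path=%s', $server['REMOTE_ADDR'] ?? '-', $safe));
    if (PHP_SAPI !== 'cli') {
        http_response_code(404);
    }
    return true;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests modelled on the URLs quoted in the thread.
    $base = ['SCRIPT_NAME' => '/pages/bolts.php', 'REMOTE_ADDR' => '192.0.2.10'];
    $samples = [
        $base + ['REQUEST_URI' => '/pages/bolts.php?id=7'],
        $base + ['REQUEST_URI' => '/pages/bolts.php/cart.php', 'PATH_INFO' => '/cart.php'],
        $base + ['REQUEST_URI' => '/pages/bolts.php/bratislava/stare-mesto'],
    ];
    foreach ($samples as $s) {
        printf("%-42s %s\n", $s['REQUEST_URI'], reject_trailing_path($s) ? '404' : 'serve');
    }
} elseif (reject_trailing_path($_SERVER)) {
    exit; // stop before the page renders
}
```

On Apache, setting `AcceptPathInfo Off` makes the server itself return 404 for such URLs before PHP runs.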




RE: [PHP] Blocking URL hacking attempts

2012-04-22 Thread admin
-Original Message-
From: sono...@fannullone.us [mailto:sono...@fannullone.us] 
Sent: Sunday, April 22, 2012 12:55 PM
To: PHP General
Subject: [PHP] Blocking URL hacking attempts

I'm using a script called BlackHole that uses PHP and a hidden
directory to catch bad bots and block them by their IP address from the site
[http://perishablepress.com/blackhole-bad-bots/].  It's working very well,
but I'd like to expand on the idea.

When looking at our access logs, I see someone adding code to our
URLs in hopes to, apparently, hack into our site.  If our URL is like this:

http://www.example.com/pages/bolts.php

they are adding to it like this:

http://www.example.com/pages/bolts.php/wp-content/themes/functions/thumb.php.cache/external_e19f4bb51bc2262e07d23b79b916c12c.php
or
http://www.example.com/pages/bolts.php/cart.php
or
http://www.example.com/pages/bolts.php/wp-content/themes/functions/thumb.phptimthumb.php
or
http://www.example.com/pages/bolts.php/bratislava/stare-mesto

Is there a way that I can trap the extra info in the URLs and
pass it to the BlackHole script to ban these attempts as well?  I'm thinking
I'll need to compare the entered URL with $_SERVER['PHP_SELF'] and if
there's extra info, like another *.php, after the page name, then ban the
IP.  I realize that's a rather simplistic explanation and there may be a
better way to accomplish this.

If anyone has any examples they can share, I'd really appreciate it.

Thanks,
Marc




Marc,
First, I would suggest you look at .htaccess or web.config, depending
on your flavor of OS.
Examine the URL patterns and rewrite the URL appending to the string. This
will allow you a little more control.
I completely disagree on the blocking IP concept; this can lead to
network latency and other issues. Redirecting traffic is more efficient.

I think the scare factor of products like BlackHole is really just that.
Bots are not always a bad thing. When your server becomes more popular,
people are interested in content, so controlling the bots is key.
IP addresses can be spoofed, and if you have an auto block this could be your
undoing in the long run.



Rick..






 

