TinyPortal

General => Chit chat => Topic started by: PowerPyx on January 31, 2010, 10:57:51 AM

Title: Helping abuse desks to make the net safer
Post by: PowerPyx on January 31, 2010, 10:57:51 AM
Hi there,

some times ago I wonder about all that entrys in my error log, where the error has some kind of /fu.txt?? at it's end and some includes, and other "bad" things. After talking with my Server-Admin about that i searched the net how we can prevent those calls from smf + tp. I found a Website called "Glastopf" where you can generate a .htaccess which will redirect those attacks to a honeypot. Out of the Informations they collect, the abusedesks of the hosters can be informed which Customer of them has an unsecure website or a hacked PC.

http://honeystats.info/home

Unfortunatly the original .htaccess generated over there will not work correctly on smf + tp. It doesn't work because of the way thread and post calls are done with search engine friendly links enabled. Then I start to rewrite the .htaccess a bit. Now everybody with smf + tp can use that modified .htaccess while all things work fine.

The original one (DO NOT USE THIS WITH SMF+TP installed! check the 2nd code block with a well functional version for SMF+TP!), generated without an ID looks like this


####################################
### Generated by honeystats.info ###
####################################

Options +FollowSymlinks
RewriteEngine on
RewriteCond %{QUERY_STRING} ^.*(=[a-z0-9]{3,}:\/\/) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(=([a-z0-9]+\.){1,2}[a-z0-9]{2,}) [NC]
RewriteRule ^(.+)$ http://www.htaccess2feeds.com/no_id_set/$1?%{QUERY_STRING}


to use it with smf + tp i modified it this way:


Options +FollowSymlinks
RewriteEngine on
RewriteCond %{QUERY_STRING} ^.*(=([a-zA-Z0-9]{3,}:\/\/)).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\.\.\/.*).* [NR,OR]
RewriteCond %{QUERY_STRING} (.*http:\/\/.+) [NC]
RewriteRule ^(.+)$ http://www.htaccess2feeds.com/no_id_set/$1?%{QUERY_STRING}


I knew that this isn't perfect and some malicious calls will not be redirected to the honeypot, but I think it's a good start over at all. If someone here as an Idea how to optimize the .htaccess, be my guest :)

This RewriteConditions and the RewriteRule will not harm your Website, nor will it send any private Information about you, your Website or it's content to the honeypot. It only collects the Query links after index.php? if the Query string matches to the Conditions.

Please help all to make the net safer!

If you allready have a .htaccess on your webspace, then just include the the RewriteCond's and the RewriteRule in the existing .htaccess.
If you have troubles with your website after uploading / including the .htaccess then just delete it.

Yours
Pyx

PS: sorry for my english, i knew it's not the best ;)
Title: Re: Helping abuse desks to make the net safer
Post by: Skhilled on January 31, 2010, 04:36:07 PM
Cool! I'll go check this out. Thanks. :)

I've been battling those guys with the ".txt???" hack for a few years now. LOL
Title: Re: Helping abuse desks to make the net safer
Post by: IchBin on January 31, 2010, 08:21:53 PM
That's a great idea for that site. If they could get enough people to do this, it would be nice if ISP's would be responsible enough to secure their network from such infected clients.