Block MaMa CaSpEr and Bot Search in .htaccess
Subject: Block MaMa CaSpEr and Bot Search in .htaccess
by McDonald on 2010/9/26 6:20:12

In my logs and counter (PHP-Stats) I noticed that some bots (IPs) tried to insert a vulnerable contact.php script, and also bots such as MaMa CaSpEr and plaNETWORK. The following is an extract from WebmasterWorld.com.

From Wizcrafts:

There is an Indonesian-based Byroenet IRC vulnerability scanner probing all websites for a vulnerable contact.php script, usually part of Joomla or e107. The attacks use POST to include a remote file and inject hostile code into exploited websites. The scanner in this instance goes by a variety of hard-coded hacking "crew" names, including the following:

MaMa CaSpEr
b3b4s Bot Search
dex Bot Search
Dex Bot Search
kmccrew Bot Search
plaNETWORK Bot Search
rk q kangen
sasqia Bot Search
sledink Bot Search
Mozilla/5.0
Mozilla/4.76 [ru] (X11; U; SunOS? 5.7 sun4u)
perl post

They will no doubt be adding more user agents from time to time, reflecting new hacking crews. To protect Apache server websites from these attacks, add the following directives to your root .htaccess. Expect more user agents to come from new crews. Uncomment the POST condition if you do not allow a direct visitor POST to your blog via a blog page named contact.php.

# Replace "your blog directory" with the real path (escape any spaces in it as "\ ")
# RewriteCond %{THE_REQUEST} ^POST\ /your blog directory/.*contact\.php [OR]
# Grouped and anchored: as first posted this pattern ended in a stray "|", an empty alternative that matches every user agent
RewriteCond %{HTTP_USER_AGENT} ^(MaMa|plaNETWORK|dex) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Bot\ Search|casper|crew|kangen [NC,OR]
# Exact matches only: an unanchored ^Mozilla/5\.0 would also block every normal browser
RewriteCond %{HTTP_USER_AGENT} ^(Mozilla/5\.0|perl\ post)$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/4\.76\ \[ru]\ \(X11;\ U;\ SunOS\?\ 5\.7\ sun4u\)$
RewriteRule .* - [F]

Change the RewriteRule to include a custom 403 page, if you use one. Example with a custom 403 page in the web root:

RewriteRule !^403\.(s?html|php)$ - [F]

Note: there is no reason to allow robots.txt when forbidding hack tools. If you do have a page named contact.php, make sure you examine the code for security checks against remote file inclusion (RFI) exploits. Or rename that file and change the links to it (then have it checked for vulnerabilities)! Get the latest version of any CMS or blog software you have installed on your server or website. This specifically includes Joomla and e107 CMS scripts! Plus, check your web root directory for the presence of a file containing the name "casper" or anything ending in .pl that you didn't put there.

Reply from Wizcrafts:

Here are more .htaccess directives pertaining to exploits used by this hacking gang and others similar to them.

# Mod_Access block-rule:
<Files *>
order deny,allow
# Block Indonesia
deny from 110.136.176.0/20 118.96.0.0/15 125.164.64.0/19
</Files>
Options +FollowSymLinks
RewriteEngine On
RewriteOptions inherit
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl/ [OR]
RewriteCond %{THE_REQUEST} _inject%20 [NC,OR]
RewriteCond %{THE_REQUEST} ^POST\ .*/e107\ HTTP/1\.[01]$ [OR]
RewriteCond %{QUERY_STRING} ^sIncPath=%7Cecho [OR]
RewriteCond %{QUERY_STRING} ^sIncPath=http://.+\.fileave\.com/
RewriteRule .* - [F]
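An added example, not code from this thread or from Wizcrafts: a small Python script that replays the user-agent RewriteCond patterns and the "deny from" ranges over a handful of constructed access-log lines, so a block list like the one above can be checked for collateral damage (legitimate browsers and search-engine crawlers) before it goes live. The log lines, their IP addresses and the "/blog/" directory used in the THE_REQUEST condition are assumptions made for the example; the CIDR ranges are the ones from the second rule set. It compares the patterns as they were first posted with the grouped versions, which is what shows why the trailing "|" and the unanchored "^Mozilla/5\.0" matter.

```python
"""Offline checker for the .htaccess block rules discussed in this thread.

Added example, not code from the post or from Wizcrafts. Apache evaluates
RewriteCond patterns with PCRE; Python's re module behaves the same for these
simple expressions, including the '\\ ' escape Apache needs for a literal space.
"""
import ipaddress
import re
from collections import namedtuple

Cond = namedtuple("Cond", "var pattern flags")

# User-agent conditions exactly as first posted. Two are broader than intended:
# the trailing '|' in the first pattern is an empty alternative that matches
# every string, and in the third the '^' binds only to 'Mozilla/5\.0', so any
# browser whose UA begins with 'Mozilla/5.0' is caught.
RULES_AS_POSTED = [
    Cond("HTTP_USER_AGENT", r"^MaMa|plaNETWORK|dex|", re.I),
    Cond("HTTP_USER_AGENT", r"Bot\ Search|casper|crew|kangen", re.I),
    Cond("HTTP_USER_AGENT", r"^Mozilla/5\.0|perl\ post$", 0),
    Cond("HTTP_USER_AGENT", r"^Mozilla/4\.76\ \[ru]\ \(X11;\ U;\ SunOS\?\ 5\.7\ sun4u\)$", 0),
]

# Same conditions with the alternations grouped, plus the optional THE_REQUEST
# condition from the post. '/blog/' is an assumed blog directory.
RULES_TIGHTENED = [
    Cond("THE_REQUEST", r"^POST\ /blog/.*contact\.php", 0),
    Cond("HTTP_USER_AGENT", r"^(MaMa|plaNETWORK|dex)", re.I),
    Cond("HTTP_USER_AGENT", r"Bot\ Search|casper|crew|kangen", re.I),
    Cond("HTTP_USER_AGENT", r"^(Mozilla/5\.0|perl\ post)$", 0),
    Cond("HTTP_USER_AGENT", r"^Mozilla/4\.76\ \[ru]\ \(X11;\ U;\ SunOS\?\ 5\.7\ sun4u\)$", 0),
]

# Ranges from the 'deny from' line in the second rule set.
DENY_FROM = [ipaddress.ip_network(n) for n in
             ("110.136.176.0/20", "118.96.0.0/15", "125.164.64.0/19")]

# Constructed log lines in Apache 'combined' format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Sep/2010:06:20:12 +0200] "POST /blog/contact.php HTTP/1.1" 200 512 "-" "MaMa CaSpEr"
203.0.113.11 - - [26/Sep/2010:06:21:03 +0200] "POST /blog/contact.php HTTP/1.0" 200 512 "-" "plaNETWORK Bot Search"
203.0.113.12 - - [26/Sep/2010:06:22:41 +0200] "GET /index.php HTTP/1.1" 200 4096 "-" "perl post"
198.51.100.5 - - [26/Sep/2010:06:23:17 +0200] "GET /blog/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (Windows NT 6.1; rv:3.6.10) Gecko/20100914 Firefox/3.6.10"
198.51.100.6 - - [26/Sep/2010:06:24:55 +0200] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.13 - - [26/Sep/2010:06:25:30 +0200] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
110.136.180.7 - - [26/Sep/2010:06:26:02 +0200] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log_line(line):
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def matching_conditions(entry, rules):
    """Patterns in `rules` that match this entry. mod_rewrite's THE_REQUEST is
    the raw request line and HTTP_USER_AGENT is the User-Agent header."""
    values = {"THE_REQUEST": entry["request"], "HTTP_USER_AGENT": entry["ua"]}
    return [c.pattern for c in rules if re.search(c.pattern, values[c.var], c.flags)]


def is_forbidden(entry, rules):
    """A chain of 'RewriteCond ... [OR]' lines ending in 'RewriteRule .* - [F]'
    answers 403 as soon as any single condition matches."""
    return bool(matching_conditions(entry, rules))


def ip_denied(entry):
    """'deny from' check from the <Files *> block (mod_access / mod_authz_host)."""
    addr = ipaddress.ip_address(entry["ip"])
    return any(addr in net for net in DENY_FROM)


def audit(log_text, rules):
    """Return (ip, user_agent, blocked) per parsed line; blocked is True when
    either the IP ranges or the rewrite conditions would have refused it."""
    rows = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is None:
            continue
        rows.append((entry["ip"], entry["ua"], ip_denied(entry) or is_forbidden(entry, rules)))
    return rows


if __name__ == "__main__":
    for name, rules in (("as posted", RULES_AS_POSTED), ("tightened", RULES_TIGHTENED)):
        print(f"--- {name} ---")
        for ip, ua, blocked in audit(SAMPLE_LOG, rules):
            print(f"{'403' if blocked else '200'}  {ip:<15} {ua}")
```

Run against a day of real combined-format logs instead of SAMPLE_LOG and anything reported as 403 that is not a scanner is a rule that needs tightening; the "as posted" set flags every line, while the grouped set lets the Firefox and Googlebot entries through and still refuses the five scanner strings and the address inside the denied range.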