
1 Jul 28, 2007 06:48    

My b2evolution Version: 1.9.x

Hi,

The view counter of blog entries stopped working so I decided to take a look at the logs to see if I could find something that would explain this behavior. I did not find anything related to that problem but I saw:

[19-Jul-2007 14:53:28] b2evolution error: Unhandled disp type [http://garc.kit.net/xpl/c99.php?] in /home/olivierl/public_html/blog/skins/_dispatch.inc.php at line 28
[20-Jul-2007 18:34:56] b2evolution error: Unhandled disp type [http://www.redcluster.net/modules/Forums/admin/atrix.txt?] in /home/olivierl/public_html/blog/skins/_dispatch.inc.php at line 28
[22-Jul-2007 07:42:17] b2evolution error: Unhandled disp type [http://www.sintoniacs.xpg.com.br/cmd.txt?] in /home/olivierl/public_html/blog/skins/_dispatch.inc.php at line 28
[23-Jul-2007 17:53:59] b2evolution error: Unhandled disp type [http://wantedhacker.vilabol.uol.com.br/c99.txt?] in /home/olivierl/public_html/blog/skins/_dispatch.inc.php at line 28
[25-Jul-2007 23:41:10] b2evolution error: Unhandled disp type [http://wantedhacker.vilabol.uol.com.br/c99.txt?] in /home/olivierl/public_html/blog/skins/_dispatch.inc.php at line 28
[25-Jul-2007 23:45:23] b2evolution error: Unhandled disp type [http://wantedhacker.vilabol.uol.com.br/c99.txt?] in /home/olivierl/public_html/blog/skins/_dispatch.inc.php at line 28

which definitely does not look good. These are certainly signs of abuse of my website and I would like to close this door, but I would need some help as I am not very familiar with the .htaccess file format and what I should put in it to stop the abuse. At the same time, I would not want to make it so restrictive that it breaks the blog app.

Thank you,

2 Jul 28, 2007 10:11

Nice but Apache logs are much more useful..

Those are all just PHP include attacks.

mod_security takes care of just about every permutation of php include attacks there is, if you have it available.

3 Jul 28, 2007 21:20

I should add also that nearly 99.9999% of those attempts are going to be scripted. Consequently, you can block them by NOT allowing anything with the user-agent libwww-perl to access your site (anywhere).

There's NO reason why anyone should be accessing a web site that isn't theirs using any sort of perl script.

I do it using mod_rewrite, but it can be handled via mod_access also.

Here is the mod_rewrite way:


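# mod_rewrite must be enabled for the rules below to take effect
RewriteEngine On
# Match any of these user-agent strings, case-insensitively
RewriteCond %{HTTP_USER_AGENT} SiteSucker [NC,OR]
RewriteCond %{HTTP_USER_AGENT} LWP::Simple [NC,OR]
RewriteCond %{HTTP_USER_AGENT} lwp-trivial [NC,OR]
RewriteCond %{HTTP_USER_AGENT} libwww-perl [NC]
# Answer every matching request with 403 Forbidden
RewriteRule ^.*$ - [F]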

I block a whole host of potential includes using mod_security, even though I also block libwww-perl - mainly because someone that is serious, and not just a script kiddy, can and probably would provide a different user-agent.
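Added example, not part of any post in this thread: a small triage script for the b2evolution error-log format quoted in the first post, which picks out "Unhandled disp type" entries whose value is a remote URL and counts attempts per remote host. The sample log lines, the `.example` hosts, the `/path/to/blog` prefix and the function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample lines in the format shown in the first post
# (hosts use the reserved .example TLD; the blog path is a placeholder).
SAMPLE_LOG = """\
[19-Jul-2007 14:53:28] b2evolution error: Unhandled disp type [http://a.example/xpl/shell.php?] in /path/to/blog/skins/_dispatch.inc.php at line 28
[20-Jul-2007 18:34:56] b2evolution error: Unhandled disp type [http://b.example/cmd.txt?] in /path/to/blog/skins/_dispatch.inc.php at line 28
[21-Jul-2007 09:00:00] b2evolution error: Unhandled disp type [archives2] in /path/to/blog/skins/_dispatch.inc.php at line 28
[25-Jul-2007 23:41:10] b2evolution error: Unhandled disp type [http://b.example/cmd.txt?] in /path/to/blog/skins/_dispatch.inc.php at line 28
[25-Jul-2007 23:45:23] b2evolution error: Unhandled disp type [FTP://c.example/x.txt] in /path/to/blog/skins/_dispatch.inc.php at line 28
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] b2evolution error: "
    r"Unhandled disp type \[(?P<disp>.*)\] in (?P<file>\S+) at line (?P<line>\d+)$"
)
REMOTE_SCHEMES = {"http", "https", "ftp"}


def find_remote_disp(log_text):
    """Return (timestamp, host, value) for each disp value that is a remote URL."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an "Unhandled disp type" line
        url = urlsplit(m.group("disp"))  # urlsplit lowercases the scheme
        if url.scheme not in REMOTE_SCHEMES or not url.hostname:
            continue  # an ordinary bad disp value, not a URL
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        hits.append((ts, url.hostname, m.group("disp")))
    return hits


def hosts_by_count(hits):
    """Count attempts per remote host, most frequent first."""
    return Counter(host for _, host, _ in hits).most_common()


if __name__ == "__main__":
    found = find_remote_disp(SAMPLE_LOG)
    for ts, host, value in found:
        print(ts.isoformat(), host, value)
    print(hosts_by_count(found))
```

The timestamps it returns can be matched against the Apache access log for the same moments to recover the client address and user-agent that the application error log does not record.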

