Author |
Message |
spcdata
Regular
Joined: Jan 24, 2004
Posts: 81
Location: Sweden
|
Posted:
Tue Jun 01, 2004 11:02 am |
|
Hello, I don't know if I can post this question here, but since there are so many experts here I will do it.
I got this in my Apache log file and it comes about 4-5 times/day now, and at one attempt the person almost got through; he/she got into my database but could not change anything at that time....but who knows when he/she will....?
from logfile:
Code:213.89.8.73 - - [01/Jun/2004:18:30:20 +0100] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02..[LOTS CUT]..\xb1\x02\xb1\x02\xb1\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90..[LOTS CUT]..\x90HTTP/1.0" 414 341
|
I know that it has to do with PHP and making a buffer overflow thing, but I do not know how to stop it. Is there anyone that knows? I would be very grateful for a solution.
[Admin: edited for brevity's sake] |
_________________ /spcdata |
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Tue Jun 01, 2004 11:19 am |
|
I would add a match check for something like "\x90\x02\xb1" in .htaccess and just return a 403 Forbidden page when found. |
|
|
|
spcdata
|
Posted:
Tue Jun 01, 2004 11:31 am |
|
Thank You, Raven, for Your quick answer!!
I don't know much about adding things to the .htaccess. If You know the lines that I should put in there I would be very :D |
|
|
|
spcdata
|
Posted:
Tue Jun 01, 2004 2:21 pm |
|
I really need help, please!!
I have searched the Apache documentation online on how to set up my .htaccess file but can't find the answer; it's like a jungle....
And that hacker is getting closer now. Here's the latest from my log file:
Code:..[LOTS CUT]x90\x90\x90\"\") || (thearray[i] == null))\n\t\t\treturn i;\n\t\t}\n\treturn thearray.length;\n}\n\n// Replacement for arrayname.push(value) not implemented in IE until version 5.5\n// Appends element to the array\nfunction arraypush(thearray,value) {\n\tthearray[ getarraysize(thearray) ] = value;\n}\n\n// Replacement for arrayname.pop() not implemented in IE until version 5.5\n// Removes and returns the last element of an array\nfunction arraypop(thearray) {\n\tthearraysize = getarraysize(thearray);\n\tretval = thearray[thearraysize - 1];\n\tdelete thearray[thearraysize - 1];\n\treturn retval;\n}\n\n\nfunction checkForm() {\n\n\tformErrors = false;\n\n\tif (document.post.message.value.length < 2) {\n\t\tformErrors = \"Du m\xe5ste skriva ett meddelande n\xe4r du postar.\";\n\t}\n\n\tif (formErrors) {\n\t\talert(formErrors);\n\t\treturn false;\n\t} else {\n\t\tbbstyle(-1);\n\t\t//formObj.preview.disabled = true;\n\t\t//formObj.submit.disabled = true;\n\t\treturn true;\n\t}\n}\n\nfunction emoticon(text) {\n\tvar txtarea = document.post.message;\n\ttext = ' ' + text + ' ';\n\tif (txtarea.createTextRange && txtarea.caretPos) {\n\t\tvar caretPos = txtarea.caretPos;\n\t\tcaretPos.text = caretPos.text.charAt(caretPos.text.length - 1) == ' ' ? caretPos.text + text + ' ' : caretPos.text + text;\n\t\ttxtarea.focus();\n\t} else {\n\t\ttxtarea.value += text;\n\t\ttxtarea.focus();\n\t}\n}\n\nfunction bbfontstyle(bbopen, bbclose) {\n\tvar txtarea = document.post.message;\n\n\tif ((clientVer >= 4) && is_ie && is_win) {\n\t\ttheSelection = document.selection.createRange().text;HTTP/1.0" 414 341
I don't know what all this means.... but I really want this to stop.
|
|
|
|
|
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2496
|
Posted:
Tue Jun 01, 2004 2:57 pm |
|
Could try this. I doubt that xb1 is very common in a query string?
RewriteEngine On
RewriteCond %{QUERY_STRING} ^.*xb1 [NC]
RewriteRule ^.* - [F,L] |
Last edited by sixonetonoffun on Tue Jun 01, 2004 3:52 pm; edited 1 time in total |
|
|
spcdata
|
Posted:
Tue Jun 01, 2004 3:13 pm |
|
I will try it and see what happens (at the moment I write this there was a new attempt..)
I know this topic does not belong in here, sorry for this!! But I got a little desperate and did not know what to do.
Thank You very much for taking time to help me with this one :D |
|
|
|
Raven
|
Posted:
Tue Jun 01, 2004 3:52 pm |
|
Been in an offsite meeting all afternoon - just got home. Post back after you try Six's suggestion. |
|
|
|
spcdata
|
Posted:
Wed Jun 02, 2004 7:49 am |
|
I just got home from work and found this in my logfile.
I removed a lot from it because it is the same as the above posts.
Code:\x90\x90\x90\x90\x90rs_list'];\r\n}\r\n\r\n//\r\n// set the page title and include the page header\r\n//\r\n$page_title = $lang['Ranks'];\r\ninclude ($phpbb_root_path . 'includes/page_header.'.$phpEx);\r\n//\r\n// template setting\r\n//\r\n$template->set_filenames(array(\r\n\t'body' => 'ranks_body.tpl')\r\n);\r\n\r\n// constants\r\n$template->assign_vars(array(\r\n\t'L_SPECIAL_RANKS' => $lang['Special_ranks'],\r\n\t'L_USERS_LIST' => $lang['Memberlist'],\r\n\t'L_RANKS' => $lang['Ranks'],\r\n\t'L_MINI' => $lang['Rank_minimum'],\r\n\t'L_TOTAL_USERS' => $lang['Total_users'],\r\n\t'SPAN_USERLIST_STD' => ($std_rank_max_users != 0) ? 2 : 1,\r\n\t'S_HIDDEN_FIELDS' => '',\r\n\t)\r\n);\r\n\r\n// standard ranks\r\nif ($std_rank_max_users != 0)\r\n{\r\n\t$template->assign_block_vars('std_userlist', array());\r\n}\r\nelse $template->assign_block_vars('no_std_userlist', array());\r\n\r\nfor ($i=0; $i < count($ranks); $i++)\r\n{\r\n\t$template->assign_block_vars('ranks', array(\r\n\t\t'RANK_TITLE' => get_rank_title($ranks[$i]['rank_title']),\r\n\t\t'RANK_IMAGE' => ($ranks[$i]['rank_image'] == '') ? '' : '<img src=\"' . $ranks[$i]['rank_image'] . '\" border=0 align=\"center\">',\r\n\t\t'RANK_MINI' => $ranks[$i]['rank_min'],\r\n\t\t'RANK_TOTAL' => $ranks[$i]['user_number'],\r\n\t\t)\r\n\t);\r\n\tif ($std_rank_max_users != 0)\r\n\t{\r\n\t\t$template->assign_block_vars('ranks.userlist', array(\r\n\t\t\t'USER" 414 341
|
I use PHP version 4.3.4. Does it help if I upgrade to version 5.0? |
|
|
|
Raven
|
Posted:
Wed Jun 02, 2004 7:54 am |
|
No. This is not a PHP issue. It is a server (port 80) issue. The answer lies in the .htaccess file. I am leaving for a 2 hour meeting. If no one fixes this by the time I get back I will work it out for you and send it. |
|
|
|
spcdata
|
Posted:
Wed Jun 02, 2004 8:33 am |
|
I know You ALL here have a lot of things to work with, so I'm very grateful for every help I can get to solve this one :D |
|
|
|
spcdata
|
Posted:
Thu Jun 03, 2004 4:15 am |
|
I found this in my apache error logfile :
Code:[Thu Jun 03 01:52:50 2004] [error] [client 213.67.210.30] request failed: URI too long (longer than 8190)
|
It looks like it won't get longer than 8190, then it should be stopped, but as I noticed earlier it seems to do it anyway sometimes...
And about Sentinel™, I have only good things to say. I don't get so many hack attempts (yet) but I tested it on my own and it stopped everything.
I'm VERY IMPRESSED by Your security system Sentinel™, what FABULOUS work You have done! |
|
|
|
Raven
|
Posted:
Thu Jun 03, 2004 11:29 am |
|
Can you just post, say the first 200 bytes or so from your log, including the url? I should have left that in the one I cut, but ...
Thanks. |
|
|
|
spcdata
|
Posted:
Thu Jun 03, 2004 11:36 am |
|
213.140.237.14 - - [03/Jun/2004:12:33:07 +0100] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
I don't have that one anymore but this is how they all look like at the beginning. |
|
|
|
|
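An added example, not part of any post in this thread: a small Python triage script for access-log entries like the ones quoted above. It flags SEARCH requests and request lines packed with `\xHH`-escaped bytes, counts them per client address, and lists any that were answered with a status below 400 (414 is the server refusing an over-long request line). The sample lines are constructed and shortened, the client addresses are documentation-range placeholders, and the function names and the `min_escaped` threshold are assumptions.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request line" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)$')
# Apache logs non-printable request bytes as \xHH escapes.
ESCAPE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')

# Constructed, shortened sample lines modelled on the entries quoted in the
# thread; client addresses are documentation-range placeholders.
SAMPLE_LOG = r'''
192.0.2.10 - - [01/Jun/2004:18:30:20 +0100] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x90\x90\x90\x90\x90\x90\x90\x90" 414 341
198.51.100.7 - - [03/Jun/2004:12:33:07 +0100] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x90\x90\x90\x90\x90\x90" 414 341
192.0.2.10 - - [03/Jun/2004:12:40:01 +0100] "GET /index.php HTTP/1.0" 200 5120
203.0.113.5 - - [03/Jun/2004:12:41:15 +0100] "GET /modules.php?name=Forums HTTP/1.0" 200 20480
'''

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, when, request, status, _size = m.groups()
    return {
        "host": host,
        "time": when,
        "method": request.split(" ", 1)[0],
        "status": int(status),
        "escaped": len(ESCAPE_RE.findall(request)),
    }

def is_suspicious(entry, min_escaped=8):
    """SEARCH is a WebDAV method not used by ordinary page requests; many escaped
    bytes in the request line mean binary data was sent where a path belongs."""
    return entry["method"] == "SEARCH" or entry["escaped"] >= min_escaped

def triage(log_text):
    """Return (flagged entries, hits per client, flagged entries that were served)."""
    entries = (parse_line(l) for l in log_text.splitlines())
    hits = [e for e in entries if e and is_suspicious(e)]
    per_host = Counter(e["host"] for e in hits)
    # 4xx/5xx means the server refused the request; below 400 needs a closer look.
    served = [e for e in hits if e["status"] < 400]
    return hits, per_host, served

if __name__ == "__main__":
    hits, per_host, served = triage(SAMPLE_LOG)
    for host, n in per_host.most_common():
        print(f"{host}: {n} flagged request(s)")
    print(f"flagged: {len(hits)}, answered with status < 400: {len(served)}")
```

Run against a real access log by passing the file's contents to `triage()`; an empty third result means every flagged request was refused by the server.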