
I have an older TYPO3 (v4.5.x) site, and for a while now my server has been under attack by a script kiddie. He sends quite a few PHP requests for URLs which do not exist on my server. I get so many PHP 500 errors back, and after a while the number of parallel PHP processes exceeds the limit and my site is down and unreachable for a while.

Any idea what I can do? How can I avoid such non-existent URLs being processed at all?

If I look at these requests and google around, they are all about some vulnerabilities of WordPress or Joomla. Does anybody know if there exist lists of such requests which can be added to a filter/blocking list at Apache level? i.e.

  • templates/atomic/system.php
  • wp-content/languages/system.php
  • wp-admin/images/system.php
  • plugins/captcha/jproicaptcha.php
  • modules/cgi.php
  • modules/mod_articless/func.php
  • tmp/install.css.php
  • ...
megloff

2 Answers


You have a number of options:

  • If the requests are from a single IP, just block this IP in your firewall.
  • Return a 403 or 404 response code for those requests. You can do this in your .htaccess file or directly in the Apache config files (see the LocationMatch directive: http://httpd.apache.org/docs/2.4/mod/core.html#locationmatch).
  • Use an application-level firewall. mod_security would be a wise choice.
Vikelidis Kostas
  • Thanks, yes, there are different client IPs, so the firewall is not an option. Is "LocationMatch" supported in .htaccess files? I don't have access to the httpd configuration. Any more information about "mod_security" would be nice, e.g. a link to a good tutorial on how this can solve my problem, or at least so I can tell my hosting provider what to activate. – megloff Nov 21 '16 at 23:45
  • It looks like LocationMatch is not supported in .htaccess files, but as an alternative solution a rewrite rule to 404, `RewriteRule ^/?page\.html$ - [R=404]`, should do the job, so I will give it a try. – megloff Nov 21 '16 at 23:52

This is not really a TYPO3-specific question. It is a question of how to avoid/block DoS (denial of service) attacks, or rather, in this case, hacking attempts.

The sooner you can block/divert the attacker, the better, because you do not want him hogging your resources and creating unnecessary traffic. So if you can block the IP(s), you might want to do that (keep in mind, though, that IPs may be dynamically assigned by a provider, so this is a bit brutal and should not be done permanently).

Once the attacker does reach your web server and generates HTTP requests, you want him to allocate as few resources as possible. So, instead of serving an error page in TYPO3 (or diverting to the start page), make sure that you block the page entirely or serve a minimal 404 page for these known URLs (e.g. a static HTML page where no access to the DB or running of PHP scripts is necessary).

Example: Apache web server

    # F answers 403 straight from Apache (no PHP started), L stops further rewriting, NC matches case-insensitively
    RewriteRule ^/?(wordpress/wp-admin/|wp-login|wp-admin|test/wp-admin/|wp-admins|phpmyadmin|test\.php|cacti|hack\.php|tomcat\.php|db\.init\.php|db_session\.init\.php|shell\.php|mysql/|admin/index\.php|dbadmin/|xampp|myadmin/|typo3/phpmyadmin|templates|wp-content|plugins|modules|tmp) - [L,F,NC]
Sybille Peters
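The following is an added example, not code from either answer or from TYPO3 or Apache: a POSIX shell script that mines an Apache access log for the scanner paths the question describes (PHP files that ended in a 500 or 404), builds an exact-match RewriteRule that answers with the 404 the commenter settled on from Apache itself, before any PHP process starts, and then checks that legitimate TYPO3 URLs are not caught by it. The log lines, IP addresses and paths are constructed for the example; only the RewriteRule syntax is real mod_rewrite. Unlike the prefix list in the second answer, where `tmp`, `templates`, `plugins` and `modules` block every URL that starts with those words, the generated rule anchors each full path with `$`, so it cannot accidentally cover a directory your own site uses.

```shell
#!/bin/sh
# Added example: turn scanner hits from an Apache access log into an exact-match
# RewriteRule that returns 404 before PHP/TYPO3 is started.

# Constructed sample access log (combined log format). IPs are documentation
# ranges; paths copy the ones the question lists, plus two legitimate TYPO3 hits.
SAMPLE_LOG='203.0.113.7 - - [21/Nov/2016:22:01:02 +0100] "GET /templates/atomic/system.php HTTP/1.1" 500 1322 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Nov/2016:22:01:03 +0100] "GET /wp-content/languages/system.php HTTP/1.1" 500 1322 "-" "Mozilla/5.0"
198.51.100.23 - - [21/Nov/2016:22:01:05 +0100] "POST /plugins/captcha/jproicaptcha.php HTTP/1.1" 500 1322 "-" "Mozilla/5.0"
198.51.100.23 - - [21/Nov/2016:22:01:06 +0100] "GET /modules/cgi.php HTTP/1.1" 500 1322 "-" "Mozilla/5.0"
192.0.2.44 - - [21/Nov/2016:22:01:07 +0100] "GET /index.php?id=12 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.0.2.44 - - [21/Nov/2016:22:01:08 +0100] "GET /typo3/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Nov/2016:22:01:09 +0100] "GET /tmp/install.css.php HTTP/1.1" 500 1322 "-" "Mozilla/5.0"'

# Read a combined-format log on stdin; print each distinct .php path whose
# request ended in a 500 (the symptom in the question) or a 404, one per line.
# Field 7 is the request path, field 9 the status code; the query string is dropped.
scanner_paths() {
    awk '$9 == 500 || $9 == 404 {
            path = $7; sub(/\?.*/, "", path)
            if (path ~ /\.php$/) print path
         }' | LC_ALL=C sort -u
}

# Read paths on stdin (leading slash optional) and print one RewriteRule that
# answers 404 from Apache, as the commenter'"'"'s [R=404] does. Every regex
# metacharacter is escaped, so "system.php" does not also match "systemXphp".
make_rewrite_rule() {
    escaped=$(sed -e 's#^/##' -e 's/[][\\.*^$+?(){}|]/\\&/g' | tr '\n' '|' | sed 's/|$//')
    printf 'RewriteRule ^/?(%s)$ - [R=404,L,NC]\n' "$escaped"
}

# Simulate the rule offline: exit 0 if request path $2 (no query string) matches
# the pattern inside RewriteRule line $1, case-insensitively like the NC flag.
rule_blocks() {
    pattern=$(printf '%s\n' "$1" | sed 's/^RewriteRule \(.*\) - \[.*\]$/\1/')
    printf '%s\n' "$2" | grep -Eiq -- "$pattern"
}

# Stand-alone run: print the rule and warn if a legitimate TYPO3 URL would be hit.
RULE=$(printf '%s\n' "$SAMPLE_LOG" | scanner_paths | make_rewrite_rule)
printf '%s\n' "$RULE"
for p in /index.php /typo3/index.php; do
    if rule_blocks "$RULE" "$p"; then printf 'WARNING: %s would be blocked\n' "$p"; fi
done
```

Paste the printed RewriteRule into .htaccess below `RewriteEngine On` (mod_rewrite has to be enabled by the host) and pair it with `ErrorDocument 404 /404.html` pointing at a static file, so each scanner request costs Apache one file read and no PHP process. Re-run the script against a fresh log from time to time, because scanners rotate their path lists, and always check the generated list for paths your own site serves before deploying it.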