ExpressionEngine CMS


This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Http Parameter Pollution

November 11, 2012 5:02am

  • #1 / Nov 11, 2012 5:02am

    Gizmothecat

    3 posts

    Hi,

    I’m posting here to see if anyone has had this problem. After seeing my website go down at some repeatable time, I investigated what happens and saw it was getting hit with strange URLs. The regular ones with the name of the template group / template name / entry title, and after that they add some characters like this:

    &sa=U&ei=de9GT_m_C8Pq8QPyyZCSDg&ved=0CEYQFjAP&usg=AFQjCNFDZbSjh9i287S5U9pDPbYT6cBzlQ

    so that gives for the URL
    /template_group/template/entry_url&sa=U&ei=de9GT_m_C8Pq8QPyyZCSDg&ved=0CEYQFjAP&usg=AFQjCNFDZbSjh9i287S5U9pDPbYT6cBzlQ

    So those strange characters are URL-encoded variables; if we decode them we get:

    &sa=U&ei=de9GT_m_C8Pq8QPyyZCSDg&ved=0CEYQFjAP&usg=AFQjCNFDZbSjh9i287S5U9pDPbYT6cBzlQ

    From my research it seems like a case of HTTP Parameter Pollution that tries to compromise my website. It doesn’t go far security-wise, but it slows down the website tremendously, even crashing it at times.

    Has anyone seen that? Does anyone have a solution to detect it and redirect or block the access if such a string is at the end of the URL?

    Edit: well, it seems that when I submit my post here it decodes the characters I wrote at the top of the post. Normally that string contains percent signs and so on, like in a URL-encoded string.

    Thank you

    Alex

  • #2 / Nov 12, 2012 1:33pm

    Shane Eckert

    7174 posts

    Hi Gizmothecat,

    Thank you for posting your question.

    Can you tell me what you have in your htaccess file?

    Are you behind a proxy or something that may be adding to the URL?

    Please let me know.

    Cheers,

  • #3 / Nov 12, 2012 2:53pm

    Gizmothecat

    3 posts

    Hi,

    well no, I’m not behind a proxy or anything special.

    Here is the content of my .htaccess file:

    AddDefaultCharset UTF-8
    <IfModule mod_rewrite.c>
    RewriteEngine On
    # Removes index.php
    RewriteCond $1 !\.(gif|jpe?g|png)$ [NC]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ index.php/$1 [L]
    # If 404s, "No Input File" or every URL returns the same thing
    # make it index.php?/$1 above (add the question mark)
    </IfModule>
    php_value memory_limit 64M


    As I said, it seems more like an attack to take down the website. I spent some time this weekend scrutinizing my Apache access_log and found it’s always from the same bunch of IPs. So I have decided to block those IPs at three levels: 1) the blacklist module of EE, 2) the .htaccess file and 3) the iptables of the server. And it seems to hold (knock on wood): the server has been running fine for exactly 23h53 (as I’m writing) without trouble, which hasn’t been the case in the last three weeks. I’ve been monitoring it for a few days with apachetop and it always goes down when those weird URLs appear.

    But the idea would be to automate some kind of filtering at the start of the template if there is something added to the normal URL, so it can automatically block it, because the attack may come from other IPs and so on in the future.

    So any idea how we could do that?

    Thank you

    Alex

  • #4 / Nov 13, 2012 5:42pm

    Shane Eckert

    7174 posts

    Hey there Gizmothecat,

    I understand. I thought you were getting those appended to your URL in real time. I agree, it seems like you are getting hit by malicious sites or bots.

    I think blocking those IP addresses is the way to go.

    Unfortunately there is no way to automatically block them. I was thinking you could test for anything beyond segment_3, but at that point you are already getting a hit, and if they are crashing your site by trying over and over again, there is no way around that. Blocking the IP is the best way to go. It’s going to just be something you have to stay on top of, you know?

    You could subscribe to some blacklists and there are some third party sites like Spamhaus that are worth a look.

    I wish I had a better answer for you.

    Cheers,
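The manual process Alex describes in #3 (scrutinize the Apache access_log, find the addresses that repeat, block them in .htaccess and iptables) and Shane’s "anything beyond segment_3" idea in #4, as an added example in Python that is not part of this thread and not ExpressionEngine code. It parses constructed combined-log lines, flags requests whose path carries a query string glued on without a "?" (the "&sa=U&ei=..." shape from #1, plain or percent-encoded), counts offenders per address, and emits deny rules in Apache 2.2 `Deny from` and iptables form. The log lines, client addresses, threshold and function names are all constructed for the example; the EE blacklist module format is not assumed here.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-log sample (not taken from the poster's server).
# Three client addresses: one repeats the glued-parameter URLs from the thread
# (plain and percent-encoded), one sends a couple of them, one is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Nov/2012:04:58:01 +0000] "GET /blog/entry/my-post&sa=U&ei=de9GT_m_C8Pq8QPyyZCSDg&ved=0CEYQFjAP&usg=AFQjCNFDZbSjh9i287S5U9pDPbYT6cBzlQ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Nov/2012:04:58:02 +0000] "GET /blog/entry/my-post%26sa%3DU%26ei%3Dde9GT_m_C8Pq8QPyyZCSDg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [11/Nov/2012:04:58:03 +0000] "GET /blog/entry/my-post HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Nov/2012:04:58:04 +0000] "GET /blog/entry/my-post&sa=U&ei=abc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Nov/2012:04:58:05 +0000] "GET /blog/entry/other-post&sa=U&ved=0CEYQFjAP HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
192.0.2.44 - - [11/Nov/2012:04:58:06 +0000] "GET /blog/entry/my-post?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Nov/2012:04:58:07 +0000] "GET /blog/entry/my-post&sa=U HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Nov/2012:04:58:08 +0000] "GET /blog/entry/my-post/&sa=U&ei=xyz HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [11/Nov/2012:04:58:09 +0000] "GET /blog/entry/my-post/P10 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Nov/2012:04:58:10 +0000] "GET /css/site.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, identd, user, [time], "METHOD target PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# "&key=" inside the *path* (before any "?"): a query string that lost its "?"
# and became part of the last path segment, which is what the thread describes.
GLUED_PARAM_RE = re.compile(r'&[A-Za-z_][A-Za-z0-9_]*=')


def is_polluted_path(target: str) -> bool:
    """True if the path part of the request target carries glued-on parameters.

    The path is percent-decoded first so "%26sa%3DU" is treated like "&sa=U".
    A real query string after "?" is left alone: it is not the problem here.
    """
    path = unquote(target.split("?", 1)[0])
    return GLUED_PARAM_RE.search(path) is not None


def segment_count(target: str) -> int:
    """Number of non-empty path segments (EE's segment_1, segment_2, ...)."""
    path = target.split("?", 1)[0]
    return len([s for s in path.split("/") if s])


def classify(target: str) -> set:
    """Signals for one request target.

    'glued_params' is the reliable indicator. 'extra_segments' is Shane's
    "beyond segment_3" heuristic; note that the glued string usually stays
    inside segment_3, and legitimate EE URLs such as pagination (/P10) add a
    fourth segment, so it is reported but not used for blocking on its own.
    """
    signals = set()
    if is_polluted_path(target):
        signals.add("glued_params")
    if segment_count(target) > 3:
        signals.add("extra_segments")
    return signals


def analyze(log_text: str, threshold: int = 3) -> dict:
    """Count signals per client address and pick offenders above the threshold."""
    total, glued, extra = Counter(), Counter(), Counter()
    unparsed = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1          # keep count rather than silently dropping
            continue
        ip, target = m.group("ip"), m.group("target")
        total[ip] += 1
        signals = classify(target)
        if "glued_params" in signals:
            glued[ip] += 1
        if "extra_segments" in signals:
            extra[ip] += 1
    offenders = sorted(ip for ip, n in glued.items() if n >= threshold)
    return {"total": total, "glued": glued, "extra": extra,
            "offenders": offenders, "unparsed": unparsed}


def htaccess_deny(ips) -> str:
    """Apache 2.2 mod_authz_host lines for the .htaccess level of the block."""
    return "\n".join(f"Deny from {ip}" for ip in ips)


def iptables_drop(ips) -> list:
    """Shell commands for the firewall level of the block (run as root)."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip in sorted(result["total"]):
        print(f"{ip:15} total={result['total'][ip]} glued={result['glued'][ip]} "
              f"extra_segments={result['extra'][ip]}")
    print("\n# .htaccess\n" + htaccess_deny(result["offenders"]))
    print("\n# iptables\n" + "\n".join(iptables_drop(result["offenders"])))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents; the threshold keeps a single stray hit from blocking a visitor, and the separate `extra_segments` count shows how often the segment_3 heuristic alone would have fired on ordinary URLs before anyone acts on it.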

