Getting URL hits like (%20AND%205800=CONVERT(INT,(SELECT%20CHAR(113)+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(113)CHAR(120)+CHAR(113)))download/12410/6133/26427/ HTTP/1.1" 404 696)

OJS-3.4.0.5

We are currently receiving repeated hits as shown below. Although I have blocked the relevant IPs, the Access Log continues to display similar activity.

I have tested the IP blocking, and it appears to be working as expected. However, the log entries indicate that these hits are still being registered.

Could you please advise on any additional measures we might take to prevent these entries from appearing?

92.255.57.151 - - [30/Oct/2024:15:01:00 +0530] "GET /index.php/MR/%22)%20AND%202522=2522%20AND%20(%22FPIb%22=%22FPIbarticle/view/78662/ HTTP/1.1" 403 288
92.255.57.151 - - [30/Oct/2024:15:01:00 +0530] "GET /index.php/IJAgS/-1091')%20OR%204353=(SELECT%20(CASE%20WHEN%20(4353=4353)%20THEN%204353%20ELSE%20(SELECT%201816%20UNION%20SELECT%204281)%20END))--%20BWNzarticle/download/68751/29300/172568/ HTTP/1.1" 403 360
92.255.57.151 - - [30/Oct/2024:15:01:01 +0530] "GET /ejournal/index.php/%22%20AND%201868=5586%20AND%20%22LmFn%22=%22LmFnIJF/article/download/30444/17819/ HTTP/1.1" 403 306
92.255.57.151 - - [30/Oct/2024:15:01:01 +0530] "GET /index.php/%25'%20AND%207692=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)%7c%7cCHR(98)%7c%7cCHR(120)%7c%7cCHR(98)%7c%7cCHR(113)%7c%7c(SELECT%20(CASE%20WHEN%20(7692=7692)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7c%7cCHR(113)%7c%7cCHR(107)%7c%7cCHR(106)%7c%7cCHR(122)%7c%7cCHR(113))%20AND%20'wOxg%25'='wOxgIJAnS/issue/view/2811/ HTTP/1.1" 403 451
92.255.57.151 - - [30/Oct/2024:15:01:01 +0530] "GET /index.php/%25';DECLARE%20@vktR%20NVARCHAR(4000);SET%20@vktR=(SELECT%20'qppjq'+(SELECT%20(CASE%20WHEN%20(1610=1610)%20THEN%20'1'%20ELSE%20'0'%20END))+'qxjqq');EXEC%20@vktR--PotatoJ/article/download/127181/49482/356656/ HTTP/1.1" 403 391
92.255.57.151 - - [30/Oct/2024:15:01:01 +0530] "GET /index.php/-3022%25'%20OR%202532=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)%7c%7cCHR(120)%7c%7cCHR(118)%7c%7cCHR(107)%7c%7cCHR(113)%7c%7c(SELECT%20(CASE%20WHEN%20(2532=2532)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL)%7c%7cCHR(113)%7c%7cCHR(98)%7c%7cCHR(120)%7c%7cCHR(106)%7c%7cCHR(113))%20AND%20'CCmE%25'='CCmEIndHort/article/download/87716/35764/224824/ HTTP/1.1" 403 478
92.255.57.151 - - [30/Oct/2024:15:01:01 +0530] "GET /index.php/%22;SELECT%20DBMS_PIPE.RECEIVE_MESSAGE(CHR(119)%7c%7cCHR(119)%7c%7cCHR(80)%7c%7cCHR(107),32)%20FROM%20DUAL--IJF/article/download/11845/5661/25111/ HTTP/1.1" 403 343
92.255.57.151 - - [30/Oct/2024:15:01:02 +0530] "GET /index.php/IJAgS/-2042')%20OR%209919=(SELECT%20(CASE%20WHEN%20(9919=7855)%20THEN%209919%20ELSE%20(SELECT%207855%20UNION%20SELECT%208106)%20END))--%20ZcQzarticle/download/68751/29300/172568/ HTTP/1.1" 403 360
176.113.115.216 - - [29/Oct/2024:11:28:32 +0530] "GET /index.php/TJRP/article/')%20RLIKE%20(SELECT%20(CASE%20WHEN%20(5361=5361)%20THEN%20''%20ELSE%200x28%20END))%20AND%20('LWDy'='LWDyview/67882/ HTTP/1.1" 404 696
176.113.115.216 - - [29/Oct/2024:11:28:32 +0530] "GET /index.php/IJVA/article/-8792%25'%20OR%206802=(SELECT%20(CASE%20WHEN%20(6802=8242)%20THEN%206802%20ELSE%20(SELECT%208242%20UNION%20SELECT%205857)%20END))--%20frUZview/41350/ HTTP/1.1" 404 696
176.113.115.216 - - [29/Oct/2024:11:28:32 +0530] "GET /index.php/%22%20AND%208108=(SELECT%20(CASE%20WHEN%20(8108=8108)%20THEN%208108%20ELSE%20(SELECT%207109%20UNION%20SELECT%209476)%20END))--%20sOelIJAnS/article/download/48591/20864/385973/ HTTP/1.1" 404 1270
176.113.115.216 - - [29/Oct/2024:11:28:33 +0530] "GET /index.php/IJF/article/%25';DECLARE%20@tVEk%20NVARCHAR(4000);SET%20@tVEk=(SELECT%20'qqqvq'+(SELECT%20(CASE%20WHEN%20(6673=6673)%20THEN%20'1'%20ELSE%20'0'%20END))+'qpvxq');EXEC%20@tVEk--download/12410/6133/26427/ HTTP/1.1" 404 696

Hi,

Blocking just means that Apache sends back a 403 status code and the request is not processed any further by the OJS application (@asmecher, correct me if I'm wrong). Normally, this suffices.

If you need more security, you must block the IPs on the server's (or hoster's) firewall.

You may use tools such as fail2ban, apachebot include files, and AbuseIPDB to ban those nasty guys or script kiddies and to find out about them.
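The 403-versus-404 distinction in the reply, and the fail2ban idea, as an added example (this is not code from the thread, from OJS or from any poster's setup): the script below parses log lines copied from the posts above, flags the sqlmap-style probes, reports per IP whether the probes got Apache's 403 (the deny answered them) or another status (they reached OJS), and picks the IPs a fail2ban-style maxretry threshold would ban. The indicator regex, the maxretry default and the benign 203.0.113.7 line are assumptions of the example.

```python
# Added example for this thread (not OJS code and not any poster's setup): parse
# Apache combined-log lines, flag sqlmap-style SQL-injection probes, show per
# source IP whether Apache's deny answered them (403) or they reached OJS (404),
# and pick the IPs a fail2ban-style maxretry threshold would ban.
import re
import urllib.parse
from collections import Counter, defaultdict

# Sample input: five lines copied from the posts above plus one constructed
# benign request from 203.0.113.7 (documentation range) to show a non-match.
SAMPLE_LOG = """
92.255.57.151 - - [30/Oct/2024:15:01:00 +0530] "GET /index.php/MR/%22)%20AND%202522=2522%20AND%20(%22FPIb%22=%22FPIbarticle/view/78662/ HTTP/1.1" 403 288
92.255.57.151 - - [30/Oct/2024:15:01:01 +0530] "GET /index.php/%22;SELECT%20DBMS_PIPE.RECEIVE_MESSAGE(CHR(119)%7c%7cCHR(119)%7c%7cCHR(80)%7c%7cCHR(107),32)%20FROM%20DUAL--IJF/article/download/11845/5661/25111/ HTTP/1.1" 403 343
92.255.57.151 - - [30/Oct/2024:15:01:02 +0530] "GET /index.php/IJAgS/-2042')%20OR%209919=(SELECT%20(CASE%20WHEN%20(9919=7855)%20THEN%209919%20ELSE%20(SELECT%207855%20UNION%20SELECT%208106)%20END))--%20ZcQzarticle/download/68751/29300/172568/ HTTP/1.1" 403 360
176.113.115.216 - - [29/Oct/2024:11:28:32 +0530] "GET /index.php/TJRP/article/')%20RLIKE%20(SELECT%20(CASE%20WHEN%20(5361=5361)%20THEN%20''%20ELSE%200x28%20END))%20AND%20('LWDy'='LWDyview/67882/ HTTP/1.1" 404 696
176.113.115.216 - - [29/Oct/2024:11:28:33 +0530] "GET /index.php/IJF/article/%25';DECLARE%20@tVEk%20NVARCHAR(4000);SET%20@tVEk=(SELECT%20'qqqvq'+(SELECT%20(CASE%20WHEN%20(6673=6673)%20THEN%20'1'%20ELSE%20'0'%20END))+'qpvxq');EXEC%20@tVEk--download/12410/6133/26427/ HTTP/1.1" 404 696
203.0.113.7 - - [30/Oct/2024:15:02:10 +0530] "GET /index.php/IJF/article/download/11845/5661 HTTP/1.1" 200 51234
"""

# Apache combined log format: ip ident user [timestamp] "METHOD path HTTP/x" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Indicators seen in the posted lines (boolean/time-based sqlmap payloads for
# MySQL, MSSQL and Oracle) plus two common ones; the list is an assumption.
SQLI_RE = re.compile(
    r"\bAND\s+\d+=\d+|\bOR\s+\d+=|\bCASE\s+WHEN\b|\bUNION\s+SELECT\b|\bFROM\s+DUAL\b|"
    r"UTL_INADDR\.|DBMS_PIPE\.|\bDECLARE\s+@\w+|\bRLIKE\b|\bCONVERT\(\s*INT\b|"
    r"\bSLEEP\(|\bWAITFOR\s+DELAY\b",
    re.IGNORECASE,
)


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode once so "%20AND%202522=2522" becomes " AND 2522=2522" before
    # matching; the payloads arrive URL-encoded, so matching the raw path misses them.
    rec["decoded_path"] = urllib.parse.unquote(rec["path"])
    rec["sqli"] = SQLI_RE.search(rec["decoded_path"]) is not None
    return rec


def probe_status_by_ip(log_text):
    """{ip: Counter({http_status: hits})} over the lines that look like SQLi probes."""
    table = defaultdict(Counter)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is not None and rec["sqli"]:
            table[rec["ip"]][rec["status"]] += 1
    return table


def reached_application(log_text):
    """IPs whose probes were not answered by Apache's deny (403): any other
    status, e.g. the 404s here, means the request went through to OJS's router."""
    return sorted(ip for ip, counts in probe_status_by_ip(log_text).items()
                  if any(status != 403 for status in counts))


def ban_candidates(log_text, maxretry=3):
    """IPs with at least maxretry probe hits: fail2ban's maxretry idea without
    its findtime window (assumption: the sample spans only seconds per IP)."""
    return sorted(ip for ip, counts in probe_status_by_ip(log_text).items()
                  if sum(counts.values()) >= maxretry)


if __name__ == "__main__":
    for ip, counts in sorted(probe_status_by_ip(SAMPLE_LOG).items()):
        print(ip, dict(counts))
    print("probes that reached OJS from:", reached_application(SAMPLE_LOG))
    print("ban at maxretry=3:", ban_candidates(SAMPLE_LOG))
```

Run as-is, 92.255.57.151 shows {403: 3}, i.e. the block in place on 30 Oct answered every probe, while 176.113.115.216 shows {404: 2}, i.e. on 29 Oct those requests went through to OJS's router. Turning the indicator regex into a fail2ban failregex needs the raw, still URL-encoded form of the patterns, because fail2ban matches the log line as written.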

Thank you for your reply.

We have implemented IP blocking using the .htaccess file, as shown below.

# Order Allow,Deny: all Allow lines are checked first, then all Deny lines,
# and a matching Deny wins, so "Allow from all" does not undo the two denies.
# (With "Order Deny,Allow" it would, and nothing would be blocked.)
Order Allow,Deny
Deny from 176.113.115.216/32
Deny from 92.255.57.151/32
Allow from all
# Apache 2.4 native form (mod_authz_host): <RequireAll> Require all granted / Require not ip ... </RequireAll>

We have implemented it along the following lines:

    # UZH CHANGE for bad bots
    Include /usr/local/hope/apache/apachebots.conf

    (...)

    <Location "">
        Order allow,deny
        Allow from all
        #UZH CHANGE for bad bots
        Deny from env=bad_bot
        #END UZH CHANGE for bad bots
    </Location>

And the apachebots.conf file:

# User-agent entries: tag the request with bad_bot when the UA matches (case-insensitive).
SetEnvIfNoCase user-Agent "^Sogou web spider" bad_bot
SetEnvIfNoCase user-Agent "Mozilla\/5\.0\+\(compatible;\+Robot" bad_bot
SetEnvIfNoCase user-Agent "MegaIndex\.ru" bad_bot
SetEnvIfNoCase user-Agent "ltx71" bad_bot
SetEnvIfNoCase user-Agent "MauiBot" bad_bot
(...)
# Address entries: the value is a regex, so dots must be escaped and a full address
# needs a terminating "$" (an unanchored "^3.113.248.13" also tags 3.113.248.130-139);
# a prefix ends with "\." so it matches 5.62.59.x only.
SetEnvIfNoCase Remote_Addr "^3\.113\.248\.13$" bad_bot
SetEnvIfNoCase Remote_Addr "^5\.9\.108\.254$" bad_bot
SetEnvIfNoCase Remote_Addr "^5\.62\.59\." bad_bot
(...)

This way, we have to edit one central bot list only and can include it in all the Apache configurations for all our journal domains.
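Maintaining such a central address list by hand invites regex mistakes, so here is an added example (not the poster's UZH tooling and not part of OJS): a Python helper that generates anchored, escaped `SetEnvIfNoCase Remote_Addr` lines from plain IPv4 entries and checks what each pattern matches, including the over-match an unanchored pattern allows. The entry list, the marker name and the addresses tested are constructed for the example.

```python
# Added example for this thread (not the poster's tooling): generate the
# Remote_Addr lines of a central bad-bot include file from plain IPv4 entries,
# with the regex anchored and dots escaped, and check what each pattern matches.
import ipaddress
import re

# Constructed list: two full addresses and one /24 written as a dotted prefix,
# mirroring the shape of the entries shown above.
ENTRIES = ["3.113.248.13", "5.9.108.254", "5.62.59"]


def remote_addr_regex(entry):
    r"""Regex for one list entry.
    - full address    -> ^a\.b\.c\.d$   (the "$" stops 3.113.248.13 from also
                                         matching 3.113.248.130 ... 139)
    - dotted prefix   -> ^a\.b\.c\.     (trailing "\." so 5.62.59 matches 5.62.59.x
                                         and nothing else)
    - CIDR /8,/16,/24 -> the prefix form for the covered octets.
    Anything else raises: a limit of this example, not of Apache."""
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version != 4 or net.prefixlen not in (8, 16, 24):
            raise ValueError("only IPv4 /8, /16 and /24 are expanded here: %s" % entry)
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return "^" + r"\.".join(octets) + r"\."
    octets = entry.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address or dotted prefix: %s" % entry)
    if len(octets) == 4:
        return "^" + r"\.".join(octets) + "$"
    return "^" + r"\.".join(octets) + r"\."


def setenvif_line(entry, marker="bad_bot"):
    """One line of the include file; SetEnvIfNoCase Remote_Addr takes a regex."""
    return 'SetEnvIfNoCase Remote_Addr "%s" %s' % (remote_addr_regex(entry), marker)


def render_include(entries, marker="bad_bot"):
    """The Remote_Addr section of the include file, one line per entry."""
    return "\n".join(setenvif_line(e, marker) for e in entries) + "\n"


def tagged(addr, patterns):
    """Would a client at addr get the marker? Apache applies each SetEnvIf
    pattern as an unanchored search, which re.search reproduces."""
    return any(re.search(p, addr) for p in patterns)


if __name__ == "__main__":
    print(render_include(ENTRIES))
    anchored = [remote_addr_regex(e) for e in ENTRIES]
    naive = ["^3.113.248.13", "^5.9.108.254", "^5.62.59"]  # unescaped, unanchored form
    for addr in ["3.113.248.13", "3.113.248.130", "5.62.59.77", "5.62.5.9"]:
        print(addr, "naive:", tagged(addr, naive), "anchored:", tagged(addr, anchored))
```

On Apache 2.4 the address part of the list can also be written without regexes, as `Require not ip 5.62.59.0/24` inside a `<RequireAll>` block together with `Require all granted`, which takes CIDR notation directly; the SetEnvIf form is what lets a single include file carry both the user-agent and the address entries.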