27 February 2017

Azure and MySql in App for PHP connections


Microsoft Azure can provide a MySql instance alongside a web application without the need for ClearDB or a dedicated MySql server. It is a single database instance that is not really meant for heavy production workloads.

This is great for using it with Joomla or WordPress. It's also good for developing or deploying PHP-based applications that utilize MySql.

The issue is configuring your PHP application to connect to that database. With this option you do not create a database; you use the one that is provided, and your application has to connect to it with the host, name and credentials that Azure supplies.

Here is some code to establish that database connection:

<?php

// Azure MySql Connection Strings
// App Service exposes the MySql in App connection string as an environment
// variable named MYSQLCONNSTR_localdb, which PHP sees in $_SERVER.

$connectstr_dbhost = '';
$connectstr_dbname = '';
$connectstr_dbusername = '';
$connectstr_dbpassword = '';

foreach ($_SERVER as $key => $value) {
    // Skip every variable whose name does not start with MYSQLCONNSTR_localdb
    if (strpos($key, "MYSQLCONNSTR_localdb") !== 0) {
        continue;
    }

    // Pull each field out of the "Key=value;Key=value;..." string
    $connectstr_dbhost = preg_replace("/^.*Data Source=(.+?);.*$/", "\\1", $value);
    $connectstr_dbname = preg_replace("/^.*Database=(.+?);.*$/", "\\1", $value);
    $connectstr_dbusername = preg_replace("/^.*User Id=(.+?);.*$/", "\\1", $value);
    $connectstr_dbpassword = preg_replace("/^.*Password=(.+?)$/", "\\1", $value);
}

// DB connection info
$host = $connectstr_dbhost;
$user = $connectstr_dbusername;
$pwd = $connectstr_dbpassword;
$db = $connectstr_dbname;

....

?>

If you are configuring WordPress, you would set up wp-config.php like this:

define('DB_NAME', $connectstr_dbname);
define('DB_USER', $connectstr_dbusername);
define('DB_PASSWORD', $connectstr_dbpassword);
define('DB_HOST', $connectstr_dbhost);


The first part of the code reads the connection string from the environment and extracts the host, database name, username, and password. You then assign those values to the variables your PHP code expects, or use them directly.

You can alter this to use the variable names your PHP code expects directly inside the foreach statement, eliminating the 'DB connection info' section of this code.
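As an added example (not code from the original post), here is the same lookup written so that it fails closed: the connection string is parsed as key=value pairs rather than with one regex per field, every required field must be present, and the script throws instead of silently connecting with an empty host, user and password when MYSQLCONNSTR_localdb is absent (for instance when the code is run outside App Service). The key names (Data Source, Database, User Id, Password) are the ones the post's regexes extract; the sample connection string at the bottom is constructed and not a real credential.

```php
<?php
// Added example, not from the original post: read the MySQL in App connection
// string from the environment, parse it as key=value pairs, and refuse to
// continue if it is missing, so the application never falls back to an empty
// host/user/password and tries to connect somewhere it should not.

// Parse "Database=localdb;Data Source=127.0.0.1:50123;User Id=azure;Password=..."
// style strings by splitting on ';' and '=' instead of running one regex per key.
function parseAzureMysqlConnStr(string $connstr): array
{
    $parts = [];
    foreach (explode(';', $connstr) as $pair) {
        if ($pair === '') {
            continue;
        }
        // Split on the first '=' only, so a password containing '=' survives.
        $kv = explode('=', $pair, 2);
        if (count($kv) !== 2) {
            continue;
        }
        $parts[trim($kv[0])] = trim($kv[1]);
    }

    foreach (['Data Source', 'Database', 'User Id', 'Password'] as $required) {
        if (!isset($parts[$required]) || $parts[$required] === '') {
            throw new RuntimeException("Connection string is missing '$required'");
        }
    }

    // "Data Source" is host:port; split it so mysqli receives a numeric port.
    list($host, $port) = array_pad(explode(':', $parts['Data Source'], 2), 2, '3306');

    return [
        'host' => $host,
        'port' => (int) $port,
        'db'   => $parts['Database'],
        'user' => $parts['User Id'],
        'pwd'  => $parts['Password'],
    ];
}

// Locate the MYSQLCONNSTR_localdb variable that App Service injects. It may
// appear in $_SERVER, in getenv(), or not at all (e.g. when running locally).
function findAzureMysqlConnStr(): ?string
{
    foreach ($_SERVER as $key => $value) {
        if (strpos($key, 'MYSQLCONNSTR_localdb') === 0 && is_string($value)) {
            return $value;
        }
    }
    $value = getenv('MYSQLCONNSTR_localdb');
    return $value === false ? null : $value;
}

function connectAzureMysql(): mysqli
{
    $connstr = findAzureMysqlConnStr();
    if ($connstr === null) {
        // Fail closed: no connection string means no database, not a guess.
        throw new RuntimeException('MYSQLCONNSTR_localdb is not set; not running under MySQL in App?');
    }
    $cfg = parseAzureMysqlConnStr($connstr);

    // Throw on any connection error instead of returning a broken handle.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli($cfg['host'], $cfg['user'], $cfg['pwd'], $cfg['db'], $cfg['port']);
    $db->set_charset('utf8mb4');
    return $db;
}

// Constructed sample value (assumed format, not a real credential) to exercise
// the parser on its own without a database.
$sample = 'Database=localdb;Data Source=127.0.0.1:50123;User Id=azure;Password=example-only';
print_r(parseAzureMysqlConnStr($sample));

// In the real application:
// $db = connectAzureMysql();
```

The point of the explicit checks is that with the original snippet an unset variable leaves all four values as empty strings, and a later mysqli call will then attempt a connection with blank credentials; throwing early turns a misconfiguration into an obvious error rather than a connection to the wrong place.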


16 February 2017

Firefox 40.1 and WordPress attacks


There are many attempts to brute-force the WordPress login page, even against websites that are not running WordPress.

Looking at an Apache access log, there seem to be many of these entries:

187.108.232.211 - - [15/Feb/2017:10:12:44 -0700] "GET /wp-login.php HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
187.108.232.211 - - [15/Feb/2017:10:12:44 -0700] "GET / HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"


All of these probes for the WordPress login page have one thing in common: they all report Firefox 40.1 as the User-Agent.

This makes them an easy target for blocking in an .htaccess file.

Here is an example of an .htaccess file to block many of these tools and robots:


## No directory listings
IndexIgnore *

## Can be commented out if this causes errors, see notes above.
Options +FollowSymLinks
Options -Indexes

## Mod_rewrite in use.
RewriteEngine On
RewriteBase /


## Block Hacking Tools and Miscreant bots by User-Agent
SetEnvIfNoCase User-Agent "^-?$" scum
# wp-login User-Agent
SetEnvIfNoCase User-Agent "Firefox/40.1" tool
# ZED User-Agent (39.0) and others:
# all versions of Firefox prior to 40.0 are blocked
SetEnvIfNoCase User-Agent Firefox\/[1-3]?[0-9]\.[0-9] tool
# BurpSuite spider User-Agent
SetEnvIfNoCase User-Agent "Trident/5.0" tool
SetEnvIfNoCase User-Agent "Arachni" tool
# Ruby-based web scraper
SetEnvIfNoCase User-Agent "Mechanize" tool
SetEnvIfNoCase User-Agent "Nikto" tool
SetEnvIfNoCase User-Agent "scrapy-redis" tool
SetEnvIfNoCase User-Agent "SQLmap" tool
SetEnvIfNoCase User-Agent "Vega" tool
SetEnvIfNoCase User-Agent "Wget" tool
SetEnvIfNoCase User-Agent "wpscan" tool

SetEnvIfNoCase User-Agent "360Spider" scum
SetEnvIfNoCase User-Agent "AhrefsBot" scum
SetEnvIfNoCase User-Agent "ADmantX" scum
SetEnvIfNoCase User-Agent "Blexbot" scum
SetEnvIfNoCase User-Agent "Buzzbot" scum
SetEnvIfNoCase User-Agent "CRAZYWEBCRAWLER" scum
SetEnvIfNoCase User-Agent "DomainCrawler" scum
SetEnvIfNoCase User-Agent "Ezooms" scum
SetEnvIfNoCase User-Agent "GetIntent" scum
SetEnvIfNoCase User-Agent "GrapeshotCrawler" scum
SetEnvIfNoCase User-Agent "ias_crawler" scum
SetEnvIfNoCase User-Agent "James Bot" scum
SetEnvIfNoCase User-Agent "linkdexbot" scum
SetEnvIfNoCase User-Agent "ltx71" scum
SetEnvIfNoCase User-Agent "MaxPointCrawler" scum
SetEnvIfNoCase User-Agent "MJ12bot" scum
SetEnvIfNoCase User-Agent "proximic" scum
SetEnvIfNoCase User-Agent "Qwantify" scum
SetEnvIfNoCase User-Agent "RU_Bot" scum
SetEnvIfNoCase User-Agent "SEOkicks" scum
SetEnvIfNoCase User-Agent "SemrushBot" scum
SetEnvIfNoCase User-Agent "seoscanner" scum
SetEnvIfNoCase User-Agent "SiteExplorer" scum
SetEnvIfNoCase User-Agent "SISTRIX" scum
SetEnvIfNoCase User-Agent "SurdotlyBot" scum
SetEnvIfNoCase User-Agent "TestiTest1" scum
SetEnvIfNoCase User-Agent "UptimeRobot" scum
SetEnvIfNoCase User-Agent "XoviBot" scum
SetEnvIfNoCase User-Agent "YFF35" scum

Deny from env=tool
Deny from env=scum
## End - Hacking and Miscreant block
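Before deploying rules like these it is worth dry-running them against an existing access log to see exactly which requests would be denied and by which rule. The script below is an added example and not part of the original post: it reproduces a subset of the SetEnvIfNoCase patterns above as PCRE with the /i flag (SetEnvIfNoCase is case-insensitive, and Apache uses PCRE), parses Apache combined-format log lines, and reports a verdict per request. The first two log lines are the ones from the post; the remaining two (a stock Internet Explorer 9 User-Agent and a Firefox 51 User-Agent, with documentation-range IP addresses) are constructed.

```php
<?php
// Added example, not part of the original post: dry-run the .htaccess
// User-Agent rules against an Apache access log before deploying them, so you
// can see which requests would be denied and whether any real browsers are
// caught. The rule list mirrors a subset of the SetEnvIfNoCase patterns above.

// Each SetEnvIfNoCase pattern as PCRE; the /i flag is appended at match time
// because SetEnvIfNoCase is case-insensitive.
$rules = [
    'tool' => ['/Firefox\/40\.1/', '/Firefox\/[1-3]?[0-9]\.[0-9]/',
               '/Trident\/5\.0/', '/SQLmap/', '/wpscan/', '/Nikto/'],
    'scum' => ['/^-?$/', '/AhrefsBot/', '/MJ12bot/', '/SemrushBot/'],
];

// Parse one Apache "combined" log line into its fields; returns null if the
// line does not match the format.
function parseCombinedLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'request' => $m[3],
        'status'  => (int) $m[4],
        'referer' => $m[6],
        'ua'      => $m[7],
    ];
}

// Return the environment variable the rules would set for this User-Agent
// ('tool' or 'scum'), or null if no rule matches.
function classifyUserAgent(string $ua, array $rules): ?string
{
    foreach ($rules as $env => $patterns) {
        foreach ($patterns as $pattern) {
            if (preg_match($pattern . 'i', $ua)) {
                return $env;
            }
        }
    }
    return null;
}

// Walk the log and record, per request, whether it would be denied and why.
function dryRunLog(array $lines, array $rules): array
{
    $report = [];
    foreach ($lines as $line) {
        $entry = parseCombinedLogLine($line);
        if ($entry === null) {
            continue;   // unparseable line: skip rather than guess
        }
        $verdict = classifyUserAgent($entry['ua'], $rules);
        $report[] = [
            'ip'      => $entry['ip'],
            'request' => $entry['request'],
            'ua'      => $entry['ua'],
            'denied'  => $verdict !== null,
            'env'     => $verdict,
        ];
    }
    return $report;
}

// Sample lines: the two probes from the post, then two constructed visitors
// (a stock Internet Explorer 9 User-Agent and a Firefox 51 User-Agent).
$sampleLog = [
    '187.108.232.211 - - [15/Feb/2017:10:12:44 -0700] "GET /wp-login.php HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"',
    '187.108.232.211 - - [15/Feb/2017:10:12:44 -0700] "GET / HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"',
    '198.51.100.7 - - [15/Feb/2017:10:13:01 -0700] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
    '198.51.100.8 - - [15/Feb/2017:10:13:05 -0700] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0; rv:51.0) Gecko/20100101 Firefox/51.0"',
];

foreach (dryRunLog($sampleLog, $rules) as $row) {
    printf("%-16s %-28s %s\n", $row['ip'], $row['request'],
        $row['denied'] ? 'DENY (' . $row['env'] . ')' : 'allow');
}
```

Run with php on a copy of your real access log (replace $sampleLog with file() on the log path) and look at the DENY lines before switching the rules on. On the sample above, the two Firefox/40.1 probes are denied as expected and the Firefox/51.0 visitor is allowed, since the generic pattern only matches major versions 0 to 39; the IE9 line, however, is also denied, because "Trident/5.0" is the rendering-engine token in the stock Internet Explorer 9 User-Agent, so that rule catches real IE9 visitors as well as the spider it is aimed at. That is the kind of trade-off a dry run makes visible.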



Update 9 Mar 2017:
Further research indicates that these machines are all part of a botnet and that is why they all share the same characteristics. Firefox 40.1 has never existed.