phpBB • Creating Communities Worldwide

[neilbombd]

I hope someone can help me with this, it's rather worrying. Let me just say that I am updated with all the latest phpbb patches because we recently had idiots trying to take advantage of the high-profile phpbb vulnerabilities. I have also checked the front page of phpbb and can see no mention of a new threat/patch.

My board hovers around the 70 users mark, but about 20 minutes ago someone pointed out that we were up in the 200's, around 225 or so. This has brought on the dreaded white screen connection errors, and so I have pulled the forum until I can study the logs and fix this.

Upon looking at the logs I have found a lot of seriously odd-looking requests using the highlight function. The odd thing is the IP's all seem to be different, or perhaps they are using a number of different puters? Here is a sample of what I'm talking about:

65.75.189.190 - - [24/Jan/2005:18:18:49 +0000] "GET /forums/viewtopic.php?t=1029&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 596 "-" "Mozilla/4.0"
216.127.94.75 - - [24/Jan/2005:18:18:50 +0000] "GET /forums/viewtopic.php?t=5531&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 596 "-" "Mozilla/4.0"
69.73.175.16 - - [24/Jan/2005:18:18:50 +0000] "GET /forums/viewtopic.php?t=2568&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 596 "-" "Mozilla/4.0"


Can anyone tell me how to fix this please? What do all those character codes actually translate as? Thank you in advance for any help you can give, as I say, this is extremely worrying.

[fearless_fred]

It's all attempts by the Santy worm. It shouldn't be able to get in as long as all your files are up to date. Check this thread for stuff you can do to keep the worm from creating too much traffic:
http://www.phpbb.com/phpBB/viewtopic.php?t=249010

Hope that helps!

S

[sr123]

I'm under attack as well. I'm also totally patched up to the latest patches for both phpbb and php. The latest round of attacks look like that Santy BS from a while back, only the browser shows as "Mozilla/4.0" for all of them instead of some variant starting with lwp. The number of guests in the forum are WAY above normal and I keep getting the following types of entries in my apache log:

66.98.152.61 - - [24/Jan/2005:10:54:07 -0800] "GET /forums/viewtopic.php?p=911&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)
%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)
%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)
%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 38987 "-" "Mozilla/4.0"

These are coming in by the hundreds!

I am currently managing to block the lwp type attacks via the following in my viewtopic.php file:

function blocker()
{
if (preg_match('#' . preg_quote('system(chr(99)') . '¦' . preg_quote('wget') . '#', $_SERVER['REQUEST_URI'])) {
$check = 1;
}

if (preg_match('#' . preg_quote('lwp-trivial') . '¦' . preg_quote('LWP::Simple') . '#', getenv('HTTP_USER_AGENT'))) {
$check = 1;
}

if (isset($check)) {
header('HTTP/1.0 403 Forbidden', true);
header('Location: http://' . $_SERVER['REMOTE_HOST'] . $_SERVER['REQUEST_URI']);
exit;
}
}

And the following in my apache config file:

SetEnvIfNoCase User-Agent "^LWP::Simple" bad_bot
SetEnvIfNoCase User-Agent "^lwp-trivial" bad_bot
SetEnvIfNoCase User-Agent "^lwp-trivial/1.46" bad_bot
SetEnvIfNoCase User-Agent "^lwp-trivial/1.45" bad_bot
SetEnvIfNoCase User-Agent "^lwp-trivial/1.44" bad_bot
SetEnvIfNoCase User-Agent "^lwp-trivial/1.43" bad_bot
SetEnvIfNoCase User-Agent "^lwp-trivial/1.42" bad_bot
SetEnvIfNoCase User-Agent "^lwp-trivial/1.41" bad_bot
SetEnvIfNoCase User-Agent "^lwp-trivial/1.40" bad_bot
SetEnvIfNoCase User-Agent "^lwp-trivial/1.39" bad_bot
SetEnvIfNoCase User-Agent "^lwp-trivial/1.38" bad_bot
SetEnvIfNoCase User-Agent "^lwp-trivial/1.37" bad_bot
SetEnvIfNoCase User-Agent "^lwp-trivial/1.36" bad_bot
SetEnvIfNoCase User-Agent "^lwp-trivial/1.35" bad_bot
SetEnvIfNoCase User-Agent "^lwp-trivial/1.34" bad_bot
SetEnvIfNoCase User-Agent "^lwp-trivial/1.33" bad_bot

<Directory "/">
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</Directory>

I know these are not the best ways to block necessarily, but I don't know what else to do. We need to be able to block these kinds of attacks based on all the excess crap with the 252E in them. Any help would be GREATLY appreciated.

[neilbombd]

It's all attempts by the Santy worm. It shouldn't be able to get in as long as all your files are up to date. Check this thread for stuff you can do to keep the worm from creating too much traffic:
http://www.phpbb.com/phpBB/viewtopic.php?t=249010

Hope that helps!

S

Thank you very much for yout speedy reply fred, I shall read that thread now.

sr123: Seems to be the same with the browser for me as well! Is this a new flare-up of santy perhaps?

[sr123]

nielbombd,

I think it is a variant that someone has written to bypass the filters people have put in place for lwp-trivial and LWP::Simple strings.

I have managed to keep those from overwhelming my board, however these new ones are coming in like crazy. It's like a concentrated denial-of-service attack.

I think this is probably a flare-up for sure. I'm wondering how isolated it is. In your own case, are you getting way more of these than you did of the original Santy variants?

[sr123]

Thanks fearless_fred. I added the rewrite rule in the first post in that thread you provided and now I'm seeing the request get 403 forbidden responses.... I'll have to read the rest of the thread to see if its possible to block these attacks from even getting to the http server in the first place... Perhaps one can setup a daemon on the server that immediately adds and iptables block for these as they come in based on some common characteristic of the requests.

I wish to death that I would have renamed all the phpbb .php files and hid the fact that they were PHP from the get-go, but my board has been thoroughly crawled by the search engines and I don't want to lose all the referalls from them...

This is a bit off topic, but does anyone know how one can rename all the files, hide the fact that the scripts are php, and use rewrite rules (or some other mechanism) within apache to redirect requests to pages with the original filenames to pages with the new, camouflaged filenames? I'm sick of over half my traffic now being this stinking worm attacks...

[fearless_fred]

You guys are welcome. The .htaccess helped me, but I am getting a bit scared now seeing there's a new version. .... Haven't seen it on our board yet, but I guess it's just a matter of time.

*off to check raw logs*
Sandra

[DaveBaumann]

I think this is fairly widspread at the moment - we're current'y up to about 800 guests, up 8 fold from normal traffic and I know of another site hit with the same issue. Just trying to find the .htaaccess file now to make some mods.

[neilbombd]

I think this is probably a flare-up for sure. I'm wondering how isolated it is. In your own case, are you getting way more of these than you did of the original Santy variants?

I didn't actually see the normal santy variant, I think I patched for it just in time! If memory serves, then there was an attack a week or two beforehand which our webspace provider spotted and dealt with, and he told me to get on the case with updates. If this is what happened (very bad memory I'm afraid) then I'm wondering how this thing has now found us, and if it's searching for .11 installations now? It also found our backup board, which was a read-only seperate installation of phpbb which wasn't actually linked from anywhere, except maybe a couple of posts on the main board. That is worrying me as that readup board probably wasn't patched for santy!

[sr123]

Alright... Here's a crude hack to run from a bash shell if you use iptables to block bad IP's.

WARNING: Use this strictly at your OWN RISK!!! You can get yourself in trouble pretty quickly with iptables if you don't understand what you're doing. You may end up blocking legitimate IP's if you're not careful. Also, you need root access on the server to do this.

That said, the following quickie script will add all IP's in your apache httpd log files that have "hightligh=%2527" to your iptables list of dropped ip's. If you've got a very large httpd log file then this can take a long time to run. Also, I don't know what the performance hit will be if you have thousands of entries in your iptables, but I figure I'll take the performance hit (if any) for a while to see how things go. I'm taking a hit anyway with all the http requests coming in... Don't know what's more expensive at this point (any comments?):

for IP in `cat my_apache_httpd_log_file | grep 'highlight=%2527' | awk '{print $1}' | sort -u`; do /sbin/iptables -I INPUT -s $IP -j DROP; echo "${IP} dropped"; done

Obviously replace my_apache_httpd_log_file above, with the correct path and filename to your own apache log. Be very careful with quotations here as I am using several different types (for different reasons).


Here's what the script essentially does: it parses the log, looking for highlight=%2527 and then it grabs the ip's for each of these requests (that's the awk part of the script), then it drops each of these ip's in your iptables via a for loop.

Unless you're comfortable with UNIX I wouldn't recommend running this. Also, you can run the following before you actually run the above script to take a look at what requests will be blocked.

cat my_apache_httpd_log_file | grep 'highlight=%2527' | less

If you see legit requests, either modify the above script (if you know how) to prevent the legit stuff from being blocked, or don't run the script... I found that the script blocked only the worm for me... but I can't say that there are no legit requests that don't contain 'hightlight=%2527' out there somewhere. Anyway that string is the same string that someone wrote an apache rewrite rule for in this forum in the thead mentioned by fearless_fred, so it's "probably" safe.

Anyone think it's a bad (or good idea) to write a little daemon that watches the logs in real-time and adds the blocks as worm requests are identified? I'm thinking of doing this...

[nekonoko]

My site is being hammered right now as well. Fortunately I've been able to stem the tide through .htaccess, but my logs are just streaming with attempts - several a second. It's amazing to me that so many unpatched servers would suddenly unleash again after all the widespread publicity over the past months. This is getting ridiculous.

[Artic]

Same problems too...
I have Approx...700+ Guest...and my server is slow down...

Grghhhhh.....

[sr123]

nekonoko,

Since I ran the script to add the offending hosts to my iptables list of dropped IPs, I am seeing FAR less requests... like about 10 fold. If you're comfortable playing around with for loops to automatically add to you iptables drop list (gulp!) then you may want to give it a try.... Be VERY careful though.

Sam

[Allie Mae]

I am also under attack. But .htaccess seems to be working.

[jsundqui]

I am also under attack. But .htaccess seems to be working.

Same here. Must be a worldwide thing. My .htaccess is performing like a champ and my site is still fast; no "guests" shown logging in. My site is low traffic to begin with and the attacks aren't showing much of a blip in bandwidth usage. They are coming about once per 15 seconds.