PaperShark wrote: When I add this code after the first line:

Code:
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{HTTP_COOKIE}% s:(.*):\%22test1\%22\%3b
RewriteRule ^.*$ - [F,L]

I get an internal server error 500. Any clue why my modifications are causing problems? When I remove the code all is fine.
Anybody know what I am doing wrong???
PaperShark
NoahK wrote: Here's what I did... finally had the bot attack tonight.
What it does is, if someone is not logged in (like the bots) and attempts to HIGHLIGHT something in a post (like the exploit bots do), it just auto-bans them. Deletes their sessions and says goodbye forever :)

Code:
OPEN viewtopic.php

FIND
$highlight = urlencode($HTTP_GET_VARS['highlight']);

ADD BELOW
if ($userdata['user_id'] == ANONYMOUS)
{
    // The kind of request this guards against (exploit URL kept on comment lines only):
    // viewtopic.php?t=282&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)
    // %252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)
    // %252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527

    // Add the visitor's IP to the ban list ($user_ip is the encoded IP string phpBB 2 sets up in common.php)
    $sql = "INSERT INTO phpbb_banlist (ban_ip) VALUES ('" . $user_ip . "')";
    if ( !$db->sql_query($sql) )
    {
        message_die(GENERAL_ERROR, "DEBUG: Your IP = $user_ip", "", __LINE__, __FILE__, $sql);
    }

    // Drop any sessions from that IP so the ban takes effect immediately
    $sql = "DELETE FROM phpbb_sessions WHERE session_ip = '" . $user_ip . "'";
    if ( !$db->sql_query($sql) )
    {
        message_die(GENERAL_ERROR, "Couldn't delete banned sessions from database. USER_IP = $user_ip", "", __LINE__, __FILE__, $sql);
    }

    message_die(GENERAL_ERROR, "Warning: Your IP has just been banned. ($user_ip). You have been suspected of using a PHP Exploit on this website. If you feel this banning is in error please contact [email protected]. Good day.");
}
EoF
I might try that htaccess trick posted above too though.
[Edited by Draegonis: Added linebreaks in highlight string to avoid broken page formatting. Please remove these linebreaks before using this code. ]
Code:
Parse error: parse error, unexpected '=' in /var/www/domains/x.traverlaw.com/docs/viewtopic.php on line 69

Code:
if ($userdata['user_id'] == ANONYMOUS) {
// //viewtopic.php?t=282&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)
//%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)
//%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527
vinah.com wrote: anyone has any idea why i can't upload .htaccess file into my server?
Code:
if ($userdata['user_id'] == ANONYMOUS) {
    $sql = "INSERT INTO phpbb_banlist (ban_ip)
        VALUES ('" . $user_ip . "')";
    if ( !$db->sql_query($sql) )
    {
        message_die(GENERAL_ERROR, "DEBUG: Your IP = $user_ip", "", __LINE__, __FILE__, $sql);
    }
}
NoahK wrote: Oh one more thing I just thought of. If you don't allow the guest to actually "view" the forum, like if you it set up for "registered" only, etc, then the code will never be issued. You just see all the guests on your board, which is what I was trying to fix.
server-matrix wrote: This isn't going to be much help, but I was going through my site's web logs, looking for certain strings or referrals, and I noticed the site had been found many times using the string
"allinurl:viewforum.php_ -overlooks"
Google has since banned this string.
However, I am uncontrollably being horded with guests.
I have banned at least 100 IP addresses, and am now starting to ban IP ranges.
Is there no way of finding the source of the worm?
I have run several IP Traces on the guests, and they come from different sites.
tanrek wrote:
pengrus wrote: I am trying to implement this on our system. But could someone explain what the above code does?

Code:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)wget\%20 [OR]
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*) [OR]

That code does nothing because it's not complete. The complete code could be (it filters all worm attacks on my system at this moment, ca. 150000 per day!):

Code:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^.*highlight=\%2527 [OR]
RewriteCond %{HTTP_USER_AGENT} ^lwp [NC]
RewriteRule ^.*$ - [F]

If your system allows this rewrite directive, your Apache will answer all URLs containing 'highlight=%2527' and all user agents beginning with 'lwp' or 'LWP' with 410 errors, which can save a lot of bandwidth.

This is not meant to be a protection of your system because hackers or new worms might bypass this trick. It only helps to lower traffic. Also keep in mind that the Rewrite Engine might open new security issues and it should be shut down as soon as possible when these attacks are over.
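Before dropping those two conditions into a live .htaccess it helps to replay them over your own access log and see what they catch and what they let through. The following is an added example, not code from this thread or from phpBB: a Python replay of the same two tests (raw query string containing highlight=%2527, user agent starting with lwp, case-insensitive) over a handful of constructed Apache combined-format log lines. The IPs, timestamps and user-agent strings are invented for the example. One thing the thread leaves unsaid: the [F] flag makes Apache answer 403 Forbidden, so a "Forbidden" page is what any visitor matched by the rule sees.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format; IPs, times and
# user agents are invented for this example, not taken from the thread.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Dec/2004:03:14:07 +0000] "GET /viewtopic.php?t=282&highlight=%2527test HTTP/1.1" 200 4521 "-" "lwp-trivial/1.41"',
    '198.51.100.7 - - [21/Dec/2004:03:15:11 +0000] "GET /index.php HTTP/1.1" 200 8812 "-" "LWP::Simple/5.803"',
    '192.0.2.9 - - [21/Dec/2004:03:16:02 +0000] "GET /viewtopic.php?t=10&highlight=apache HTTP/1.1" 200 6100 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [21/Dec/2004:03:17:45 +0000] "GET /viewtopic.php?t=11&highlight=%27 HTTP/1.1" 200 5900 "-" "Mozilla/5.0"',
    'this line is not a valid log entry',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Same tests as the two RewriteCond lines in the complete rule set above.
# Apache matches %{QUERY_STRING} against the raw, still-encoded query, so the
# literal text "%2527" (a double-encoded single quote) is what is looked for.
QUERY_COND = re.compile(r'^.*highlight=%2527')
# [NC] makes the user-agent prefix test case-insensitive.
UA_COND = re.compile(r'^lwp', re.IGNORECASE)


def would_be_blocked(query_string, user_agent):
    """True when either condition matches; the [OR] flag joins them."""
    return bool(QUERY_COND.match(query_string)) or bool(UA_COND.match(user_agent))


def parse_line(line):
    """Split one combined-format line into the fields the rule set inspects."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    # urlsplit leaves percent-encoding untouched, like Apache's QUERY_STRING.
    fields['query'] = urlsplit(fields['target']).query
    return fields


def replay(lines):
    """Return (blocked, allowed, unparsed) records for a list of log lines."""
    blocked, allowed, unparsed = [], [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        elif would_be_blocked(rec['query'], rec['ua']):
            blocked.append(rec)
        else:
            allowed.append(rec)
    return blocked, allowed, unparsed


if __name__ == '__main__':
    blocked, allowed, unparsed = replay(SAMPLE_LOG)
    for rec in blocked:
        print('403 would be sent to', rec['ip'], 'for', rec['target'], 'UA', rec['ua'])
    print(len(allowed), 'requests allowed,', len(unparsed), 'lines not parsed')
```

Two of the constructed lines are worth a look. The second one carries no suspicious query at all and is blocked purely because its user agent starts with "LWP", which is the cost of the user-agent condition: any legitimate Perl script or monitoring check using that library gets the same 403. The fourth one carries a single-encoded quote (highlight=%27) and passes, which is the narrowness tanrek warns about: the rule relieves traffic from this particular worm and is not a fix for the underlying phpBB flaw.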
traverlaw.com wrote: I received permission from my service provider to use an .htaccess file. When I used the code suggested above, I got this message:
Forbidden
You don't have permission to access / on this server.
Are there parameters to this code that I should fiddle with?
whit wrote:traverlaw.com wrote: I received permission from my service provider to use an .htaccess file. When I used the code suggested above, I got this message:
Forbidden
You don't have permission to access / on this server.
Are there parameters to this code that I should fiddle with?
What precisely is in your .htaccess file? I'd first look for a typo in your code transcription. The "Forbidden" response is the proper one if you are the worm, but since you're not....
Code:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^.*highlight=\%2527 [OR]
RewriteCond %{HTTP_USER_AGENT} ^lwp [NC]
RewriteRule ^.*$ - [F]