Apache forbidden rule for Santy.A worm

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
whit
Registered User
Posts: 43
Joined: Sun Nov 10, 2002 11:40 pm
Contact:

Methods

Post by whit » Fri Dec 31, 2004 2:00 pm

Went through a long log of this morning's attempts, as blocked by the Mod Rewrite method, and noted that the worm gives up by about the 5th attempt from any particular IP if it's not being returned much of anything. However, in a couple of instances that happened while I had broken rules (trying variations) and the worm got fed a forum page once, that encouraged it to try maybe a dozen more times before giving up.

So if you can get the Mod Rewrite rules working on your system, that'll block more efficiently than the filter-and-ban scripts. And the list of banned IPs won't add much since the worm gives up so quickly from any one IP either - which also means not much would be accomplished by a script to add worm IPs to the firewall just as long as Mod Rewrite has worked.
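The per-IP tally whit describes, and the two conditions the rewrite rules in this thread test (highlight=%2527 in the raw query string, a user agent beginning with lwp), can be checked offline against an access log. The Python below is an added example, not code from the thread; the log lines are constructed and the host and agent strings are made up:

```python
import re
from collections import Counter

# Constructed Apache combined-log lines (not real traffic): one host probing
# twice with the highlight=%2527 signature, one LWP client, one normal visitor
# who uses the highlight feature legitimately.
SAMPLE_LOG = r'''
192.0.2.10 - - [31/Dec/2004:09:01:02 -0500] "GET /forum/viewtopic.php?t=282&highlight=%2527%252Esystem(chr(112)) HTTP/1.0" 403 - "-" "lwp-trivial/1.36"
192.0.2.10 - - [31/Dec/2004:09:01:03 -0500] "GET /forum/viewtopic.php?t=283&highlight=%2527%252Esystem(chr(112)) HTTP/1.0" 403 - "-" "lwp-trivial/1.36"
198.51.100.7 - - [31/Dec/2004:09:02:10 -0500] "GET /forum/viewtopic.php?t=5 HTTP/1.1" 403 - "-" "LWP::Simple/5.79"
203.0.113.4 - - [31/Dec/2004:09:03:00 -0500] "GET /forum/viewtopic.php?t=9&highlight=phpbb HTTP/1.1" 200 18234 "-" "Mozilla/5.0"
203.0.113.4 - - [31/Dec/2004:09:03:05 -0500] "GET /forum/viewforum.php?f=2 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# The two RewriteCond lines from the thread, as Python regexes. Apache tests the
# raw, still-encoded QUERY_STRING, so the signature is the literal text %2527
# (a double-encoded single quote); the agent check is case-insensitive ([NC]).
SIG_QUERY = re.compile(r'highlight=%2527')
SIG_AGENT = re.compile(r'^lwp', re.IGNORECASE)

def parse_line(line):
    """Split one combined-log line into ip, path, query string and user agent."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group('target').partition('?')
    return {'ip': m.group('ip'), 'path': path, 'query': query,
            'ua': m.group('ua'), 'status': int(m.group('status'))}

def would_be_blocked(rec):
    """True if either condition fires, i.e. the [OR]-joined rule answers Forbidden."""
    return bool(SIG_QUERY.search(rec['query']) or SIG_AGENT.search(rec['ua']))

def attempts_per_ip(log_text):
    """Count matching probes per source IP, the tally whit describes above."""
    counts = Counter()
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec and would_be_blocked(rec):
            counts[rec['ip']] += 1
    return counts

if __name__ == '__main__':
    for ip, n in attempts_per_ip(SAMPLE_LOG).most_common():
        print(f'{ip}: {n} blocked attempt(s)')
```

Feed it a real access log and the counts show how quickly each source gives up; the legitimate highlight=phpbb request is left alone because the signature requires the encoded quote.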

liluli
Registered User
Posts: 6
Joined: Tue Feb 03, 2004 5:23 pm

Post by liluli » Fri Dec 31, 2004 2:10 pm

PaperShark wrote: When I add this code after the first line:

Code: Select all

RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR] 
RewriteCond %{HTTP_COOKIE}% s:(.*):\%22test1\%22\%3b 
RewriteRule ^.*$   -   [F,L]
I get an internal server error 500. Any clue why my modifications are causing problems? When I remove the code all is fine.

Anybody know what I am doing wrong???

PaperShark


When I add the code/.htaccess file to my forum folder and try load my forum pages I get an internal server error 500 too.

traverlaw.com
Registered User
Posts: 44
Joined: Wed May 12, 2004 1:27 am
Location: Milwaukee, WI
Contact:

Error?

Post by traverlaw.com » Fri Dec 31, 2004 3:38 pm

NoahK wrote: Here's what I did... finally had the bot attack tonight.

Code: Select all

OPEN
viewtopic.php

FIND
	$highlight = urlencode($HTTP_GET_VARS['highlight']);

ADD BELOW
	if ($userdata['user_id'] == ANONYMOUS) {
	    // Example of the worm's request, for reference only (each wrapped line must stay commented):
	    // viewtopic.php?t=282&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)
	    // %252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)
	    // %252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527
		// Ban the requesting IP (adjust the table prefix if yours is not phpbb_)
		$sql = "INSERT INTO phpbb_banlist (ban_ip)
			VALUES ('" . $user_ip . "')";
		if ( !$db->sql_query($sql) )
		{
			message_die(GENERAL_ERROR, "DEBUG: Your IP = $user_ip", "", __LINE__, __FILE__, $sql);
		}
		// Drop any sessions the banned IP still holds
		$sql = "DELETE FROM phpbb_sessions
			WHERE session_ip = '" . $user_ip . "'";
		if ( !$db->sql_query($sql) )
		{
			message_die(GENERAL_ERROR, "Couldn't delete banned sessions from database. USER_IP = $user_ip", "", __LINE__, __FILE__, $sql);
		}
		message_die(GENERAL_ERROR, "Warning: Your IP has just been banned. ($user_ip). You have been suspected of using a PHP Exploit on this website. If you feel this banning is in error please contact Support@FFTRealm.com. Good day.");
	}

EoF
What it does, is if someone is not logged in (like the bots) and attempts to HIGHLIGHT something in a post (like the exploit bots do), it just auto-bans them. Deletes their sessions and says goodbye forever :)

I might try that htaccess trick posted above too though.

[Edited by Draegonis: Added linebreaks in highlight string to avoid broken page formatting. Please remove these linebreaks before using this code. ]


When I used this, I got this error when I tried to look at any message on the board:

Code: Select all

Parse error: parse error, unexpected '=' in /var/www/domains/x.traverlaw.com/docs/viewtopic.php on line 69
There may be a line wrap error in how it was posted. Was the intended code really designed to comment out the "252..." information, as follows?

Code: Select all

if ($userdata['user_id'] == ANONYMOUS) {
	    // //viewtopic.php?t=282&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)
//%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)
//%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527


minstrel
Registered User
Posts: 93
Joined: Fri Mar 26, 2004 5:47 am
Location: Ottawa, Canada
Contact:

Post by minstrel » Fri Dec 31, 2004 3:42 pm

vinah.com wrote: anyone has any idea why I can't upload .htaccess file into my server?

Are you certain that you can't?

Many servers are configured to hide certain "system" files by default. If so, when you upload .htaccess it will seem to disappear.

You can check this by enabling "view hidden files" in your FTP program, or try adding -latr to the end of your ftp command.

traverlaw.com
Registered User
Posts: 44
Joined: Wed May 12, 2004 1:27 am
Location: Milwaukee, WI
Contact:

Follow up.

Post by traverlaw.com » Fri Dec 31, 2004 3:47 pm

Also, referencing my posting above, it does not add anything to the banned file.

This suggests there might be an error in this line of code?

Code: Select all

 if ($userdata['user_id'] == ANONYMOUS) {
       
      $sql = "INSERT INTO phpbb_banlist (ban_ip)
         VALUES ('" . $user_ip . "')";
      if ( !$db->sql_query($sql) )
      {
         message_die(GENERAL_ERROR, "DEBUG: Your IP = $user_ip", "", __LINE__, __FILE__, $sql);
      }  

kevspar
Registered User
Posts: 10
Joined: Fri Nov 01, 2002 5:12 pm

Post by kevspar » Fri Dec 31, 2004 5:01 pm

I added the four lines of code from the first post in this thread into
an .htaccess file and all of my 80 "guests" disappeared almost
immediately. thank you.

I also made the forums on my board "registered [hidden]" so that guests
cannot view, post or reply without logging in. I don't know if that helps
with this exploit or not, but it seemed like a good idea at the time.

NoahK
Registered User
Posts: 217
Joined: Wed Nov 12, 2003 4:49 am
Location: Atlanta, GA
Contact:

Post by NoahK » Fri Dec 31, 2004 5:43 pm

I took out that commented code. It was unnecessary. Make sure that the prefix is correct for banlist as well. I use "phpbb_". To see if the code works yourself, comment out the SQL query line, and the brackets below it to leave just the message_die part. Go to any topic, add &highlight=123 to the end of the URL and see if you get the debug message. Gotta make sure you're logged out though.

So far 2180 IPs have been captured and banned. Oh, one more thing I just thought of. If you don't allow the guest to actually "view" the forum, like if you have it set up for "registered" only, etc., then the code will never be issued. You just see all the guests on your board, which is what I was trying to fix.
Come play Final Fantasy Tactics: Online!
Features:
- Pick one of 351 class combinations. Battle 150 different monsters. Find over 2,200 weapons, armor, and items. Fight in tournaments or play the Gil Slots. Anything goes!

kevspar
Registered User
Posts: 10
Joined: Fri Nov 01, 2002 5:12 pm

Post by kevspar » Fri Dec 31, 2004 6:13 pm

NoahK wrote: Oh, one more thing I just thought of. If you don't allow the guest to actually "view" the forum, like if you have it set up for "registered" only, etc., then the code will never be issued. You just see all the guests on your board, which is what I was trying to fix.

that's sort of what I was thinking in the post immediately preceding
yours, but it's good to have a learned person confirm things.

server-matrix
Registered User
Posts: 392
Joined: Sun Jul 04, 2004 11:11 am

Post by server-matrix » Fri Dec 31, 2004 7:31 pm

This isn't going to be much help, but I was going through my site's web logs, looking for certain strings or referrals, and I noticed the site had been found many times using the string

"allinurl:viewforum.php_ -overlooks"
Google has since banned this string.

However, I am uncontrollably being horded with guests.

I have banned at least 100 IP addresses, and am now starting to ban IP ranges.

Is there no way of finding the source of the worm?

I have run several IP Traces on the guests, and they come from different sites.

whit
Registered User
Posts: 43
Joined: Sun Nov 10, 2002 11:40 pm
Contact:

Post by whit » Fri Dec 31, 2004 8:35 pm

server-matrix wrote: I have banned at least 100 IP addresses, and am now starting to ban IP ranges.

Is there no way of finding the source of the worm?


Problem is, probably all of the systems hitting us are not the primary source of the worm, but rather systems it has taken over - which can be anywhere. Banning by range may make sense though with certain hosting providers who've lost entire warehouses full of boxen because they hadn't updated them in a timely way - and can't just yank them all offline now without really pissing off thousands of essentially innocent customers and maybe having to refund a lot of fees (if their staff even realizes they've got a problem yet - picture two or three hard-drinking guys and two hundred boxes in some of the cut-rate webhost shops).

NoahK
Registered User
Posts: 217
Joined: Wed Nov 12, 2003 4:49 am
Location: Atlanta, GA
Contact:

Post by NoahK » Sat Jan 01, 2005 6:16 am

server-matrix wrote: This isn't going to be much help, but I was going through my site's web logs, looking for certain strings or referrals, and I noticed the site had been found many times using the string

"allinurl:viewforum.php_ -overlooks"
Google has since banned this string.

However, I am uncontrollably being horded with guests.

I have banned at least 100 IP addresses, and am now starting to ban IP ranges.

Is there no way of finding the source of the worm?

I have run several IP Traces on the guests, and they come from different sites.


If you are manually banning, just apply the code above (like if you don't have access to your htaccess file), and it will auto ban any anon bot that tries the highlight bug. Then in a few days you can run a simple query to remove all the new bans. (Like when the spamming stops).

traverlaw.com
Registered User
Posts: 44
Joined: Wed May 12, 2004 1:27 am
Location: Milwaukee, WI
Contact:

.htaccess code issues

Post by traverlaw.com » Sat Jan 01, 2005 4:44 pm

tanrek wrote:
pengrus wrote:

Code: Select all

RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)wget\%20 [OR]
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*) [OR]
I am trying to implement this to our system. But could someone explain what the above codes do?


That code does nothing because it's not complete. The complete code could be (filters all worm attacks on my system at this moment = ca. 150000 per day!):

Code: Select all

RewriteEngine On
RewriteCond %{QUERY_STRING} ^.*highlight=\%2527 [OR]
RewriteCond %{HTTP_USER_AGENT} ^lwp [NC]
RewriteRule ^.*$ - [F]
If your system allows this rewrite directive your Apache will answer all URLs containing 'highlight=%2527' and all user agents beginning with 'lwp' or 'LWP' with 410 errors, which can save a lot of bandwidth.

This is not meant to be a protection of your system because hackers or new worms might bypass this trick. It only helps to lower traffic. Also keep in mind that the Rewrite Engine might open new security issues and it should be shut down as soon as possible when these attacks are over.


I received permission from my service provider to use an .htaccess file. When I used the code suggested above, I got this message:
Forbidden
You don't have permission to access / on this server.


Are there parameters to this code that I should fiddle with?

whit
Registered User
Posts: 43
Joined: Sun Nov 10, 2002 11:40 pm
Contact:

Re: .htaccess code issues

Post by whit » Sat Jan 01, 2005 7:01 pm

traverlaw.com wrote: I received permission from my service provider to use an .htaccess file. When I used the code suggested above, I got this message:
Forbidden
You don't have permission to access / on this server.


Are there parameters to this code that I should fiddle with?


What precisely is in your .htaccess file? I'd first look for a typo in your code transcription. The "Forbidden" response is the proper one if you are the worm, but since you're not....

minstrel
Registered User
Posts: 93
Joined: Fri Mar 26, 2004 5:47 am
Location: Ottawa, Canada
Contact:

Post by minstrel » Sat Jan 01, 2005 7:25 pm

That happens to me too (it forbids access to me on my own server).

Other .htaccess commands work fine. I assumed it was because my server wasn't allowing rewrites but now that I think about it if that were true it shouldn't have made any difference -- i.e., it shouldn't have banned me or the worms if rewrites weren't enabled.

So now I'm wondering what would cause that. It wasn't a typo or anything because I double-checked it and even did a copy/paste from versions others said were working.

traverlaw.com
Registered User
Posts: 44
Joined: Wed May 12, 2004 1:27 am
Location: Milwaukee, WI
Contact:

Re: .htaccess code issues

Post by traverlaw.com » Sat Jan 01, 2005 9:19 pm

whit wrote:
traverlaw.com wrote: I received permission from my service provider to use an .htaccess file. When I used the code suggested above, I got this message:
Forbidden
You don't have permission to access / on this server.


Are there parameters to this code that I should fiddle with?


What precisely is in your .htaccess file? I'd first look for a typo in your code transcription. The "Forbidden" response is the proper one if you are the worm, but since you're not....


This is what I tried to use:

Code: Select all

RewriteEngine On
RewriteCond %{QUERY_STRING} ^.*highlight=\%2527 [OR]
RewriteCond %{HTTP_USER_AGENT} ^lwp [NC]
RewriteRule ^.*$ - [F] 
