Apache forbidden rule for Santy.A worm

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
whit
Registered User
Posts: 43
Joined: Sun Nov 10, 2002 11:40 pm

Re: .htaccess code issues

Post by whit » Sun Jan 02, 2005 2:14 am

traverlaw.com wrote: This is what I tried to use:


RewriteEngine On
RewriteCond %{QUERY_STRING} ^.*highlight=\%2527 [OR]
RewriteCond %{HTTP_USER_AGENT} ^lwp [NC]
RewriteRule ^.*$ - [F] 


Hmm, here's what I'm currently using with no problem:


    RewriteEngine on
    # Santy.A marker in the query string
    RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)rush=\% [NC,OR]
    # serialised-cookie marker (the test string is just the variable; a stray "%" after it is a typo)
    RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b [NC,OR]
    # Perl LWP user agents, any case
    RewriteCond %{HTTP_USER_AGENT} ^lwp [NC]
    RewriteRule ^.*$        -       [F,L]
Maybe the regular expression is happier with the parens around the ".*"? Because I don't see much other difference. The OR means "or", the NC means "no case" and is most useful here for the lwp match - but doesn't hurt on the others. If going to "(.*)" doesn't fix it for you, you might try removing one then the other of the RewriteCond lines (and removing that OR then too) to see if that lets you in. That would tell you what line was problematic. Or test to see if your system chokes on even an empty .htaccess file if that doesn't work. I take it there's nothing in your .htaccess but these lines?

whit
Registered User
Posts: 43
Joined: Sun Nov 10, 2002 11:40 pm

Post by whit » Sun Jan 02, 2005 2:18 am

If having trouble with Mod Rewrite, enabling RewriteLog and setting the RewriteLogLevel high can show you just how the rewrite is being processed, which can be a big help in debugging. Just go to apache.org or google RewriteLog to find a copy of the manual on these.

sellis
Registered User
Posts: 32
Joined: Fri Jan 16, 2004 12:46 am

IIS

Post by sellis » Sun Jan 02, 2005 3:19 am

Anyone know how to apply this same sort of fix for IIS?

(I know, I know... you can flame me all you want, but that's what I'm running :-)

Thanks,
Scott

Cogbox
Registered User
Posts: 6
Joined: Thu Dec 30, 2004 10:17 pm

Post by Cogbox » Sun Jan 02, 2005 11:10 am

This is the fix for IIS.

Insert this code anywhere in the common.php file (make sure it's programmatically placed correctly). This will sort it out for you.


// Refuse any request whose query string carries the Santy.A marker.
// strpos() returns 0 when the needle sits at offset 0, so compare against
// false explicitly; a bare if (strpos(...)) would let that case through.
$browser = isset($_SERVER['QUERY_STRING']) ? trim($_SERVER['QUERY_STRING']) : '';
if (strpos(strtolower($browser), 'highlight=%2527') !== false)
{
    die('This request is banned on this server.');
}
Cheers

Jae

CrazyTool
Registered User
Posts: 20
Joined: Sat Dec 25, 2004 2:13 am

Re: IIS

Post by CrazyTool » Sun Jan 02, 2005 11:18 am

sellis wrote: Anyone know how to apply this same sort of fix for IIS?

(I know, I know... you can flame me all you want, but that's what I'm running :-)

Thanks,
Scott


Hi Scott,

Yes, I cooked something up for IIS - for details on downloading the required application, check here, while the latest contents for httpd.ini can be found here. You need both ISAPI Rewrite (link via the first post) and the additions to httpd.ini (second post) for this to work.

This assumes you have a dedicated server or at least that you are the admin of the server and can install applications.

Cheers,

Matt

sellis
Registered User
Posts: 32
Joined: Fri Jan 16, 2004 12:46 am

Post by sellis » Sun Jan 02, 2005 7:20 pm

Thanks so much, Matt! This is very helpful, and a much better solution than running Privacyware's Threat Sentry, which seemed like overkill for one small website (plus it's $99)...
-Scott

NeoThermic
Security Consultant
Posts: 2141
Joined: Thu Dec 25, 2003 1:33 am
Location: United Kingdom

Post by NeoThermic » Mon Jan 03, 2005 2:50 pm

For those who want to prevent Apache from logging access attempts made by Santy (to save space or CPU time, etc.), apply this in your httpd.conf:


SetEnvIf QUERY_STRING "highlight=%2527" NOLOG
Then, at the part that reads:


CustomLog logs/access.log combined
Change it to:


CustomLog logs/access.log combined env=!NOLOG

That should work. :)

NeoThermic
NeoThermic.com... a well of information. Ask me for the bit bucket so you can drink its goodness. ||新熱です

Grinch
Registered User
Posts: 400
Joined: Mon Apr 22, 2002 5:44 pm
Location: Toronto, Canada

Post by Grinch » Tue Jan 04, 2005 12:18 am

I inserted the following code as suggested a couple of pages ago, and the speed of my site took a pretty big hit. I'm running phpBB 2.0.11 and PHP 4.3.10 already, so I'm not as vulnerable as others. But is it still a good idea to incorporate some of the stuff below? What should I keep and what can I discard?


Options +FollowSymlinks 
RewriteEngine On 
RewriteBase / 

RewriteCond %{QUERY_STRING} 252echr 
RewriteRule .* - [F,L] 

RewriteCond %{QUERY_STRING} wget 
RewriteRule .* - [F,L] 

RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b [OR]
RewriteCond %{QUERY_STRING} s:(.*)252echr [OR]
RewriteCond %{QUERY_STRING} ^(.*)wget\%20 [OR]
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush= [OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)
RewriteRule ^.*$   -   [F,L]

RewriteCond %{QUERY_STRING} s:(.*)wget
RewriteRule ^.*$   -   [F,L]

RewriteCond %{HTTP_USER_AGENT} libwww-perl 
RewriteRule .* - [F,L] 

RewriteCond %{HTTP_USER_AGENT} "LWP::Simple/5.803" 
RewriteRule .* - [F,L] 

RewriteCond %{HTTP_USER_AGENT} "lwp-trivial/1.34" 
RewriteRule .* - [F,L] 

RewriteCond %{HTTP_USER_AGENT} "lwp-trivial/1.36" 
RewriteRule .* - [F,L] 

RewriteCond %{HTTP_USER_AGENT} "lwp-trivial/1.41" 
RewriteRule .* - [F,L] 

RewriteCond %{HTTP_USER_AGENT} "LWP::Simple/5.800" 
RewriteRule .* - [F,L] 

RewriteCond %{HTTP_USER_AGENT} "LWP::Simple/5.65" 
RewriteRule .* - [F,L] 

RewriteCond %{HTTP_USER_AGENT} "LWP::Simple/5.69" 
RewriteRule .* - [F,L] 

RewriteCond %{HTTP_USER_AGENT} "trivial" 
RewriteRule .* - [F,L] 

RewriteCond %{HTTP_USER_AGENT} "Simple" 
RewriteRule .* - [F,L] 

SetEnvIfNoCase HTTP_USER_AGENT "^EmailSiphon" bad_bot 
SetEnvIfNoCase HTTP_USER_AGENT "^EmailWolf" bad_bot 
SetEnvIfNoCase HTTP_USER_AGENT "^ExtractorPro" bad_bot 
SetEnvIfNoCase HTTP_USER_AGENT "^CherryPicker" bad_bot 
SetEnvIfNoCase HTTP_USER_AGENT "^NICErsPRO" bad_bot 
SetEnvIfNoCase HTTP_USER_AGENT "^Teleport" bad_bot 
SetEnvIfNoCase HTTP_USER_AGENT "^EmailCollector" bad_bot 
SetEnvIfNoCase HTTP_USER_AGENT "^LinkWalker" bad_bot 
SetEnvIfNoCase HTTP_USER_AGENT "^Zeus" bad_bot 
SetEnvIfNoCase HTTP_USER_AGENT "^LWP::Simple" bad_bot 
SetEnvIfNoCase HTTP_USER_AGENT "^lwp-trivial" bad_bot 
SetEnvIfNoCase HTTP_USER_AGENT "^StackRambler" bad_bot 
SetEnvIfNoCase HTTP_USER_AGENT "^Patwebbot" bad_bot 
SetEnvIfNoCase HTTP_USER_AGENT "^crawl" bad_bot 
SetEnvIfNoCase HTTP_USER_AGENT "^psbot" bad_bot 
SetEnvIfNoCase HTTP_USER_AGENT "^Simple/" bad_bot 

<Limit GET POST> 
order allow,deny 
allow from all 
deny from env=bad_bot 
</Limit> 

<Files 403.shtml> 
order allow,deny 
allow from all 
deny from env=bad_bot 
</Files> 

deny from env=bad_bot 
deny from 107.70.60.188 
deny from 12.10.130.114 
deny from 12.119.251.194 
deny from 12.164.84. 
deny from 12.170.99. 
deny from 12.175.0. 
deny from 12.200.10.232 
deny from 12.22.85.3 
deny from 12.46.236.114

whit
Registered User
Posts: 43
Joined: Sun Nov 10, 2002 11:40 pm

Post by whit » Tue Jan 04, 2005 3:44 am

Grinch wrote: What should I keep and what can I discard?


You could probably get away with:


RewriteEngine On 
RewriteBase / 

RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR] 
RewriteCond %{HTTP_USER_AGENT} ^lwp [NC]
RewriteRule ^.*$        -       [F,L]   
The highlight line catches, I think, all the variants of Santy I've logged. The next catches all the attempts at custom hacks from Perl I've seen so far (everything starting with LWP or lwp - the "NC" means "no case"). You can at the very least get rid of all the LWP and lwp lines but that one.

Also adding


ErrorDocument 403 "
will cut your response to the worm to even more of a minimum. Only downside is if you think others who are "Forbidden" by your rules deserve a fuller explanation.

And some version of the no-log trick just above should work - haven't tested the suggestion there, not sure about the quotes and whether the % might need to be escaped by \ or not in that context.

Your FollowSymlinks option of course only depends on whether you have symlinks within your site. If you don't need 'em, it's more secure not to enable 'em.

Cogbox
Registered User
Posts: 6
Joined: Thu Dec 30, 2004 10:17 pm

Post by Cogbox » Tue Jan 04, 2005 9:04 am

ISSUE

Users who use Autologin are being logged in as someone else!

Ever since using the Die browser that resolves the Santy.A on IIS, we've had a couple of users who have suddenly been logged in as someone else. I can only guess that the Session IDs have duplicated through the sheer number of attempts by the Santy virus, and people who have used Auto Login for a long while have suddenly become logged in as someone else!

Anyone else experienced this???

IIS 5, Win2k, MySQL, phpBB 2.0.11, PHP 4.3.10 with FastCGI tweaks

Jae

john_r
Registered User
Posts: 19
Joined: Thu Nov 18, 2004 8:11 pm

Post by john_r » Tue Jan 04, 2005 9:26 am

Hi,

First, I know next to nothing about htaccess etc., only copy, paste and try.


Changed lines to

RewriteCond %{HTTP_USER_AGENT} ^libwww-perl/ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} lwp [NC,OR]
to catch all variants of libwww-perl and lwp

However see some were signing themselves "Mozilla/4.0"

Also even though had the line

RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]

found one bot with "highlight" line still getting a "200" from the server.
Added extra line
RewriteCond %{QUERY_STRING} ^(.*)highlight=%2527 [NC,OR]
There was no space between "=" and "%"

I do not know if this helped as I made other changes.

Line

RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
ineffective as Bot used "Echr", so changed the line to
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [NC,OR]

(In fact put "NC" on all lines)

and finally (from another forum) changed the last line to
RewriteRule ^.*$ http://127.0.0.1 [R,L]

All subsequent attacks got a "302", redirected back to themselves (I think).

I have had no attack whatsoever for the past 3 days.

whit
Registered User
Posts: 43
Joined: Sun Nov 10, 2002 11:40 pm

Post by whit » Tue Jan 04, 2005 5:00 pm

john_r wrote: However see some were signing themselves "Mozilla/4.0"


Yeah, I see a lot of those, but the highlight line _should_ catch those. An alternative would be to have the line:


RewriteCond %{HTTP_USER_AGENT} ^Mozilla/4.0$ [OR]
Because of the $ on the end that would only catch user agent IDs which consisted of nothing but "Mozilla/4.0" - and Mozilla itself, from looking at my own logs and other lists of user agent strings, always or at least almost always presents a longer string than that, describing the OS and other factors of its build. So while a false positive _might_ be possible, it would be exceedingly rare, as long as that dollar sign is there to say that the string must end precisely at that point.

john_r wrote: RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]

found one bot with "highlight" line still getting a "200" from the server.
Added extra line
RewriteCond %{QUERY_STRING} ^(.*)highlight=%2527 [NC,OR]
There was no space between "=" and "%"


Was the literal string in the bot getting through highlight=%2527, or were the numbers different? Taking out the "\" shouldn't have done anything useful, since what that does in this context is "quote" the "%" so that it's taken literally rather than with another meaning, as an operator.

neps
Registered User
Posts: 66
Joined: Thu Nov 21, 2002 12:38 pm

Post by neps » Tue Jan 04, 2005 5:38 pm

Hey, can someone look at my htaccess? I already have some redirect stuff to block people from hotlinking my images, and I don't want this code to conflict with that. Is it right to turn it on twice? It doesn't seem so, but otherwise how does it know it's a different rule?

Thanks!


ErrorDocument 500 /index.php
ErrorDocument 404 http://www.knightrideronline.com/phpbb/index.php

# block hijackers 
RewriteEngine on 

RewriteCond %{HTTP_REFERER} !^$ 

# allow any referer your domain might be called: 
RewriteCond %{HTTP_REFERER} !^http://66.84.13.248/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://knightrideronline.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.knightrideronline.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://bb.knightrideronline.com/.*$ [NC]


# what you want to serve them instead:
RewriteRule .*\.(gif|GIF|jpg|JPG)$ http://www.knightrideronline.com/nono.gif [NC,R,L]

RewriteEngine on 
RewriteBase /

RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{HTTP_USER_AGENT} ^lwp [NC]
RewriteRule ^.*$        -       [F,L]   

whit
Registered User
Posts: 43
Joined: Sun Nov 10, 2002 11:40 pm

Post by whit » Tue Jan 04, 2005 9:07 pm

neps wrote:


RewriteEngine on 

RewriteCond %{HTTP_REFERER} !^$ 

# allow any referer your domain might be called: 
RewriteCond %{HTTP_REFERER} !^http://66.84.13.248/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://knightrideronline.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.knightrideronline.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://bb.knightrideronline.com/.*$ [NC]


# what you want to serve them instead:
RewriteRule .*\.(gif|GIF|jpg|JPG)$ http://www.knightrideronline.com/nono.gif [NC,R,L]

RewriteBase /

RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{HTTP_USER_AGENT} ^lwp [NC]
RewriteRule ^.*$        -       [F,L]   


You only need to turn it on once. RewriteRule applies to the immediately-previous RewriteCond, so your first RewriteRule as you have it set up only applies to the last RewriteCond before it. You can fix that by adding OR ("[NC,OR]") to the first three cases (but not the last). That's the way your second RewriteRule is set up - it applies to the first OR the second RewriteCond above it.

I suspect by the way there might be another problem with the attempt to prevent deep linking - the way you have it if they're coming to your pages from an outside site's link - even to your main page - they will at first see all of your own images replaced by "nono.gif". So you'll probably need a more complex ruleset to get the result you want without sometimes messing up your own site.
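As an added check on the chaining question above (this is example code written for this page, not part of anyone's post): in mod_rewrite, consecutive RewriteCond lines are ANDed, and a line flagged [OR] is instead joined to the line after it. The script below re-implements neps's four negated referer tests in Python (the host names are neps's own; the sample referers are constructed) and evaluates the chain both as posted and with [OR] added to the first four lines, so the two behaviours can be compared on the same requests.

```python
import re

# Host names from neps's .htaccess; a referer from any of these is "our own".
OWN_HOSTS = (
    "66.84.13.248",
    "knightrideronline.com",
    "www.knightrideronline.com",
    "bb.knightrideronline.com",
)

def cond_values(referer):
    """Truth value of each posted RewriteCond line, in the order posted.

    Line 1:    %{HTTP_REFERER} !^$                   -> referer is not empty
    Lines 2-5: %{HTTP_REFERER} !^http://HOST/.*$ [NC] -> referer is not from HOST
    The posted patterns leave the dots in the host names unescaped (so "."
    matches any character); re.escape() is used here so they match literally.
    """
    values = [re.search(r"^$", referer) is None]
    for host in OWN_HOSTS:
        pattern = r"^http://" + re.escape(host) + r"/.*$"
        values.append(re.search(pattern, referer, re.IGNORECASE) is None)
    return values

def fires_as_posted(referer):
    """Without [OR], mod_rewrite ANDs the lines: the RewriteRule fires only
    when every test is true, i.e. a referer is present and it is from none of
    the own hosts. That is the hotlink check the block is meant to do."""
    return all(cond_values(referer))

def fires_with_or(referer):
    """With [OR] on lines 1-4, the five lines form one group that passes as
    soon as any single test is true."""
    return any(cond_values(referer))

# Constructed referers (not from anyone's logs) covering the cases that matter.
CASES = {
    "no referer": "",
    "own forum page": "http://www.knightrideronline.com/phpbb/viewtopic.php?t=1",
    "own host by IP": "http://66.84.13.248/index.php",
    "mixed-case own host": "HTTP://WWW.KnightRiderOnline.com/phpbb/",
    "external page": "http://example.net/links.html",
}

def compare(cases=CASES):
    """Per case: (rule fires as posted, rule fires with [OR] added)."""
    return {label: (fires_as_posted(r), fires_with_or(r)) for label, r in cases.items()}

if __name__ == "__main__":
    for label, (posted, with_or) in compare().items():
        print("%-20s as posted: %-5s with [OR]: %s" % (label, posted, with_or))
```

As posted, the rule fires only for a non-empty referer that belongs to none of the listed hosts, which is what a hotlink block should do; own-site referers pass, including the images on a page a visitor reached from an external link, because the browser sends the embedding page (an own-site URL) as the referer for those image requests, not the external link. With [OR] added, any single failing test is enough, so the site's own pages would be served nono.gif as well. Two caveats a practitioner would want: the posted patterns leave the dots in the host names unescaped, and the whole check depends on the client sending a Referer header at all, which is why the empty-referer case has to pass.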

john_r
Registered User
Posts: 19
Joined: Thu Nov 18, 2004 8:11 pm

Post by john_r » Fri Jan 07, 2005 1:54 pm

Hi,

would someone please advise why Googlebot received a "302"
on the following entries?
66.249.71.69 - - [07/Jan/2005:06:33:14 -0700] "GET /phpbb/posting.php?mode=newtopic&f=12 HTTP/1.0" 302 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
66.249.71.67 - - [07/Jan/2005:06:24:45 -0700] "GET /phpbb/posting.php?mode=newtopic&f=17 HTTP/1.0" 302 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"


Other requests OK as


66.249.71.61 - - [07/Jan/2005:06:25:39 -0700] "GET /phpbb/viewtopic.php?t=1 HTTP/1.0" 200 27140 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)" 
Part of my .htaccess which is set up to deal with the highlight bug:
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [NC,OR]
RewriteCond %{HTTP_COOKIE}% s:(.*):\%22test1\%22\%3b [OR]
RewriteCond %{QUERY_STRING}% s:(.*)252echr [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)wget\%20 [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)xiahello [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl/ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} lwp [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)rush= [OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)
RewriteRule ^.*$ http://127.0.0.1 [R,L]


Just realised I did not have the line
RewriteEngine On
at the start. Would that have caused it?

What line should I remove?
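The points raised through this thread about how these rules actually match, as one added example (Python written for this page; it is not code from any post): whit's note that the OR and NC flags join lines and ignore case, his remark that the backslash in \%2527 merely quotes the %, john_r's findings that ^lwp missed libwww-perl and that echr without NC missed Echr, and the Googlebot question just above. The script models a RewriteCond chain the way mod_rewrite evaluates it, runs john_r's chain and whit's two-line minimum over a handful of constructed requests, then parses the three log lines quoted above and runs the chain over them. HTTP_COOKIE is assumed empty for the log lines, since the combined log format does not record cookies.

```python
"""Replay of the Santy RewriteCond chains from this thread, offline.

Added example, not code from any post.  It evaluates a chain the way
mod_rewrite does, against constructed requests and against the Googlebot
log lines quoted above, so a rule set can be checked without a live server.
"""
import re
from urllib.parse import urlsplit

# john_r's chain (Fri Jan 07 post) as (variable, pattern, flags).  The stray
# "%" after %{HTTP_COOKIE} and %{QUERY_STRING} in the posted lines is not
# mod_rewrite syntax and is dropped here.
JOHN_R_CONDS = [
    ("QUERY_STRING",    r"^(.*)highlight=\%2527",    {"NC", "OR"}),
    ("HTTP_COOKIE",     r"s:(.*):\%22test1\%22\%3b", {"OR"}),
    ("QUERY_STRING",    r"s:(.*)252echr",            {"NC", "OR"}),
    ("QUERY_STRING",    r"^(.*)wget\%20",            {"NC", "OR"}),
    ("QUERY_STRING",    r"^(.*)xiahello",            {"NC", "OR"}),
    ("QUERY_STRING",    r"^(.*)echr(.*)",            {"NC", "OR"}),
    ("HTTP_USER_AGENT", r"^libwww-perl/",            {"NC", "OR"}),
    ("HTTP_USER_AGENT", r"lwp",                      {"NC", "OR"}),
    ("QUERY_STRING",    r"^(.*)rush=",               {"OR"}),
    ("QUERY_STRING",    r"^(.*)esystem(.*)",         set()),
]

# whit's two-line minimum (Tue Jan 04 post).
WHIT_MINIMAL = [
    ("QUERY_STRING",    r"^(.*)highlight=\%2527",    {"OR"}),
    ("HTTP_USER_AGENT", r"^lwp",                     {"NC"}),
]

def cond_matches(var, pattern, flags, request):
    """One RewriteCond: regex search over the variable's value; [NC] = ignore case."""
    opts = re.IGNORECASE if "NC" in flags else 0
    return re.search(pattern, request.get(var, ""), opts) is not None

def chain_matches(conds, request):
    """Apply a chain as mod_rewrite does: a run of [OR] lines plus the first
    non-[OR] line after it is one group, satisfied when any of its lines
    matches; every group must be satisfied for the RewriteRule to fire."""
    group_hit = False
    for var, pattern, flags in conds:
        group_hit = group_hit or cond_matches(var, pattern, flags, request)
        if "OR" not in flags:          # this line closes the group
            if not group_hit:
                return False
            group_hit = False
    return True

def evaluate(conds, samples):
    """Label -> True when the chain fires (request forbidden or redirected)."""
    return {label: chain_matches(conds, r) for label, r in samples.items()}

def req(query, ua, cookie=""):
    return {"QUERY_STRING": query, "HTTP_USER_AGENT": ua, "HTTP_COOKIE": cookie}

# Constructed requests, not anyone's real log data.
SAMPLES = {
    "santy_probe": req("t=1&highlight=%2527", "Mozilla/4.0"),
    "libwww_perl": req("t=1", "libwww-perl/5.803"),
    "lwp_simple":  req("t=1", "LWP::Simple/5.803"),
    "upper_echr":  req("t=5&highlight=%252Echr", "Mozilla/4.0"),
    "browser":     req("t=1&highlight=search",
                       "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) "
                       "Gecko/20041107 Firefox/1.0"),
}

def backslash_is_cosmetic(query):
    """whit's point: "\\%2527" and "%2527" match the same input, because the
    backslash only quotes a "%" that is not a regex metacharacter anyway."""
    return (bool(re.search(r"highlight=\%2527", query))
            == bool(re.search(r"highlight=%2527", query)))

# Combined-format access log lines, quoted from john_r's post.
GOOGLEBOT_LOG = """\
66.249.71.69 - - [07/Jan/2005:06:33:14 -0700] "GET /phpbb/posting.php?mode=newtopic&f=12 HTTP/1.0" 302 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
66.249.71.67 - - [07/Jan/2005:06:24:45 -0700] "GET /phpbb/posting.php?mode=newtopic&f=17 HTTP/1.0" 302 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
66.249.71.61 - - [07/Jan/2005:06:25:39 -0700] "GET /phpbb/viewtopic.php?t=1 HTTP/1.0" 200 27140 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def request_from_log_line(line):
    """One combined-format line -> the dict chain_matches() expects.  Cookies
    are not in that format, so HTTP_COOKIE is assumed empty."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a combined-format line: %r" % line)
    target = m.group("target")
    return {"QUERY_STRING": urlsplit(target).query, "HTTP_USER_AGENT": m.group("ua"),
            "HTTP_COOKIE": "", "status": int(m.group("status")), "target": target}

def explain_log(conds, log_text):
    """Per log line: (logged status, request target, would the chain have fired)."""
    rows = []
    for line in log_text.strip().splitlines():
        r = request_from_log_line(line)
        rows.append((r["status"], r["target"], chain_matches(conds, r)))
    return rows

if __name__ == "__main__":
    print("john_r:      ", evaluate(JOHN_R_CONDS, SAMPLES))
    print("whit minimal:", evaluate(WHIT_MINIMAL, SAMPLES))
    for status, target, fired in explain_log(JOHN_R_CONDS, GOOGLEBOT_LOG):
        print(status, target, "matched" if fired else "matched by no line")
```

Neither the Googlebot query strings (mode=newtopic&f=12, mode=newtopic&f=17, t=1) nor the Googlebot user agent match any line of john_r's chain, so the 302 did not come from these rules, and adding RewriteEngine On would not change that: it only switches the whole set on or off. phpBB2's posting.php sends its own redirect to login.php when a visitor who is not logged in (Googlebot included) requests it, which is the ordinary cause of a 302 on that URL. The two-line minimum, by contrast, does miss libwww-perl/5.803, because ^lwp is anchored at the start of the user agent string, while john_r's extra ^libwww-perl/ line catches it; and the [NC] flag is what lets echr match the Echr variant john_r saw.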
