Apache forbidden rule for Santy.A worm

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
tanrek
Registered User
Posts: 219
Joined: Mon Sep 27, 2004 1:46 pm
Location: Germany, Offenbach

Post by tanrek » Wed Dec 22, 2004 3:51 pm

hydra1979 wrote: I have added .htaccess file....

but still been hacked again....

how can i do.....


If you have many mods installed I recommend

- rename your /phpbb/ folder to /backup_of_phpbb/
- install a new phpBB 2.0.11
- check your old config.php for plausibility *, if ok:
- copy your old config data to the new config.php
- update php to 4.3.10
- check your entire webspace for installed backdoors (suspicious files)
- eliminate all unauthorized admins **
- change all passwords
- reinstall your mods from /backup_of_phpbb/

otherwise

- update phpBB to 2.0.11
- check your config.php for plausibility *
- update php to 4.3.10
- check your entire webspace for installed backdoors (suspicious files)
- eliminate all unauthorized admins **
- change all passwords

If you leave out one of these steps your server might remain unsafe.


* http://www.phpbb.com/kb/article.php?article_id=48
** Run the following query to list all admins:

Code:

SELECT * FROM phpbb_users WHERE user_level = 1;
Last edited by tanrek on Wed Dec 22, 2004 6:54 pm, edited 1 time in total.

microski
Registered User
Posts: 103
Joined: Mon Apr 26, 2004 7:44 am
Location: cardboard box under the bridge

Post by microski » Wed Dec 22, 2004 5:15 pm


fumbalah
Registered User
Posts: 2000
Joined: Sat Jan 24, 2004 3:02 pm
Location: Lexington, Kentucky

Post by fumbalah » Wed Dec 22, 2004 6:07 pm

microski wrote: here's an article on the worm: http://news.bbc.co.uk/1/hi/technology/4117711.stm


We know :). If you run a webhosting company, you will most likely want to implement this or something similar. If you are hosted, drop a note to the server staff linking them to this topic; that way the news gets spread.

-jm-
Former Team Member
Posts: 2024
Joined: Fri Jul 16, 2004 10:56 am
Location: Inside the mind of the machine

Re: Apache forbidden rule for Santy.A worm

Post by -jm- » Wed Dec 22, 2004 7:58 pm

rcardona wrote: Earlier today I asked if there was a mod_rewrite rule I could add to Apache's config to stop generating PHP for the Santy.A worm bots hitting my server. I did some research and came up with these directives. They are implemented and working on my server.

Code:

RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527
RewriteRule ^.*$	-	[F,L]


403 error on all my site (tripod uk) until I removed it. Thanks anyway
-jm- (a.k.a. juanm) - *NO* private support
Hacked?
With so many beautiful colors in the world it’s a shame to make everything black and white - Dennis R. Little
my links: tips&stuff :: stuff only

jedi-mind-trick
Registered User
Posts: 9
Joined: Tue Dec 21, 2004 3:29 pm

Post by jedi-mind-trick » Wed Dec 22, 2004 8:04 pm

tanrek wrote: ** Run the following query to list all admins:

Code:

SELECT * FROM phpbb_users WHERE user_level = 1;


*wince*

[newbie alert] I apologize for my ignorance, for I do not understand exactly what this means: how exactly do I run a query and where? [/newbie alert]

tanrek
Registered User
Posts: 219
Joined: Mon Sep 27, 2004 1:46 pm
Location: Germany, Offenbach

Post by tanrek » Wed Dec 22, 2004 8:12 pm

jedi-mind-trick wrote:
tanrek wrote:** Run the following query to list all admins:

Code:

SELECT * FROM phpbb_users WHERE user_level = 1;


how exactly do I run a query and where?


You need a database administration software (like MySqlAdmin) for such a query.
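tanrek's query above, carried through to the "eliminate all unauthorized admins" step of the checklist earlier in the thread, as an added example that is not code from the thread or from phpBB. It uses Python's built-in sqlite3 as a stand-in for the board's MySQL database (the same query works in either), with a constructed handful of rows; the KNOWN_ADMINS set is an assumption standing in for the admin accounts the board owner actually created, and the user_level values are phpBB 2.0.x's own constants.

```python
import sqlite3

# phpBB 2.0.x user_level values from includes/constants.php: USER = 0, ADMIN = 1, MOD = 2
USER, ADMIN, MOD = 0, 1, 2

# Constructed sample rows (user_id, username, user_level); a real phpbb_users
# table has many more columns, but these are the ones the audit needs.
SAMPLE_USERS = [
    (2, "boardowner", ADMIN),
    (3, "alice", USER),
    (4, "bob", MOD),
    (5, "unexpected_admin", ADMIN),  # constructed: an admin the owner never created
]

# Assumption: the admin accounts the board owner knows they created.
KNOWN_ADMINS = {"boardowner"}


def build_sample_db():
    """Create an in-memory SQLite stand-in for the board's phpbb_users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE phpbb_users ("
        " user_id INTEGER PRIMARY KEY,"
        " username TEXT NOT NULL,"
        " user_level INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany("INSERT INTO phpbb_users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def list_admins(conn):
    """tanrek's query: every account with admin level, as (user_id, username)."""
    return conn.execute(
        "SELECT user_id, username FROM phpbb_users WHERE user_level = ? ORDER BY user_id",
        (ADMIN,),
    ).fetchall()


def unauthorized_admins(conn, known_admins):
    """Admin accounts that are not on the owner's list of accounts they created."""
    return [name for _, name in list_admins(conn) if name not in known_admins]


def demote(conn, usernames):
    """Drop the listed accounts back to plain users and return the remaining admins.
    Demoting rather than deleting keeps the rows around for later inspection."""
    conn.executemany(
        "UPDATE phpbb_users SET user_level = ? WHERE username = ?",
        [(USER, name) for name in usernames],
    )
    conn.commit()
    return list_admins(conn)


if __name__ == "__main__":
    db = build_sample_db()
    rogue = unauthorized_admins(db, KNOWN_ADMINS)
    print("admins before:", list_admins(db))
    print("not on the known list:", rogue)
    print("admins after demotion:", demote(db, rogue))
```

Against the live board the same three statements would be issued through whatever database client the host provides (phpMyAdmin, the mysql command line); the point of the comparison step is that "who is an admin" is only useful next to "who should be".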

Dr Vas!
Registered User
Posts: 3
Joined: Tue Dec 21, 2004 5:30 pm

Post by Dr Vas! » Thu Dec 23, 2004 5:56 pm

It seems to work :D

I had some minutes ago something like 25 pages visited by 66.249.66.203 ( googlebot.com ). If it's not the Worm ... what is it ?

And my board looks quite well at this time.
Thanks rcardona

PS : I have banned that IP for security.

rcardona
Registered User
Posts: 41
Joined: Fri Mar 26, 2004 3:57 am
Location: Austin, TX, USA

Post by rcardona » Thu Dec 23, 2004 6:20 pm

Googlebot is the google crawler. You should not ban its IP unless you don't want Google crawling your site. For controlling infobots, robots.txt is more effective than banning. Did googlebot generate 403 errors? It's possible that googlebot is following a referral from a discussion or vulnerability thread. I checked my logs and I have not returned any 403's to googlebot or msnbot.

Richard (rcardona)

tanrek
Registered User
Posts: 219
Joined: Mon Sep 27, 2004 1:46 pm
Location: Germany, Offenbach

Post by tanrek » Thu Dec 23, 2004 8:58 pm

Dr Vas! wrote: I had some minutes ago something like 25 pages visited by 66.249.66.203 ( googlebot.com ). If it's not the Worm ... what is it ?

PS : I have banned that IP for security.


66.249.66.203 - host name: crawl-66-249-66-203.googlebot.com

If you ban googlebots your forum will be delisted from Google. So normally these bots are highly appreciated. If you want to 'help' those kind of 'stupid' bots to spider your forum and thus decrease traffic, add robots.txt to your root directory:

User-agent: *
Disallow: /phpbb/admin/
Disallow: /phpbb/cache/
Disallow: /phpbb/db/
Disallow: /phpbb/docs/
Disallow: /phpbb/images/
Disallow: /phpbb/includes/
Disallow: /phpbb/language/
Disallow: /phpbb/templates/
Disallow: /phpbb/common.php
Disallow: /phpbb/config.php
Disallow: /phpbb/faq.php
Disallow: /phpbb/groupcp.php
Disallow: /phpbb/login.php
Disallow: /phpbb/memberlist.php
Disallow: /phpbb/modcp.php
Disallow: /phpbb/posting.php
Disallow: /phpbb/privmsg.php
Disallow: /phpbb/profile.php
Disallow: /phpbb/search.php
Disallow: /phpbb/viewonline.php
You cannot 'see' the worm (except for reading your logfiles).

If the real worm 'comes' it will call twice something like viewtopic.php?t=xxx&highlight=%2527...

If your forum is updated already nothing happens at all. The worm will look to you like a normal guest with an absolutely non-meaningful IP (IP of the last hacked server or a fake IP), and it will 'leave' your forum immediately after its two calls (actually it will 'die' at once).

If your forum is not updated you also will not be able to 'see' the worm, because your forum will be destroyed immediately.
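rcardona's rewrite rule earlier in the thread keys on `highlight=%2527` in the raw query string, and tanrek's point here is that the access log is the only place the worm is visible. The following is an added example (not code from the thread or from phpBB) that reads Apache combined-format log lines, applies the same marker test that the RewriteCond applies, and tallies matching requests by client IP and User-Agent along with how many were answered with 403. Every line, address and User-Agent string in SAMPLE_LOG is constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote

# Apache "combined" format:
# host ident authuser [time] "method path protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The marker rcardona's RewriteCond keys on. %25 is a percent sign, so %2527
# is a double-encoded apostrophe (%27): one decoding pass still leaves %27 in
# the highlight parameter for the application to decode a second time.
WORM_MARKER = re.compile(r'highlight=%2527', re.IGNORECASE)

# Constructed sample log (documentation-range addresses, made-up agents):
# two calls from one client that were denied, one earlier call that was not,
# a crawler using highlight= legitimately, and an ordinary page view.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Dec/2004:15:51:02 +0000] "GET /phpbb/viewtopic.php?t=12&highlight=%2527 HTTP/1.0" 403 - "-" "lwp-trivial/1.41"
203.0.113.7 - - [22/Dec/2004:15:51:03 +0000] "GET /phpbb/viewtopic.php?t=12&highlight=%2527 HTTP/1.0" 403 - "-" "lwp-trivial/1.41"
192.0.2.55 - - [22/Dec/2004:09:14:40 +0000] "GET /phpbb/viewtopic.php?t=8&highlight=%2527 HTTP/1.0" 200 7310 "-" "lwp-trivial/1.41"
66.249.66.203 - - [22/Dec/2004:15:52:10 +0000] "GET /phpbb/viewtopic.php?t=12&highlight=phpbb HTTP/1.1" 200 8123 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.9 - - [22/Dec/2004:15:53:00 +0000] "GET /phpbb/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible)"
"""


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    return entry


def is_worm_request(entry):
    """Same test as the RewriteCond: marker present in the raw query string,
    before any decoding, which is how mod_rewrite sees QUERY_STRING."""
    return bool(WORM_MARKER.search(urlsplit(entry['path']).query))


def decoded_highlight(entry):
    """The highlight parameter after two decoding passes, to show what %2527
    turns into; None when the request carries no highlight parameter."""
    for part in urlsplit(entry['path']).query.split('&'):
        if part.lower().startswith('highlight='):
            return unquote(unquote(part[len('highlight='):]))
    return None


def scan(lines):
    """Count worm-marked requests per IP and User-Agent, and how many got a 403."""
    report = {'total': 0, 'unparsed': 0, 'worm_hits': 0, 'worm_denied': 0,
              'by_ip': Counter(), 'by_agent': Counter()}
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            report['unparsed'] += 1
            continue
        report['total'] += 1
        if is_worm_request(entry):
            report['worm_hits'] += 1
            report['by_ip'][entry['ip']] += 1
            report['by_agent'][entry['agent']] += 1
            if entry['status'] == 403:
                report['worm_denied'] += 1
    return report


if __name__ == "__main__":
    r = scan(SAMPLE_LOG.splitlines())
    print(f"{r['worm_hits']} worm-marked requests, {r['worm_denied']} denied with 403")
    for ip, n in r['by_ip'].most_common():
        print(f"  {ip}: {n}")
    for agent, n in r['by_agent'].most_common():
        print(f"  {agent!r}: {n}")
```

Run it against a real access_log by replacing SAMPLE_LOG.splitlines() with the opened file. A crawler's legitimate `highlight=phpbb` does not match, which is why the rule is safe to leave in place, and any marked request that was answered 200 rather than 403 dates from before the rule was installed and is worth following up with the checklist earlier in the thread.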

Phineus1
Registered User
Posts: 64
Joined: Sat Nov 08, 2003 11:55 pm

Post by Phineus1 » Fri Dec 24, 2004 2:08 pm

If your forum is not updated you also will not be able to 'see' the worm because your forum will be destroyed immediately.


Not true. I'm not sure what it's looking for before it gets in, but it doesn't necessarily happen instantly. I had one hit that flooded mysql to the point it could no longer deliver content because of too many connections, and it still didn't break it.

My forum has its own subdomain so I could do this in the robots.txt file.

Code:

User-agent: *
Disallow: / 
That stops honest spiders from crawling the forum, but the remainder of the server is unaffected.

Also, I added this to htaccess

Code:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} Googlebot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} lwp-trivial 
RewriteRule .* - [F] 
The second one was prominently displayed in the logs.

The_Master
Registered User
Posts: 118
Joined: Fri Dec 28, 2001 2:21 am
Location: Germany

Post by The_Master » Fri Dec 24, 2004 2:32 pm

Phineus1 wrote:
If your forum is not updated you also will not be able to 'see' the worm because your forum will be destroyed immediately.


Not true. I'm not sure what it's looking for before it gets in, but it doesn't necessarily happen instantly. I had one hit that flooded mysql to the point it could no longer deliver content because of too many connections, and it still didn't break it.


The worm goes (according to my access_log) directly after the viewtopic.php instantly trying to hack the board, so it's not looking for anything else previously. What might have flooded your board is the (lately) very active google- or msn-bot, don't confuse them with the worm.

CLee
Registered User
Posts: 511
Joined: Fri Nov 23, 2001 2:42 pm

Post by CLee » Fri Dec 24, 2004 2:56 pm

I believe there is a MOD that limits Googlebot to one predefined session. The MOD can be located in the knowledge base somewhere. It may be a good idea to do one for the MSN-bot as well.
Carlos Myers
A+, Network+
Member - Star Wars Roleplaying Club

tanrek
Registered User
Posts: 219
Joined: Mon Sep 27, 2004 1:46 pm
Location: Germany, Offenbach

Post by tanrek » Fri Dec 24, 2004 3:25 pm

Phineus1 wrote: Not true. I'm not sure what it's looking for before it gets in, but it doesn't necessarily happen instantly. I had one hit that flooded mysql to the point it could no longer deliver content because of too many connections, and it still didn't break it.


In spite of their names those worms are no living beings and they cannot sneak about looking for good opportunities. In fact they consist of only one batch of commands which either fails or works. They have no further intelligence or flexibility. You can look at the source code of Santy.A here: http://www.k-otik.com/exploits/20041222 ... orm.pl.php

Lord Raiden
Registered User
Posts: 391
Joined: Sat Jun 26, 2004 11:24 pm

Post by Lord Raiden » Fri Dec 24, 2004 6:17 pm

Hey, rcardona thanks for the htaccess mod. It's really helped a lot in fixing this problem. I freaked out when I came to my forums this morning and saw how many guests there were and yet nobody logged in which is odd. The mod proved that I was seeing an attack by that blasted sanity worm. But that's solved now. :)
Steve Lake
-Owner/Admin/Author of:
-Raiden's Realm - Bringing Linux to the World

rcardona
Registered User
Posts: 41
Joined: Fri Mar 26, 2004 3:57 am
Location: Austin, TX, USA

Post by rcardona » Sat Dec 25, 2004 12:13 am

You're welcome Lord Raiden. I thought 2000 requests per day was high during the first wave of Santy.A. That dropped to 50 requests yesterday. Today my site denied 40,000 requests to the latest Santy variant! Does anyone know how this one is spreading? Did it get re-tooled to sidestep Google?

I'm seeing this user-agent in my logs: lwp-trivial/1.41
What is this?
