Page 11 of 16

Posted: Sun Jan 23, 2005 3:08 am
by Psychotic_Carp
-=ORC_The_Dude=- wrote:
-jm- wrote:
thecoalman wrote: htaccess.txt (not sure if Windows supports long file extensions)


Win98SE supports the *.htaccess extension. It doesn't let me rename a file to .htaccess with nothing before the dot.



But no one answers the question...

Is it possible to get the .htaccess file itself, as one file, in a zip...???


Try this:

there is already a .htaccess file in your phpBB folder (the cache folder).

Download it to your desktop, open it with Notepad (or get HTML-Kit; Google it), paste in the code and save it, then upload it where you want it.


What I want to know is: what is the best code to use currently, and which folders are the best to use? (Replace the one in the cache folder? And can I place the file in multiple locations?)

Posted: Mon Jan 24, 2005 6:05 pm
by damiel
whit wrote: You could probably get away with:

Code:

RewriteEngine On
RewriteBase /

# Santy sends its payload in viewtopic.php?...&highlight=%2527...
# (%2527 is a double-URL-encoded single quote)
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
# Perl LWP user agents; NC = case-insensitive match
RewriteCond %{HTTP_USER_AGENT} ^lwp [NC]
# answer matching requests with 403 Forbidden and stop rewriting
RewriteRule ^.*$ - [F,L]
The highlight line catches, I think, all the variants of Santy I've logged. The next catches all the attempts at custom hacks from Perl I've seen so far (everything starting with LWP or lwp; the "NC" means "no case"). You can at the very least get rid of all the LWP and lwp lines but that one.


I realized today that my forum was being hit by these stupid worms (far more "guests" than usual, and then, looking at the "latest visitors" stats in cPanel, I realized that they were all trying to use the "highlight" exploit). I wasn't worried about getting trashed anymore, because I had upgraded to phpBB 2.0.11 a month ago and PHP was upgraded to 4.3.10 by the host. However, I was worried about the bandwidth usage, and I just wanted to say that this .htaccess script worked like a charm. Very soon after I added it, the "guests" went away.

Damiel

Posted: Mon Jan 24, 2005 6:31 pm
by damiel
BTW, in case anyone cares, I write .htaccess scripts in Windows by uploading the file as htaccess.txt (or, really, any extension doesn't make a difference). Then, while in FTP, I rename the file as .htaccess.

It's really simple.

Damiel

Posted: Mon Jan 24, 2005 7:53 pm
by jsundqui
damiel wrote: I realized today that my forum was being hit by these stupid worms (far too many "guests" than usual, and then looking at the "latest visitors" stats in CPanel, I realized that they were all trying to use the "highlight" exploit). I wasn't worried about getting trashed anymore, because I had upgraded to phpBB 2.0.11 a month ago and PHP was upgraded to 4.3.10 by the host. However, I was worried about the bandwidth usage, and I just wanted to say that this .htaccess script worked like a charm. Very soon after I added it, the "guests" went away.

Damiel


It seems the worms kicked it up a notch today at my site as well. I did the mod_rewrite changes to .htaccess a while ago so they all get 403'd, but I was only getting worm attempts every few minutes or so, and from what seemed to be hijacked cable/DSL home lusers. But today it has cranked up to every 10 seconds or so, and they seem to be coming from hosting outfits. This is all based on unscientific sampling of IPs to look up. But the hit rate is definitely a huge spike today.

BTW, I've been getting some users registering from Russia that seem intent on breaking in. They got in a while ago, probably by reading config.php before I upgraded to 2.0.11 (and I had the same password for the db as the site - since changed) (curiously, site was not defaced as was done with other santy attacks, although my portal page was eventually hacked, no other files deleted, though). But it is curious that they needed to sign up as users to do this. Is there another crack out there not yet discovered or reported?

Posted: Mon Jan 24, 2005 8:22 pm
by liluli
I have created a .htaccess file with the following code (there are no other lines in the file):

Code:

RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b
RewriteRule ^.*$ - [F,L]
I have tried uploading it via FTP, and wherever I put it, when I then go to my site I get an Internal Server Error 500 page; when I remove the .htaccess file the site loads again.

Any ideas why it won't work?

Posted: Mon Jan 24, 2005 10:05 pm
by Psychotic_Carp
liluli wrote: I have created a .htaccess file with the following code (there are no other lines in the file):

Code:

RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b
RewriteRule ^.*$ - [F,L]
I have tried uploading it via FTP, and wherever I put it, when I then go to my site I get an Internal Server Error 500 page; when I remove the .htaccess file the site loads again.

Any ideas why it won't work?



have you checked to see if you have any viruses?

Posted: Mon Jan 24, 2005 10:06 pm
by Captain Jim
Okay, I've been reading about this for a little bit and I'm really confused. I have identified two .htaccess files on my site, one in my main directory and the other in the phpBB cache directory. What should I add to these files which will not cause any further harm? I see lots and lots of options being posted and can't make heads or tails out of this stuff... I need something plain and simple. THANKS in advance... this work sucks!!!

Posted: Mon Jan 24, 2005 10:17 pm
by liluli
Psychotic_Carp wrote: have you checked to see if you have any viruses?


Sorry to be a newbie to this. I have searched for strange/unusual files across all my folders through my ftp and found nothing. Is that what you mean?

My site today is constantly being hit and have disabled the board for the time being, however obviously they are still there on the forum index.

Could .htaccess not be working due to my server's configuration? Do I need to ask for it to be enabled to work or something? Thanks

Posted: Mon Jan 24, 2005 11:15 pm
by Hynee
Captain Jim wrote: Okay, I've been reading about this for a little bit and I'm really confused. I have identified two .htaccess files on my site, one in my main directory and the other in the phpBB cache directory. What should I add to these files which will not cause any further harm? I see lots and lots of options being posted and can't make heads or tails out of this stuff... I need something plain and simple. THANKS in advance... this work sucks!!!


The .htaccess in the cache directory should be left alone: it just prevents people from snooping, nobody will normally try to go there, and Santy doesn't.

As for the .htaccess prevention, firstly I believe there is a new Santy out there that is significantly different: it uses the user agent "Mozilla 4.0", so checks will have to be modified.

Something like

Code:

RewriteCond %{HTTP_USER_AGENT} ^Mozilla\ 4\.0$
should catch it, and not other browsers, plus checks for multiple 'chr(xxx)' in the query string, as was the case.

I've coded my Santy overload protection into common.php, which is apparently more wasteful of server resources, but I know it works:

In common.php

Find

Code:

if ( !defined('IN_PHPBB') )
{
	die("Hacking attempt");
}
After, insert

Code:

//Worm prevention
// read the headers defensively: a request with no User-Agent would otherwise raise a notice
$user_agent   = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$query_string = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';

//echo $query_string;

// Perl LWP user agents such as "LWP::Simple/5.8" or "lwp-trivial/1.41" (case-insensitive)
$UA_Match = preg_match('#LWP(\:\:Simple|\-trivial)\/\d\.\d+#i', $user_agent);
$QueryMatch = (
  (preg_match_all('#chr\%28\d+\%29#U', $query_string, $matches) > 10) || // more than ten URL-encoded chr(xxx), xxx digits
  (strpos($query_string, '%24HTTP_GET_VARS') !== false) ||               // $HTTP_GET_VARS; strpos returns 0 for a match at offset 0, so compare against false
  (preg_match_all('#chr\(\d+\)#U', $query_string, $matches) > 10)         // more than ten literal chr(xxx)
);

if ($UA_Match || $QueryMatch) {
  die();
}

//END Worm protection
I haven't updated the UA check, but the check for chr(xxx) gets it anyway.

Probably changing

Code:

$UA_Match = preg_match('#LWP(\:\:Simple|\-trivial)\/\d\.\d+#i', $user_agent);
to

Code:

// also match the exact user agent "Mozilla 4.0" sent by the newer variant
$UA_Match = (preg_match('#LWP(\:\:Simple|\-trivial)\/\d\.\d+#i', $user_agent) || preg_match('#^Mozilla\s4\.0$#i', $user_agent));
will catch the user agent too.

Sorry for straying into PHP protection, but it's what I know.

Posted: Mon Jan 24, 2005 11:17 pm
by -=ORC_The_Dude=-
OK, my board works fine...
I was hacked, but I reinstalled the server...
installed 2.0.11 fresh and the MySQL server.
At first we wanted to use PHP 5.0.3,
but it did not connect to MySQL...
so we are back at 4.X.X... something...

The problem is I want to beat them and not reinstall it...


If I put these lines in my viewtopic.php just after the

<?php :
if(stristr($QUERY_STRING,'%2527')) {
die();
}


I get the page but with the following error statements...
Notice: Undefined variable: QUERY_STRING in MYLOCALPATH\viewtopic.php on line 2

Warning: Cannot modify header information - headers already sent by (output started at MYLOCALPATH\viewtopic.php:2) in MYLOCALPATH\includes\sessions.php on line 305

Warning: Cannot modify header information - headers already sent by (output started at MYLOCALPATH\viewtopic.php:2) in MYLOCALPATH\includes\sessions.php on line 306

Warning: Cannot modify header information - headers already sent by (output started at MYLOCALPATH\viewtopic.php:2) in MYLOCALPATH\viewtopic.php on line 563

Warning: Cannot modify header information - headers already sent by (output started at MYLOCALPATH\viewtopic.php:2) in MYLOCALPATH\includes\page_header.php on line 471

Warning: Cannot modify header information - headers already sent by (output started at MYLOCALPATH\forum2\viewtopic.php:2) in MYLOCALPATH\includes\page_header.php on line 477

Warning: Cannot modify header information - headers already sent by (output started at MYLOCALPATH\viewtopic.php:2) in MYLOCALPATH\includes\page_header.php on line 478


and the insert I do at line 2..... in viewtopic.php

This does not work...

Please advise????

I'm lost....

I've contacted the person who posted it... but he does not know it...

Posted: Mon Jan 24, 2005 11:32 pm
by jsundqui
Believe it or not, I think this may be due to putting a hard return at line 2 or somewhere.

Remove a blank line, resave and see if it works.

Posted: Tue Jan 25, 2005 12:30 am
by frankoamiricano
I am using this .htaccess code:

Code:

RewriteEngine On

# prevent access from santy webworm a-e
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]
RewriteCond %{QUERY_STRING} ^(.*)wget\%20
RewriteRule ^.*$ http://127.0.0.1/ [R,L]

# prevent pre php 4.3.10 bug
RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b
RewriteRule ^.*$ http://127.0.0.1/ [R,L]

# prevent perl user agent (most often used by santy)
RewriteCond %{HTTP_USER_AGENT} ^lwp.* [NC]
RewriteRule ^.*$ http://127.0.0.1/ [R,L]
I think it is working, but how can I get Apache to send matches to this code to a separate log and get them out of my main access_log? I have no way to test the effectiveness of this, and it is also making a nice mess of my logs.
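Two questions in this thread, frankoamiricano's (how to see what the rules actually match, since mod_rewrite itself gives no feedback) and Hynee's chr(xxx)/user-agent checks in common.php, can both be exercised offline against an existing access_log. The script below is an added example written for this edit, not code from the thread, from phpBB or from Apache: it parses Apache "combined" log lines, applies the signatures that the thread's .htaccess and common.php snippets use (highlight=%2527, rush=echo or its %65%63%68 encoding, wget%20, $HTTP_GET_VARS, more than ten chr(xxx) calls, user agents starting with lwp, and the exact user agent "Mozilla 4.0"), and reports how many lines would have been refused, per signature and per source IP. The log lines, IP addresses and the chr() payload are constructed for the example and are not real traffic; the cookie check is left out because the combined log format does not record cookies.

```python
"""Offline scan of Apache 'combined' access-log lines for the Santy signatures
discussed in this thread. Added example; sample data below is constructed."""
import re
from collections import Counter

# Apache combined LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def _chr_calls(qs):
    """Count chr(NNN) occurrences, URL-encoded (%28/%29) or literal, ignoring case."""
    return len(re.findall(r'chr(?:%28|\()\d+(?:%29|\))', qs, re.I))


# Signatures taken from the .htaccess and common.php snippets in this thread.
# Each test receives the raw (still URL-encoded) query string, exactly as
# mod_rewrite's %{QUERY_STRING} sees it, and the User-Agent header.
SIGNATURES = {
    "highlight_%2527": lambda qs, ua: re.search(r'highlight=%2527', qs, re.I) is not None,
    "rush_echo":       lambda qs, ua: re.search(r'rush=(?:echo|%65%63%68)', qs, re.I) is not None,
    "wget":            lambda qs, ua: re.search(r'wget%20', qs, re.I) is not None,
    "http_get_vars":   lambda qs, ua: '%24HTTP_GET_VARS' in qs,
    "chr_flood":       lambda qs, ua: _chr_calls(qs) > 10,
    "lwp_ua":          lambda qs, ua: ua.lower().startswith('lwp'),
    # anchored on both ends, so "Mozilla/4.0 (compatible; MSIE ...)" does not match
    "mozilla_4.0_ua":  lambda qs, ua: re.fullmatch(r'Mozilla 4\.0', ua, re.I) is not None,
}


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    parts = fields["request"].split(" ")          # "METHOD /path?query HTTP/x.y"
    fields["query"] = parts[1].partition("?")[2] if len(parts) >= 2 else ""
    return fields


def matched_signatures(fields):
    """Names of every signature that fires for one parsed line."""
    qs, ua = fields["query"], fields["ua"]
    return [name for name, test in SIGNATURES.items() if test(qs, ua)]


def analyze(lines):
    """Scan log lines and return the counts worth reporting."""
    by_signature, by_ip = Counter(), Counter()
    total = blocked = unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        total += 1
        fields = parse_line(line)
        if fields is None:
            unparsed += 1
            continue
        hits = matched_signatures(fields)
        if hits:
            blocked += 1
            by_ip[fields["ip"]] += 1
            by_signature.update(hits)
    return {"total": total, "blocked": blocked, "unparsed": unparsed,
            "by_signature": by_signature, "by_ip": by_ip}


# Constructed sample log (not real traffic): a normal visitor, three worm-style probes,
# an MSIE 6 browser, a harmless Perl lwp-request client, and a truncated line.
_CHR_FLOOD = "%252e".join("chr(%d)" % c for c in b"hello world!")   # 12 chr() calls
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Jan/2005:18:05:01 -0500] "GET /phpBB2/viewtopic.php?t=42&highlight=santy HTTP/1.1" '
    '200 8123 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"',
    '198.51.100.7 - - [24/Jan/2005:18:05:02 -0500] "GET /phpBB2/viewtopic.php?t=1&highlight=%2527%252e'
    + _CHR_FLOOD + '%252e%2527 HTTP/1.0" 403 - "-" "lwp-trivial/1.41"',
    '198.51.100.7 - - [24/Jan/2005:18:05:12 -0500] "GET /phpBB2/viewtopic.php?t=1&highlight=%2527%252e'
    'include(%24HTTP_GET_VARS%5Brush%5D)%252e%2527&rush=%65%63%68o HTTP/1.0" 403 - "-" "LWP::Simple/5.803"',
    '192.0.2.33 - - [24/Jan/2005:18:05:22 -0500] "GET /phpBB2/viewtopic.php?t=7&highlight=%2527 HTTP/1.1" '
    '403 - "-" "Mozilla 4.0"',
    '192.0.2.99 - - [24/Jan/2005:18:05:30 -0500] "GET /phpBB2/index.php HTTP/1.1" 200 5120 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '203.0.113.9 - - [24/Jan/2005:18:05:41 -0500] "GET /phpBB2/rss.php HTTP/1.1" 200 2048 "-" "lwp-request/2.06"',
    'garbage line that is not combined-log format',
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                              # scan a real access_log
        with open(sys.argv[1], encoding="latin-1") as fh:
            report = analyze(fh)
    else:                                              # or the built-in sample
        report = analyze(SAMPLE_LOG)
    print("lines: %(total)d  would be refused: %(blocked)d  unparsed: %(unparsed)d" % report)
    for name, n in report["by_signature"].most_common():
        print("  signature %-16s %d" % (name, n))
    for ip, n in report["by_ip"].most_common(10):
        print("  source    %-16s %d" % (ip, n))
```

Run it with no argument to scan the built-in sample, or pass the path of an access_log. The sixth sample line shows the cost of the blanket lwp rule: a harmless lwp-request client is refused alongside the worm, which is the trade-off to weigh before keeping that condition.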

Posted: Tue Jan 25, 2005 1:22 am
by SillySprout
Hynee wrote: In common.php

Find

Code:

if ( !defined('IN_PHPBB') )
{
	die("Hacking attempt");
}
After, insert

Code:

//Worm prevention
// read the headers defensively: a request with no User-Agent would otherwise raise a notice
$user_agent   = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$query_string = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';

//echo $query_string;

// Perl LWP user agents such as "LWP::Simple/5.8" or "lwp-trivial/1.41" (case-insensitive)
$UA_Match = preg_match('#LWP(\:\:Simple|\-trivial)\/\d\.\d+#i', $user_agent);
$QueryMatch = (
  (preg_match_all('#chr\%28\d+\%29#U', $query_string, $matches) > 10) || // more than ten URL-encoded chr(xxx), xxx digits
  (strpos($query_string, '%24HTTP_GET_VARS') !== false) ||               // $HTTP_GET_VARS; strpos returns 0 for a match at offset 0, so compare against false
  (preg_match_all('#chr\(\d+\)#U', $query_string, $matches) > 10)         // more than ten literal chr(xxx)
);

if ($UA_Match || $QueryMatch) {
  die();
}

//END Worm protection


Thank you! This worm was taking around 300 meg per hour of bandwidth for 8 hours constant. A little cut & paste has solved it. You're an angel! :D

Posted: Tue Jan 25, 2005 1:46 am
by kwag
Thank you Hynee :D
This was driving me mad too 8O
I applied the patch, and the forum seems to be getting back to normal.
We had a guest count of over 900 (worm) users today 8O

Cheers,
-kwag