Apache forbidden rule for Santy.A worm

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
caped_crusader
Registered User
Posts: 41
Joined: Fri Jul 16, 2004 6:13 pm

Post by caped_crusader » Tue Jan 25, 2005 7:54 pm

Dr Vas! wrote: It seems to work :D

I had some minutes ago something like 25 pages visited by 66.249.66.203 ( googlebot.com ). If it's not the Worm ... what is it ?

And my board looks quite well at this time.
Thanks rcardona

PS : I have banned that IP for security.


I've got googlebot LOGGING IN. How is that possible??? Every day I get a bunch of 'guests' who all turn out to be googlebot. Now I'm watching on the Admin panel, they logged in and are now in the forum. Is that possible? I'm getting nervous now. I understand googlebot is just spidering the forum, but how can they log in???

caped_crusader
Registered User
Posts: 41
Joined: Fri Jul 16, 2004 6:13 pm

Post by caped_crusader » Tue Jan 25, 2005 7:58 pm

caped_crusader wrote: I've got googlebot LOGGING IN. How is that possible??? Every day I get a bunch of 'guests' who all turn out to be googlebot. Now I'm watching on the Admin panel, they logged in and are now in the forum. Is that possible? I'm getting nervous now. I understand googlebot is just spidering the forum, but how can they log in???


Now I've got FIVE googlebots. Is that right? Viewing FAQ, Forum Index. SHOULD I do something to stop this? Or is this just normal spidering? Thanks.

Subsim
Registered User
Posts: 173
Joined: Mon Apr 08, 2002 5:12 pm

Post by Subsim » Tue Jan 25, 2005 9:50 pm

I want to warn you, there can be serious consequences when trying the .htaccess method unless you are very comfortable and you know what you are doing. I never paid attention to this file before last night and, with my forum loading up with worm guests, I found the first thread here and gave it a try. Down 12 hours, and my server tech support doesn't have a clue.

Psychotic_Carp
Registered User
Posts: 556
Joined: Fri Dec 03, 2004 1:45 pm

Post by Psychotic_Carp » Wed Jan 26, 2005 12:21 am

If you want to give me access to your site, I'll try to find it and get rid of it, if you want to chance it.

Subsim
Registered User
Posts: 173
Joined: Mon Apr 08, 2002 5:12 pm

Post by Subsim » Wed Jan 26, 2005 12:24 am

Thanks, mate, much appreciated. I've contracted EasyServerManagement.com to have a look. They specialize in troubleshooting unmanaged servers run by people like me (who know only enough to cause trouble). Hopefully they can come up with something.

pieman666
Registered User
Posts: 11
Joined: Tue Nov 30, 2004 11:45 am

Post by pieman666 » Wed Jan 26, 2005 9:54 am

My forums are back online, and I have patched the common.php so I shouldn't get any more trouble should I?

My most-ever users online is now 315, timed about 1 hour before my ISP pulled the plug. As I normally have only around 10 online at once, with 300+ bots all trying the same exploit numerous times in a short space of time it's no wonder they pulled the plug...

I am just downloading the logs for the past few days to try and get an idea of how long the attacks have been going on, as typically I had been ill when all this happened....

exegeses
Registered User
Posts: 23
Joined: Wed Jan 21, 2004 1:24 pm

Post by exegeses » Wed Jan 26, 2005 11:01 am

jedi-mind-trick wrote:
tanrek wrote:** Run the following query to list all admins:

Code: Select all

SELECT * FROM phpbb_users WHERE user_level = 1;


*wince*

[newbie alert] I apologize for my ignorance, for I do not understand exactly what this means: how exactly do I run a query and where? [/newbie alert]




Should you have a phpMyAdmin application available on your server, you should access it, click on your forum database and then on SQL.
Next, in the text area write:

Code: Select all

SELECT *
FROM `phpbb_users`
WHERE user_level = 1
Then hit the GO button. This will run the query and show you all the users with Admin privileges.
Finally, delete the ones that should not be there.

phamenoth
Registered User
Posts: 37
Joined: Thu Jun 12, 2003 1:02 am

Post by phamenoth » Wed Jan 26, 2005 5:13 pm

Hi guys,

Though I updated to phpBB 2.0.11 quite a while ago (when it first was released), I have just realized that seeing 800-900 guests in my forum at a time was because of this exploit.

Yesterday, my server admin applied a rewritecond for the entire server, and when you try to go to a URL as the exploit does, it gives a 406 error. I figured this would stop the number of guests, but it hasn't. This either means the rewritecond was unsuccessful for some reason (maybe it's not extensive enough?), or that something is up with the forum.

I've read a lot of the pages here (but not all) and it seems that even if the rewrite works, you still see the guests for some reason? Not sure why (so if someone can explain, I'd be appreciative), but I tried to add some code to common.php anyways.

I first tried Dark Matter's route (posted originally on page 3), but I get tons of blazing phpbb_sessions errors (something is outputting info to the header, it seems). I did put the code in the exact right place, and I know PHP quite well... I just didn't want to troubleshoot for a while because I don't know how all the files interact in phpBB super well.

Then I tried adding Hynee's code (posted on page 9)

Code: Select all

//Worm prevention
// Read the request fields defensively: either can be unset (e.g. a client that sends no User-Agent).
$user_agent   = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$query_string = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';

//echo $query_string;

// Santy's Perl LWP user agent, e.g. LWP::Simple/5.803
$UA_Match = preg_match('#LWP(\:\:Simple|\-trivial)\/\d\.\d+#i', $user_agent);
$QueryMatch = (
   (preg_match_all('#chr\%28\d+\%29#U', $query_string, $matches) > 10) || // chr(xxx) with ( ) percent-encoded, xxx digits
   (strpos($query_string, '%24HTTP_GET_VARS') !== false) ||               // $HTTP_GET_VARS; strpos() returns 0 for a match at offset 0, so test !== false
   (preg_match_all('#chr\(\d+\)#U', $query_string, $matches) > 10)        // chr(xxx) literal
);

if ($UA_Match || $QueryMatch) {
   die();
}

//END Worm protection

added this, no errors... but I still have 700-900 guests per hour.

Does anyone have any ideas of further things to do? Or could perhaps explain why these guests are showing up even after the server supposedly is protecting against the queries? This is destroying my bandwidth... my site (http://www.anime-planet.com/forum/ , for the forum) gets around 5,000 unique users a day and having 20,000 guests PER DAY show up is insane! Any help would be greatly appreciated ^_^

phamenoth
Registered User
Posts: 37
Joined: Thu Jun 12, 2003 1:02 am

Post by phamenoth » Thu Jan 27, 2005 3:04 pm

Err... anyone? I even tried adding rewrite code to my local htaccess file and am still getting ~900 guests per hour...

asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

Post by asinshesq » Fri Jan 28, 2005 3:35 am

I'm pretty confused, but here goes:

I'm running phpBB 2.0.11 on a WinXP (SP2) PC with Apache 2.0.52, MySQL 4.1.9 and PHP 5.0.3. My board is set up so that no guests can post or read any posts. I have noticed absolutely no unusual traffic (though I have disabled the guest count on the index page since I don't allow guests to read posts, and for that reason I suppose their existence could escape my attention since I don't go to the admin pages too often). My Apache log files are monstrously long, but they don't look odd (although I frankly wouldn't know what to look for in figuring out whether I'm being hit).

Anyway, given that I am running the latest versions of everything and that I do not allow guests to read posts, am I safe or should I be doing something with my httpd.conf file or my common.php file? If so, what should I do (there seems to be a lot of different approaches being discussed in this thread)?

Thanks for any advice on this!

David Palmer
Registered User
Posts: 319
Joined: Tue Nov 23, 2004 5:25 pm

Post by David Palmer » Fri Jan 28, 2005 4:46 pm

Phamenoth:

Are you using this, or similar, in your .htaccess (from the first few pages of this thread):

Code: Select all

RewriteEngine On 

# prevent access from santy webworm a-e 
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR] 
RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR] 
RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR] 
RewriteCond %{QUERY_STRING} ^(.*)wget\%20 
RewriteRule ^.*$   -   [F,L]  
Almost all of the server hits I'm seeing (3500/day) are of the highlight=%2527 or rush=%6563 variety, and the above .htaccess script stops them cold (they all get a 403 Forbidden response and don't waste any forum bandwidth).

Dave
Last edited by David Palmer on Sat Jan 29, 2005 7:08 am, edited 2 times in total.
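
To check from the access log that rules like these are actually taking effect, here is an added example (not code from the thread or from phpBB): a small Python script that applies the same four query-string signatures to Apache combined-format log lines and lists any worm request that was answered with something other than 403. The lines in SAMPLE_LOG are constructed for illustration; the IPs, timestamps and user agents are made up. The decode_twice() helper shows why the rule keys on %2527 rather than on %27 or a literal quote.

```python
"""Audit Apache access-log lines for the Santy query-string signatures that
the RewriteCond rules above block, and confirm each matching request really
got the 403 the rules are supposed to produce.

Added example, not code from the thread.  The log lines in SAMPLE_LOG are
constructed (Apache combined log format); IPs, paths, timestamps and user
agents are made up.
"""
import re
from collections import Counter
from urllib.parse import unquote

# The same four signatures as the RewriteCond lines.  They are matched
# against the RAW, still percent-encoded query string, which is what
# mod_rewrite's %{QUERY_STRING} contains.
SANTY_PATTERNS = {
    "highlight=%2527": re.compile(r"highlight=%2527", re.I),
    "rush=%65%63%68": re.compile(r"rush=%65%63%68", re.I),
    "rush=echo": re.compile(r"rush=echo", re.I),
    "wget%20": re.compile(r"wget%20", re.I),
}

# Combined log format:
# ip ident user [time] "METHOD path HTTP/x.y" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SAMPLE_LOG = [  # constructed sample lines
    # Worm hit rejected by the RewriteRule: the outcome the rules should give.
    '10.0.0.5 - - [28/Jan/2005:10:01:02 -0500] "GET /forum/viewtopic.php?t=12&highlight=%2527 HTTP/1.1" 403 0 "-" "LWP::Simple/5.803"',
    # Second variant (rush=echo with each letter percent-encoded), also rejected.
    '10.0.0.6 - - [28/Jan/2005:10:01:05 -0500] "GET /forum/viewtopic.php?t=3&rush=%65%63%68%20test HTTP/1.1" 403 0 "-" "LWP::Simple/5.803"',
    # Same payload answered 200: the rule is not taking effect for this request.
    '10.0.0.7 - - [28/Jan/2005:10:02:11 -0500] "GET /forum/viewtopic.php?t=12&highlight=%2527 HTTP/1.1" 200 18322 "-" "LWP::Simple/5.803"',
    # Ordinary crawler traffic: no signature, must not be counted.
    '192.0.2.10 - - [28/Jan/2005:10:03:00 -0500] "GET /forum/viewtopic.php?t=1&start=0 HTTP/1.1" 200 20011 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"',
]


def parse_line(line):
    """Split one combined-log line into fields; return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"], _, rec["query"] = rec["path"].partition("?")
    return rec


def classify(query):
    """Names of the Santy signatures present in a raw query string (empty list if clean)."""
    return [name for name, rx in SANTY_PATTERNS.items() if rx.search(query)]


def audit(lines):
    """Count hits per signature and list worm requests that were NOT answered 403."""
    per_signature = Counter()
    not_blocked = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sigs = classify(rec["query"])
        per_signature.update(sigs)
        if sigs and rec["status"] != 403:
            not_blocked.append((rec["ip"], rec["path"], rec["status"]))
    return per_signature, not_blocked


def decode_twice(fragment):
    """Why the rule matches %2527 and not %27: the worm double-encodes the quote.
    Apache's own decoding turns %2527 into %27, and phpBB 2.0.10's viewtopic.php
    ran urldecode() on the highlight parameter once more, yielding the raw '
    the exploit needs.  mod_rewrite sees the undecoded %2527."""
    return unquote(unquote(fragment))


if __name__ == "__main__":
    per_signature, not_blocked = audit(SAMPLE_LOG)
    for name, count in per_signature.most_common():
        print(f"{count:5d}  {name}")
    for ip, path, status in not_blocked:
        print(f"NOT BLOCKED: {ip} {path} -> {status}")
```

Run it over a real log with `audit(open("access_log"))`; the regex ignores the trailing newline. Any line in the NOT BLOCKED list means the request matched a worm signature but the RewriteRule did not fire for it, which is the situation to chase (rule placed in the wrong directory, AllowOverride not permitting FileInfo, or a variant the four patterns do not cover).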

phamenoth
Registered User
Posts: 37
Joined: Thu Jun 12, 2003 1:02 am

Post by phamenoth » Fri Jan 28, 2005 5:29 pm

Thanks for the response, David,

Code: Select all

RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 
RewriteRule ^.*$   -   [F,L] 
this is what I have at the moment. I've tried other things too, though... like:

Code: Select all

 # phpBB exploit worm attempt 
SecFilterSelective ARG_highlight %27 

# phpBB another try
SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)"	"deny,log"
Here's the interesting part. I checked out my raw logs, and no longer see the 2527 crap that showed up ALL THE TIME a few days ago. However, I still see ~900-1000 guests per hour, which doesn't make any sense. For example, yesterday, the hour rolled over and suddenly the regged/guest count was back down to only a few for that hour. The guests logged in that I could see, at the time, were around 5. No less than 5 minutes later I went back, and noticed the guest count was back up to 800 something. Still, only 5-6 guests were showing up as actually being there. (So, to clarify, the "you have 15 registered users, 4 guests" was low, but the overall stats that you get when you install niels' huge split topics/etc mod says 900 for the last hour).

I don't get this. The entire hour I can see there are only 5 guests at a time, and that number should be closer to 30 for the entire hour. I don't see the worm getting to the forum anymore, but I don't know any other reason this would be happening. The site is big, but not THAT big so I know it's not normal bandwidth... maybe the code bits I put in only stop it partially, and the guest count is still affected somehow? :/


I will go fix my htaccess right now with your code, to see if it helps.

phamenoth
Registered User
Posts: 37
Joined: Thu Jun 12, 2003 1:02 am

Post by phamenoth » Mon Jan 31, 2005 5:08 pm

*bump*

I still get 900 guests per hour... anyone have ideas?

I might just make my own thread since those seem to get answers more often...

Joe User
Registered User
Posts: 71
Joined: Mon Sep 13, 2004 9:56 am
Location: Germany
Name: Markus Kohlmeyer

Post by Joe User » Mon Jan 31, 2005 8:50 pm

The most effective way to stop santy (and others) are the following rewriterules:

Code: Select all

<IfModule mod_rewrite.c>
    RewriteLog "/var/log/apache2/rewrite.log"
    RewriteLogLevel 0
    RewriteEngine On

    # prevent payloads via wget
    RewriteCond %{QUERY_STRING} ^(.*)wget\%20 [NC]
    RewriteRule ^.*$ http://127.0.0.1/ [L,R=301]

    # prevent access from santy webworm
    RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)esystem(.*) [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)rush=echo [NC]
    RewriteRule ^.*$ http://127.0.0.1/ [L,R=301]

    # prevent pre php 4.3.10 bug
    RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b [NC]
    RewriteRule ^.*$ http://127.0.0.1/ [L,R=301]
</IfModule>

Hynee
Registered User
Posts: 21
Joined: Sat Dec 25, 2004 6:58 am

Post by Hynee » Wed Feb 02, 2005 11:06 am

phamenoth wrote: Then I tried adding Hynee's code (posted on page 9)

Code: Select all

//Worm prevention
// Read the request fields defensively: either can be unset (e.g. a client that sends no User-Agent).
$user_agent   = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$query_string = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';

//echo $query_string;

// Santy's Perl LWP user agent, e.g. LWP::Simple/5.803
$UA_Match = preg_match('#LWP(\:\:Simple|\-trivial)\/\d\.\d+#i', $user_agent);
$QueryMatch = (
   (preg_match_all('#chr\%28\d+\%29#U', $query_string, $matches) > 10) || // chr(xxx) with ( ) percent-encoded, xxx digits
   (strpos($query_string, '%24HTTP_GET_VARS') !== false) ||               // $HTTP_GET_VARS; strpos() returns 0 for a match at offset 0, so test !== false
   (preg_match_all('#chr\(\d+\)#U', $query_string, $matches) > 10)        // chr(xxx) literal
);

if ($UA_Match || $QueryMatch) {
   die();
}

//END Worm protection

added this, no errors... but I still have 700-900 guests per hour.


I updated the code a few posts later..., see this post on page 9. The old code only prevented the original December 25 Santy, this one prevents both Dec and Jan.

You can easily pull (delete) the old mod, as it is surrounded by //Worm prevention and //END Worm prevention.

As user The Master has pointed out, this is just 'flood' prevention; all boards should be updated to v2.0.11, and this will prevent infection. Mods in this topic (should) help prevent board overload from infected boards trying to infect others. Most (including this one) will also prevent infection as a side effect, but if a new variant comes out, they may not.

Also, if your board still feels the strain after installing this mod, you should try one of the .htaccess based mods (Apache server only), as it should be more efficient. If you're only trying to prevent wacky users online counts, this should be fine.
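
As an added example (not code from the thread or from phpBB), the logic of the common.php snippet quoted above, written out in Python so it can be exercised against constructed requests. The three query tests, the LWP user-agent pattern and the ">10" chr() threshold are the snippet's own; the user agents and query strings in constructed_requests() are made up. It also reproduces the one defect in the posted PHP, strpos() used directly as a boolean, to show the request it silently lets through.

```python
"""Request-level check equivalent to the common.php worm-prevention snippet,
written out to show what each of its three query tests does and the edge
case the posted PHP misses.

Added example, not code from the thread or from phpBB.  The user agents and
query strings below are constructed; the patterns and the >10 threshold are
the snippet's own.
"""
import re

UA_RE = re.compile(r"LWP(::Simple|-trivial)/\d\.\d+", re.I)   # the worm's Perl LWP client
CHR_ENCODED_RE = re.compile(r"chr%28\d+%29", re.I)            # chr(NNN) with ( ) percent-encoded
CHR_LITERAL_RE = re.compile(r"chr\(\d+\)", re.I)              # chr(NNN) literal
CHR_THRESHOLD = 10                   # the snippet's ">10": a few chr() calls do not trip it
GET_VARS_MARK = "%24HTTP_GET_VARS"   # percent-encoded "$HTTP_GET_VARS"


def is_worm_request(user_agent, query_string):
    """True if the request looks like a Santy infection attempt."""
    ua = user_agent or ""
    q = query_string or ""
    ua_match = UA_RE.search(ua) is not None
    query_match = (
        len(CHR_ENCODED_RE.findall(q)) > CHR_THRESHOLD
        or GET_VARS_MARK in q       # plain substring test, no offset-0 trap (see below)
        or len(CHR_LITERAL_RE.findall(q)) > CHR_THRESHOLD
    )
    return ua_match or query_match


def posted_php_get_vars_test(query_string):
    """The original test as written: strpos($query_string, '%24HTTP_GET_VARS')
    used directly as a boolean.  strpos() returns the offset, or false when the
    needle is absent, so a match at offset 0 is 0 == false and is NOT caught.
    str.find() returns -1 instead of false, so PHP's truthiness here is pos > 0."""
    pos = query_string.find(GET_VARS_MARK)
    return pos > 0


def constructed_requests():
    """Constructed (user_agent, query_string, expected) triples for a self-check."""
    many_chr = "&".join(f"x{i}=chr%2877%29" for i in range(12))  # 12 encoded chr() calls
    return [
        ("LWP::Simple/5.803", "t=1", True),                        # worm UA alone trips it
        ("Mozilla/5.0", "t=1&start=0", False),                     # normal phpBB request
        ("Mozilla/5.0", many_chr, True),                           # over the chr() threshold
        ("Mozilla/5.0", "h=chr(65)chr(66)chr(67)", False),         # three chr(): under threshold
        ("Mozilla/5.0", "t=1&h=%24HTTP_GET_VARS%5Bx%5D", True),    # marker mid-string
        ("Mozilla/5.0", "%24HTTP_GET_VARS%5Bx%5D=1", True),        # marker at offset 0
    ]


def self_check():
    """Return the constructed cases where is_worm_request() disagrees with expectation."""
    return [(ua, q) for ua, q, want in constructed_requests()
            if is_worm_request(ua, q) != want]


if __name__ == "__main__":
    print("mismatches:", self_check())
    print("posted PHP catches marker at offset 0:",
          posted_php_get_vars_test("%24HTTP_GET_VARS%5Bx%5D=1"))   # False: the miss
```

The threshold matters: the check deliberately tolerates a few chr() occurrences so that an ordinary post quoting some PHP is not rejected, and it only fires on the long chr() chains the worm uses to build its payload. As the post above says, this is load relief, not a patch; the fix is 2.0.11.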

Locked

Return to “2.0.x Support Forum”