Page 14 of 16

Posted: Tue Jan 25, 2005 7:54 pm
by caped_crusader
Dr Vas! wrote: It seems to work :D

A few minutes ago I had something like 25 pages visited by 66.249.66.203 (googlebot.com). If it's not the Worm... what is it?

And my board looks quite well at this time.
Thanks rcardona

PS : I have banned that IP for security.


I've got googlebot LOGGING IN. How is that possible??? Every day I get a bunch of 'guests' who all turn out to be googlebot. Now I'm watching on the Admin panel: they logged in and are now in the forum. Is that possible? I'm getting nervous now. I understand googlebot is just spidering the forum, but how can they log in???

Posted: Tue Jan 25, 2005 7:58 pm
by caped_crusader
caped_crusader wrote: I've got googlebot LOGGING IN. How is that possible??? Every day I get a bunch of 'guests' who all turn out to be googlebot. Now I'm watching on the Admin panel: they logged in and are now in the forum. Is that possible? I'm getting nervous now. I understand googlebot is just spidering the forum, but how can they log in???


Now I've got FIVE googlebots. Is that right? Viewing FAQ, Forum Index. SHOULD I do something to stop this? Or is this just normal spidering? Thanks.

Posted: Tue Jan 25, 2005 9:50 pm
by Subsim
I want to warn you, there can be serious consequences when trying the .htaccess method unless you are very comfortable and you know what you are doing. I never paid attention to this file before last night and, with my forum loading up with worm guests, I found the first thread here and gave it a try. Down 12 hours and my server tech support doesn't have a clue.

Posted: Wed Jan 26, 2005 12:21 am
by Psychotic_Carp
If you want to give me access to your site I'll try to find it and get rid of it, if you want to chance it.

Posted: Wed Jan 26, 2005 12:24 am
by Subsim
Thanks, mate, much appreciated. I've contracted EasyServerManagement.com to have a look. They specialize in troubleshooting unmanaged servers run by people like me (who know only enough to cause trouble). Hopefully they can come up with something.

Posted: Wed Jan 26, 2005 9:54 am
by pieman666
My forums are back online, and I have patched the common.php so I shouldn't get any more trouble should I?

My most-ever users online is now 315, timed about 1 hour before my ISP pulled the plug. As I normally have only around 10 online at once, with 300+ bots all trying the same exploit numerous times in a short space of time it's no wonder they pulled the plug...

I am just downloading the logs for the past few days to try and get an idea of how long the attacks have been going on, as, typically, I had been ill when all this happened....

Posted: Wed Jan 26, 2005 11:01 am
by exegeses
jedi-mind-trick wrote:
tanrek wrote:** Run the following query to list all admins:

Code:

SELECT * FROM phpbb_users WHERE user_level = 1;


*wince*

[newbie alert] I apologize for my ignorance, for I do not understand exactly what this means: how exactly do I run a query and where? [/newbie alert]


Should you have a phpMyAdmin application available on your server, you should access it, click on your forum database and then on SQL.
Next, in the text area write:

Code:

SELECT *
FROM `phpbb_users`
WHERE user_level = 1

then hit GO (button). This would run the query and let you know about all the users with Admin privileges.
Finally, delete the ones that should not be there.

Posted: Wed Jan 26, 2005 5:13 pm
by phamenoth
Hi guys,

Though I updated to phpBB 2.0.11 quite a while ago (when it first was released), I have just realized that seeing 800-900 guests in my forum at a time was because of this exploit.

Yesterday, my server admin applied a rewritecond for the entire server, and when you try to go to a URL as the exploit does, it gives a 406 error. I figured this would stop the number of guests, but it hasn't. This either means the rewritecond was unsuccessful for some reason (maybe it's not extensive enough?), or that something is up with the forum.

I've read a lot of the pages here (but not all) and it seems that even if the rewrite works, you still see the guests for some reason? Not sure why (so if someone can explain, I'd be appreciative), but I tried to add some code to common.php anyways.

I first tried Dark Matter's route (posted originally on page 3), but I get tons of blazing phpbb_sessions errors (something is outputting info to the header, it seems). I did put the code in the exact right place, and I know PHP quite well... I just didn't want to troubleshoot for a while because I don't know how all the files interact in phpBB super well.

Then I tried adding Hynee's code (posted on page 9)

Code:

//Worm prevention
$user_agent = $_SERVER["HTTP_USER_AGENT"];
$query_string = $_SERVER["QUERY_STRING"];

//echo $query_string;

// the worm's Perl client identifies itself as LWP::Simple or LWP-trivial
$UA_Match = preg_match('#LWP(\:\:Simple|\-trivial)\/\d\.\d+#i',$user_agent);
$QueryMatch = (
  (preg_match_all('#chr\%28\d+\%29#U',$query_string,$matches)>10) || //chr(xxx) where xxx is digits
   (strpos($query_string,'%24HTTP_GET_VARS') !== false) || //$HTTP_GET_VARS (strpos returns 0, which is false, when the match is at offset 0)
   (preg_match_all('#chr\(\d+\)#U',$query_string,$matches)>10)
);

if ($UA_Match || $QueryMatch) {
  die();
}

//END Worm protection

added this, no errors... but I still have 7-900 guests per hour.

Does anyone have any ideas of further things to do? Or could perhaps explain why these guests are showing up even after the server supposedly is protecting against the queries? This is destroying my bandwidth... my site (http://www.anime-planet.com/forum/, for the forum) gets around 5,000 unique users a day and having 20,000 guests PER DAY show up is insane! Any help would be greatly appreciated ^_^

Posted: Thu Jan 27, 2005 3:04 pm
by phamenoth
Err... anyone? I even tried adding rewrite code to my local htaccess file and am still getting ~900 guests per hour...

Posted: Fri Jan 28, 2005 3:35 am
by asinshesq
I'm pretty confused, but here goes:

I'm running phpBB 2.0.11 on a WinXP (SP2) PC with Apache 2.0.52, MySQL 4.1.9 and PHP 5.0.3. My board is set up so that no guests can post or read any posts. I have noticed absolutely no unusual traffic (though I have disabled the guest count on the index page since I don't allow guests to read posts, and for that reason I suppose their existence could escape my attention since I don't go to the admin pages too often). My Apache log files are monstrously long, but they don't look odd (although I frankly wouldn't know what to look for in figuring out whether I'm being hit).

Anyway, given that I am running the latest versions of everything and that I do not allow guests to read posts, am I safe or should I be doing something with my httpd.conf file or my common.php file? If so, what should I do (there seem to be a lot of different approaches being discussed in this thread)?

Thanks for any advice on this!

Posted: Fri Jan 28, 2005 4:46 pm
by David Palmer
Phamenoth:

Are you using this, or similar, in your .htaccess (from the first few pages of this thread):

Code:

RewriteEngine On

# prevent access from santy webworm a-e
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]
RewriteCond %{QUERY_STRING} ^(.*)wget\%20
RewriteRule ^.*$   -   [F,L]

Almost all of the server hits I'm seeing (3500/day) are of the highlight=%2527 or rush=%6563 variety, and the above .htaccess script stops them cold (they all get a 403 Forbidden response and don't waste any forum bandwidth).

Dave

Posted: Fri Jan 28, 2005 5:29 pm
by phamenoth
Thanks for the response, David,

Code:

RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527
RewriteRule ^.*$   -   [F,L]

This is what I have at the moment. I've tried other things too, though... like:

Code:

# phpBB exploit worm attempt
SecFilterSelective ARG_highlight %27

# phpBB another try
SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"

Here's the interesting part. I checked out my raw logs, and no longer see the 2527 crap that showed up ALL THE TIME a few days ago. However, I still see ~900-1000 guests per hour, which doesn't make any sense. For example, yesterday, the hour rolled over and suddenly the regged/guest count was back down to only a few for that hour. The guests logged in that I could see, at the time, were around 5. No less than 5 minutes later I went back, and noticed the guest count was back up to 800 something. Still, only 5-6 guests were showing up as actually being there. (So, to clarify, the "you have 15 registered users, 4 guests" was low, but the overall stats that you get when you install niels' huge split topics/etc mod says 900 for the last hour.)

I don't get this. The entire hour I can see there are only 5 guests at a time, and that number should be closer to 30 for the entire hour. I don't see the worm getting to the forum anymore, but I don't know any other reason this would be happening. The site is big, but not THAT big so I know it's not normal bandwidth... maybe the code bits I put in only stop it partially, and the guest count is still affected somehow? :/


I will go fix my htaccess right now with your code, to see if it helps.

Posted: Mon Jan 31, 2005 5:08 pm
by phamenoth
*bump*

I still get 900 guests per hour... anyone have ideas?

I might just make my own thread since those seem to get answers more often...

Posted: Mon Jan 31, 2005 8:50 pm
by Joe User
The most effective way to stop Santy (and others) is the following set of RewriteRules:

Code:

<IfModule mod_rewrite.c>
    RewriteLog "/var/log/apache2/rewrite.log"
    RewriteLogLevel 0
    RewriteEngine On

    # prevent payloads via wget
    RewriteCond %{QUERY_STRING} ^(.*)wget\%20 [NC]
    RewriteRule ^.*$ http://127.0.0.1/ [L,R=301]

    # prevent access from santy webworm
    RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)esystem(.*) [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)rush=echo [NC]
    RewriteRule ^.*$ http://127.0.0.1/ [L,R=301]

    # prevent pre php 4.3.10 bug (serialized "test1" string in the cookie)
    RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b [NC]
    RewriteRule ^.*$ http://127.0.0.1/ [L,R=301]
</IfModule>
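The RewriteCond sets above (Joe User's and David Palmer's) and Hynee's common.php filter all key on the same few query-string and User-Agent patterns, and several posters in this thread are trying to work out from their raw logs whether the worm is still getting through. Here is an added example, not from this thread or from phpBB, that applies those same signatures to Apache combined-format access-log lines and counts hits per signature and per source host; the log lines and addresses are constructed, and the combined log format is assumed.

```python
import re
from collections import Counter

# Signatures copied from the RewriteCond lines and the common.php filter quoted in
# this thread; they run on the raw, still URL-encoded query string (%2527, %65%63%68).
QUERY_SIGNATURES = {
    "highlight_2527": re.compile(r"highlight=%2527", re.I),
    "rush_echo": re.compile(r"rush=(?:%65%63%68|echo)", re.I),
    "wget_payload": re.compile(r"wget%20", re.I),
    "http_get_vars": re.compile(r"%24HTTP_GET_VARS", re.I),
}
CHR_CALL = re.compile(r"chr(?:%28|\()\d+(?:%29|\))", re.I)  # chr(NNN), encoded or not
LWP_AGENT = re.compile(r"LWP(?:::Simple|-trivial)/\d\.\d+", re.I)  # worm's Perl UA

# Apache combined log: host ident user [time] "request" status bytes "referer" "agent"
LOG_LINE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
                      r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"$')

def classify(line):
    """Return the names of the Santy signatures a log line matches ([] = looks clean)."""
    m = LOG_LINE.match(line)
    if not m:
        return ["unparsed"]
    query = m.group("target").partition("?")[2]
    hits = [name for name, rx in QUERY_SIGNATURES.items() if rx.search(query)]
    if len(CHR_CALL.findall(query)) > 10:  # same >10 threshold as the PHP filter
        hits.append("chr_payload")
    if LWP_AGENT.search(m.group("agent")):
        hits.append("lwp_agent")
    return hits

def triage(lines):
    """Count matches per signature and per source host across an access log."""
    by_sig, by_host = Counter(), Counter()
    for line in lines:
        hits = classify(line)
        if hits and hits != ["unparsed"]:
            by_sig.update(hits)
            by_host[line.split(" ", 1)[0]] += 1
    return by_sig, by_host

# Constructed sample lines (RFC 5737 documentation addresses), not from any real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Jan/2005:10:01:02 +0000] "GET /forum/viewtopic.php?t=12&highlight=%2527 HTTP/1.0" 200 512 "-" "LWP::Simple/5.803"',
    '203.0.113.5 - - [26/Jan/2005:10:01:03 +0000] "GET /forum/viewtopic.php?t=12&rush=%65%63%68%6F%20 HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [26/Jan/2005:10:01:04 +0000] "GET /forum/viewtopic.php?t=12&highlight=%2527.'
    + ".".join("chr(%d)" % c for c in b"echo worm ok") + ' HTTP/1.0" 200 512 "-" "LWP::Simple/5.803"',
    '198.51.100.7 - - [26/Jan/2005:10:02:00 +0000] "GET /forum/viewtopic.php?t=12&highlight=phpbb HTTP/1.1" 200 9811 "-" "Mozilla/5.0"',
]
```

Call triage(SAMPLE_LOG), or pass it a real access log opened as a file, to get the per-signature and per-host counts; comparing the counts from before and after a rule change shows whether the rules are actually catching the traffic, and a host that keeps matching after the rules are in place is one they are not stopping.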

Posted: Wed Feb 02, 2005 11:06 am
by Hynee
phamenoth wrote: Then I tried adding Hynee's code (posted on page 9)

Code:

//Worm prevention
$user_agent = $_SERVER["HTTP_USER_AGENT"];
$query_string = $_SERVER["QUERY_STRING"];

//echo $query_string;

// the worm's Perl client identifies itself as LWP::Simple or LWP-trivial
$UA_Match = preg_match('#LWP(\:\:Simple|\-trivial)\/\d\.\d+#i',$user_agent);
$QueryMatch = (
  (preg_match_all('#chr\%28\d+\%29#U',$query_string,$matches)>10) || //chr(xxx) where xxx is digits
   (strpos($query_string,'%24HTTP_GET_VARS') !== false) || //$HTTP_GET_VARS (strpos returns 0, which is false, when the match is at offset 0)
   (preg_match_all('#chr\(\d+\)#U',$query_string,$matches)>10)
);

if ($UA_Match || $QueryMatch) {
  die();
}

//END Worm protection

added this, no errors... but I still have 7-900 guests per hour.


I updated the code a few posts later; see this post on page 9. The old code only prevented the original December 25 Santy; this one prevents both Dec and Jan.

You can easily pull (delete) the old mod, as it is surrounded by //Worm prevention and //END Worm prevention.

As user The Master has pointed out, this is just 'flood' prevention: all boards should be updated to v2.0.11, and this will prevent infection. Mods in this topic (should) help prevent board overload from infected boards trying to infect others. Most (including this one) will also prevent infection as a side effect, but if a new variant comes out, they may not.

Also, if your board still feels the strain after installing this mod, you should try one of the .htaccess based mods (Apache server only), as it should be more efficient. If you're only trying to prevent wacky users online counts, this should be fine.