Apache forbidden rule for Santy.A worm

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Knuckles10
Registered User
Posts: 31
Joined: Fri Oct 11, 2002 4:52 am

Post by Knuckles10 » Thu Feb 03, 2005 2:00 am

caped_crusader wrote:
Dr Vas! wrote: It seems to work :D

I had some minutes ago something like 25 pages visited by 66.249.66.203 ( googlebot.com ). If it's not the Worm ... what is it ?

And my board looks quite well at this time.
Thanks rcardona

PS : I have banned that IP for security.


I've got googlebot LOGGING IN. How is that possible??? Every day I get a bunch of 'guests' who all turn out to be googlebot. Now I'm watching on the Admin panel, they logged in and are now in the forum. Is that possible? I'm getting nervous now. I understand googlebot is just spidering the forum, but how can they log in???


I'm pretty sure this is normal users that are logging in, that have the Google toolbar installed. So Googlebot follows along and goes wherever they go.

Jaffery
Registered User
Posts: 238
Joined: Sat Oct 18, 2003 2:55 pm
Location: Yaar !!
Contact:

Post by Jaffery » Fri Mar 25, 2005 6:22 pm

Is this thing still alive ?
Free fast Image Hosting at www.ImageTor.com | Linux Forum <--- LinuxSolved.com
Bodybuilding <--- Bodybuilding.name Forums
Shayari <---- Poetry Forum at Yoindia.com
Linux webhosting <---- Linux Webhosting at MGCyber.net

Mr. Sharkey
Registered User
Posts: 635
Joined: Sun Mar 28, 2004 5:42 pm

Post by Mr. Sharkey » Fri Mar 25, 2005 8:25 pm

espicom, in another thread wrote: SANTY still lives on the net... I log daily attempts to use that exploit from all over the world.

Lord Raiden
Registered User
Posts: 391
Joined: Sat Jun 26, 2004 11:24 pm
Contact:

Post by Lord Raiden » Fri Mar 25, 2005 11:46 pm

I honestly haven't seen any attempts in a while. I had a brief hit which required me to use the rewrite htaccess patch to fix, but I haven't seen it since.
Steve Lake
-Owner/Admin/Author of:
-Raiden's Realm - Bringing Linux to the World

Jaffery
Registered User
Posts: 238
Joined: Sat Oct 18, 2003 2:55 pm
Location: Yaar !!
Contact:

Post by Jaffery » Sat Mar 26, 2005 9:57 am

So can anyone tell me again... is phpBB 2.0.13 vulnerable against this Santy thing?
Free fast Image Hosting at www.ImageTor.com | Linux Forum <--- LinuxSolved.com
Bodybuilding <--- Bodybuilding.name Forums
Shayari <---- Poetry Forum at Yoindia.com
Linux webhosting <---- Linux Webhosting at MGCyber.net

zzap64
Registered User
Posts: 3
Joined: Thu Dec 09, 2004 2:34 pm
Location: Dublin, Ireland
Contact:

Post by zzap64 » Sun Mar 27, 2005 11:19 pm

I have the latest phpBB installed and the worm doesn't do anything, apart from use up lots of my bandwidth.

One of my servers was getting hits every 5 seconds from about 10 different locations of the worm :(

Just lots of "access forbidden" in my log files now instead of lots of bandwidth wastage since I edited my .htaccess file :)

korge
Registered User
Posts: 15
Joined: Fri Jul 08, 2005 4:46 pm

Post by korge » Fri Jul 08, 2005 5:54 pm

I opened the .htaccess but don't know the format or where to put it... And do I copy both green texts in or just the top/bottom one?

Lord Raiden
Registered User
Posts: 391
Joined: Sat Jun 26, 2004 11:24 pm
Contact:

Post by Lord Raiden » Fri Jul 08, 2005 8:26 pm

I had Santy flood bomb my site for a while, then I put the rule in and the flood bombing went away and never came back, even after I removed the rule. lol. Crazy.
Steve Lake
-Owner/Admin/Author of:
-Raiden's Realm - Bringing Linux to the World

fluxweed
Registered User
Posts: 12
Joined: Wed Aug 31, 2005 4:10 pm

Post by fluxweed » Mon Sep 05, 2005 4:10 pm

Couldn't believe that now in September I still got hit by these worms 5 times a minute. Putting the rules in .htaccess really helps.

Shanana
Registered User
Posts: 368
Joined: Sat Aug 28, 2004 4:03 am
Location: USA [from London, England]

Post by Shanana » Mon Sep 05, 2005 10:23 pm

You got hit? What version are you using?

khopesh
Registered User
Posts: 3
Joined: Tue May 02, 2006 5:39 pm

Santy still out there in May 2006

Post by khopesh » Tue May 02, 2006 6:17 pm

Santy attacks have taken down a site of mine twice in the past few weeks ... it's not breaking in, but it overwhelms the server; Apache panics and shuts off, needing a manual restart.

The apache rewrite fix does not appear to be working, though it could be because I implemented it after another rewrite rule (or in the wrong virtualhost, this site's httpd.conf is the messiest I've ever seen), as follows:

<IfModule mod_rewrite.c>
    RewriteEngine  on
    RewriteCond    %{REQUEST_FILENAME}  -d
    RewriteRule    ^(.+[^/])$           $1/  [R]

    # an attempt at preventing DoS attacks on phpBB forums with Santy Worm
    # imported from http://www.phpbb.com/phpBB/viewtopic.php?t=249010
    # the query string is tested raw (still URL-encoded), so \%2527 is matched literally
    RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
    # cookie marker left by the worm (stray trailing % after %{HTTP_COOKIE} removed)
    RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b
    RewriteRule ^.*$   -   [F,L]
</IfModule>
This is a very old system, and my company has no webmaster at the moment (and I (unix sysadmin) don't want to do the needed upgrading unless absolutely necessary). Apache 1.3.33 on FreeBSD 4.7-RELEASE-p28 (jailed) with PHP 5.0.4 and 4.3.10, MySQL 4.0.16, phpBB 2.0.11.

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom » Wed May 03, 2006 2:02 am

If the PHPBB version truly is 2.0.11, you should take the site off-line until it is upgraded. You may not want to do it, but 2.0.11 has more than just SANTY to worry about.

The following rewrite rules have been working for deflecting the worm load for me:

RewriteEngine On
# Patterns are tested against the raw, still URL-encoded query string,
# so \%2527 (a double-encoded single quote) is matched literally.
RewriteCond %{QUERY_STRING} ^(.*)\.printf\( [OR]
RewriteCond %{QUERY_STRING} ^(.*)wget\%20 [OR]
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{QUERY_STRING} ^(.*)highlight=' [OR]
# Cookie marker left by the worm (stray trailing % after %{HTTP_COOKIE} removed)
RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b
# Any request matching one of the conditions is redirected to the client's own loopback
RewriteRule ^.*$ http://127.0.0.1/ [L,R=301]
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer
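A log-side check that applies the same query-string markers as the rewrite conditions in the post above, so hits can be counted per client IP from the access log. This is an added example, not code from this thread; it assumes Apache combined log format and uses constructed sample lines.

```python
import re
# Regexes equivalent to the RewriteCond patterns posted in this thread. mod_rewrite
# tests the raw, still URL-encoded QUERY_STRING, so the raw string is tested here too.
SANTY_QUERY_PATTERNS = [re.compile(p) for p in (
    r"\.printf\(",
    r"wget%20",
    r"echr",       # broad: also matches harmless words containing "echr"
    r"esystem",
    r"highlight=%2527",
    r"highlight='",
)]

# Apache combined log format (assumed): host ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+')

def match_santy(line: str):
    """Return (client_ip, matched_pattern) for a Santy-like probe, else None.
    Lines that do not parse as combined log format are skipped."""
    m = LOG_RE.match(line)
    if not m:
        return None
    qs = m.group("target").partition("?")[2]   # raw query string, '' if none
    for pat in SANTY_QUERY_PATTERNS:
        if pat.search(qs):
            return m.group("host"), pat.pattern
    return None

def scan(lines):
    """Tally probe hits per client IP (the 'unique IPs' count from the thread)."""
    hits = {}
    for line in lines:
        found = match_santy(line)
        if found:
            hits[found[0]] = hits.get(found[0], 0) + 1
    return hits

# Constructed sample log lines (not real traffic); the probe lines carry only the
# marker token the rewrite rules look for, nothing more.
SAMPLE_LOG = """\
203.0.113.7 - - [03/May/2006:02:02:11 -0500] "GET /phpBB2/viewtopic.php?t=12&highlight=%2527 HTTP/1.1" 403 213 "-" "-"
198.51.100.9 - - [03/May/2006:02:02:15 -0500] "GET /phpBB2/viewtopic.php?t=12&highlight=santy HTTP/1.1" 200 8812 "-" "Mozilla/4.0"
203.0.113.7 - - [03/May/2006:02:02:19 -0500] "GET /phpBB2/viewtopic.php?t=13&highlight=%2527 HTTP/1.1" 403 213 "-" "-"
192.0.2.44 - - [03/May/2006:02:03:01 -0500] "GET /phpBB2/index.php HTTP/1.1" 200 15021 "-" "Googlebot/2.1"
"""

if __name__ == "__main__":
    for ip, n in sorted(scan(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}\t{n} probe(s)")
```

Because the rules and this check both work on the undecoded query string, a request that sends the quote as a plain `'` is caught only by the `highlight='` pattern, which is why the posted rules list both forms.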

khopesh
Registered User
Posts: 3
Joined: Tue May 02, 2006 5:39 pm

Post by khopesh » Wed May 03, 2006 7:29 pm

espicom wrote: If the PHPBB version truly is 2.0.11, you should take the site off-line until it is upgraded. You may not want to do it, but 2.0.11 has more than just SANTY to worry about.


Yeah, but I don't want the import to break and get stuck. I'm not a PHP or MySQL guy, nor am I the company's webmaster. The whole server is cruft and needs a replacement anyway. We'll get a new webmaster eventually.

I put your recommended code in the .htaccess for the forum main directory, and it appears to give me a nice "forbidden" page when I test with an exploiting URL string.
Last edited by khopesh on Wed May 03, 2006 8:00 pm, edited 1 time in total.

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom » Wed May 03, 2006 7:44 pm

Yes, if you did not get redirected to 127.0.0.1, the mod_rewrite rules are not being read. I put them in the apache virtual server settings for each site, because I was having problems with doing it in the .htaccess file.
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer

khopesh
Registered User
Posts: 3
Joined: Tue May 02, 2006 5:39 pm

Do fully updated systems still get slammed by this?

Post by khopesh » Wed May 03, 2006 8:18 pm

Do fully updated systems still get slammed by this? My server seems immune, but the 241 unique IP addresses that keep trying to crack me successfully DoS me every time. I died twice today.
espicom wrote: Yes, if you did not get redirected to 127.0.0.1, the mod_rewrite rules are not being read. I put them in the apache virtual server settings for each site, because I was having problems with doing it in the .htaccess file.

It seems to work in either .htaccess or httpd.conf, showing a "forbidden" page if any of the queries match. There is no redirection to 127.0.0.1, but this seems significantly better than before, though still not enough to save my box from the DoS effect of an attack.

edit: solved that, I had your rewrite code in a place that apparently got ignored, and another implementation (which would forbid the content instead of redirect it) was elsewhere. Putting your code in that second place made the redirects work. Hopefully, the next onslaught will be deterred by this fix (see also the first paragraph of this post).
