Apache forbidden rule for Santy.A worm

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
ForMod
Registered User
Posts: 79
Joined: Wed Jul 30, 2003 8:02 pm
Contact:

Post by ForMod » Sun Dec 26, 2004 7:31 pm

I want to publicly thank the author of this thread, rcardona. His .htaccess code is working. My site had 297 users online sometime in the last 24 hours and 100 at the present time. Adding the code dropped it down to normal levels!!!

I was patched for 2.0.11 prior.

THANK YOU!!!!

BZebra
Registered User
Posts: 20
Joined: Thu Nov 27, 2003 1:13 am
Location: Germany
Contact:

Post by BZebra » Sun Dec 26, 2004 7:41 pm

I am using this rewrite code

Code:

RewriteEngine On 
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com [NC] 
RewriteCond %{REQUEST_FILENAME} /viewtopic.php  
RewriteCond %{QUERY_STRING} ^.*\% 
RewriteRule ^.*$ http://127.0.0.1/ [R,L]
It blocks every URL with a %-sign in connection with viewtopic.php, so this should work for all sorts of Santy viruses and user agents.

As far as I know, %-signs only occur in search links with special characters in the highlight part (e.g. http://www.phpbb.com/phpBB/viewtopic.ph ... man#744944)

To make sure that all search result links work, even though a special character was used, I changed the following part of search.php.

search.php

Code:

#
#----[ FIND ]------
#

			$topic_url = append_sid("viewtopic.$phpEx?" . POST_TOPIC_URL . '=' . $searchset[$i]['topic_id'] . "&highlight=$highlight_active");
			$post_url = append_sid("viewtopic.$phpEx?" . POST_POST_URL . '=' . $searchset[$i]['post_id'] . "&highlight=$highlight_active") . '#' .

#
#----[ REPLACE WITH ]------
#

			$topic_url = append_sid("viewtopic.$phpEx?" . POST_TOPIC_URL . '=' . $searchset[$i]['topic_id']);
			$post_url = append_sid("viewtopic.$phpEx?" . POST_POST_URL . '=' . $searchset[$i]['post_id']) . '#' . $searchset[$i]['post_id'];
This removes the highlight part from the links in the search results.

It is not a very elegant solution, and the highlight function won't be available in the search results any more, but at least you don't have to worry about changing virus URLs and user agents. :roll:

BZebra
Last edited by BZebra on Sun Jan 02, 2005 1:11 am, edited 4 times in total.

tanrek
Registered User
Posts: 219
Joined: Mon Sep 27, 2004 1:46 pm
Location: Germany, Offenbach
Contact:

Post by tanrek » Sun Dec 26, 2004 8:14 pm

BZebra wrote: RewriteCond %{QUERY_STRING} ^(.*)%

It blocks every URL with an %-sign in it and sends it to the 304 error-page, so this should work for all sorts of santy-viruses and every bot.


If you want to block %-signs use:
RewriteCond %{QUERY_STRING} ^.*\%

BZebra wrote: As far as I know %-signs only occur in search links with special characters in the highlight part


If you look up all posts of the user 'Jim+Jane' the URL is
search.php?search_author=Jim%2BJane


My opinion: Not categorically advisable!

BZebra
Registered User
Posts: 20
Joined: Thu Nov 27, 2003 1:13 am
Location: Germany
Contact:

Post by BZebra » Sun Dec 26, 2004 9:39 pm

tanrek wrote: If you look up all posts of the user 'Jim+Jane' the URL is
search.php?search_author=Jim%2BJane


Aaahhh, you're right. There it doesn't work. Usernames with special chars. Then you've got to use this code:

Code:

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} /viewtopic.php
RewriteCond %{QUERY_STRING} ^.*\%
RewriteRule ^.*$ http://127.0.0.1/ [R,L]
I changed the code above.
Last edited by BZebra on Mon Dec 27, 2004 1:13 pm, edited 2 times in total.
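As an added illustration, not code from BZebra's post or from phpBB, the Python script below emulates the two RewriteCond variants shown in this thread (the first with the referer check, the second without it) over a few constructed requests, so the difference in what each one blocks can be seen directly. Using the URL path in place of %{REQUEST_FILENAME} and "mydomain.com" as the site name are simplifications, and the worm-style highlight value is a placeholder, not a real payload.

```python
import re

# Added example: emulation of the mod_rewrite conditions posted above.
# The request path stands in for %{REQUEST_FILENAME} (simplification: Apache
# tests the mapped filesystem path there). Query strings are kept raw, as in
# %{QUERY_STRING}, so percent-encoding is visible to the check.
VIEWTOPIC = re.compile(r"/viewtopic\.php")                      # RewriteCond %{REQUEST_FILENAME} /viewtopic.php
HAS_PERCENT = re.compile(r"^.*%")                               # RewriteCond %{QUERY_STRING} ^.*\%
OWN_REFERER = re.compile(r"^http://(www\.)?mydomain\.com", re.IGNORECASE)  # the [NC] referer pattern


def blocked_with_referer_check(path, query, referer=""):
    """First variant: referer is not ours AND viewtopic.php AND a '%' in the query string."""
    return (not OWN_REFERER.match(referer)           # negated condition; an empty referer counts as "not ours"
            and VIEWTOPIC.search(path) is not None
            and HAS_PERCENT.match(query) is not None)


def blocked_revised(path, query):
    """Revised variant: viewtopic.php AND a '%' in the query string, referer ignored."""
    return VIEWTOPIC.search(path) is not None and HAS_PERCENT.match(query) is not None


# Constructed sample requests (name, path, raw query string, referer); none come from a real log.
SAMPLES = [
    ("plain topic view", "/phpBB2/viewtopic.php", "t=123", ""),
    ("worm-style highlight request", "/phpBB2/viewtopic.php", "t=1&highlight=%27%2e%2e", ""),  # placeholder, not a real payload
    ("on-site search result with umlaut", "/phpBB2/viewtopic.php", "t=5&highlight=stra%DFe",
     "http://www.mydomain.com/phpBB2/search.php"),
    ("author search for Jim+Jane", "/phpBB2/search.php", "search_author=Jim%2BJane", "http://www.mydomain.com/phpBB2/"),
]


def evaluate(samples=SAMPLES):
    """Return (name, blocked by referer variant, blocked by revised variant) for each sample."""
    return [(name, blocked_with_referer_check(p, q, r), blocked_revised(p, q)) for name, p, q, r in samples]


if __name__ == "__main__":
    for name, v1, v2 in evaluate():
        print(f"{name:36s} referer variant: {'BLOCK' if v1 else 'allow':5s}  revised: {'BLOCK' if v2 else 'allow'}")
```

The third sample is the case the search.php change in this post is working around: a legitimate on-site search-result link whose highlight term carries a percent-encoded character passes the referer variant but is blocked by the revised one. The author-search URL tanrek raised is not touched by either rule here because both require viewtopic.php in the path.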

The_Master
Registered User
Posts: 118
Joined: Fri Dec 28, 2001 2:21 am
Location: Germany

Post by The_Master » Mon Dec 27, 2004 2:34 am

Changed my code above, it should now get any common attempt to use the highlight exploit.

Mr. Sharkey
Registered User
Posts: 635
Joined: Sun Mar 28, 2004 5:42 pm

Post by Mr. Sharkey » Mon Dec 27, 2004 6:31 am

Well, this might seem really lame to some of you, but in addition to the .htaccess, robots.txt, v2.0.11 upgrade and the rest of the precautions detailed here, I went ahead and found any and all references to "viewtopic" in my fora and renamed them all, each and every instance and filename. Everything is up and running as usual, but no "viewtopic.php?=txxx" for the bots to list.

Of course, this will make future upgrades a real PITA, but now when the bots come calling at the request of the worm, they simply aren't going to find any recognizable forum pages to list for exploit. Whole thing took me like 10 minutes to accomplish.

Watching the access log, I've been seeing lots of visits by the MSN bot, and have also seen the worm come calling, with its hundreds of lines of highlight overflow. So far so good.

Best of the season to all of you helping to keep our fora safe from this scourge.

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom » Mon Dec 27, 2004 6:41 am

but now when the bots come calling at the request of the worm, they simply aren't going to find any recognizable forum pages to list for exploit.


Hate to tell you this, but... The latest version of the attack bot doesn't bother restricting itself to 'viewtopic.php'... It's hitting every file with a PHP extension that has ever been indexed by Google or whichever search engine they're using at the moment, plus trying 'viewtopic.php' in any directory ever indexed.

While none of my scripts are vulnerable to the exploit being used, I've set my auto_prepend file to stop executing any time it encounters a GET variable of 'rush' with a non-empty value. Sending "go away worm!" uses less bandwidth than the 404 page.

Mr. Sharkey
Registered User
Posts: 635
Joined: Sun Mar 28, 2004 5:42 pm

Post by Mr. Sharkey » Mon Dec 27, 2004 7:10 am

Hmmm, I guess that would explain why I've seen a bunch of MSNbot requests for things like "search.php" and "profile.php?mode=editprofile" (with an attached session ID!!!) in the last hour. However, my limited understanding is that the worm intrudes by overloading the highlight function in viewtopic.php, which my forum no longer has. It's now named "somethingelse.php". I've added password protection to things like search.php and memberlist.php; in fact, about all an unregistered user can do is read posts and register!

Question: Once the MSNbot gets done finding the "somethingelse.php" file that replaced "viewtopic.php" and lists it, is the worm going to come back and try to overload that?

Wouldn't it be a lot simpler to just nuke the highlight function?

OddDuckCarter
Registered User
Posts: 135
Joined: Wed Mar 06, 2002 12:30 am

Post by OddDuckCarter » Mon Dec 27, 2004 7:22 am

Hello. Is there a way to use the .htaccess file to limit URLs to 500 characters? Seems to me the hackers couldn't fit in any code if I limited it.

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom » Mon Dec 27, 2004 7:32 am

Question: Once the MSNbot gets done finding the "somethingelse.php" file that replaced "viewtopic.php" and lists it, is the worm going to come back and try to overload that?


Not specifically. In my case, it seems that the bots are narrowing in on pages that MENTION viewtopic.php, because the majority of the access_log entries are for statistics pages that used to be accessible to outsiders. They've all been retracted, because we're moving to a version that restricts access by IP, with that IP being tied to the website owner's email usage. That is, if the website owner hasn't checked his/her email from the IP trying to access the web statistics within the past 30 minutes, a short "not found" page is returned instead.

But I have a lot of pages that reference topics in various phpBB boards, so it's been pretty wide-ranging on my server. And I've tracked the IP that's hosting the worm code... It's an SBCGlobal server, hosting a website for some organization that probably has no clue that they've been compromised. They don't even have phpBB running - their site was otherwise compromised to host the data, and the script kiddies are rotating a bunch of different domain names pointing at the 68.90.68.15 IP.

pengrus
Registered User
Posts: 566
Joined: Mon Dec 02, 2002 6:13 am
Contact:

Post by pengrus » Mon Dec 27, 2004 7:38 am

Joe User wrote: Here is another variant for mod_rewrite:

Code:

RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)wget\%20 [OR]
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*) [OR]

HTH


I am trying to implement this on our system. But could someone explain what the above code does?

Thank you.

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom » Mon Dec 27, 2004 7:40 am

Is there a way to use the .htaccess file to limit URLs to 500 characters?


Possibly... I would think that something along these lines would work for the conditional, but haven't tested it:

RewriteCond %{QUERY_STRING} ^(.{500}).+

The condition is only true if the query string is at least 501 bytes long, and the parens allow you to "capture" the first 500 to put into your rewrite rule.

Phineus1
Registered User
Posts: 64
Joined: Sat Nov 08, 2003 11:55 pm

Post by Phineus1 » Mon Dec 27, 2004 7:57 am

If you want to see who is hitting your server hard, you can run this at the command prompt

Code:

netstat -n | awk '{print $5}' | sort | uniq -c | sort -nk1
Then cross reference that with your server logs and add the address to your iptables.
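The following Python log scanner is an added example, not code from any post in this thread. It applies four of the checks proposed above to constructed Apache combined-format log lines: the viewtopic.php-plus-% condition, espicom's ^(.{500}).+ query-length condition, espicom's check for a non-empty 'rush' GET variable, and the three substrings (wget%20, echr, esystem) from the mod_rewrite variant pengrus quoted, which are chained with [OR] so that any one of them satisfies the rule. It then tallies hits per client IP, so the result can be cross-referenced with connection counts the way Phineus1's netstat pipeline suggests. The IPs, timestamps and request lines are made up; the long highlight value is filler, not a real payload.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Added example: the thread's proposed checks applied to access-log lines.
# Apache combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Substrings from the quoted conditions ^(.*)wget\%20, ^(.*)echr(.*), ^(.*)esystem(.*)
PAYLOAD_MARKERS = ("wget%20", "echr", "esystem")
MAX_QUERY_LEN = 500   # ^(.{500}).+ is true only when the query string exceeds 500 bytes


def classify(url):
    """Return the names of the thread's rules that a raw request URL trips."""
    parts = urlsplit(url)
    path, query = parts.path, parts.query        # query kept raw, like %{QUERY_STRING}
    hits = []
    if "/viewtopic.php" in path and "%" in query:
        hits.append("viewtopic-percent")          # BZebra's revised RewriteCond pair
    if len(query) > MAX_QUERY_LEN:
        hits.append("long-query")                 # espicom's length condition
    if any(v for v in parse_qs(query).get("rush", [])):
        hits.append("rush-param")                 # espicom's auto_prepend check: 'rush' with a non-empty value
    if any(marker in query for marker in PAYLOAD_MARKERS):
        hits.append("payload-marker")             # the [OR]-chained conditions pengrus quoted
    return hits


def scan(lines):
    """Parse log lines; return ({ip: Counter(rule -> hits)}, number of unparsable lines)."""
    per_ip = defaultdict(Counter)
    unparsed = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        for rule in classify(m["url"]):
            per_ip[m["ip"]][rule] += 1
    return per_ip, unparsed


def ranked(per_ip):
    """IPs ordered by total flagged requests, analogous to netstat | sort | uniq -c | sort -n."""
    return sorted(((sum(c.values()), ip) for ip, c in per_ip.items()), reverse=True)


# Constructed sample log (documentation-range IPs, invented timestamps and requests).
LONG_HIGHLIGHT = "%27" * 200   # 600 bytes of percent-encoded filler standing in for a long highlight value
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Dec/2004:06:31:00 -0600] "GET /phpBB2/viewtopic.php?t=42 HTTP/1.1" 200 8120 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [27/Dec/2004:06:31:05 -0600] "GET /phpBB2/search.php?search_author=Jim%2BJane HTTP/1.1" 200 5120 '
    '"http://www.example.org/phpBB2/" "Mozilla/4.0"',
    '198.51.100.7 - - [27/Dec/2004:06:32:10 -0600] "GET /phpBB2/viewtopic.php?t=1&highlight=' + LONG_HIGHLIGHT
    + '&rush=1 HTTP/1.0" 200 312 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [27/Dec/2004:06:32:11 -0600] "GET /old/stats/index.php?rush=1&highlight=%27wget%20x HTTP/1.0" '
    '404 290 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [27/Dec/2004:06:33:00 -0600] "GET /phpBB2/viewtopic.php?t=5&highlight=stra%DFe HTTP/1.1" 200 9001 '
    '"http://www.example.org/phpBB2/search.php" "Mozilla/4.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    per_ip, unparsed = scan(SAMPLE_LOG)
    for total, ip in ranked(per_ip):
        print(f"{total:4d} {ip}  {dict(per_ip[ip])}")
    print(f"unparsed lines: {unparsed}")
```

Note the last flagged entry: the on-site search result with an umlaut in its highlight term trips only the viewtopic-percent rule, which is the false positive that motivated the search.php change earlier in the thread, while the worm-style requests trip several rules at once. The length and 'rush' checks also catch the request to a non-viewtopic page, which matters given espicom's observation that the later bot hits every indexed .php file.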

computersOC
Registered User
Posts: 2528
Joined: Thu Dec 04, 2003 6:21 am
Location: New York
Contact:

Post by computersOC » Mon Dec 27, 2004 8:21 am

Is there any way if a bot tries to exploit one's site, the server sends some code to the bot which locks it up or disables it?

protesto
Registered User
Posts: 16
Joined: Sun Mar 21, 2004 3:36 pm

Post by protesto » Mon Dec 27, 2004 9:36 am

Mates, this worm used 300+ MB of my bandwidth in 2 days. Does this rewrite rule code prevent this bandwidth usage?
