Page 1 of 16

Apache forbidden rule for Santy.A worm

Posted: Wed Dec 22, 2004 12:09 am
by rcardona
Earlier today I asked if there was a mod_rewrite rule I could add to Apache's config to stop generating PHP for the Santy.A worm bots hitting my server. I did some research and came up with these directives. They are implemented and working on my server.

Code:

RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527
RewriteRule ^.*$	-	[F,L]
Edited by author on 2004.12.23: Adding a new condition to block the PHP <= 4.3.9 PoC exploit:

Code:

RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b
RewriteRule ^.*$	-	[F,L]
This works even if phpBB is not patched, but it should not be a substitute for patching!

Posted: Wed Dec 22, 2004 1:07 am
by omega13a
For those who don't know, just copy those rules and put them in a file called .htaccess on your website. It only works if the server your site is on is running Apache. Even if it does, there's no guarantee it will work. The server your board is on must be able to support rewrite conditions. There's no way to find out other than doing what has been said in this topic. If the server doesn't support them, you'll get an error message when you go to view your site.

Posted: Wed Dec 22, 2004 1:57 am
by espicom
omega13a wrote: If the server doesn't support them, you'll get an error message when you go to view your site.


Your server might support them, but have them disabled. For security purposes, a lot of .htaccess overrides are disabled by default. For example, requiring an HTTP password dialog to enter a directory requires that the directory have "AllowOverride AuthConfig" set somewhere in the Apache configuration (I usually put it in the Vhosts.conf file).

Unfortunately, I can't seem to find the minimum AllowOverride setting to enable the rewrite engine in .htaccess ... Guess it would have to be set to "All", which grants a bit too much freedom on a shared server...

Posted: Wed Dec 22, 2004 3:24 am
by hydra1979
omega13a wrote: For those who don't know, just copy those rules and put them in a file called .htaccess on your website. It only works if the server your site is on is running Apache. Even if it does, there's no guarantee it will work. The server your board is on must be able to support rewrite conditions. There's no way to find out other than doing what has been said in this topic. If the server doesn't support them, you'll get an error message when you go to view your site.


My site was attacked last night.

All PHP files were modified like:

Code:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>This site is defaced!!!</TITLE>
</HEAD><BODY bgcolor="#000000" text="#FF0000">
<H1>This site is defaced!!!</H1>
<HR>
<ADDRESS><b>NeverEverNoSanity WebWorm generation 14.</b></ADDRESS>
</BODY></HTML>
Is that what you say can stop it?
Where do I put the .htaccess file?
In the HTML documents folder? Or elsewhere? Please tell me.

thank you

Posted: Wed Dec 22, 2004 3:42 am
by cdllt
Yes, all of my site is PHP files, not only the forum, so where are we going to put this file???

Posted: Wed Dec 22, 2004 4:03 am
by thecoalman
It's an Apache server file; your server has to support it.

Short and quick directions: Copy the code and paste it in Notepad. Save it as htaccess.txt (not sure if Windows supports long file extensions). Anyway... FTP it to your server and rename it .htaccess

Here's a link for more in depth info: http://wsabstract.com/howto/htaccess.shtml

Funnily enough, you can see it in action in the second post, the one with the image that says it's hot-linked. Another thing you can prevent with .htaccess

My first post here and I answered something..... YAY :D

Posted: Wed Dec 22, 2004 4:06 am
by cdllt
That means we have to put it wherever the .php files are stored, right?

Posted: Wed Dec 22, 2004 4:11 am
by thecoalman
You can put it anywhere really, as long as it's in the phpBB folder or above. The higher an .htaccess file is in the hierarchy, the more files and folders it affects. See the link I posted.

Posted: Wed Dec 22, 2004 4:32 am
by hydra1979
thecoalman wrote: You can put it anywhere really, as long as it's in the phpBB folder or above. The higher an .htaccess file is in the hierarchy, the more files and folders it affects. See the link I posted.


:D Thanks a lot

I have edited it with vi

and put it in the HTML documents folder.

I want it to really work.

Let me never be attacked by this worm again...

by the way ^_^ happy new year~~

Posted: Wed Dec 22, 2004 11:15 am
by -jm-
thecoalman wrote: htaccess.txt (not sure if Windows supports long file extensions)


Win98SE supports the *.htaccess extension. It doesn't allow me to rename a file as .htaccess without anything before the dot.

Posted: Wed Dec 22, 2004 12:20 pm
by cdllt
Is it okay to modify as it said in this thread?

http://www.phpbbstyles.com/viewtopic.php?t=1903

and this one

http://www.phpbbstyles.com/viewtopic.php?t=1904

:roll: :roll:

Posted: Wed Dec 22, 2004 1:34 pm
by Darrena
cdllt wrote: Is it okay to modify as it said in this thread?

http://www.phpbbstyles.com/viewtopic.php?t=1903

and this one

http://www.phpbbstyles.com/viewtopic.php?t=1904

:roll: :roll:


I used this fix the other day while waiting for a php update from fedoralegacy and it seemed to work fine for me and the concept of what he did seems valid to me (But I am the worst php programmer that ever existed so that may not be a good judgement ;) ). I would suspect that you will want to change it back once you update php to avoid forking too far from the normal phpbb install.

Posted: Wed Dec 22, 2004 1:35 pm
by hydra1979
I have added the .htaccess file....

but I have still been hacked again....

What can I do.....

Posted: Wed Dec 22, 2004 2:06 pm
by cdllt
Read this...

http://www.phpbb.com/phpBB/viewtopic.ph ... 1&start=80

It's not phpBB... it's the PHP software on your server that needs upgrading, along with the phpBB board.

Re: Apache forbidden rule for Santy.A worm

Posted: Wed Dec 22, 2004 3:44 pm
by tanrek
rcardona wrote:

Code:

RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527
RewriteRule ^.*$	-	[F,L]


Good work, but don't rely on it. If hackers or the next worm mask, for example, highlight as h%69ghlight, it fails.
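To see how rcardona's two RewriteCond patterns behave and why tanrek's caveat holds, here is an added Python check that is not part of the thread and not phpBB or Apache code. It copies the two regexes as posted, runs them over constructed request samples (not real captures; the cookie value is a made-up serialized-array string shaped like the pattern expects), and adds a decode-once check of my own: since Apache hands mod_rewrite the raw, undecoded %{QUERY_STRING}, a single round of percent-decoding turns h%69ghlight into highlight and %2527 into %27, so the masked variant and the plain one land on the same string. The decoded check is my suggestion for testing a rule offline against log entries, not something the thread proposes.

```python
import re
from urllib.parse import unquote

# The two RewriteCond patterns from the thread, as Python regexes.  Apache's
# %{QUERY_STRING} and %{HTTP_COOKIE} are raw (not percent-decoded), so the
# literal "%2527", "%22" and "%3b" sequences are what the regex sees.
QUERY_PATTERN = re.compile(r"^(.*)highlight=\%2527")
COOKIE_PATTERN = re.compile(r"s:(.*):\%22test1\%22\%3b")

# Added check (my suggestion, not from the thread): match after decoding the
# raw query string once, so "h%69ghlight=%2527" and "highlight=%2527" both
# become "highlight=%27" before the regex runs.
NORMALIZED_PATTERN = re.compile(r"highlight=%27", re.IGNORECASE)


def rule_forbids(query_string: str, cookie: str = "") -> bool:
    """Mirror of the posted rules: either RewriteCond matching yields [F]."""
    return bool(QUERY_PATTERN.search(query_string) or COOKIE_PATTERN.search(cookie))


def normalized_forbids(query_string: str) -> bool:
    """Match the signature after one round of percent-decoding."""
    return bool(NORMALIZED_PATTERN.search(unquote(query_string)))


# Constructed samples (not real traffic): name, raw query string, raw Cookie header.
SAMPLES = [
    ("clean",        "t=123&highlight=worm",   ""),
    ("worm-query",   "t=123&highlight=%2527",  ""),
    ("worm-cookie",  "t=123",
     "phpbb2mysql_data=a:1:{s:4:%22test%22;s:5:%22test1%22%3b}"),
    ("masked-query", "t=123&h%69ghlight=%2527", ""),
]


def evaluate(samples=SAMPLES):
    """Return {name: (posted rule forbids?, decode-once check forbids?)}."""
    return {name: (rule_forbids(q, c), normalized_forbids(q)) for name, q, c in samples}


if __name__ == "__main__":
    for name, (posted, normalized) in evaluate().items():
        print(f"{name:13s} posted-rule={posted!s:5s} decoded-check={normalized}")
```

The "masked-query" row is tanrek's point: the posted rule never sees the literal string highlight= and lets the request through, while the decoded check still catches it. The cookie condition is only exercised by the posted rule, since the decode-once check looks at the query string alone.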