
Um, santy is back?

Posted: Mon Jan 24, 2005 10:35 pm
by Hynee
About an hour ago a user on my forum pointed out that there were 130 guests on our board, and sure enough, they were the usual:

/forum/viewtopic.php?t=546&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(

The user agent is always a simple "Mozilla/4.0", not your typical real browser string of "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)", and not the user agent the Christmas santy used (LWP::Simple or lwp-trivial). They've obviously changed this, because that made it easy to catch.

They're coming from all sorts of hosts. Anyway, is it back?

Posted: Mon Jan 24, 2005 11:53 pm
by fumbalah
What version of phpBB are you running? The worm is still going around somewhat, trying to exploit forums. As long as you are patched, you should be fine.

Posted: Tue Jan 25, 2005 12:56 am
by Hynee
We're fine, we're at v2.0.11. Just a lot of hits, hasn't slowed us really.

hits

Posted: Tue Jan 25, 2005 1:21 am
by tristatesportbikes
We were hit with over 500 guests and it didn't slow it down at all. The patches seem to be working fine. Put the patch in the config.php file and guests dropped down to normal.

We are at a heavily modded board that is at 2.0.6 with all of the security patches from then to 2.0.11.

Posted: Tue Jan 25, 2005 2:37 am
by G.A. Heath
I have to agree that this is a new flavor of santy. My site is small, but we have noticed the activity and my logs are similar to what Hynee has mentioned.

Posted: Tue Jan 25, 2005 2:40 am
by mdecatur
We're getting slaughtered, hundreds of guests and our board is crawling. We're at 2.0.11 though, so security is a nonissue. Is there a way to ban the hosts that try to execute this specific URL string automatically?

Posted: Tue Jan 25, 2005 3:13 am
by AdamR
You can block the attacks at the "server" level before it even gets to the phpBB files. See this link for information:
http://www.phpbb.com/phpBB/viewtopic.php?t=249010

- Adam
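
Added example, not part of any post in this thread: a log triage script that finds the hosts sending the `highlight=` probe quoted in the first post, so they can be fed to a server-level block. It assumes Apache "combined" log format; the sample lines, hosts and the shortened request string are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" format assumed: host ... "METHOD url PROTO" status size "referer" "agent"
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+)[^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
HIGHLIGHT_RE = re.compile(r"[?&]highlight=([^&]*)", re.I)
# User agents mentioned in the thread: the bare string and the two LWP ones.
WORM_UAS = {"Mozilla/4.0", "LWP::Simple", "lwp-trivial"}

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly, so %2527 -> %27 -> ' shows up as a quote."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_santy_style(url):
    """True when highlight= is percent-encoded twice and hides a quote."""
    m = HIGHLIGHT_RE.search(url)
    return bool(m) and "%25" in m.group(1) and "'" in fully_decode(m.group(1))

def flag_hosts(lines):
    """Map each offending host to (hit count, set of user agents it sent)."""
    hits, agents = Counter(), {}
    for line in lines:
        m = LOG_RE.match(line)
        if m and "viewtopic.php" in m["url"] and is_santy_style(m["url"]):
            hits[m["host"]] += 1
            agents.setdefault(m["host"], set()).add(m["ua"])
    return {h: (n, agents[h]) for h, n in hits.items()}

# Request string shortened from the one quoted in the first post.
PROBE = "/forum/viewtopic.php?t=546&highlight=%2527%252Esystem(chr(112)%252Echr(101)"
REQ = '{} - - [24/Jan/2005:21:30:00 +0000] "GET {} HTTP/1.0" 200 512 "-" "{}"'
SAMPLE = [  # constructed lines; hosts are documentation addresses
    REQ.format("192.0.2.10", PROBE, "Mozilla/4.0"),
    REQ.format("192.0.2.10", PROBE, "Mozilla/4.0"),
    REQ.format("198.51.100.7", PROBE, "lwp-trivial"),
    REQ.format("203.0.113.5", "/forum/viewtopic.php?t=546&highlight=don%27t",
               "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"),
]

if __name__ == "__main__":
    for host, (count, uas) in sorted(flag_hosts(SAMPLE).items()):
        known = "known worm UA" if uas & WORM_UAS else "other UA"
        print(f"{host}\t{count} hits\t{known}")
```

Matching on the double-encoded quote rather than on the user agent keeps the check working when the agent string changes, and an ordinary search for a word like "don't" is not flagged.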