Apache forbidden rule for Santy.A worm

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
rcardona
Registered User
Posts: 41
Joined: Fri Mar 26, 2004 3:57 am
Location: Austin, TX, USA

Post by rcardona » Wed Dec 22, 2004 12:09 am

Earlier today I asked if there was a mod_rewrite rule I could add to Apache's config to stop generating PHP for the Santy.A worm bots hitting my server. I did some research and came up with these directives. They are implemented and working on my server.

Code:

RewriteEngine On
# Forbid (403) any request whose raw query string carries the double-encoded
# quote (%2527) that the worm sends in phpBB's highlight parameter.
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527
RewriteRule ^.*$ - [F,L]
Edited by author on 2004.12.23: added a new condition to block the PHP <= 4.3.9 PoC exploit:

Code:

RewriteEngine On
# Either condition alone is enough to forbid the request: the worm's
# double-encoded quote in the query string, or the serialized "test1"
# marker the PHP <= 4.3.9 PoC sends in the cookie.
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b
RewriteRule ^.*$ - [F,L]
This works even if phpBB is not patched, but it should not be a substitute for patching!
Last edited by rcardona on Thu Dec 23, 2004 12:46 pm, edited 1 time in total.

omega13a
Registered User
Posts: 88
Joined: Wed Feb 20, 2002 11:53 pm
Location: SF Bay Area

Post by omega13a » Wed Dec 22, 2004 1:07 am

For those who don't know, just copy those rules and put them in a file called .htaccess on your website. It only works if the server your site is on is running Apache. Even if it does, there's no guarantee it will work. The server your board is on must be able to support rewrite conditions. There's no way to find out other than doing what has been said in this topic. If the server doesn't support them, you'll get an error message when you go to view your site.
A fish without a bicycle cannot contemplate his navel.

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom » Wed Dec 22, 2004 1:57 am

omega13a wrote: If the server doesn't support them, you'll get an error message when you go to view your site.


Your server might support them, but have them disabled. For security purposes, a lot of .htaccess overrides are disabled by default. For example, requiring an HTTP password dialog to enter a directory requires that the directory have "AllowOverride AuthConfig" set somewhere in the Apache configuration (I usually put it in the Vhosts.conf file).

Unfortunately, I can't seem to find the minimum AllowOverride setting to enable the rewrite engine in .htaccess ... Guess it would have to be set to "All", which grants a bit too much freedom on a shared server...

hydra1979
Registered User
Posts: 27
Joined: Thu May 27, 2004 7:27 pm

Post by hydra1979 » Wed Dec 22, 2004 3:24 am

omega13a wrote: For those who don't know, just copy those rules and put them in a file called .htaccess on your website. It only works if the server your site is on is running Apache. Even if it does, there's no guarantee it will work. The server your board is on must be able to support rewrite conditions. There's no way to find out other than doing what has been said in this topic. If the server doesn't support them, you'll get an error message when you go to view your site.


My site was attacked last night.

All php files were modified like:

Code:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>This site is defaced!!!</TITLE>
</HEAD><BODY bgcolor="#000000" text="#FF0000">
<H1>This site is defaced!!!</H1>
<HR>
<ADDRESS><b>NeverEverNoSanity WebWorm generation 14.</b></ADDRESS>
</BODY></HTML>
Is that what you say can stop it?
Where do I put the .htaccess file?
In the html documents folder? Or else, please tell me.

thank you

cdllt
Registered User
Posts: 42
Joined: Wed Dec 22, 2004 3:01 am

Post by cdllt » Wed Dec 22, 2004 3:42 am

Yes, all my site is php files, not only the forum, so where are we going to put these files???

thecoalman
Community Team Member
Posts: 3303
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Post by thecoalman » Wed Dec 22, 2004 4:03 am

It's an apache server file, your server has to support it.

Short and quick directions: Copy the code and paste it in Notepad. Save it as htaccess.txt (not sure if Windows supports long file extensions). Anyway... FTP it to your server and rename it .htaccess.

Here's a link for more in depth info: http://wsabstract.com/howto/htaccess.shtml

Funny enough you can see it in action in the second post, the one with the image that says it's hot-linked. Another thing you can prevent with .htaccess

My first post here and I answered something..... YAY :D

cdllt
Registered User
Posts: 42
Joined: Wed Dec 22, 2004 3:01 am

Post by cdllt » Wed Dec 22, 2004 4:06 am

That means we have to put it wherever the .php files are stored, right?

thecoalman
Community Team Member
Posts: 3303
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Post by thecoalman » Wed Dec 22, 2004 4:11 am

You can put it anywhere really, as long as it's in the phpBB folder or above. The higher an .htaccess file is in the hierarchy, the more files and folders it affects. See the link I posted.

hydra1979
Registered User
Posts: 27
Joined: Thu May 27, 2004 7:27 pm

Post by hydra1979 » Wed Dec 22, 2004 4:32 am

thecoalman wrote: You can put it anywhere really, as long as it's in the phpBB folder or above. The higher an .htaccess file is in the hierarchy, the more files and folders it affects. See the link I posted.


:D Thanks a lot

I have edited it with vi

and put it in the html documents folder.

I want it to really work.

Let me never be attacked by this worm again...

by the way ^_^ happy new year~~

-jm-
Former Team Member
Posts: 2024
Joined: Fri Jul 16, 2004 10:56 am
Location: Inside the mind of the machine

Post by -jm- » Wed Dec 22, 2004 11:15 am

thecoalman wrote: htaccess.txt (not sure if Windows supports long file extensions)


Win98SE supports the *.htaccess extension. It doesn't allow me to rename a file to .htaccess without anything before the dot.
-jm- (a.k.a. juanm) - *NO* private support
Hacked?
With so many beautiful colors in the world it’s a shame to make everything black and white - Dennis R. Little
my links: tips&stuff :: stuff only

cdllt
Registered User
Posts: 42
Joined: Wed Dec 22, 2004 3:01 am

Post by cdllt » Wed Dec 22, 2004 12:20 pm

Is it okay to modify it as it says in this thread?

http://www.phpbbstyles.com/viewtopic.php?t=1903

and this one

http://www.phpbbstyles.com/viewtopic.php?t=1904

:roll: :roll:

Darrena
Registered User
Posts: 29
Joined: Thu Jun 10, 2004 3:02 pm

Post by Darrena » Wed Dec 22, 2004 1:34 pm

cdllt wrote: Is it okay to modify it as it says in this thread?

http://www.phpbbstyles.com/viewtopic.php?t=1903

and this one

http://www.phpbbstyles.com/viewtopic.php?t=1904

:roll: :roll:


I used this fix the other day while waiting for a php update from fedoralegacy and it seemed to work fine for me and the concept of what he did seems valid to me (But I am the worst php programmer that ever existed so that may not be a good judgement ;) ). I would suspect that you will want to change it back once you update php to avoid forking too far from the normal phpbb install.

hydra1979
Registered User
Posts: 27
Joined: Thu May 27, 2004 7:27 pm

Post by hydra1979 » Wed Dec 22, 2004 1:35 pm

I have added the .htaccess file....

but I have still been hacked again....

What can I do.....

cdllt
Registered User
Posts: 42
Joined: Wed Dec 22, 2004 3:01 am

Post by cdllt » Wed Dec 22, 2004 2:06 pm

read this ...

http://www.phpbb.com/phpBB/viewtopic.ph ... 1&start=80

It's not phpBB ... it's the PHP software on your server that needs upgrading, along with the phpBB board.

tanrek
Registered User
Posts: 219
Joined: Mon Sep 27, 2004 1:46 pm
Location: Germany, Offenbach

Re: Apache forbidden rule for Santy.A worm

Post by tanrek » Wed Dec 22, 2004 3:44 pm

rcardona wrote:

Code:

RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527
RewriteRule ^.*$	-	[F,L]


Good work, but don't rely on it. If hackers or the next worm mask, for example, highlight as h%69ghlight, it fails.
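Added example (mine, not code from the thread, from phpBB or from Apache) that emulates the two conditions rcardona posted and tanrek's evasion in Python against constructed query strings and cookies. Apache matches a RewriteCond against the raw, never percent-decoded QUERY_STRING, so a literal pattern only sees the bytes the client sent; `blocked_after_decoding` and its `highlight=%27` pattern are my assumption of what a decode-once check would look like, not something the posted rules do.

```python
"""Emulate the thread's mod_rewrite conditions against sample requests.

Added example, not from the thread, phpBB or Apache. Shows (1) the posted
rules as a literal match on the raw query string / cookie, (2) the encoded
parameter name that slips past them, and (3) an assumed decode-once check.
"""
import re
from urllib.parse import unquote

# The posted QUERY_STRING condition, translated literally to a Python regex.
POSTED_QUERY_RULE = re.compile(r"^(.*)highlight=%2527")
# The posted HTTP_COOKIE condition (serialized "test1" marker, lower-case %3b).
POSTED_COOKIE_RULE = re.compile(r"s:(.*):%22test1%22%3b")


def blocked_literally(query_string, cookie=""):
    """True when the thread's rules, as written, would answer 403 (flag F).

    Like Apache, this looks at the raw strings: nothing is percent-decoded.
    """
    return bool(POSTED_QUERY_RULE.search(query_string)
                or POSTED_COOKIE_RULE.search(cookie))


# Assumed hardened variant (not from the thread): decode the raw query string
# exactly once, so 'h%69ghlight' becomes 'highlight' and the double-encoded
# quote '%2527' becomes '%27', then look for the marker in that form.
NORMALIZED_QUERY_RULE = re.compile(r"highlight=%27", re.IGNORECASE)


def blocked_after_decoding(query_string):
    """True when the once-decoded query string still carries the marker."""
    return bool(NORMALIZED_QUERY_RULE.search(unquote(query_string)))


# Constructed sample query strings (not real captures).
SAMPLES = {
    "normal search": "t=123&highlight=apache",
    "worm style":    "t=123&highlight=%2527",
    "encoded name":  "t=123&h%69ghlight=%2527",   # tanrek's evasion
}


def classify(samples=SAMPLES):
    """Return {label: (posted_rule_blocks, decoded_rule_blocks)} per sample."""
    return {label: (blocked_literally(qs), blocked_after_decoding(qs))
            for label, qs in samples.items()}


if __name__ == "__main__":
    for label, (literal, decoded) in classify().items():
        print(f"{label:14s} posted rule={literal!s:5s} decode-once={decoded}")
    # Constructed cookie carrying the serialized "test1" marker.
    print("cookie marker  posted rule=",
          blocked_literally("", "data=a:1:{i:0;s:5:%22test1%22%3b}"))
```

Running it shows the posted rule catching `highlight=%2527` and the cookie marker but not `h%69ghlight=%2527`, while the decode-once check catches both query variants. mod_rewrite has no way to match a decoded QUERY_STRING (THE_REQUEST is raw as well), so a check like `blocked_after_decoding` would have to sit in a filtering module or in the application itself, and, as rcardona says, none of it replaces the phpBB and PHP updates. For espicom's question: RewriteEngine, RewriteCond and RewriteRule in a .htaccess file need "AllowOverride FileInfo" for that directory, and a per-directory RewriteRule additionally needs "Options FollowSymLinks" (or SymLinksIfOwnerMatch) to be enabled there.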
