Code: Select all
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{HTTP_COOKIE}% s:(.*):\%22test1\%22\%3b
RewriteRule ^.*$ - [F,L]
Any ideas why it won't work?
liluli wrote: I have created a .htaccess file with the following code (there are no other lines in the file)
Code: Select all
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{HTTP_COOKIE}% s:(.*):\%22test1\%22\%3b
RewriteRule ^.*$ - [F,L]
And have tried uploading it via my FTP and wherever I put it and then go to my site I get an internal server error 500 page, and then when I remove the .htaccess file the site loads again.
Any ideas why it won't work?
Psychotic_Carp wrote: have you checked to see if you have any viruses?
Captain Jim wrote: Okay, I've been reading about this for a little bit and I'm really confused. I have identified two files on my site that are the .htaccess file, one is in my main directory and the other in the phpbb cache directory. What should I add to these files which will not cause any further harm? I see lots and lots of options being posted and can't make heads or tails out of this stuff......I need something plain and simple. THANKS in advance.....this work sucks!!!
Code: Select all
RewriteCond %{HTTP_USER_AGENT} ^Mozilla\ 4\.0$
Code: Select all
if ( !defined('IN_PHPBB') )
{
die("Hacking attempt");
}
Code: Select all
//Worm prevention
$user_agent = $_SERVER["HTTP_USER_AGENT"];
$query_string = $_SERVER["QUERY_STRING"];
//echo $query_string;
$UA_Match = preg_match('#LWP(\:\:Simple|\-trivial)\/\d\.\d+#i',$user_agent);
$QueryMatch = (
(preg_match_all('#chr\%28\d+\%29#U',$query_string,$matches)>10) || //chr(xxx) where xxx is digits
strpos($query_string,'%24HTTP_GET_VARS') !== false || //$HTTP_GET_VARS; !== false so a match at offset 0 still counts
(preg_match_all('#chr\(\d+\)#U',$query_string,$matches)>10)
);
if ($UA_Match || $QueryMatch) {
die();
}
//END Worm protection
Code: Select all
$UA_Match = preg_match('#LWP(\:\:Simple|\-trivial)\/\d\.\d+#i',$user_agent);
Code: Select all
$UA_Match = (preg_match('#LWP(\:\:Simple|\-trivial)\/\d\.\d+#i',$user_agent) || preg_match('#^Mozilla\s4\.0$#i',$user_agent) );
if(stristr($QUERY_STRING,'%2527')) {
die();
}
Notice: Undefined variable: QUERY_STRING in MYLOCALPATH\viewtopic.php on line 2
Warning: Cannot modify header information - headers already sent by (output started at MYLOCALPATH\viewtopic.php:2) in MYLOCALPATH\includes\sessions.php on line 305
Warning: Cannot modify header information - headers already sent by (output started at MYLOCALPATH\viewtopic.php:2) in MYLOCALPATH\includes\sessions.php on line 306
Warning: Cannot modify header information - headers already sent by (output started at MYLOCALPATH\viewtopic.php:2) in MYLOCALPATH\viewtopic.php on line 563
Warning: Cannot modify header information - headers already sent by (output started at MYLOCALPATH\viewtopic.php:2) in MYLOCALPATHincludes\page_header.php on line 471
Warning: Cannot modify header information - headers already sent by (output started at MYLOCALPATH\forum2\viewtopic.php:2) in MYLOCALPATH\includes\page_header.php on line 477
Warning: Cannot modify header information - headers already sent by (output started at MYLOCALPATH\viewtopic.php:2) in MYLOCALPATH\includes\page_header.php on line 478
Code: Select all
RewriteEngine On
# prevent access from santy webworm a-e
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]
RewriteCond %{QUERY_STRING} ^(.*)wget\%20
RewriteRule ^.*$ http://127.0.0.1/ [R,L]
# prevent pre php 4.3.10 bug
RewriteCond %{HTTP_COOKIE}% s:(.*):\%22test1\%22\%3b
RewriteRule ^.*$ http://127.0.0.1/ [R,L]
# prevent perl user agent (most often used by santy)
RewriteCond %{HTTP_USER_AGENT} ^lwp.* [NC]
RewriteRule ^.*$ http://127.0.0.1/ [R,L]
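An added example, not code from any poster in this thread: a Python triage script that applies the thread's signatures (the rewrite conditions above plus the PHP user-agent and chr() checks) to Apache access-log lines and reports which client IPs triggered them. The combined log format, the signature names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
# Query-string signatures copied from the rewrite rules and PHP checks in this thread.
QUERY_SIGS = {
    "highlight_2527": re.compile(r"highlight=%2527", re.I),
    "rush_echo": re.compile(r"rush=(?:%65%63%68|echo)", re.I),
    "wget": re.compile(r"wget%20", re.I),
    "http_get_vars": re.compile(r"%24HTTP_GET_VARS"),
}
CHR_CALL = re.compile(r"chr(?:%28|\()\d+(?:%29|\))", re.I)
UA_SIGS = {
    "lwp_agent": re.compile(r"^lwp", re.I),
    "mozilla_4_0": re.compile(r"^Mozilla/4\.0$", re.I),
}
# Assumed Apache "combined" format: ip, ids, [time], "request", status, size, "referer", "agent".
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return the sorted signature names that one access-log line matches."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return []
    query = m.group("target").partition("?")[2]
    hits = {name for name, rx in QUERY_SIGS.items() if rx.search(query)}
    if len(CHR_CALL.findall(query)) > 10:  # same threshold as the PHP filter
        hits.add("chr_run")
    hits |= {n for n, rx in UA_SIGS.items() if rx.search(m.group("ua").strip())}
    return sorted(hits)

def summarize(lines):
    """Map each client IP to the sorted union of signatures it triggered."""
    per_ip = defaultdict(set)
    for line in lines:
        hits = classify(line)
        if hits:
            per_ip[line.split()[0]].update(hits)
    return {ip: sorted(found) for ip, found in per_ip.items()}

# Constructed sample lines (documentation IP ranges), not taken from a real log.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Dec/2004:10:00:00 +0000] "GET /viewtopic.php?t=1&highlight=%2527 HTTP/1.0" 200 512 "-" "LWP::Simple/5.64"',
    '198.51.100.7 - - [25/Dec/2004:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows; U)"',
    '192.0.2.10 - - [25/Dec/2004:10:02:00 +0000] "GET /viewtopic.php?t=2&rush=echo HTTP/1.0" 200 128 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [25/Dec/2004:10:03:00 +0000] "GET /viewtopic.php?t=3&highlight=php HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
]
print(summarize(SAMPLE_LOG))
```

The fourth sample line shows why the user-agent pattern is anchored: an ordinary search highlight from a real MSIE browser matches nothing, while the bare `Mozilla/4.0` agent in the third line does.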
Hynee wrote: In common.php
Find
Code: Select all
if ( !defined('IN_PHPBB') )
{
die("Hacking attempt");
}
After, insert
Code: Select all
//Worm prevention
$user_agent = $_SERVER["HTTP_USER_AGENT"];
$query_string = $_SERVER["QUERY_STRING"];
//echo $query_string;
$UA_Match = preg_match('#LWP(\:\:Simple|\-trivial)\/\d\.\d+#i',$user_agent);
$QueryMatch = (
(preg_match_all('#chr\%28\d+\%29#U',$query_string,$matches)>10) || //chr(xxx) where xxx is digits
strpos($query_string,'%24HTTP_GET_VARS') !== false || //$HTTP_GET_VARS; !== false so a match at offset 0 still counts
(preg_match_all('#chr\(\d+\)#U',$query_string,$matches)>10)
);
if ($UA_Match || $QueryMatch) {
die();
}
//END Worm protection
Code: Select all
if ( !defined('IN_PHPBB') )
{
die("Hacking attempt");
}
Code: Select all
//Worm prevention
//Config
$SantyMessage = ''; //Message to be displayed.
$SantyWaitTime = 0; //Time (in seconds) to hang onto connex before letting go. May not be effective,
//may be dangerous, don't go above 20 seconds without knowing what you're doing.
//Don't edit after this line
$user_agent = $_SERVER["HTTP_USER_AGENT"];
$query_string = $_SERVER["QUERY_STRING"];
$UA_Match = ( preg_match('#LWP(\:\:Simple|\-trivial)\/\d\.\d+#i',$user_agent) || preg_match('#^Mozilla\/4\.0$#i',trim($user_agent)) );
$QueryMatch = (
(preg_match_all('#chr\%28\d+\%29#U',$query_string,$matches)>10) || //chr(xxx) where xxx is digits
strpos($query_string,'%24HTTP_GET_VARS') !== false || //$HTTP_GET_VARS; !== false so a match at offset 0 still counts
(preg_match_all('#chr\(\d+\)#U',$query_string,$matches)>10)
);
if ($UA_Match || $QueryMatch) {
echo $SantyMessage;
flush();
sleep($SantyWaitTime);
die();
}
//END Worm protection
Code: Select all
Could not delete old search id sessions
DEBUG MODE
SQL Error : 1153 Got a packet bigger than 'max_allowed_packet'
DELETE FROM phpbb_search_results WHERE session_id NOT IN (...)
I get
The_Master wrote: This is not meant to protect an insecure board, it will only filter some of the bot requests out.
And here is something for those of you who can't use mod_rewrite but want to cut down the amount of traffic/guests generated by the worm:
open common.php and search for:
Code: Select all
if (!isset($HTTP_POST_VARS) && isset($_POST))
{
    $HTTP_POST_VARS = $_POST;
    $HTTP_GET_VARS = $_GET;
    $HTTP_SERVER_VARS = $_SERVER;
    $HTTP_COOKIE_VARS = $_COOKIE;
    $HTTP_ENV_VARS = $_ENV;
    $HTTP_POST_FILES = $_FILES;
    // _SESSION is the only superglobal which is conditionally set
    if (isset($_SESSION))
    {
        $HTTP_SESSION_VARS = $_SESSION;
    }
}
add this directly after it:
Code: Select all
if ( strstr($HTTP_SERVER_VARS['HTTP_USER_AGENT'] ,'LWP') || strstr($HTTP_GET_VARS['highlight'], '%27') )
{
    die("Hacking attempt");
}
Edit: Changed the code because there are LWP versions with a different user agent than the one I found in my apache access_log.
Edit2: This should now get every attempt to use the highlight exploit, hopefully without causing any other problems.
Edit3: Use this code instead, or change strstr() to stristr() on the user-agent check, if you want to make it case insensitive:
Code: Select all
if ( stristr($HTTP_SERVER_VARS['HTTP_USER_AGENT'] ,'LWP') || strstr($HTTP_GET_VARS['highlight'], '%27') )
{
    die("Hacking attempt");
}
Thanks to JKeats for informing me that the original check is case sensitive.
This is not meant to protect an insecure board, it will only filter some of the bot requests out.
Parse error: parse error, unexpected T_STRING in /home/public_html/forum/common.php on line 51
singletrack wrote: ...anyone know how to quickly do this as I go off digging in the database
Code: Select all
To change it to 15 minutes edit this line in language/lang_english/lang_main.php:
1. $lang['Online_explain'] = 'This data is based on users active over the past five minutes';
and change 300 to 900 in viewonline.php, admin/index.php, includes/page_header.php