Apache forbidden rule for Santy.A worm

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Following phpBB2's EoL, this forum is now archived for reference purposes only.
liluli
Registered User
Posts: 6
Joined: Tue Feb 03, 2004 5:23 pm

Post by liluli »

I have created a .htaccess file with the following code (there are no other lines in the file)

Code:

# Enable mod_rewrite for this directory
RewriteEngine On

# Block the Santy highlight=%2527 request and the serialized cookie pattern aimed at the pre-PHP-4.3.10 bug
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b
RewriteRule ^.*$ - [F,L]
I have tried uploading it via my FTP, and wherever I put it, when I then go to my site I get an internal server error 500 page; when I remove the .htaccess file the site loads again.

Any ideas why it won't work?
Psychotic_Carp
Registered User
Posts: 556
Joined: Fri Dec 03, 2004 1:45 pm

Post by Psychotic_Carp »

liluli wrote: I have created a .htaccess file with the following code (there are no other lines in the file)

Code:

# Enable mod_rewrite for this directory
RewriteEngine On

# Block the Santy highlight=%2527 request and the serialized cookie pattern aimed at the pre-PHP-4.3.10 bug
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b
RewriteRule ^.*$ - [F,L]
I have tried uploading it via my FTP, and wherever I put it, when I then go to my site I get an internal server error 500 page; when I remove the .htaccess file the site loads again.

Any ideas why it won't work?



have you checked to see if you have any viruses?
Captain Jim
Registered User
Posts: 32
Joined: Thu Aug 19, 2004 11:58 pm

Post by Captain Jim »

Okay, I've been reading about this for a little bit and I'm really confused. I have identified two files on my site that are the .htaccess file, one is in my main directory and the other in the phpbb cache directory. What should I add to these files which will not cause any further harm? I see lots and lots of options being posted and can't make heads or tails out of this stuff......I need something plain and simple. THANKS in advance.....this work sucks!!!
liluli
Registered User
Posts: 6
Joined: Tue Feb 03, 2004 5:23 pm

Post by liluli »

Psychotic_Carp wrote: have you checked to see if you have any viruses?


Sorry to be a newbie to this. I have searched for strange/unusual files across all my folders through my ftp and found nothing. Is that what you mean?

My site today is constantly being hit and have disabled the board for the time being, however obviously they are still there on the forum index.

Could .htaccess not be working due to my server's configuration? Do I need to ask for it to be enabled to work or something? Thanks
Hynee
Registered User
Posts: 21
Joined: Sat Dec 25, 2004 6:58 am

Post by Hynee »

Captain Jim wrote: Okay, I've been reading about this for a little bit and I'm really confused. I have identified two files on my site that are the .htaccess file, one is in my main directory and the other in the phpbb cache directory. What should I add to these files which will not cause any further harm? I see lots and lots of options being posted and can't make heads or tails out of this stuff......I need something plain and simple. THANKS in advance.....this work sucks!!!


The .htaccess in the cache directory should be left alone--it just prevents people from snooping, nobody will normally try to go there, and Santy doesn't.

As for the .htaccess prevention, firstly I believe there is a new santy out there that is significantly different--it uses user agent "Mozilla 4.0", so checks will have to be modified.

Something like

Code:

RewriteCond %{HTTP_USER_AGENT} ^Mozilla\ 4\.0$
should catch it, and not other browsers, plus checks for multiple 'chr(xxx)' in the query string, as was the case.

I've coded my Santy overload protection into common.php, which is apparently more wasteful of server resources, but I know it works:

In common.php

Find

Code:

if ( !defined('IN_PHPBB') )
{
	die("Hacking attempt");
}
After, insert

Code:

//Worm prevention
// Read the request details defensively so a missing header does not raise a notice
$user_agent = isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : '';
$query_string = isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : '';

//echo $query_string;

// Perl LWP user agents, as used by the first Santy
$UA_Match = preg_match('#LWP(\:\:Simple|\-trivial)\/\d\.\d+#i',$user_agent);
// More than ten chr(xxx) calls (URL-encoded or plain) or a $HTTP_GET_VARS reference in the query string
$QueryMatch = (
  (preg_match_all('#chr\%28\d+\%29#U',$query_string,$matches)>10) || //chr(xxx) where xxx is digits
   (strpos($query_string,'%24HTTP_GET_VARS') !== false) || //$HTTP_GET_VARS (strpos returns 0 for a match at offset 0, so compare with false)
   (preg_match_all('#chr\(\d+\)#U',$query_string,$matches)>10)
);

if ($UA_Match || $QueryMatch) {
  die();
}

//END Worm protection
I haven't updated the UA check, but the check for chr(xxx) gets it anyway.

Probably changing

Code:

$UA_Match = preg_match('#LWP(\:\:Simple|\-trivial)\/\d\.\d+#i',$user_agent);
to

Code:

$UA_Match = (preg_match('#LWP(\:\:Simple|\-trivial)\/\d\.\d+#i',$user_agent) || preg_match('#^Mozilla\s4\.0$#i',$user_agent) );
will catch the user agent too.

Sorry for straying into PHP protection, but it's what I know.
-=ORC_The_Dude=-
Registered User
Posts: 40
Joined: Mon Oct 18, 2004 5:09 pm

Post by -=ORC_The_Dude=- »

OK, my board works fine ....
I was hacked but I reinstalled the server...
installed 2.0.11 fresh and the MySQL server.
At first we wanted to use PHP 5.0.3
but it did not connect to MySQL...
so we are back at 4.X.X .... something...

The problem is I want to beat them and not reinstall it...


If I put this line in my viewtopic.php just after the <?php:

if(stristr($QUERY_STRING,'%2527')) {
die();
}


I get the page but with the following error statements...
Notice: Undefined variable: QUERY_STRING in MYLOCALPATH\viewtopic.php on line 2

Warning: Cannot modify header information - headers already sent by (output started at MYLOCALPATH\viewtopic.php:2) in MYLOCALPATH\includes\sessions.php on line 305

Warning: Cannot modify header information - headers already sent by (output started at MYLOCALPATH\viewtopic.php:2) in MYLOCALPATH\includes\sessions.php on line 306

Warning: Cannot modify header information - headers already sent by (output started at MYLOCALPATH\viewtopic.php:2) in MYLOCALPATH\viewtopic.php on line 563

Warning: Cannot modify header information - headers already sent by (output started at MYLOCALPATH\viewtopic.php:2) in MYLOCALPATHincludes\page_header.php on line 471

Warning: Cannot modify header information - headers already sent by (output started at MYLOCALPATH\forum2\viewtopic.php:2) in MYLOCALPATH\includes\page_header.php on line 477

Warning: Cannot modify header information - headers already sent by (output started at MYLOCALPATH\viewtopic.php:2) in MYLOCALPATH\includes\page_header.php on line 478


and the insert I do at line 2..... in viewtopic.php

this does not work ...

please advise ????

I'm lost....

I've contacted the person who posted it .. but he does not know it ...
have you READ this topic...http://www.phpbb.com/phpBB/viewtopic.php?t=128123
jsundqui
Registered User
Posts: 40
Joined: Thu Apr 29, 2004 2:25 am

Post by jsundqui »

Believe it or not, I think this may be due to putting a hard return at line 2 or somewhere.

Remove a blank line, resave and see if it works.
frankoamiricano
Registered User
Posts: 73
Joined: Thu Apr 11, 2002 3:24 am

Post by frankoamiricano »

I am using this .htaccess code

Code:

RewriteEngine On

# prevent access from santy webworm a-e
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]
RewriteCond %{QUERY_STRING} ^(.*)wget\%20
RewriteRule ^.*$ http://127.0.0.1/ [R,L]

# prevent pre php 4.3.10 bug (serialized "test1" string in the cookie)
RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b
RewriteRule ^.*$ http://127.0.0.1/ [R,L]

# prevent perl user agent (most often used by santy)
RewriteCond %{HTTP_USER_AGENT} ^lwp.* [NC]
RewriteRule ^.*$ http://127.0.0.1/ [R,L]
I think it is working, but how can I get Apache to send matches to this code to a separate log and keep them out of my main access_log? I have no way to test the effectiveness of this, and it is also making a nice mess of my logs.
SillySprout
Registered User
Posts: 18
Joined: Sat Sep 11, 2004 7:31 pm

Post by SillySprout »

Hynee wrote: In common.php

Find

Code:

if ( !defined('IN_PHPBB') )
{
	die("Hacking attempt");
}
After, insert

Code:

//Worm prevention
// Read the request details defensively so a missing header does not raise a notice
$user_agent = isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : '';
$query_string = isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : '';

//echo $query_string;

// Perl LWP user agents, as used by the first Santy
$UA_Match = preg_match('#LWP(\:\:Simple|\-trivial)\/\d\.\d+#i',$user_agent);
// More than ten chr(xxx) calls (URL-encoded or plain) or a $HTTP_GET_VARS reference in the query string
$QueryMatch = (
  (preg_match_all('#chr\%28\d+\%29#U',$query_string,$matches)>10) || //chr(xxx) where xxx is digits
   (strpos($query_string,'%24HTTP_GET_VARS') !== false) || //$HTTP_GET_VARS (strpos returns 0 for a match at offset 0, so compare with false)
   (preg_match_all('#chr\(\d+\)#U',$query_string,$matches)>10)
);

if ($UA_Match || $QueryMatch) {
  die();
}

//END Worm protection


Thank you! This worm was taking around 300 meg per hour of bandwidth for 8 hours constant. A little cut & paste has solved it. You're an angel! :D
kwag
Registered User
Posts: 3
Joined: Tue Jan 25, 2005 1:42 am

Post by kwag »

Thank you Hynee :D
This was driving me mad too 8O
I applied the patch, and the forum seems to be getting back to normal.
We had a guest count of over 900 (worm) users today 8O

Cheers,
-kwag
Hynee
Registered User
Posts: 21
Joined: Sat Dec 25, 2004 6:58 am

Post by Hynee »

OK, let's try to get this definitive and tested.

It will work as-is, but has a couple of config options, the first to display a message. I've tested this particular version on my local server only, but it should work on a live server, where you should see a rapid decrease in guest users visiting over 5 minutes.

It should catch December's Santy and this new santy, by looking for multiple instances of "chr(xxx)" (where xxx is a number), Perl LWP user agents (used by the first santy), and the plain user agent string "Mozilla/4.0" (used by this new one).

In common.php

Find

Code:

if ( !defined('IN_PHPBB') )
{
   die("Hacking attempt");
}
After, insert

Code:

//Worm prevention

//Config
$SantyMessage = ''; //Message to be displayed.
$SantyWaitTime = 0;  //Time (in seconds) to hold the connection open before letting go. May not be effective,
                  //may be dangerous, don't go above 20 seconds without knowing what you're doing.

//Don't edit after this line

// Read the request details defensively so a missing header does not raise a notice
$user_agent = isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : '';
$query_string = isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : '';

// Perl LWP user agents (first Santy) or the bare "Mozilla/4.0" user agent (the new one)
$UA_Match = ( preg_match('#LWP(\:\:Simple|\-trivial)\/\d\.\d+#i',$user_agent) || preg_match('#^Mozilla\/4\.0$#i',trim($user_agent)) );
// More than ten chr(xxx) calls (URL-encoded or plain) or a $HTTP_GET_VARS reference in the query string
$QueryMatch = (
  (preg_match_all('#chr\%28\d+\%29#U',$query_string,$matches)>10) || //chr(xxx) where xxx is digits
   (strpos($query_string,'%24HTTP_GET_VARS') !== false) || //$HTTP_GET_VARS (strpos returns 0 for a match at offset 0, so compare with false)
   (preg_match_all('#chr\(\d+\)#U',$query_string,$matches)>10)
);

if ($UA_Match || $QueryMatch) {
  echo $SantyMessage;
  flush();
  sleep($SantyWaitTime);
  die();
}

//END Worm protection
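To measure how much of a board's traffic these rules would actually catch (frankoamiricano's question above about testing effectiveness), here is an added Python scanner, not code from the thread, that applies Hynee's user-agent and chr(xxx) checks plus the .htaccess query markers to Apache combined-format access_log lines; the log lines below are constructed samples.

```python
import re

# Heuristics from the thread's .htaccess and common.php checks: Perl LWP or bare
# "Mozilla/4.0" user agents, highlight=%2527 and other exploit markers, >10 chr(xxx).
UA_RE = re.compile(r'LWP(::Simple|-trivial)/\d\.\d+|^Mozilla/4\.0$', re.I)
CHR_RE = re.compile(r'chr(?:\(|%28)\d+(?:\)|%29)', re.I)
QUERY_MARKERS = ('highlight=%2527', '%24http_get_vars', 'rush=echo',
                 'rush=%65%63%68', 'wget%20')
# Apache "combined" log format (assumed for the constructed sample lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def classify(target, ua):
    """Return the reasons a request looks like Santy traffic (empty list = clean)."""
    reasons = []
    query = target.split('?', 1)[1] if '?' in target else ''
    if UA_RE.search(ua.strip()):
        reasons.append('worm user-agent')
    if any(marker in query.lower() for marker in QUERY_MARKERS):
        reasons.append('exploit marker in query')
    if len(CHR_RE.findall(query)) > 10:
        reasons.append('many chr() calls in query')
    return reasons

def scan_log(lines):
    """Return (ip, target, reasons) for every log line the heuristics flag."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        reasons = classify(m['target'], m['ua'])
        if reasons:
            hits.append((m['ip'], m['target'], reasons))
    return hits

def tally(lines):
    """Count how often each heuristic fired, to see which rules are doing the work."""
    counts = {}
    for _ip, _target, reasons in scan_log(lines):
        for r in reasons:
            counts[r] = counts.get(r, 0) + 1
    return counts

# Constructed sample log lines (not from the thread): one normal search, one
# December-style request with a 12-call chr() chain, one "Mozilla/4.0" request.
WORM_CHR = '%2e'.join('chr%%28%d%%29' % n for n in range(97, 109))
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Jan/2005:03:10:01 +0000] "GET /viewtopic.php?t=12&highlight=rewrite HTTP/1.1" 200 8231 "-" "Mozilla/5.0 (X11; Linux) Firefox/1.0"',
    '198.51.100.7 - - [25/Jan/2005:03:10:02 +0000] "GET /viewtopic.php?t=1&highlight=%2527.' + WORM_CHR + '.%2527 HTTP/1.0" 200 512 "-" "LWP::Simple/5.803"',
    '203.0.113.9 - - [25/Jan/2005:03:10:03 +0000] "GET /viewtopic.php?t=1&highlight=%2527 HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
]
```

Run `tally(SAMPLE_LOG)` before and after enabling the rules on a real access_log excerpt to see whether the hit count drops to zero.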
kwag
Registered User
Posts: 3
Joined: Tue Jan 25, 2005 1:42 am

Post by kwag »

I think the worm has screwed up our database :cry:

Look what I'm getting every time I do a search for any text:

Code:

Could not delete old search id sessions

DEBUG MODE

SQL Error : 1153 Got a packet bigger than 'max_allowed_packet'

DELETE FROM phpbb_search_results WHERE session_id NOT IN (
That's just a small piece, because the list is huge :(

Edit: Also happens when I click on the "View posts since last visit" link.


EDIT: Whatever happened, it's now gone :!:
The forum is now working correctly. I guess I just had to wait a little until the "worm" sessions expired.
Everything is fine and dandy now, so disregard this post :D


-kwag
Last edited by kwag on Tue Jan 25, 2005 3:56 am, edited 1 time in total.
Triumph the Comic Dog
Registered User
Posts: 140
Joined: Fri Oct 24, 2003 4:33 am
Location: Neca Valley, Pennsyltucky

Post by Triumph the Comic Dog »

The_Master wrote: This is not meant to protect an insecure board, it will only filter some of the bot requests out.

And here is something for those of you who can't use mod_rewrite but want to cut down the amount of traffic/guests generated by the worm:

open common.php and search for:

Code:

if (!isset($HTTP_POST_VARS) && isset($_POST))
{
	$HTTP_POST_VARS = $_POST;
	$HTTP_GET_VARS = $_GET;
	$HTTP_SERVER_VARS = $_SERVER;
	$HTTP_COOKIE_VARS = $_COOKIE;
	$HTTP_ENV_VARS = $_ENV;
	$HTTP_POST_FILES = $_FILES;

	// _SESSION is the only superglobal which is conditionally set
	if (isset($_SESSION))
	{
		$HTTP_SESSION_VARS = $_SESSION;
	}
}
add this directly after it:

Code:

// Block Perl LWP user agents and highlight values that still carry the encoded quote
// (the worm sends %2527, which PHP decodes to %27); guard with isset() to avoid notices
if ( (isset($HTTP_SERVER_VARS['HTTP_USER_AGENT']) && strstr($HTTP_SERVER_VARS['HTTP_USER_AGENT'], 'LWP')) ||
     (isset($HTTP_GET_VARS['highlight']) && strstr($HTTP_GET_VARS['highlight'], '%27')) )
{
	die("Hacking attempt");
}
Edit: Changed the code because there are LWP versions with a different user agent than the one I found in my apache access_log.

Edit2: This should now get every attempt to use the highlight exploit, hopefully without causing any other problems.

Edit3: Use this code instead, or change strstr() to stristr() on the user-agent check, if you want to make it case insensitive:

Code:

// Same check as above, but stristr() makes the user-agent match case insensitive
if ( (isset($HTTP_SERVER_VARS['HTTP_USER_AGENT']) && stristr($HTTP_SERVER_VARS['HTTP_USER_AGENT'], 'LWP')) ||
     (isset($HTTP_GET_VARS['highlight']) && strstr($HTTP_GET_VARS['highlight'], '%27')) )
{
	die("Hacking attempt");
}
Thanks to JKeats for informing me that the original check is case sensitive.

This is not meant to protect an insecure board, it will only filter some of the bot requests out.
I get
Parse error: parse error, unexpected T_STRING in /home/public_html/forum/common.php on line 51
:shrug:
Last edited by Triumph the Comic Dog on Tue Jan 25, 2005 3:55 am, edited 1 time in total.
singletrack
Registered User
Posts: 17
Joined: Thu Dec 05, 2002 4:00 am

Post by singletrack »

Dang...I was getting hammered all day. Did a traceroute on a few and they were the Googlebot so I just figured something weird was going on and they all were search bots. Then checked these forums and realized they weren't. Added the code to common.php and within a few minutes things went back to normal. I'd like to edit my 'most ever online' back to the last known high level...anyone know how to quickly do this as I go off digging in the database :)
kwag
Registered User
Posts: 3
Joined: Tue Jan 25, 2005 1:42 am

Post by kwag »

singletrack wrote: ...anyone know how to quickly do this as I go off digging in the database :)

Quick off topic, but here it goes :)

Code:

To change it to 15 minutes edit this line in language/lang_english/lang_main.php:

$lang['Online_explain'] = 'This data is based on users active over the past five minutes';

and change 300 to 900 in viewonline.php, admin/index.php, includes/page_header.php
-kwag