Apache forbidden rule for Santy.A worm

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
Psychotic_Carp
Registered User
Posts: 556
Joined: Fri Dec 03, 2004 1:45 pm

Post by Psychotic_Carp » Sun Jan 23, 2005 3:08 am

-=ORC_The_Dude=- wrote:
-jm- wrote:
thecoalman wrote: htaccess.txt (not sure if Windows supports long file extensions)


Win98SE supports the *.htaccess extension. It doesn't let me rename a file to .htaccess with nothing before the dot.



But no one answers the question...

Is it possible to get one file in a zip containing the .htaccess file itself?


Try this:

There is already a .htaccess file in your phpBB folder (the cache folder).

Download it to your desktop, open it in Notepad (or get HTML-Kit; Google it), paste in the code and save it, then upload it where you want it.


What I want to know is: what is the best code to currently use, and which folders are the best to use? (Replace the one in the cache folder? And can I place the file in multiple locations?)

damiel
Registered User
Posts: 12
Joined: Wed Dec 22, 2004 3:35 pm
Location: Frontios

Post by damiel » Mon Jan 24, 2005 6:05 pm

whit wrote: You could probably get away with:

Code:

RewriteEngine On
RewriteBase /

RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{HTTP_USER_AGENT} ^lwp [NC]
RewriteRule ^.*$ - [F,L]
The highlight line catches, I think, all the variants of Santy I've logged. The next catches all the attempts at custom hacks from Perl I've seen so far (everything starting with LWP or lwp; the "NC" means "no case"). You can at the very least get rid of all the LWP and lwp lines but that one.


I realized today that my forum was being hit by these stupid worms (far more "guests" than usual, and then, looking at the "latest visitors" stats in CPanel, I realized that they were all trying to use the "highlight" exploit). I wasn't worried about getting trashed anymore, because I had upgraded to phpBB 2.0.11 a month ago and PHP was upgraded to 4.3.10 by the host. However, I was worried about the bandwidth usage, and I just wanted to say that this .htaccess script worked like a charm. Very soon after I added it, the "guests" went away.

Damiel

damiel
Registered User
Posts: 12
Joined: Wed Dec 22, 2004 3:35 pm
Location: Frontios

Post by damiel » Mon Jan 24, 2005 6:31 pm

BTW, in case anyone cares, I write .htaccess scripts in Windows by uploading the file as htaccess.txt (really, the extension doesn't make a difference). Then, while in FTP, I rename the file to .htaccess.

It's really simple.

Damiel

jsundqui
Registered User
Posts: 40
Joined: Thu Apr 29, 2004 2:25 am

Post by jsundqui » Mon Jan 24, 2005 7:53 pm

damiel wrote: I realized today that my forum was being hit by these stupid worms (far too many "guests" than usual, and then looking at the "latest visitors" stats in CPanel, I realized that they were all trying to use the "highlight" exploit). I wasn't worried about getting trashed anymore, because I had upgraded to phpBB 2.0.11 a month ago and PHP was upgraded to 4.3.10 by the host. However, I was worried about the bandwidth usage, and I just wanted to say that this .htaccess script worked like a charm. Very soon after I added it, the "guests" went away.

Damiel


It seems the worms kicked it up a notch today at my site as well. I did the mod_rewrite changes to .htaccess a while ago so they all get 403'd, but I was only getting worm attempts every few minutes or so, and from what seemed to be hijacked cable/DSL home lusers. But today it has cranked up to every 10 seconds or so, and they seem to be coming from hosting outfits. This is all based on unscientific sampling of IPs to look up. But the hit rate is definitely a huge spike today.

BTW, I've been getting some users registering from Russia that seem intent on breaking in. They got in a while ago, probably by reading config.php before I upgraded to 2.0.11 (and I had the same password for the db as the site - since changed) (curiously, site was not defaced as was done with other santy attacks, although my portal page was eventually hacked, no other files deleted, though). But it is curious that they needed to sign up as users to do this. Is there another crack out there not yet discovered or reported?

liluli
Registered User
Posts: 6
Joined: Tue Feb 03, 2004 5:23 pm

Post by liluli » Mon Jan 24, 2005 8:22 pm

I have created a .htaccess file with the following code (there are no other lines in the file):

Code:

RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b
RewriteRule ^.*$ - [F,L]
And I have tried uploading it via my FTP, and wherever I put it, when I then go to my site I get an internal server error 500 page; when I remove the .htaccess file the site loads again.

Any ideas why it won't work?

Psychotic_Carp
Registered User
Posts: 556
Joined: Fri Dec 03, 2004 1:45 pm

Post by Psychotic_Carp » Mon Jan 24, 2005 10:05 pm

liluli wrote: I have created a .htaccess file with the following code (there are no other lines in the file):

Code:

RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b
RewriteRule ^.*$ - [F,L]
And I have tried uploading it via my FTP, and wherever I put it, when I then go to my site I get an internal server error 500 page; when I remove the .htaccess file the site loads again.

Any ideas why it won't work?



have you checked to see if you have any viruses?

Captain Jim
Registered User
Posts: 32
Joined: Thu Aug 19, 2004 11:58 pm
Contact:

Post by Captain Jim » Mon Jan 24, 2005 10:06 pm

Okay, I've been reading about this for a little bit and I'm really confused. I have identified two files on my site that are .htaccess files, one in my main directory and the other in the phpBB cache directory. What should I add to these files which will not cause any further harm? I see lots and lots of options being posted and can't make heads or tails of this stuff... I need something plain and simple. THANKS in advance... this work sucks!!!

liluli
Registered User
Posts: 6
Joined: Tue Feb 03, 2004 5:23 pm

Post by liluli » Mon Jan 24, 2005 10:17 pm

Psychotic_Carp wrote: have you checked to see if you have any viruses?


Sorry to be a newbie to this. I have searched for strange/unusual files across all my folders through my ftp and found nothing. Is that what you mean?

My site today is constantly being hit and have disabled the board for the time being, however obviously they are still there on the forum index.

Could .htaccess not be working due to my server's configuration? Do I need to ask for it to be enabled to work or something? Thanks

Hynee
Registered User
Posts: 21
Joined: Sat Dec 25, 2004 6:58 am

Post by Hynee » Mon Jan 24, 2005 11:15 pm

Captain Jim wrote: Okay, I've been reading about this for a little bit and I'm really confused. I have identified two files on my site that are the .htaccess file, one is in my main directory and the other in the phpbb cache directory. What should I add to these files which will not cause any further harm? I see lots and lots of options being posted and can't make heads or tails out of this stuff......I need something plain and simple. THANKS in advance.....this work sucks!!!


The .htaccess in the cache directory should be left alone; it just prevents people from snooping, nobody will normally try to go there, and Santy doesn't.

As for the .htaccess prevention, firstly I believe there is a new Santy out there that is significantly different; it uses the user agent "Mozilla 4.0", so checks will have to be modified.

Something like

Code:

RewriteCond %{HTTP_USER_AGENT} ^Mozilla\ 4\.0$
should catch it, and not other browsers, plus checks for multiple 'chr(xxx)' in the query string, as was the case.

I've coded my Santy overload protection into common.php, which is apparently more wasteful of server resources, but I know it works:

In common.php

Find

Code:

if ( !defined('IN_PHPBB') )
{
	die("Hacking attempt");
}
After, insert

Code:

//Worm prevention
// Read the request fields with isset() so a missing header does not raise a notice
$user_agent   = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$query_string = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';

// libwww-perl user agents: LWP::Simple/x.yy or lwp-trivial/x.yy, any case
$UA_Match = preg_match('#LWP(\:\:Simple|\-trivial)\/\d\.\d+#i', $user_agent);
$QueryMatch = (
  (preg_match_all('#chr\%28\d+\%29#U', $query_string, $matches) > 10) || // chr%28xxx%29 (encoded parens), xxx digits
  (strpos($query_string, '%24HTTP_GET_VARS') !== false) ||                // $HTTP_GET_VARS; compare to false, since strpos() returns 0 for a match at offset 0
  (preg_match_all('#chr\(\d+\)#U', $query_string, $matches) > 10)        // chr(xxx) with literal parens
);

if ($UA_Match || $QueryMatch) {
  die();
}

//END Worm protection
I haven't updated the UA check, but the check for chr(xxx) gets it anyway.

Probably changing

Code:

$UA_Match = preg_match('#LWP(\:\:Simple|\-trivial)\/\d\.\d+#i',$user_agent);
to

Code:

$UA_Match = (preg_match('#LWP(\:\:Simple|\-trivial)\/\d\.\d+#i',$user_agent) || preg_match('#^Mozilla\s4\.0$#i',$user_agent) );
will catch the user agent too.

Sorry for straying into PHP protection, but it's what I know.

-=ORC_The_Dude=-
Registered User
Posts: 40
Joined: Mon Oct 18, 2004 5:09 pm

Post by -=ORC_The_Dude=- » Mon Jan 24, 2005 11:17 pm

OK, my board works fine...
I was hacked but I reinstalled the server,
installed 2.0.11 fresh and the MySQL server.
At first we wanted to use PHP 5.0.3,
but it did not connect to MySQL,
so we are back at 4.X.X... something.

The problem is I want to beat them and not reinstall it...


If I put these lines in my viewtopic.php just after the <?php:

if(stristr($QUERY_STRING,'%2527')) {
die();
}


I get the page but with the following error statements:
Notice: Undefined variable: QUERY_STRING in MYLOCALPATH\viewtopic.php on line 2

Warning: Cannot modify header information - headers already sent by (output started at MYLOCALPATH\viewtopic.php:2) in MYLOCALPATH\includes\sessions.php on line 305

Warning: Cannot modify header information - headers already sent by (output started at MYLOCALPATH\viewtopic.php:2) in MYLOCALPATH\includes\sessions.php on line 306

Warning: Cannot modify header information - headers already sent by (output started at MYLOCALPATH\viewtopic.php:2) in MYLOCALPATH\viewtopic.php on line 563

Warning: Cannot modify header information - headers already sent by (output started at MYLOCALPATH\viewtopic.php:2) in MYLOCALPATHincludes\page_header.php on line 471

Warning: Cannot modify header information - headers already sent by (output started at MYLOCALPATH\forum2\viewtopic.php:2) in MYLOCALPATH\includes\page_header.php on line 477

Warning: Cannot modify header information - headers already sent by (output started at MYLOCALPATH\viewtopic.php:2) in MYLOCALPATH\includes\page_header.php on line 478


and I do the insert at line 2 in viewtopic.php.

This does not work...

Please advise????

I'm lost...

I've contacted the person who posted it, but he doesn't know either...
have you READ this topic...http://www.phpbb.com/phpBB/viewtopic.php?t=128123
Babe, you're acting like I have cheated on you, and I have never cheated on you. Except for that one time, with myself, and you caught me.

jsundqui
Registered User
Posts: 40
Joined: Thu Apr 29, 2004 2:25 am

Post by jsundqui » Mon Jan 24, 2005 11:32 pm

Believe it or not, I think this may be due to putting a hard return at line 2 or somewhere.

Remove a blank line, resave and see if it works.

frankoamiricano
Registered User
Posts: 73
Joined: Thu Apr 11, 2002 3:24 am

Post by frankoamiricano » Tue Jan 25, 2005 12:30 am

I am using this htaccess code:

Code:

RewriteEngine On

# prevent access from santy webworm a-e
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]
RewriteCond %{QUERY_STRING} ^(.*)wget\%20
RewriteRule ^.*$ http://127.0.0.1/ [R,L]

# prevent pre php 4.3.10 bug
RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b
RewriteRule ^.*$ http://127.0.0.1/ [R,L]

# prevent perl user agent (most often used by santy)
RewriteCond %{HTTP_USER_AGENT} ^lwp.* [NC]
RewriteRule ^.*$ http://127.0.0.1/ [R,L]
I think it is working, but how can I get Apache to send the matches for this code to a separate log and keep them out of my main access_log? I have no way to test the effectiveness of this, and it is also making a nice mess of my logs.
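The rule sets posted in this thread (whit's and frankoamiricano's RewriteCond lines, Hynee's note that the newer variant announces itself as a bare "Mozilla 4.0" and his count of chr(xxx) calls) and frankoamiricano's question about seeing which requests they actually catch, as an added example that is not code from any post here: a Python script that replays an Apache combined-format access log through the same patterns, splits the matched lines from normal traffic and counts hits per source IP. The log lines and IP addresses (RFC 5737 documentation ranges) are constructed for the example, the rule names are mine, and the cookie rule is omitted because the combined log format does not record the Cookie header.

```python
"""Replay an Apache 'combined' access log through the Santy-era rules from this
thread and split worm hits from normal traffic.  Added example; not code from
any post here.  Rule names, the log lines and the IP addresses (RFC 5737
documentation ranges) are constructed for the example."""
import re
from collections import Counter

# Apache combined log: host ident user [time] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The thread's RewriteCond patterns, applied to the raw (still percent-encoded)
# query string and user agent exactly as mod_rewrite applies them.  mod_rewrite
# uses PCRE, so they carry over to Python's re unchanged.
QUERY_RULES = [
    ("highlight-%2527", re.compile(r"highlight=%2527")),   # Santy.A double-encoded quote
    ("rush-encoded",    re.compile(r"rush=%65%63%68")),    # "ech..." hex-encoded
    ("rush-plain",      re.compile(r"rush=echo")),
    ("wget",            re.compile(r"wget%20")),
    ("HTTP_GET_VARS",   re.compile(r"%24HTTP_GET_VARS")),  # $HTTP_GET_VARS
]
UA_RULES = [
    ("lwp",         re.compile(r"^lwp", re.I)),            # libwww-perl, any case ([NC])
    ("mozilla-4.0", re.compile(r"^Mozilla 4\.0$")),        # the newer variant's bare UA;
]                                                          # real browsers send "Mozilla/4.0 (...)"
# Hynee's count check: more than ten chr(NNN) calls, raw or with %28/%29 encoded parens.
CHR_RE = re.compile(r"chr(?:\(|%28)\d+(?:\)|%29)", re.I)
CHR_THRESHOLD = 10
# The cookie rule (s:(.*):%22test1%22%3b) is left out: combined logs carry no Cookie header.


def classify(query, ua):
    """Names of the rules that fire for one request; an empty list means it passes."""
    hits = [name for name, rx in QUERY_RULES if rx.search(query)]
    hits += [name for name, rx in UA_RULES if rx.search(ua)]
    if len(CHR_RE.findall(query)) > CHR_THRESHOLD:
        hits.append("chr-flood")
    return hits


def parse_line(line):
    """Split a combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def triage(lines):
    """Return (worm_hits, clean_lines, hits_per_ip).

    worm_hits is a list of (ip, [rule names], original line); clean_lines keeps
    everything that matched nothing, so it can be written out as the cleaned
    access_log.  Unparseable lines stay with the clean traffic rather than
    being silently dropped."""
    worm, clean, per_ip = [], [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            clean.append(line)
            continue
        hits = classify(rec["query"], rec["ua"])
        if hits:
            worm.append((rec["ip"], hits, line))
            per_ip[rec["ip"]] += 1
        else:
            clean.append(line)
    return worm, clean, per_ip


# Constructed sample: two worm sources, one real search for the word "santy",
# one ordinary page view.  The chr() chain is 12 calls, over the threshold.
CHR_PAYLOAD = ".".join("chr(%d)" % c for c in b"hello world!")
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Jan/2005:18:05:11 +0000] "GET /viewtopic.php?t=12&highlight=%2527%252esystem(chr(119)) HTTP/1.0" 200 4104 "-" "LWP::Simple/5.79"',
    '198.51.100.9 - - [24/Jan/2005:18:05:40 +0000] "GET /viewtopic.php?t=12&highlight=%2527&rush=' + CHR_PAYLOAD + ' HTTP/1.0" 200 4104 "-" "Mozilla 4.0"',
    '198.51.100.9 - - [24/Jan/2005:18:05:41 +0000] "GET /viewtopic.php?t=12&rush=%65%63%68%6f HTTP/1.0" 200 4104 "-" "Mozilla 4.0"',
    '192.0.2.44 - - [24/Jan/2005:18:06:02 +0000] "GET /viewtopic.php?t=12&highlight=santy HTTP/1.1" 200 9120 "http://example.org/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.45 - - [24/Jan/2005:18:06:30 +0000] "GET /index.php HTTP/1.1" 200 18733 "-" "Mozilla/5.0 (X11; U; Linux i686; rv:1.7.5) Gecko/20041107 Firefox/1.0"',
]

if __name__ == "__main__":
    worm, clean, per_ip = triage(SAMPLE_LOG)
    for ip, hits, _ in worm:
        print("BLOCK %-14s %s" % (ip, ",".join(hits)))
    print("worm lines: %d  clean lines: %d  per IP: %s" % (len(worm), len(clean), dict(per_ip)))
```

Run it over a real access_log to get the per-IP counts before deciding whether to block a source or to keep the rules at all. Two things the sample makes visible: the patterns match the raw query string exactly as mod_rewrite does, so every encoding variant (chr( versus chr%28) needs its own pattern, which is why the counting rule accepts both; and the legitimate highlight=santy search and the MSIE "Mozilla/4.0 (compatible; ...)" agent pass untouched, which is the check worth making before putting ^Mozilla\ 4\.0$ into production.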

SillySprout
Registered User
Posts: 18
Joined: Sat Sep 11, 2004 7:31 pm

Post by SillySprout » Tue Jan 25, 2005 1:22 am

Hynee wrote: In common.php

Find

Code:

if ( !defined('IN_PHPBB') )
{
	die("Hacking attempt");
}
After, insert

Code:

//Worm prevention
// Read the request fields with isset() so a missing header does not raise a notice
$user_agent   = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$query_string = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';

// libwww-perl user agents: LWP::Simple/x.yy or lwp-trivial/x.yy, any case
$UA_Match = preg_match('#LWP(\:\:Simple|\-trivial)\/\d\.\d+#i', $user_agent);
$QueryMatch = (
  (preg_match_all('#chr\%28\d+\%29#U', $query_string, $matches) > 10) || // chr%28xxx%29 (encoded parens), xxx digits
  (strpos($query_string, '%24HTTP_GET_VARS') !== false) ||                // $HTTP_GET_VARS; compare to false, since strpos() returns 0 for a match at offset 0
  (preg_match_all('#chr\(\d+\)#U', $query_string, $matches) > 10)        // chr(xxx) with literal parens
);

if ($UA_Match || $QueryMatch) {
  die();
}

//END Worm protection


Thank you! This worm was taking around 300 MB per hour of bandwidth for 8 hours constant. A little cut & paste has solved it. You're an angel! :D
Weeee. I am an outrageous vegetable!

kwag
Registered User
Posts: 3
Joined: Tue Jan 25, 2005 1:42 am

Post by kwag » Tue Jan 25, 2005 1:46 am

Thank you Hynee :D
This was driving me mad too 8O
I applied the patch, and the forum seems to be getting back to normal.
We had a guest count of over 900 (worm) users today 8O

Cheers,
-kwag
