Um, santy is back?

The 2.0.x discussion forum has been locked; this will remain read-only. The 3.0.x discussion forum has been renamed phpBB Discussion.
Hynee
Registered User
Posts: 21
Joined: Sat Dec 25, 2004 6:58 am


Post by Hynee » Mon Jan 24, 2005 10:35 pm

About an hour ago a user on my forum pointed out that there were 130 guests on our board, and sure enough, they were the usual:

/forum/viewtopic.php?t=546&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(

The user agent is always a simple "Mozilla/4.0", not your typical real browser string of "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)", and not the user agent the Christmas santy used (LWP::Simple or lwp-trivial). They've obviously changed this, because that made it easy to catch.

They're coming from all sorts of hosts. Anyway, is it back?

fumbalah
Registered User
Posts: 2000
Joined: Sat Jan 24, 2004 3:02 pm
Location: Lexington, Kentucky

Post by fumbalah » Mon Jan 24, 2005 11:53 pm

What version of phpBB are you running? The worm is still going around somewhat, trying to exploit forums; as long as you are patched, you should be fine.

Hynee
Registered User
Posts: 21
Joined: Sat Dec 25, 2004 6:58 am

Post by Hynee » Tue Jan 25, 2005 12:56 am

We're fine, we're at v2.0.11. Just a lot of hits, hasn't slowed us really.

tristatesportbikes
Registered User
Posts: 14
Joined: Tue Jun 15, 2004 12:54 am

hits

Post by tristatesportbikes » Tue Jan 25, 2005 1:21 am

We were hit with over 500 guests and it didn't slow it down at all. The patches seem to be working fine. Put the patch in the config.php file and guests dropped down to normal.

We are at a heavily modded board that is at 2.0.6 with all of the security patches from then to 2.0.11.

G.A. Heath
Registered User
Posts: 2
Joined: Tue Jan 25, 2005 2:32 am

Post by G.A. Heath » Tue Jan 25, 2005 2:37 am

I have to agree that this is a new flavor of santy. My site is small, but we have noticed the activity and my logs are similar to what Hynee has mentioned.

mdecatur
Registered User
Posts: 2
Joined: Fri Dec 24, 2004 9:56 pm

Post by mdecatur » Tue Jan 25, 2005 2:40 am

We're getting slaughtered, hundreds of guests and our board is crawling. We're at 2.0.11 though, so security is a nonissue. Is there a way to ban the hosts that try to execute this specific URL string automatically?

AdamR
Former Team Member
Posts: 9731
Joined: Tue Mar 02, 2004 5:40 pm
Location: Tampa, Florida
Name: Adam Reyher

Post by AdamR » Tue Jan 25, 2005 3:13 am

You can block the attacks at the "server" level before it even gets to the phpBB files. See this link for information:
http://www.phpbb.com/phpBB/viewtopic.php?t=249010

- Adam
phpBB Support: Welcome | Userguide | Knowledge Base | Search
Honored supporter of the phpBB Group!
"If I have seen a little further it is by standing on the shoulders of Giants." - Isaac Newton
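Added example, not part of any post in this thread and not phpBB code: a log filter for the request pattern Hynee quotes, answering mdecatur's question of how to find the hosts to ban. It assumes Apache "combined" log lines; it keys on the double-encoded `highlight` value rather than on the user agent, since the thread notes the agent string has already changed once.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache "combined" log format is assumed; the thread does not name the server.
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
# PHP calls that have no place in a search-highlight term.
CALL_RE = re.compile(r"\b(?:system|passthru|exec|shell_exec|eval|chr)\s*\(", re.I)

def fully_decode(value, max_rounds=5):
    """Percent-decode until stable: the probe is double-encoded (%2527 -> %27 -> ')."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_santy_probe(target):
    """True if a viewtopic.php request carries a quote plus a PHP call in highlight."""
    parts = urlsplit(target)
    if not parts.path.endswith("viewtopic.php"):
        return False
    for raw in parse_qs(parts.query, keep_blank_values=True).get("highlight", []):
        term = fully_decode(raw)
        if "'" in term and CALL_RE.search(term):
            return True
    return False

def offending_hosts(lines):
    """Map each probing client address to the set of user agents it sent."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_santy_probe(m.group("target")):
            hits.setdefault(m.group("host"), set()).add(m.group("ua"))
    return hits

# Constructed sample lines (documentation addresses); the probe target is the
# truncated string quoted in the first post, left truncated.
PROBE = ("/forum/viewtopic.php?t=546&highlight=%2527%252Esystem(chr(112)%252Echr(101)"
         "%252Echr(114)%252Echr(108)%252Echr(")
SAMPLE_LOG = [
    f'192.0.2.10 - - [24/Jan/2005:22:31:07 +0000] "GET {PROBE} HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [24/Jan/2005:22:31:09 +0000] "GET /forum/viewtopic.php?t=546&highlight=system+requirements HTTP/1.1" 200 8312 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '203.0.113.5 - - [24/Jan/2005:22:31:12 +0000] "GET /forum/viewtopic.php?t=9&highlight=don%27t HTTP/1.1" 200 4410 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for host, agents in offending_hosts(SAMPLE_LOG).items():
        print(host, sorted(agents))
```

The third sample line shows why the bare "Mozilla/4.0" agent is recorded but not used as the trigger: a legitimate search for a word with an apostrophe from a client sending that agent is not flagged.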
