Raven (Site Admin/Owner)
Joined: Aug 27, 2002 Posts: 16986 Location: Kansas
Posted: Sat Dec 25, 2004 10:00 pm
I used to have them banned outright too, but there were a few people that really wanted access, so I decided to try to ride the storm. We'll see....
PHrEEkie (Subject Matter Expert)
Joined: Feb 23, 2004 Posts: 358
Posted: Sat Dec 25, 2004 10:06 pm
If they want in, I allow on an IP basis only. It's just reverse thinking... instead of allowing all and denying individual IPs, I deny their entire range and allow individual IPs. If they're on dynamic IP networks, too bad... they can take it up with their government about shutting down the sites that attack us. I have enough problems... they are one less problem and have been for a while now. Apparently they will remain not a problem for quite a while longer.
PHrEEk
VinDSL (Life Cycles Becoming CPU Cycles)
Joined: Jul 11, 2004 Posts: 617 Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com
Posted: Sun Dec 26, 2004 12:32 am
PHrEEkie wrote:
    Ok, now I understand exactly why I haven't had even one attack across an entire server...

The latest Santy variant has been attacking my site.
LoL! You wouldn't believe which module it's going after - an old Shawn Archer (Nukestyles.com) proggie called 'Website Legal Docs V1.0'.
Go figure...
VinDSL (Life Cycles Becoming CPU Cycles)
Joined: Jul 11, 2004 Posts: 617 Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com
Posted: Sun Dec 26, 2004 3:48 am
Okay...
I've been working on this most of the night. I pored over a 295MB log file for hours. I examined hundreds of Santy worm attacks against my web site, including ones coming from sites at my own web host, yada, yada...
Basically, I've been hit by three variants. Some contain a common UA. Some contain a common URI. Many share a common string. And, various combinations of all three. So, for now, I'm using this quick 'n' dirty solution. It's basically Raven's solution with one addition.
I've added the following directives to .htaccess:
Code:
# Check for Santy worms and redirect them to a fake page
RewriteEngine On
# Leave the decoy page itself alone, otherwise the rule below rewrites it to itself on every internal redirect
RewriteCond %{REQUEST_URI} !emailsforyou\.php
# Variant #1: the Perl LWP user agent the worm sends
RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple [OR]
# Variant #2: "visualcoders" in the request path (REQUEST_URI always begins with "/", so a ^ anchor here would never match)
RewriteCond %{REQUEST_URI} visualcoders [NC,OR]
# Variant #3: a rush= parameter in the query string
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC]
RewriteRule ^.*$ emailsforyou.php [L]
I've been running exploits against myself. Between Nuke and .htaccess it's catching them all.
Of course, this isn't the end-all answer. It'll have to be tweaked as new Santy variants are spawned, but it's a start.
Good job, Raven!
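A log-side counterpart to the three .htaccess conditions in the post above, added here as an example and not code from the original post or from NukeCops: it parses Apache combined-format access log lines and reports which of the three Santy indicators each source host tripped. The sample log lines are constructed, and the "visualcoders" check is applied to the whole request target (path and query), not only the path that %{REQUEST_URI} covers.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" log format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

def santy_indicators(user_agent, target):
    """Return the names of the three .htaccess conditions this request would trip."""
    # Decode %-escapes so the scanner sees what the PHP script would see. Note that
    # mod_rewrite's %{REQUEST_URI} and %{QUERY_STRING} are the raw, undecoded values.
    parts = urlsplit(unquote(target))
    hits = []
    if user_agent.startswith("LWP::Simple"):                        # Variant #1
        hits.append("variant1_user_agent")
    if "visualcoders" in (parts.path + "?" + parts.query).lower():  # Variant #2, whole target
        hits.append("variant2_visualcoders")
    if re.search(r"rush=[^&]+", parts.query, re.IGNORECASE):       # Variant #3
        hits.append("variant3_rush_param")
    return hits

def classify_line(line):
    """Parse one access-log line; [] means benign or unparseable."""
    m = LOG_RE.match(line)
    return santy_indicators(m.group("ua"), m.group("target")) if m else []

def scan(lines):
    """Map each source host to the set of indicators it tripped (hosts with none are omitted)."""
    report = {}
    for line in lines:
        hits = classify_line(line)
        if hits:
            report.setdefault(LOG_RE.match(line).group("host"), set()).update(hits)
    return report

# Constructed sample lines using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Dec/2004:03:48:01 -0700] "GET /modules.php?name=Legal_Docs HTTP/1.1" 200 1234 "-" "LWP::Simple/5.79"',
    '198.51.100.7 - - [26/Dec/2004:03:50:12 -0700] "GET /index.php?page=http://visualcoders.example/spy.txt HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [26/Dec/2004:04:02:44 -0700] "GET /modules.php?name=Search&rush%3Dx HTTP/1.1" 200 77 "-" "LWP::Simple/5.79"',
    '192.0.2.44 - - [26/Dec/2004:04:10:00 -0700] "GET /modules.php?name=News HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    "not a log line at all",
]
```

Running scan(SAMPLE_LOG) over a real access log gives a per-host summary that can be checked against what the .htaccess rule actually redirected.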
Raven (Site Admin/Owner)
Joined: Aug 27, 2002 Posts: 16986 Location: Kansas
Posted: Sun Dec 26, 2004 8:14 am
Thanks VinDSL for the addition!
beetraham (Regular)
Joined: Dec 13, 2003 Posts: 94 Location: Finland (EU)
Posted: Sun Dec 26, 2004 8:19 am
For those who might be interested in a general description of the "common" variants (B & C):

Quote:
    Santy.b - phpBB <= 2.0.10 Bot Install (Using AOL/Yahoo Search)
    Date: 25/12/2004
    Solution: Upgrade to phpBB version 2.0.11
    More information on variant:

Quote:
    Santy.c - PHP Scripts Automated Arbitrary File Inclusion
    Date: 25/12/2004
    --- Note from K-OTik Security ---
    This script uses Google/Yahoo to find *.php pages vulnerable to a file inclusion (programming) flaw
    [These flaws are independent from the server's PHP version; they result from common coding mistakes]
    More information on variant:

About the common PHP coding mistakes:
-beetraham
PHrEEkie (Subject Matter Expert)
Joined: Feb 23, 2004 Posts: 358
Posted: Sun Dec 26, 2004 2:15 pm
Great page on security beetraham! Thanks!
PHrEEk