Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Sat Dec 25, 2004 10:00 pm Reply with quote

I used to have them banned outright too but there were a few people that really wanted access, so, I decided to try to ride the storm. We'll see....
 
View user's profile Send private message
PHrEEkie
Subject Matter Expert


Joined: Feb 23, 2004
Posts: 358

PostPosted: Sat Dec 25, 2004 10:06 pm Reply with quote

If they want in, I allow on a IP basis only. It's just reverse thinking... instead of allowing all and denying individual IP's, I deny their entire range and allow individual IP's. If they're on dynamic IP networks, too bad... they can take it up with their government about shutting down the sites that attack us. I have enough problems... they are one less problem and have been for awhile now. Apparently they will remain not a problem for quite awhile longer Wink

PHrEEk

_________________
PHP - Breaking your legacy scripts one build at a time. 
View user's profile Send private message
VinDSL
Life Cycles Becoming CPU Cycles


Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

PostPosted: Sun Dec 26, 2004 12:32 am Reply with quote

PHrEEkie wrote:
Ok, now I understand exactly why I haven't had even one attack across an entire server...

The latest Santy variant has been attacking my site.

LoL! You wouldn't believe which module it's going after - an old Shawn Archer (Nukestyles.com) proggie called 'Website Legal Docs V1.0'.

Go figure... ROTFL

_________________
.:: "The further in you go, the bigger it gets!" ::.
.:: Only registered users can see links on this board! Get registered or login! | Only registered users can see links on this board! Get registered or login! ::. 
View user's profile Send private message Visit poster's website ICQ Number
VinDSL
PostPosted: Sun Dec 26, 2004 3:48 am Reply with quote

Okay...

I've been working on this most of the night. I poured over a 295MB log file for hours. I examined 100's of Santy worm attacks against my web site, including ones coming from sites at my own web host, yada, yada...

Basically, I've been hit by three variants. Some contain a common UA. Some contain a common URI. Many share a common string. And, various combinations of all three. So, for now, I'm using this quick 'n' dirty solution. It's basically Raven's solution with one addition.

I've added the following directives to .htaccess

Code:
#Check for Santy Worms and redirect them to a fake page

#Variant #1
RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple             [OR]
#Variant #2
RewriteCond %{REQUEST_URI} ^visualcoders                [NC,OR]
#Variant #3
RewriteCond %{QUERY_STRING} rush=([^&]+)                [NC]
RewriteRule ^.*$ emailsforyou.php [L]

I've been running exploits against myself. Between Nuke and .htaccess it's catching them all.

Of course, this isn't the end-all answer. It'll have to be tweaked as new Santy variants are spawned, but it's a start.

Good job, Raven!
 
Raven
PostPosted: Sun Dec 26, 2004 8:14 am Reply with quote

Thanks VinDSL for the addition!
 
beetraham
Regular
Regular


Joined: Dec 13, 2003
Posts: 94
Location: Finland (EU)

PostPosted: Sun Dec 26, 2004 8:19 am Reply with quote

For those of whom might be interested in general description of the "common" variants (B & C)

Quote:

Santy.b - phpBB <= 2.0.10 Bot Install (Using AOL/Yahoo Search)
Date : 25/12/2004

Solution : Upgrade to phpBB version 2.0.11

More information on variant : Only registered users can see links on this board! Get registered or login!



Quote:

Santy.c - PHP Scripts Automated Arbitrary File Inclusion
Date : 25/12/2004

--- Note from K-OTik Security ---
This script uses Google/Yahoo to find *.php pages vulnerable to a file inclusion (programming) flaw
[These flaws are independent from the server's PHP version, they result from common coding mistakes]

More information on variant : Only registered users can see links on this board! Get registered or login!



About the common PHP coding mistakes: Only registered users can see links on this board! Get registered or login!

-beetraham

_________________
- Let there be no windows at your home - 
View user's profile Send private message
PHrEEkie
PostPosted: Sun Dec 26, 2004 2:15 pm Reply with quote

Great page on security beetraham! Thanks!

PHrEEk
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©