Ravens PHP Scripts: Forums
VinDSL
PostPosted: Sun Dec 26, 2004 6:47 pm

Savent wrote:
Is the santy worm gone now? I haven't heard anything in the news about it, in like a week.

There are three documented (and easily accessible) Santy Worms in the wild right now:
  • Santy.a
  • Santy.b
  • Santy.c
...and more coming every day. The newest variants are using not only Google, but Yahoo/AOL for lookups, and they are attacking ALL .PHP scripts now, not just phpBB. I don't think the Santy Worm, et al, is going away any time soon.

VinDSL
PostPosted: Sun Dec 26, 2004 7:07 pm

Raven wrote:
We have so many good threads on this, I thought I'd recap...

Good idea!

Here are the directives I'm using now (slight tweak)...
Code:
#Check for Santy Worms and redirect them to a phantom site

#Variant-1
RewriteCond %{HTTP_USER_AGENT} ^LWP                     [NC,OR]
#Variant-2
RewriteCond %{REQUEST_URI} ^visualcoders                [NC,OR]
#Variant-3
RewriteCond %{QUERY_STRING} rush=([^&]+)                [NC]
RewriteRule ^.*$ http://www.goawayanddontcomeback.com   [L]


I'm redirecting worms away from my site now, to a phantom URI. My 'emailsforyou' page is 10K, and it's getting hammered 'big time'. My thinking is, "Why waste any resources on these worms?"
 
VinDSL
PostPosted: Sun Dec 26, 2004 10:01 pm

It's been determined that Santy.c does not have enough similarities with Santy, thus it was renamed from Santy.c/e to PhpInclude.Worm.
 
Raven
PostPosted: Sun Dec 26, 2004 10:03 pm

Great! I can't wait for the next one; can you?
 
VinDSL
PostPosted: Sun Dec 26, 2004 10:09 pm

It's been kinda fun, so far!
 
Raven
PostPosted: Sun Dec 26, 2004 10:25 pm

Himmel wrote:
Hehehe... no problem... I'm the one who doesn't understand PHP.
So, did this fix your problem?
 
VinDSL
PostPosted: Mon Dec 27, 2004 12:01 am

You know, I've been playing around with 'this thing' all day, reading the boards, looking at the exploit[s], studying my logs, yada, yada... I had several ideas at the start, but none of them panned out, except for one.

For the life of me, I cannot see any reason to allow 'wget' command strings on my site. The only 'wget' entries in my logs (for the last month) were from Santy worms, and hackers trying to bust into Coppermine Photo Gallery.

I added a 'wget' string directive and ran several exploits against it. It caught them all and redirected.

Code:
#Check for Santy Worms and redirect them to a phantom site
#Variant-1
RewriteCond %{HTTP_USER_AGENT} ^LWP                     [NC,OR]
#Variant-2
RewriteCond %{REQUEST_URI} ^visualcoders                [NC,OR]
#Variant-3
RewriteCond %{QUERY_STRING} rush=([^&]+)                [NC,OR]
#Variant-4
RewriteCond %{QUERY_STRING} ^(.*)wget(.*)               [NC]
RewriteRule ^.*$ http://www.goawayanddontcomeback.com   [L]



With these Santy worms, the 'wget' process is used to download helper apps such as an IRC client and additional copies of the worm itself to 'own' additional servers. The IRC client meets up with other 'zombie' servers, in a dedicated IRC channel, waiting for orders from the worm's author.

With this in mind, and anticipating additional variants, I didn't see any good reason to allow 'wget' command strings to be run against my Nuke site.

Then again, maybe I'm missing something...
 
Raven
PostPosted: Mon Dec 27, 2004 5:00 am

Try using the file_get_contents() function with and without it. I know there are some backend procedures that use it, at least on my servers.
 
VinDSL
PostPosted: Mon Dec 27, 2004 6:50 am

Yep, 'file_get_contents' works just fine. I was looking around your site for something to use for a working example, when I ran across this:
    [link hidden by forum]

...I decided to have a 'Rolling Rock' instead...
 
manunkind
PostPosted: Mon Dec 27, 2004 9:56 am

I saw PcKiller mentioned and I remembered what it is/was. Is it not part of Sentinel anymore?
 
Himmel
PostPosted: Mon Dec 27, 2004 10:20 am

Raven wrote:
Himmel wrote:
Hehehe... no problem... I'm the one who doesn't understand PHP.
So, did this fix your problem?


Yep.. did receive only 2 mails after the fix... much better

Thx
 
Raven
PostPosted: Mon Dec 27, 2004 10:39 am

manunkind wrote:
I saw PcKiller mentioned and I remembered what it is/was. Is it not part of Sentinel anymore?
We decided to make it an 'add-on', if you will. That way you can point to whatever response you want. You can still get it from Ganja's site, although nothing has changed.
 
CodyG
PostPosted: Mon Dec 27, 2004 11:46 am

Just wondering ... this applies to the .htaccess in the root nuke directory? ... or should it be applied to the .htaccess in the modules/Forums directory ??

Raven
PostPosted: Mon Dec 27, 2004 11:47 am

VinDSL wrote:
Yep, 'file_get_contents' works just fine. I was looking around your site for something to use for a working example, when I ran across this:
    [link hidden by forum]

...I decided to have a 'Rolling Rock' instead...
wget is used for things like updates to Fantastico and other cPanel things.
 
Raven
PostPosted: Mon Dec 27, 2004 11:49 am

CodyG wrote:
Just wondering ... this applies to the .htaccess in the root nuke directory? ... or should it be applied to the .htaccess in the modules/Forums directory ??
As long as it is in the root, it stops it before it goes anywhere else, unless you override it.
 
Muffin
PostPosted: Mon Dec 27, 2004 4:16 pm

If the variants are now going after any php script on a server, can we put this rewrite code in the htaccess file in our root folder (if nuke is in a sub folder) and do we need to change permissions on the htaccess in this case to 666 or leave as is 644?

I already have this in my public_html root htaccess file tho, so do I replace this with the new code or what?

Quote:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://mydomain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://mydomain.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.myotherdomain.co.uk/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.myotherdomain.co.uk$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ [URL hidden by forum] [R,NC]


Or put the code maybe in any php root application folder htaccess file?

My nuke site's not in my root folder, but I have the code in my nuke root folder, so I'm not getting any problems with it from there.

VinDSL
PostPosted: Mon Dec 27, 2004 6:28 pm

Raven wrote:
wget is used for things like updates to Fantastico and other cPanel things.

Agreed!

Now that the immediacy of the situation is over, I think it's time to start with the caveats...

Code:
#Place these directives at the TOP of your .htaccess file!

#Check for Santy Worms and redirect them to a PHANTOM site.
#Variant-1 May cause problems with CRON jobs set from cPanel.
RewriteCond %{HTTP_USER_AGENT} ^LWP                     [NC,OR]
#Variant-2 No reported problems.
RewriteCond %{REQUEST_URI} ^visualcoders                [NC,OR]
#Variant-3 No reported problems.
RewriteCond %{QUERY_STRING} rush=([^&]+)                [NC,OR]
#Variant-4 May cause problems with cPanel updates, et cetera.
RewriteCond %{QUERY_STRING} ^(.*)wget(.*)               [NC]
#Redirect - Send worms packing, but NOT to a real web site!
RewriteRule ^.*$ http://www.goawayanddontcomeback.com   [L]
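
An added example (not from the original thread or any of its posters) for checking what the four conditions above would actually catch before they go live: a small Python scanner that reads Apache combined-format access-log lines and applies each RewriteCond pattern to the same server variable mod_rewrite would use (%{HTTP_USER_AGENT}, %{REQUEST_URI}, %{QUERY_STRING}), with [NC] mapped to case-insensitive matching. The log lines, addresses and user-agent strings are constructed for the example. Two things it makes visible that the rules alone do not: a request whose query string merely contains "wget" (a site search, say) is redirected too, which is the Variant-4 caveat, and because %{REQUEST_URI} always begins with "/", an anchored pattern like ^visualcoders never matches a path such as /visualcoders/..., so Variant-2 as written only fires if the worm's request line has no leading slash. Run it against a real access log to see which past requests each rule would have redirected.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Apache "combined" log line:
#   ip ident user [timestamp] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Request:
    ip: str
    uri: str    # %{REQUEST_URI}: the path, leading "/" included, query string excluded
    query: str  # %{QUERY_STRING}: everything after "?", empty when absent
    ua: str     # %{HTTP_USER_AGENT}


def parse_line(line: str) -> Optional[Request]:
    """Split one combined-format log line into the variables mod_rewrite tests."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return Request(ip=m.group("ip"), uri=path, query=query, ua=m.group("ua"))


# The four RewriteCond patterns from the thread. [NC] -> re.IGNORECASE; a RewriteCond
# pattern matches anywhere in the variable unless anchored, which is re.search().
# The rules are chained with [OR], so one hit is enough to fire the RewriteRule.
RULES = [
    ("Variant-1", "ua",    re.compile(r"^LWP", re.I)),
    ("Variant-2", "uri",   re.compile(r"^visualcoders", re.I)),
    ("Variant-3", "query", re.compile(r"rush=([^&]+)", re.I)),
    ("Variant-4", "query", re.compile(r"^(.*)wget(.*)", re.I)),
]


def matching_variants(req: Request) -> List[str]:
    return [name for name, field, rx in RULES if rx.search(getattr(req, field))]


def would_redirect(req: Request) -> bool:
    return bool(matching_variants(req))


def scan(log_text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (ip, uri, query, matched variants) for every parseable log line."""
    hits = []
    for line in log_text.strip().splitlines():
        req = parse_line(line)
        if req is None:
            continue
        hits.append((req.ip, req.uri, req.query, matching_variants(req)))
    return hits


# Constructed sample log: a worm-style hit, a normal visitor, a path-based probe,
# a legitimate site search for the word "wget", and a cron job driven by Perl's LWP.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Dec/2004:00:01:02 -0600] "GET /modules.php?name=Forums&rush=1 HTTP/1.1" 200 512 "-" "LWP::Simple/5.803"
192.0.2.11 - - [27/Dec/2004:00:01:05 -0600] "GET /modules.php?name=News&file=index HTTP/1.1" 200 8123 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [27/Dec/2004:00:02:40 -0600] "GET /visualcoders/index.php HTTP/1.0" 404 0 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Dec/2004:00:03:11 -0600] "GET /modules.php?name=Downloads&d_op=search&query=wget HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Dec/2004:00:05:00 -0600] "GET /cron.php HTTP/1.1" 200 10 "-" "lwp-request/2.06"
"""

if __name__ == "__main__":
    for ip, uri, query, variants in scan(SAMPLE_LOG):
        verdict = "REDIRECT " + ",".join(variants) if variants else "pass"
        print(f"{ip:15} {uri}{'?' + query if query else '':55} {verdict}")
```

The last two sample lines are the ones worth staring at: the site search is redirected by Variant-4 and the LWP cron job by Variant-1, exactly the side effects the comments in the ruleset warn about. One more practical check the rules need: the RewriteRule substitution must be an absolute URL including the scheme (http://...), otherwise Apache treats it as a filesystem path under the document root and logs "File does not exist" instead of redirecting.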
 
Raven
PostPosted: Mon Dec 27, 2004 7:26 pm

I chose another way ..... renamed wget.
 
VinDSL
PostPosted: Mon Dec 27, 2004 8:49 pm

Raven wrote:
I chose another way ..... renamed wget.

Yeah, this is all kinda iffy. Mileage may vary, depending on conditions. That's the nature of these things!

I think most Nuke sites are on shared servers, and ppl simply want to keep the worms away. CRON isn't in their vocabulary, and cPanel is updated by their web host.

I run my production site on a shared server because that's where the 'rubber meets the road', so to speak. I run 'personal' web sites, out of my living room, on a Slackware box that hasn't been touched in 2 years. I've run BSD, WiNNT IIS, and Redhat in the past. I'm currently embroiled in a VPS beta program that gives users root control over WHM/cPanel/Fedora. It shows great promise!

All of these situations would allow and even require different solutions, but I truly feel that the quick 'n' dirty fix, listed above, will work fine for most ppl in a shared server environment.

I wouldn't recommend something like this unless I was running it on my own production site, but then again, it probably isn't for everybody. That's certainly a given...
 
Raven
PostPosted: Mon Dec 27, 2004 10:08 pm

I'm afraid it's getting to the point where our solutions will start limiting our exposure to both good and evil. It will be interesting to see what 2005 will bring in as far as viruses and exploits. But, y'all can rest assured that we will be vigilant and hopefully, timely!
 
sixonetonoffun
PostPosted: Mon Dec 27, 2004 10:20 pm

2005 the year of the WoRm? Well, the examples are out there and they are ridiculously simple. It's going to be business as usual around here, I think...

TheosEleos
PostPosted: Tue Dec 28, 2004 10:54 pm

Here is what I have in my .htaccess...

Code:
#Check for Santy Worms and redirect them to a fake page

#Variant -1
RewriteCond %{HTTP_USER_AGENT} ^LWP             [NC,OR]
#Variant -2
RewriteCond %{REQUEST_URI} ^visualcoders                [NC,OR]
#Variant -3
RewriteCond %{QUERY_STRING} rush=([^&]+)                [NC]
RewriteRule ^.*$ [URL hidden by forum] [L]


I'm a little lost though because I am looking at my error logs and there are a bunch that say this...
Quote:

[Tue Dec 28 16:00:02 2004] [error] [client 65.254.38.234] File does not exist: /home/blablabla/public_html/phenylshouse/www.uglypeople.com

Raven
PostPosted: Tue Dec 28, 2004 10:56 pm

You need [link hidden by forum]
 
TheosEleos
PostPosted: Tue Dec 28, 2004 11:11 pm

Ahhh, thank you.

I must have done this thing just in time. My log is full of these errors. Probably 40 or so. I never got one ban from Sentinel. I guess I set up htaccess right before the attacks started on my site.
 
TheosEleos
PostPosted: Tue Dec 28, 2004 11:17 pm

I don't know what I am talking about, because SamSpade says that IP is my DNS or something...
 