Santy Worm attach prevention - RECAP

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

We have so many good threads on this, I thought I'd recap Wink

Through added contributions by VinDSL and Mds, this is a synopsis. Not that this only applies if you are using Apache as a module and not CGI.

.htaccess only applies to Apache
mod_rewrite must be compiled in Apache
The lines to add at the top of .htaccess are (SOME-OTHER-PAGE needs to be replaced with a real redirect page)

Code:

#Check for Santy Worms and redirect them to a fake page 


#Variant -1 


RewriteCond %{HTTP_USER_AGENT} ^LWP             [NC,OR] 


#Variant -2 


RewriteCond %{REQUEST_URI} ^visualcoders                [NC,OR] 


#Variant -3 


RewriteCond %{QUERY_STRING} rush=([^&]+)                [NC] 


RewriteRule ^.*$ SOME-OTHER-PAGE.php [L]

This assumes that the user-agent does begin with LWP. If yours is different then make the needed adjustments.

Posted: Sun Dec 26, 2004 11:05 am

Raven, what does LWP stand for? I am using Firefox, would I enter mozilla for my agent? Thanks, Steve

Posted: Sun Dec 26, 2004 12:10 pm

No. lwp is the start of many of the user agent's nem, like LWP::Simple and several others. So, ^LWP {NC} means any user agent beginning with LWP. The [NC] makes it case insensitive.

Posted: Sun Dec 26, 2004 12:13 pm

Thank you.

Posted: Sun Dec 26, 2004 12:14 pm

Raven, pardon the brain cramp, (I'm severely hung-over and it looks like my friends have raided the liquor cabinet again as they have started making another batch of "Christmas Punch" so there's not much hope of sobriety today either...

What would you put in place of

RewriteRule ^.*$ SOME-OTHER-PAGE.php [L]

to redirect to an off site URL?

Thanks

Posted: Sun Dec 26, 2004 12:21 pm

PC-Killer, or you could probably just put
RewriteRule ^.*$ [F] which will just give them the standard 403 Forbidden screen.

Posted: Sun Dec 26, 2004 12:30 pm

No standard syntax to redirect to a defined off-site URL though?

Thanks!

Posted: Sun Dec 26, 2004 12:32 pm

Sure. RewriteRule ^.*$ [ Only registered users can see links on this board! Get registered or login! ] [L] although the FBI might not appreciate it Wink

Posted: Sun Dec 26, 2004 12:54 pm

Where can I find my user agent's nem? Completely in the dark here.

Posted: Sun Dec 26, 2004 2:13 pm

Not YOUR user-agent, but THEIR user-agent as Sentinel reports it.

registered · Regular Joined: Jun 30, 2003 Posts: 81

Is the santy worm gone now? I haven't heard anything in the news about it, in like a week.

Posted: Sun Dec 26, 2004 2:20 pm

Its a safe bet that there is a rip off of it attacking portals whether they have phpbb installed or not.

Regular Joined: May 08, 2004 Posts: 77

Raven wrote:

No. lwp is the start of many of the user agent's nem, like LWP::Simple and several others. So, ^LWP {NC} means any user agent beginning with LWP. The [NC] makes it case insensitive.

Hi Raven..
I put those lines in my .htaccess and it didnt stop
User Agent: LWP::Simple/5.79

Any suggestions?

Thx Wink

Posted: Sun Dec 26, 2004 5:21 pm

Is mod_rewrite installed?

Posted: Sun Dec 26, 2004 5:30 pm

Euh.. i guess not. Is this something that the host should do?

Subject Matter Expert Joined: Feb 23, 2004 Posts: 358

Himmel wrote:

Euh.. i guess not. Is this something that the host should do?

Seeing as mod_rewrite presents no security concern to the server itself, and instead is a desirable option for any dynamic content site, the answer is a resounding YES, your host should have that enabled...

PHrEEk

Posted: Sun Dec 26, 2004 5:37 pm

Run phpinfo() to verify if it is installed or not.

Posted: Sun Dec 26, 2004 5:47 pm

Raven wrote:

Run phpinfo() to verify if it is installed or not.

Sorry ..but dont know where and how Embarassed

Posted: Sun Dec 26, 2004 5:51 pm

<?
phpinfo();
?>

Save that as info.php, ftp it to your web server and run it.

Posted: Sun Dec 26, 2004 6:01 pm

Loaded Modules mod_log_bytes, mod_frontpage, mod_php4, mod_ssl, mod_setenvif, mod_auth, mod_access, mod_rewrite, mod_alias, mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir, mod_autoindex, mod_include, mod_status, mod_negotiation, mod_mime, mod_log_config, mod_env, http_core

Yep it is...

Maybe i made a mistake in the .htaccess :

#Check for Santy Worms and redirect them to a fake page
#Variant -1
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR]
#Variant -2
RewriteCond %{REQUEST_URI} ^visualcoders [NC,OR]
#Variant -3
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC]
RewriteRule ^.*$ [F} [L]

Client Joined: Apr 10, 2004 Posts: 649 Location: UK

Raven (and everyone who contributed) thank you so much for the cure, I've not had any pesky emails from Sentinel since I added it to my htaccess file.

Posted: Sun Dec 26, 2004 6:11 pm

Himmel,

Where did you get this? It's wrong

Code:

RewriteRule ^.*$ [F} [L]

It should be

Code:

RewriteRule ^.*$ [F]

Posted: Sun Dec 26, 2004 6:17 pm

Raven wrote:

PC-Killer, or you could probably just put
RewriteRule ^.*$ [F} which will just give them the standard 403 Forbidden screen.

Sorry.. used that1

and: RewriteRule ^.*$ SOME-OTHER-PAGE.php [L]

Will make the change now Wink

Posted: Sun Dec 26, 2004 6:21 pm

- Stupid fingers SORRY!!!

Posted: Sun Dec 26, 2004 6:24 pm

Hehehe.. noproblem .. im the 1 who doesnt understand php Wink