Sentinel 2.2.0 and Forum Search - Possible Santy Worm Attack

CurtisH · Posted: Tue Mar 15, 2005 6:14 pm

With Santy Worm protection enabled, if I search for an author and then click on any of there posts (link) I am directed to a possible santy worm attack. Disabling the Santy Worm protection the issue goes away.

Raven · Posted: Tue Mar 15, 2005 6:21 pm

If you are using the SantyWorm code in NukeSentinel, I highly recommend that you don't. Use the .htaccess method because it is safer and less conflicts. That code is for those that have no other alternative.

CurtisH · Posted: Tue Mar 15, 2005 6:26 pm

Ok, I will seek out directions on the htaccess method. Thanks Raven. Smile

Raven · Posted: Tue Mar 15, 2005 6:29 pm

Code:

RewriteEngine on
#The next lines check for Email Spammers Robots and redirect them to a fake page
#Check for Santy Worms and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP       [NC,OR]
RewriteCond %{REQUEST_URI} ^visualcoders    [NC,OR]
RewriteCond %{QUERY_STRING} rush=([^&]+)    [NC,OR]
RewriteCond %{REQUEST_URI} ^envidiosos    [NC,OR]
RewriteCond %{REQUEST_URI} ^civa    [NC,OR]
#variant-6 redirect all inner http:// request
RewriteCond %{QUERY_STRING} ^(.*)http://(.*)          [NC,OR]
#variant-7 redirect all inner http request regardless if encoded
RewriteCond %{QUERY_STRING} ^(.*)http%3A%2F%2F(.*)    [NC]
RewriteRule ^.*$ http://127.0.0.1 [R,L]

CurtisH · Posted: Tue Mar 15, 2005 6:38 pm

Do I place that at the beginning of my htaccess?

Raven · Posted: Tue Mar 15, 2005 6:44 pm

Doesn't really matter, but I would have it towards the top

CurtisH · Posted: Tue Mar 15, 2005 7:01 pm

Thanks a bunch. That got me taken care of. Smile

Dreakon · New Member Joined: Aug 17, 2004 Posts: 11

I am having the same problem. I added the code to .htaccess, but I dont know how to stop NukeSentinel from using the Santy worm code. Care to explain please?

CurtisH · Posted: Fri Mar 25, 2005 8:02 am

Under Sentinel Administration scroll down to the Santy Worm Protection setting. Select OFF

That should fix your issue

Dreakon · New Member Joined: Aug 17, 2004 Posts: 11

d***, that was a fast reply, I feel stupid because I looked through the options and saw it. Tried to come back here and edit and it was already answered. Thanks! Smile

SmackDaddy · Posted: Wed Mar 30, 2005 10:41 am

Thank you for the info....this helped me out as well....cheers!

shmk · Worker Joined: Dec 21, 2004 Posts: 116

I have to use santy worm protection because haven't the possibility to use .htaccess on my host.

I got the same problem, I have resolved it removing the "highlight" option in the search (in my search highlight field is always void... probably a bug in my theme Confused

):

Code:

Open ./modules/Forums/search.php

Find:

$topic_url = append_sid("viewtopic.$phpEx?" . POST_TOPIC_URL . '=' . $searchset[$i]['topic_id'] . "&highlight=$highlight_active");
$post_url = append_sid("viewtopic.$phpEx?" . POST_POST_URL . '=' . $searchset[$i]['post_id'] . "&highlight=$highlight_active") . '#' . $searchset[$i]['post_id'];

Substitute with (or comment and add under...):

$topic_url = append_sid("viewtopic.$phpEx?" . POST_TOPIC_URL . '=' . $searchset[$i]['topic_id']);
$post_url = append_sid("viewtopic.$phpEx?" . POST_POST_URL . '=' . $searchset[$i]['post_id']) . '#' . $searchset[$i]['post_id'];

You now haven't highlight search function, but won't get the error "probably santy worm" Wink

blith · Client Joined: Jul 18, 2003 Posts: 975

Raven wrote:

Code:

RewriteEngine on
#The next lines check for Email Spammers Robots and redirect them to a fake page
#Check for Santy Worms and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP       [NC,OR]
RewriteCond %{REQUEST_URI} ^visualcoders    [NC,OR]
RewriteCond %{QUERY_STRING} rush=([^&]+)    [NC,OR]
RewriteCond %{REQUEST_URI} ^envidiosos    [NC,OR]
RewriteCond %{REQUEST_URI} ^civa    [NC,OR]
#variant-6 redirect all inner http:// request
RewriteCond %{QUERY_STRING} ^(.*)http://(.*)          [NC,OR]
#variant-7 redirect all inner http request regardless if encoded
RewriteCond %{QUERY_STRING} ^(.*)http%3A%2F%2F(.*)    [NC]
RewriteRule ^.*$ http://127.0.0.1 [R,L]

I had a user with crush in his name and he received this message. I put your code in thehtaccess and it worked. Is this still the case with RavenNuke 2.20? That is what I am using...

montego · Posted: Tue Oct 10, 2006 9:31 pm

I believe, from what Technocrat has said, that if you are up on the BBtoNuke forum updates, this issue is no longer there, and so these are no longer necessary. Since 2.02.02 is at 2.0.20, you should be fine.

blith · Client Joined: Jul 18, 2003 Posts: 975

montego wrote:

I believe, from what Technocrat has said, that if you are up on the BBtoNuke forum updates, this issue is no longer there, and so these are no longer necessary. Since 2.02.02 is at 2.0.20, you should be fine.

Okay, but I had a "possible Santy Worm attack" message when a user clicked on his account activation link.

Raven · Posted: Tue Oct 10, 2006 11:43 pm

Compare it to that logic in .htaccess and you should see right away why it got flagged. Remember that NukeSentinel(tm) also has Santy Worm protection.

evaders99 · Moderator Joined: Apr 30, 2004 Posts: 3221

Make sure the username isn't using anything banned like "perl"

blith · Client Joined: Jul 18, 2003 Posts: 975

so my question is: Now that I have placed the code in my htaccess can I turn off Nuke Sentinel Santy Worm protection? Thank you all!