Sentinel 2.2.0 and Forum Search - Possible Santy Worm Attack

Posted: Tue Mar 15, 2005 6:14 pm

With Santy Worm protection enabled, if I search for an author and then click on any of there posts (link) I am directed to a possible santy worm attack. Disabling the Santy Worm protection the issue goes away.

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

If you are using the SantyWorm code in NukeSentinel, I highly recommend that you don't. Use the .htaccess method because it is safer and less conflicts. That code is for those that have no other alternative.

Posted: Tue Mar 15, 2005 6:26 pm

Ok, I will seek out directions on the htaccess method. Thanks Raven. Smile

Posted: Tue Mar 15, 2005 6:29 pm

Code:

RewriteEngine on


#The next lines check for Email Spammers Robots and redirect them to a fake page


#Check for Santy Worms and redirect them to a fake page


RewriteCond %{HTTP_USER_AGENT} ^LWP                   [NC,OR]


RewriteCond %{REQUEST_URI} ^visualcoders              [NC,OR]


RewriteCond %{QUERY_STRING} rush=([^&]+)              [NC,OR]


RewriteCond %{REQUEST_URI} ^envidiosos                [NC,OR]


RewriteCond %{REQUEST_URI} ^civa                      [NC,OR]


#variant-6 redirect all inner http:// request


RewriteCond %{QUERY_STRING} ^(.*)http://(.*)            [NC,OR]


#variant-7 redirect all inner http request regardless if encoded


RewriteCond %{QUERY_STRING} ^(.*)http%3A%2F%2F(.*)      [NC]


RewriteRule ^.*$ http://127.0.0.1 [R,L]

Posted: Tue Mar 15, 2005 6:38 pm

Do I place that at the beginning of my htaccess?

Posted: Tue Mar 15, 2005 6:44 pm

Doesn't really matter, but I would have it towards the top

Posted: Tue Mar 15, 2005 7:01 pm

Thanks a bunch. That got me taken care of. Smile

New Member Joined: Aug 17, 2004 Posts: 11

I am having the same problem. I added the code to .htaccess, but I dont know how to stop NukeSentinel from using the Santy worm code. Care to explain please?

Posted: Fri Mar 25, 2005 8:02 am

Under Sentinel Administration scroll down to the Santy Worm Protection setting. Select OFF

That should fix your issue

Posted: Fri Mar 25, 2005 8:03 am

d***, that was a fast reply, I feel stupid because I looked through the options and saw it. Tried to come back here and edit and it was already answered. Thanks! Smile

registered · Posted: Wed Mar 30, 2005 10:41 am

Thank you for the info....this helped me out as well....cheers!

Worker Joined: Dec 21, 2004 Posts: 116

I have to use santy worm protection because haven't the possibility to use .htaccess on my host.

I got the same problem, I have resolved it removing the "highlight" option in the search (in my search highlight field is always void... probably a bug in my theme Confused

):

Code:

Open ./modules/Forums/search.php





Find:





$topic_url = append_sid("viewtopic.$phpEx?" . POST_TOPIC_URL . '=' . $searchset[$i]['topic_id'] . "&amp;highlight=$highlight_active");


$post_url = append_sid("viewtopic.$phpEx?" . POST_POST_URL . '=' . $searchset[$i]['post_id'] . "&amp;highlight=$highlight_active") . '#' . $searchset[$i]['post_id'];





Substitute with (or comment and add under...):





$topic_url = append_sid("viewtopic.$phpEx?" . POST_TOPIC_URL . '=' . $searchset[$i]['topic_id']);


$post_url = append_sid("viewtopic.$phpEx?" . POST_POST_URL . '=' . $searchset[$i]['post_id']) . '#' . $searchset[$i]['post_id'];

You now haven't highlight search function, but won't get the error "probably santy worm" Wink

Client Joined: Jul 18, 2003 Posts: 977

Raven wrote:

Code:

RewriteEngine on


#The next lines check for Email Spammers Robots and redirect them to a fake page


#Check for Santy Worms and redirect them to a fake page


RewriteCond %{HTTP_USER_AGENT} ^LWP                   [NC,OR]


RewriteCond %{REQUEST_URI} ^visualcoders              [NC,OR]


RewriteCond %{QUERY_STRING} rush=([^&]+)              [NC,OR]


RewriteCond %{REQUEST_URI} ^envidiosos                [NC,OR]


RewriteCond %{REQUEST_URI} ^civa                      [NC,OR]


#variant-6 redirect all inner http:// request


RewriteCond %{QUERY_STRING} ^(.*)http://(.*)            [NC,OR]


#variant-7 redirect all inner http request regardless if encoded


RewriteCond %{QUERY_STRING} ^(.*)http%3A%2F%2F(.*)      [NC]


RewriteRule ^.*$ http://127.0.0.1 [R,L]

I had a user with crush in his name and he received this message. I put your code in thehtaccess and it worked. Is this still the case with RavenNuke 2.20? That is what I am using...

Posted: Tue Oct 10, 2006 9:31 pm

I believe, from what Technocrat has said, that if you are up on the BBtoNuke forum updates, this issue is no longer there, and so these are no longer necessary. Since 2.02.02 is at 2.0.20, you should be fine.

Posted: Tue Oct 10, 2006 11:16 pm

montego wrote:

I believe, from what Technocrat has said, that if you are up on the BBtoNuke forum updates, this issue is no longer there, and so these are no longer necessary. Since 2.02.02 is at 2.0.20, you should be fine.

Okay, but I had a "possible Santy Worm attack" message when a user clicked on his account activation link.

Posted: Tue Oct 10, 2006 11:43 pm

Compare it to that logic in .htaccess and you should see right away why it got flagged. Remember that NukeSentinel(tm) also has Santy Worm protection.

Posted: Wed Oct 11, 2006 10:43 am

Make sure the username isn't using anything banned like "perl"

Posted: Fri Oct 13, 2006 12:14 pm

so my question is: Now that I have placed the code in my htaccess can I turn off Nuke Sentinel Santy Worm protection? Thank you all!