| Author |
Message |
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
 Posted:
Sat Dec 25, 2004 10:00 pm |
|
I used to have them banned outright too but there were a few people that really wanted access, so, I decided to try to ride the storm. We'll see.... |
| |
|
|
|
PHrEEkie
Subject Matter Expert
Joined: Feb 23, 2004
Posts: 358
|
| Posted:
Sat Dec 25, 2004 10:06 pm |
|
If they want in, I allow on a IP basis only. It's just reverse thinking... instead of allowing all and denying individual IP's, I deny their entire range and allow individual IP's. If they're on dynamic IP networks, too bad... they can take it up with their government about shutting down the sites that attack us. I have enough problems... they are one less problem and have been for awhile now. Apparently they will remain not a problem for quite awhile longer 
PHrEEk |
_________________
PHP - Breaking your legacy scripts one build at a time. |
|
|
|
|
VinDSL
Life Cycles Becoming CPU Cycles
Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com
|
| Posted:
Sun Dec 26, 2004 12:32 am |
|
| PHrEEkie wrote: | | Ok, now I understand exactly why I haven't had even one attack across an entire server... |
The latest Santy variant has been attacking my site.
LoL! You wouldn't believe which module it's going after - an old Shawn Archer (Nukestyles.com) proggie called 'Website Legal Docs V1.0'.
Go figure...  |
_________________
.:: "The further in you go, the bigger it gets!" ::.
.:: Only registered users can see links on this board! Get registered or login! | Only registered users can see links on this board! Get registered or login! ::. |
|
 |
|
VinDSL
|
| Posted:
Sun Dec 26, 2004 3:48 am |
|
Okay...
I've been working on this most of the night. I poured over a 295MB log file for hours. I examined 100's of Santy worm attacks against my web site, including ones coming from sites at my own web host, yada, yada...
Basically, I've been hit by three variants. Some contain a common UA. Some contain a common URI. Many share a common string. And, various combinations of all three. So, for now, I'm using this quick 'n' dirty solution. It's basically Raven's solution with one addition.
I've added the following directives to .htaccess
Code:#Check for Santy Worms and redirect them to a fake page
#Variant #1
RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple [OR]
#Variant #2
RewriteCond %{REQUEST_URI} ^visualcoders [NC,OR]
#Variant #3
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC]
RewriteRule ^.*$ emailsforyou.php [L]
|
I've been running exploits against myself. Between Nuke and .htaccess it's catching them all.
Of course, this isn't the end-all answer. It'll have to be tweaked as new Santy variants are spawned, but it's a start.
Good job, Raven! |
| |
|
|
|
|
Raven
|
| Posted:
Sun Dec 26, 2004 8:14 am |
|
Thanks VinDSL for the addition! |
| |
|
|
|
|
beetraham
Regular
Joined: Dec 13, 2003
Posts: 94
Location: Finland (EU)
|
| Posted:
Sun Dec 26, 2004 8:19 am |
|
For those of whom might be interested in general description of the "common" variants (B & C)
| Quote: |
Santy.c - PHP Scripts Automated Arbitrary File Inclusion
Date : 25/12/2004
--- Note from K-OTik Security ---
This script uses Google/Yahoo to find *.php pages vulnerable to a file inclusion (programming) flaw
[These flaws are independent from the server's PHP version, they result from common coding mistakes]
More information on variant : http://www.k-otik.com/exploits/20041225.SantyC.php
|
About the common PHP coding mistakes: http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/
-beetraham |
_________________
- Let there be no windows at your home - |
|
|
|
|
PHrEEkie
|
| Posted:
Sun Dec 26, 2004 2:15 pm |
|
Great page on security beetraham! Thanks!
PHrEEk |
| |
|
|
|
|
|
|
![[Valid RSS]](https://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
