mds
Client
Joined: Dec 24, 2004
Posts: 194
Location: Michigan
Posted: Fri Dec 24, 2004 8:04 pm

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Fri Dec 24, 2004 8:37 pm

mds
Posted: Fri Dec 24, 2004 8:45 pm

Thanks so much for the point, I added it, now waiting to see what happens. MERRY CHRISTMAS..
P.S. Is there anything else I should be worried about with that query, or should I be OK?

Raven
Posted: Fri Dec 24, 2004 8:49 pm

If you have updated phpBB then it won't hurt you anyway, but that code in .htaccess will not even allow it to reach your site. We have discovered that they are altering the agent too, so you might want to do more of a wildcard, like
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]

mds
Posted: Fri Dec 24, 2004 8:54 pm

OK, now is that only going to block the specific user agent? So should I add in each additional one that's different?
And what happens if this is executed?
Sorry for being a pest, just trying to learn.

Raven
Posted: Fri Dec 24, 2004 10:27 pm

That will stop any user agent that begins with LWP (case insensitive).

mds
Posted: Fri Dec 24, 2004 10:34 pm

OK, I have added both uppercase and lowercase as individual/separate entries and I'm still getting the blocked emails, though not as frequently.
Here is what is in my .htaccess:
Options -Indexes
RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^lwp [NC]
RewriteRule ^.*$ emailsforyou.php [L]
RewriteEngine Off
RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
RewriteRule ^.*$ emailsforyou.php [L]
RewriteEngine Off

Raven
Posted: Sat Dec 25, 2004 12:59 am

Replace that with this.
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
RewriteRule ^.*$ emailsforyou.php [L]
That's all you need. The [NC] means ignore the case, so LwP==lWp
The last line can be replaced by your own page. If others get through, then check the user agent and add it if it is different.

cprompt
Regular
Joined: Jun 08, 2004
Posts: 64
Posted: Sat Dec 25, 2004 9:24 am

It appears a couple of my sites are getting bombarded as well by this agent.
I have added the suggested lines to my htaccess but for some reason, the agent is still getting through. I am getting at least one hack attempt every 5 minutes.
User Agent: LWP::Simple/5.76
The /5.76 has varied, but the LWP::Simple is the same.

Raven
Posted: Sat Dec 25, 2004 10:48 am

It should be working. It's working here and in other sites too. Make sure it's typed exactly as shown.

Viper-
New Member
Joined: Dec 24, 2004
Posts: 5
Posted: Sat Dec 25, 2004 11:18 am

Hey guys,
I can verify that it is working.
cprompt, do you have the line that Raven added above? RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
I received well over 500 e-mails from Sentinel banning this in less than 24 hours. At one point I was getting around 5 a minute.
Merry Christmas everyone, I hope all of you have a terrific and blessed day.
_________________
www.ViperWebHosting.net

cprompt
Posted: Sat Dec 25, 2004 10:31 pm

Viper- wrote:
Hey guys,
I can verify that it is working.
cprompt, do you have the line that Raven added above? RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
I received well over 500 e-mails from Sentinel banning this in less than 24 hours. At one point I was getting around 5 a minute
Merry Christmas everyone, I hope all of you have a terrific and blessed day.

Darn.. I have the EXACT same lines. I have now gotten 85 more hack attempts by
User Agent: LWP::Simple/5.803
/version number varies.
Here is what I have in my htaccess.
Code:
RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
RewriteRule ^.*$ emailsforyou.php [L]
RewriteEngine Off

Please advise. This is becoming a headache.

Raven
Posted: Sat Dec 25, 2004 10:39 pm

I don't know what to tell you. I was getting hundreds a day and now - ZERO. Try dropping the RewriteEngine Off, although I can't believe that would matter. Make sure that you still have mod_rewrite installed. Maybe your host recompiled Apache and didn't include it? Also, make sure it's at the beginning of your .htaccess so that nothing else impedes it.

mds
Posted: Sat Dec 25, 2004 11:17 pm

REPLACED this:
Options -Indexes
RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^lwp [NC]
RewriteRule ^.*$ emailsforyou.php [L]
RewriteEngine Off
RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
RewriteRule ^.*$ emailsforyou.php [L]
RewriteEngine Off
WITH COPY AND PASTE OF THIS:
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
RewriteRule ^.*$ emailsforyou.php [L]
and moved the Options -Indexes that preceded this to beneath it with a couple spaces in between.
I'm up to 633 total blocked now as of time of post.
I do appreciate the help very much, hope you all had an enjoyable Christmas day.
Last edited by mds on Mon Dec 27, 2004 12:40 am; edited 1 time in total

mds
Posted: Sun Dec 26, 2004 1:48 am

Well, so far I have no new emails dated for 12-26, so the adjustments that were made look for now as if they did the trick.... Thanks a million, much appreciated.

cprompt
Posted: Sun Dec 26, 2004 7:23 am

Thanks!
Once I moved my Options -Indexes line below the other lines, it seems to be working.
Thank you ALL!
Merry Christmas

Raven
Posted: Sun Dec 26, 2004 8:10 am

Thanks mds! I've said in a few posts that the best place to put this is at the very top. To recap from all the posts, we have:
.htaccess only applies to Apache
mod_rewrite must be compiled in Apache
The lines to add at the top of .htaccess are (YOUR-REDIRECT-PAGE needs to be replaced with a real redirect page) - The new code is from VinDSL
Code:
#Check for Santy Worms and redirect them to a fake page
#Variant -1
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR]
#Variant -2
RewriteCond %{REQUEST_URI} ^visualcoders [NC,OR]
#Variant -3
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC]
RewriteRule ^.*$ emailsforyou.php [L]

This assumes that the user-agent does begin with LWP. If yours is different then make the needed adjustments.
VinDSL has contributed this also. He has found 2 other variants, so
Last edited by Raven on Sun Dec 26, 2004 9:14 am; edited 1 time in total
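
Added example, not code from the thread or from VinDSL: this Python script applies the three RewriteCond patterns from the recap above to access-log lines in Apache's combined format, to check which requests the rule set would catch. The function names and the sample lines are assumptions constructed for illustration; note that %{REQUEST_URI} always begins with "/", so the Variant 2 pattern as posted does not match the sample path.

```python
import re

# The three RewriteCond patterns from the recap; [NC] maps to re.IGNORECASE.
# Like mod_rewrite, search() is unanchored unless the pattern anchors itself.
CONDITIONS = [
    ("variant-1", "user_agent", re.compile(r"^LWP", re.I)),
    ("variant-2", "request_uri", re.compile(r"^visualcoders", re.I)),
    ("variant-3", "query_string", re.compile(r"rush=([^&]+)", re.I)),
]

# Apache combined log format:
# host ident user [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$'
)

def parse_line(line):
    """Split one log line into the server variables the conditions test."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host, target, agent = m.groups()
    path, _, query = target.partition("?")
    # REQUEST_URI is the URL path and always starts with "/";
    # QUERY_STRING is everything after the "?".
    return {"host": host, "user_agent": agent,
            "request_uri": path, "query_string": query}

def matched_variants(request):
    """Names of all conditions that match; the [OR] chain fires on any one."""
    return [name for name, var, rx in CONDITIONS if rx.search(request[var])]

def scan(lines):
    """Return (host, matched variant names) for every parseable line."""
    parsed = (parse_line(line) for line in lines)
    return [(r["host"], matched_variants(r)) for r in parsed if r]

# Constructed sample lines (documentation addresses, placeholder values).
SAMPLE = [
    '192.0.2.10 - - [25/Dec/2004:09:24:01 -0500] "GET /viewtopic.php?t=1 HTTP/1.0" 200 512 "-" "LWP::Simple/5.76"',
    '192.0.2.11 - - [25/Dec/2004:09:29:44 -0500] "GET /viewtopic.php?t=1 HTTP/1.0" 200 512 "-" "lwp::simple/5.803"',
    '192.0.2.12 - - [25/Dec/2004:09:31:10 -0500] "GET /visualcoders/index.php HTTP/1.0" 404 0 "-" "Mozilla/4.0 (compatible)"',
    '192.0.2.13 - - [25/Dec/2004:09:33:52 -0500] "GET /modules.php?name=x&rush=PLACEHOLDER HTTP/1.0" 200 0 "-" "Mozilla/4.0 (compatible)"',
    '192.0.2.14 - - [25/Dec/2004:09:35:07 -0500] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible)"',
]

if __name__ == "__main__":
    for host, variants in scan(SAMPLE):
        print(host, variants or "not matched")
```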

Muffin
Client
Joined: Apr 10, 2004
Posts: 649
Location: UK
Posted: Sun Dec 26, 2004 8:29 am

Thanks Raven
One more question, I see in some posts people have Options - Indexes in their htaccess file, and that they put this line below the third line of code above.
I don't have that in mine, if it should be there, do I put it under the third line of code, and is there anything else that should be below it apart from 2 or 3 empty lines then the list of banned IPs?
Sorry, see there's new code now to replace the 3 line code (you must have edited your post as I posted lol sorry)
So do I need Options - Indexes as asked in the first paragraph of this post?
_________________
Classic Mini rules the bends & bends the rules!
Last edited by Muffin on Sun Dec 26, 2004 8:33 am; edited 1 time in total

Raven
Posted: Sun Dec 26, 2004 8:31 am

Not necessarily. Just put the protection at the top and leave everything else alone :)

Muffin
Posted: Sun Dec 26, 2004 8:35 am

Thank you
so it's safe to replace the rewrite 3 line code with this new one then.

Raven
Posted: Sun Dec 26, 2004 8:36 am

Muffin
Posted: Sun Dec 26, 2004 8:43 am

Thank you Raven (and VinDSL)
where you say : YOUR-REDIRECT-PAGE needs to be replaced with a real redirect page
and the first line says : #Check for Santy Worms and redirect them to a fake page
I don't understand what to do.
I'm really sorry to be a pain but it's very confusing for non techy people like myself.

Raven
Posted: Sun Dec 26, 2004 8:44 am

It can be a fake page but then you will get errors in your server error log. I think what we are trying to say is that you just redirect them away from the intended attack.

Muffin
Posted: Sun Dec 26, 2004 8:51 am

OIC
Is that a bad thing to have errors in the server error log?
ermm where's my redirect page and how do I make a new one?
and can I redirect them to a custom made page specially for this purpose out of my nuke folder?
or do I just alter this : #Check for Santy Worms and redirect them to a fake page
to something like this: #Check for Santy Worms and redirect them to http://www.mydomain.com/wormdump.html
Thank you for your patience.

Raven
Posted: Sun Dec 26, 2004 8:56 am