Is this Santy scanning my board?


buksida

9:44 am on Dec 24, 2004 (gmt 0)

10+ Year Member



Since the emergence of the Santy worm I've noticed a great deal of 'guests' on the board, up to 20 times more than usual. I'm guessing that it's the worm trying to find a way in but am a little paranoid despite running version 2.0.11.

Should I just forget about it, pull another beer out of the fridge, and watch the football? Or is this a cause for concern? The board is operating fine otherwise.

Anyone else experiencing this?

grelmar

8:02 pm on Dec 24, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Funny you should ask. I was just noticing "guest" traffic way out of the norm on a board I mod at (but don't administrate), came here to find out what was up.

It's a PR7 board that's becoming more and more of a challenge to keep on top of. It's turned into a big enough target that even with all the hardening against automateds, the manual link-spam is getting a tad brutal.

Frank_Rizzo

8:56 pm on Dec 24, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You'll probably find that your phpbb_sessions table fills up such that later visitors can't access the board.

Whilst applying the 2.0.11 update will prevent the exploit, it doesn't stop the attacks.

One way to limit the consequences is to put this in the .htaccess:

RewriteEngine on
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527
RewriteRule ^.*$ - [F,L]

NameNick

10:23 pm on Dec 24, 2004 (gmt 0)

10+ Year Member



Hi,

I did put following code into my phpBB common.php file:

/**
 * Block Perl Worm
 *
 * Called from common.php; sends the request back to the host it came from.
 */
function blocker()
{
    $check = false;

    // Signature 1: the worm's payload fragments in the request URI
    if (preg_match('#' . preg_quote('system(chr(99)', '#') . '|' . preg_quote('wget', '#') . '#', $_SERVER['REQUEST_URI'])) {
        $check = true;
    }

    // Signature 2: the Perl HTTP libraries the worm announces as User-Agent
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    if (preg_match('#' . preg_quote('lwp-trivial', '#') . '|' . preg_quote('LWP::Simple', '#') . '#', $ua)) {
        $check = true;
    }

    if ($check) {
        // REMOTE_HOST is only populated when Apache does hostname lookups; fall back to the IP
        $source = isset($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : $_SERVER['REMOTE_ADDR'];
        header('HTTP/1.0 403 Forbidden', true);
        header('Location: http://' . $source . $_SERVER['REQUEST_URI']);
        exit;
    }
}

blocker();

It checks for two different characteristics in the request URI and user agent. Then it redirects to the source server, including the request URI. I hope that will wake up the admins of the infected servers.

NN

dvduval

10:39 pm on Dec 24, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks for that NameNick. I just added it.
Should this code minimize the MySQL load created by the worm?

eaden

10:58 pm on Dec 24, 2004 (gmt 0)

10+ Year Member



Add this to the very top of viewtopic.php just after the <?php :

// %2527 is the double-encoded quote the exploit uses in the highlight parameter.
// Use the superglobal: $QUERY_STRING only exists with register_globals on.
if (isset($_SERVER['QUERY_STRING']) && stristr($_SERVER['QUERY_STRING'], '%2527')) {
    die();
}

Stuff in common.php isn't needed as the exploit only targets viewtopic.php, also if you are including common.php or any other files then that increases the load. By having the above code at the very top of viewtopic.php no CPU is wasted.
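As an added example (not code posted by anyone in this thread), here is a Python script that applies the same signatures discussed above, the echr / highlight=%2527 query strings from the .htaccess and viewtopic.php checks and the lwp-trivial / LWP::Simple user agents from NameNick's blocker, to Apache combined-format access-log lines, so you can measure how much of the "guest" traffic is worm scanning. The log lines are constructed samples, not real traffic.

```python
import re
from collections import Counter

# Constructed sample Apache combined-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Dec/2004:09:41:02 +0000] "GET /viewtopic.php?t=12&highlight=%2527%252Esystem(chr(99)) HTTP/1.1" 200 5120 "-" "lwp-trivial/1.41"
10.0.0.5 - - [24/Dec/2004:09:41:03 +0000] "GET /viewtopic.php?t=13&highlight=%2527.echr(120) HTTP/1.1" 200 5120 "-" "lwp-trivial/1.41"
192.0.2.9 - - [24/Dec/2004:09:42:10 +0000] "GET /viewtopic.php?t=12&highlight=santa HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [24/Dec/2004:09:43:00 +0000] "GET /viewforum.php?f=2 HTTP/1.1" 200 9000 "http://example.invalid/" "LWP::Simple/5.79"
"""

# Apache "combined" LogFormat: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signatures as posted in the thread: "echr" or a double-encoded quote right
# after highlight= in the query string, and the worm's Perl user agents.
QUERY_SIGS = re.compile(r'echr|highlight=%2527', re.IGNORECASE)
UA_SIGS = re.compile(r'lwp-trivial|LWP::Simple')

def classify(line):
    """Return (ip, reason) when the line matches a Santy signature, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = m.group('path').partition('?')[2]
    if QUERY_SIGS.search(query):
        return m.group('ip'), 'query'
    if UA_SIGS.search(m.group('ua')):
        return m.group('ip'), 'user-agent'
    return None

def triage(log_text):
    """Count matching requests per source IP and per matched signature."""
    by_ip, by_reason = Counter(), Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            ip, reason = hit
            by_ip[ip] += 1
            by_reason[reason] += 1
    return by_ip, by_reason

if __name__ == '__main__':
    ips, reasons = triage(SAMPLE_LOG)
    for ip, n in ips.most_common():
        print(f'{ip}: {n} suspicious request(s)')
    print(dict(reasons))
```

Run it against your real access_log (`triage(open('access_log').read())`) to see which sources keep hammering viewtopic.php after the 2.0.11 update; the .htaccess rule above should then show those hits as 403s rather than 200s.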

NameNick

12:15 am on Dec 25, 2004 (gmt 0)

10+ Year Member



dvduval,

The code does reduce the load of the database and the website itself. My website was very slow until I added the code.

But eaden is right. You can place the code directly within the "viewtopic.php".

NN

buksida

10:35 am on Dec 28, 2004 (gmt 0)

10+ Year Member



Thanks for the tips, have added the extra code to .htaccess and viewtopic.php. This has already exceeded my bandwidth limit and I've had to ask the host to give me a break as it's down to viral activity!