WebProWorld
Internet Security Discussion Forum: This forum is for the discussion of security-related issues. If you find a new phishing scheme, spyware, virus or malicious site, let us know about it. If any of the above found you... here's where you ask for help.
#1  12-25-2004, 02:49 PM
minstrel (WebProWorld 1,000+ Club, Ottawa, Canada)

Forums worldwide hit Christmas eve and Christmas day

Numerous phpBB and vBulletin forums are being hit currently by a variant of the Santy worm, now using Yahoo and other search engines to locate forums using PHP and especially unpatched versions of phpBB.

Even safe (newer) versions of PHP and phpBB version 2.0.11 are being hit because of the sheer volume of hits to the forums being generated, amounting to a de facto DDoS attack even if the worm cannot actually infect the forum. And if your forum sits on the same server housing vulnerable phpBB or vBulletin forums, yours can be affected even if it is patched.

For those of you using vBulletin who believe yourselves to be safe, Shawn at DigitalPoint posted this:

Quote:
someone put out a new worm this morning which uses Yahoo to find phpBB forums. Looked at the source, and it's searching for pages that contain "showthread.php" in the URL. Which also is the case for vBulletin. So I woke up this morning and the server was taking a beating from hundreds of requests per second trying to install a worm on the forum (all from different IP addresses). I ended up blocking it on my end, but I can imagine other vBulletin forums are taking a DoS beating right now.
#2  12-25-2004, 04:11 PM
RikR (WebProWorld Pro, Wake Forest, NC USA)

Is there any way to put up a defense?
Rik Rasmussen
Two Way Radio Directory
http://twowayradiodirectory.com
#3  12-25-2004, 04:27 PM
minstrel (WebProWorld 1,000+ Club, Ottawa, Canada)

If you are on an Apache server, you can use .htaccess to block specific IPs -- however, these attacks/probes are coming from everywhere so you'd have to block a LOT of them.

Shawn Hogan at DigitalPoint has posted a fix here but I can't get it to work for me -- not sure why not yet.
#4  12-26-2004, 12:09 AM
minstrel (WebProWorld 1,000+ Club, Ottawa, Canada)

Two more solutions:

.htaccess version (requires mod_rewrite)

RewriteEngine on
# %{QUERY_STRING} is the raw, undecoded query string, so the patterns
# match the worm's double-encoded payload as it arrives:
# "echr" is the tail of "%252echr(" (an encoded "." before chr()) and
# %2527 is a double-encoded single quote in the highlight parameter.
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527
# Answer any matching request with 403 Forbidden and stop processing
RewriteRule ^.*$ - [F,L]

viewtopic.php version
After

<?php

Add

// Refuse any request whose raw query string carries the double-encoded quote.
// $_SERVER['QUERY_STRING'] replaces the register_globals-only $QUERY_STRING.
if (stristr($_SERVER['QUERY_STRING'], '%2527')) {
    die();
}
#5  12-26-2004, 02:29 AM
minstrel (WebProWorld 1,000+ Club, Ottawa, Canada)

A combined solution which doesn't use .htaccess mod-rewrite:

1. In common.php:

// Block Perl/Santy Worm
function blocker()
{
    $check = 0;

    // Payload markers in the request URI: the PHP call the worm injects, or a wget fetch
    if (preg_match('#' . preg_quote('system(chr(99)') . '|' . preg_quote('wget') . '#', $_SERVER['REQUEST_URI'])) {
        $check = 1;
    }

    // The worm is a Perl script and identifies itself with a LWP user agent
    if (preg_match('#' . preg_quote('lwp-trivial') . '|' . preg_quote('LWP::Simple') . '#', (string) getenv('HTTP_USER_AGENT'))) {
        $check = 1;
    }

    if ($check) {
        // REMOTE_HOST is only filled in when Apache has HostnameLookups on;
        // fall back to the client address so the redirect target is never empty.
        $source = !empty($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : $_SERVER['REMOTE_ADDR'];
        header('HTTP/1.0 403 Forbidden', true);
        // Note: PHP turns a Location header into a 302 redirect unless a 3xx
        // status was already set, so the client ends up redirected, not denied.
        header('Location: http://' . $source . $_SERVER['REQUEST_URI']);
        exit;
    }
}
blocker(); // the function must actually be called for the check to run
// Block Perl/Santy Worm

Author's comment: "This checks for two different characteristics in request uri and user agent. Then it redirects to the source server including the request uri. I hope that will awake the admins of the infected servers. "

2. in common.php

// block Santy worm version 2
$browser = isset($_SERVER['HTTP_USER_AGENT']) ? trim($_SERVER['HTTP_USER_AGENT']) : '';
if(substr(strtolower($browser), 0, 3) === 'lwp')
{
die($browser . ' is banned on this server.');
}
// end block Santy worm version 2


3. In viewtopic.php just after the <?php :

// $_SERVER['QUERY_STRING'] replaces the register_globals-only $QUERY_STRING
if (stristr($_SERVER['QUERY_STRING'], '%2527')) {
    die();
}
#6  12-26-2004, 04:07 AM
Deep13 (WebProWorld Veteran, India)
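The rules in posts #4 and #5 are all request-level signatures: a double-encoded quote (%2527) or "echr" in the query string, "system(chr(99)" or "wget" in the request URI, and an LWP user agent. The following Python script, which is an added example and not code from the thread, applies those same signatures to Apache combined-format access log lines so an admin can see after the fact which requests would have been blocked and how many distinct sources were involved. The log lines are constructed, the IP addresses are documentation-range placeholders, and the indicator names are my own labels.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache combined log format:
# ip ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Indicators mirroring the thread's .htaccess, common.php and viewtopic.php checks.
# Apache's %{QUERY_STRING} is the raw, undecoded string, so we match the raw query too.
QUERY_PATTERNS = [
    ("highlight-double-encoded-quote", re.compile(r"highlight=%2527", re.I)),
    ("double-encoded-quote", re.compile(r"%2527", re.I)),
    ("echr-payload", re.compile(r"echr", re.I)),       # tail of "%252echr(" (encoded "." before chr)
]
URI_PATTERNS = [
    ("system-chr", re.compile(re.escape("system(chr(99)"), re.I)),
    ("wget", re.compile(r"wget", re.I)),
]
AGENT_PATTERNS = [
    ("lwp-prefix", re.compile(r"^lwp", re.I)),          # substr(strtolower(...), 0, 3) === 'lwp'
    ("lwp-trivial", re.compile(r"lwp-trivial", re.I)),
    ("LWP::Simple", re.compile(r"LWP::Simple")),
]

# Constructed sample log: three worm-style probes from two sources, two normal requests,
# and one junk line to show that unparseable input is counted rather than crashing the scan.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Dec/2004:14:49:01 -0500] "GET /forum/viewtopic.php?t=1&highlight=%2527%252echr(112) HTTP/1.0" 200 512 "-" "lwp-trivial/1.41"
203.0.113.11 - - [25/Dec/2004:14:49:02 -0500] "GET /forum/viewtopic.php?t=2&highlight=%2527 HTTP/1.0" 200 512 "-" "LWP::Simple/5.79"
198.51.100.7 - - [25/Dec/2004:14:49:03 -0500] "GET /forum/viewtopic.php?t=7&highlight=php HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (X11; Linux)"
198.51.100.8 - - [25/Dec/2004:14:49:04 -0500] "GET /forum/index.php HTTP/1.1" 200 4200 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.10 - - [25/Dec/2004:14:49:05 -0500] "GET /forum/viewtopic.php?t=3&highlight=%2527 HTTP/1.0" 403 0 "-" "lwp-trivial/1.41"
this line is not an access log entry
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def santy_indicators(entry):
    """Return the names of every thread signature that fires for one parsed entry."""
    hits = []
    target = entry["target"]
    query = urlsplit(target).query          # raw query, no percent-decoding
    for name, rx in QUERY_PATTERNS:
        if rx.search(query):
            hits.append(name)
    for name, rx in URI_PATTERNS:
        if rx.search(target):
            hits.append(name)
    for name, rx in AGENT_PATTERNS:
        if rx.search(entry["agent"]):
            hits.append(name)
    return hits


def scan_log(lines):
    """Scan log lines; return (flagged entries, per-source hit counts, unparseable line count)."""
    flagged, per_ip, bad = [], Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            bad += 1
            continue
        hits = santy_indicators(entry)
        if hits:
            flagged.append((entry["ip"], entry["target"], hits))
            per_ip[entry["ip"]] += 1
    return flagged, per_ip, bad


if __name__ == "__main__":
    flagged, per_ip, bad = scan_log(SAMPLE_LOG.splitlines())
    for ip, target, hits in flagged:
        print(f"{ip} {target} -> {', '.join(hits)}")
    print(f"{len(flagged)} flagged requests from {len(per_ip)} distinct sources, "
          f"{bad} unparseable lines")
```

Run it over a real access_log by replacing SAMPLE_LOG.splitlines() with the file's lines. The "wget" rule is copied from the thread's blocker() and will also match any legitimate URL that happens to contain that word, so review what it flags before turning the same rule into a block.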

actually this santy worm is playing a lot with PHP i should say...

first it started playing with PHPBB forums and now it is trying to play with the actual files i.e. trying to exploit include() and require () in php

list of common php mistakes


EDIT: minstrel, as far as I know this worm does not hurt forums which are running on version 2.0.11, i think the worm Santy has nothing to do with DDOS, it just checks for the forums which are running versions prior to 2.0.11 and attack those forums...

there was one loophole in viewtopic.php which allowed to get database password of the forums from query string so this worm is exploiting this loophole only...

banning the IP is not the solution coz the worm can be run from any server in the world... but my suggestions would be...

* UPDATE PHPBB to 2.0.11
* UPDATE PHP to 4.3.10 or 5.0.3 (also update Zend optimizer to latest version)

Regards
Deep
#7  12-26-2004, 10:49 AM
minstrel (WebProWorld 1,000+ Club, Ottawa, Canada)

Deep, even upgraded forums are vulnerable and they don't even have to be phpBB forums. The problem is this is a dumb worm -- it doesn't "know" when it's reached a site without the vulnerabilities so it keeps hitting pages anyway, filling up the sessions table and overwhelming the server eventually.

There are actually TWO vulnerabilities: the "highlight" one already noted and the "serialize" one: see http://www.phpbbstyles.com/viewtopic...er=asc&start=0.

You can prevent defacing and destruction of your board by upgrading your PHP and phpBB versions but that won't prevent the DoS attacks.
#8  12-26-2004, 12:30 PM
Deep13 (WebProWorld Veteran, India)

yup, 2 security holes, 1 with PHPBB and one with PHP itself..

oh yes you are right...worm might be hitting the forums to search for the loophole..

Deep
#9  12-26-2004, 01:31 PM
minstrel (WebProWorld 1,000+ Club, Ottawa, Canada)

see also http://www.bandofgonzos.com/phpbb/vi...?p=19735#19735
#10  12-26-2004, 06:27 PM
minstrel (WebProWorld 1,000+ Club, Ottawa, Canada)

There are apparently at least five (5!) versions of Santy now circulating.

See http://www.zone-h.org/en/news/read/id=4440/.
#11  12-27-2004, 05:20 PM
mikmik (WebProWorld 1,000+ Club, Edmonton, AB, Canada)

5!?

That didn't take long. All the kids come out to play.
#12  12-27-2004, 06:32 PM
mike (Administrator)

It tried to zap us I believe. I think it was behind some of those minor session-related issues we had over the weekend. That's my theory anyway.

It appears as though one of the 'bot counter measure' feature doodads I put in finally figured it out and put the whammy on it though. Forgive me a cruel chuckle as I wallow in self aggrandizement.


Mike: 1
Santy: 0
WebProNews Videos
#13  12-27-2004, 06:59 PM
minstrel (WebProWorld 1,000+ Club, Ottawa, Canada)

Cruel chuckle forgiven... this time.

One of the problems for those of us on smaller servers was that the traffic rapidly outstripped what the server could handle. One of our forums had 1905 simultaneous visitors just before it "crashed". Maybe WPW or other sites on dedicated servers can handle that kind of traffic but we couldn't.

Once I could get a word in edgewise to FTP to the site, I was able to install the blocks but that took a few hours.

Incidentally, Mike, I noticed that since the new facelift to WPW I am now getting personal notifications from Mike instead of the old generic ones that everyone else gets. I feel so special now :o)
All times are GMT -4.