WebProWorld
Internet Security Discussion Forum This forum is for the discussion of security related issues. If you find a new Phishing scheme, spyware, virus or malicious site - let us know about it. If any of the above found you... here's where you ask for help.

#1 | minstrel | 12-30-2004, 04:22 PM
New variants of Santy worm hitting forums

WPW may be one of the victims:

Quote:
In total there are 461 users online :: 6 Registered, 2 Hidden and 453 Guests
[ Administrator ] [ Moderator ]
Most users ever online was 549 on Thu Dec 30, 2004 9:51 AM
There are reports at phpbb.com of new variants that don't contain "lwp*" in the user-agent string. Many forums used that method of blocking the worms in .htaccess but that's no longer going to work, evidently.

Methods that look for telltale sequences in the GET string so far still seem to work.

#2 | mike | 12-30-2004, 04:27 PM

Yep, he's pounding away... but he can't get in. We're the little piggies in the brick house.

#3 | minstrel | 12-30-2004, 04:34 PM

Yes but forums not on larger dedicated servers may not be as resilient.

Would you object if I just moved my forums to your server? I could promise you a site-wide text link to sweeten the deal... ;o)

#4 | mike | 12-30-2004, 04:48 PM

The current config on this forum could handle 50 times what santy is throwing at me before I'd even bat an eye (2 weeks ago would have been another story).


Huff and puff away santy.

Incidentally, I have tried a few of the currently circulating 'fixes' for santy.

Some were working for a while but unfortunately he seems to be changing his game quite rapidly and is starting to bleed through the workarounds.

I wish I had some words of wisdom for those of you impacted negatively by santy, but I couldn't stop him either...

Fortunately for WebProWorld our new configuration just lets us take his best shot with little/no impact to our services (to this point -- knocking on wood).

#5 | minstrel | 12-30-2004, 04:52 PM

So (I'm just double checking here)...

You're saying no to moving my forums?

#6 | mike | 12-30-2004, 05:05 PM

Sorry, but no, I can't swing that.

#7 | minstrel | 12-30-2004, 05:13 PM

DANG!

#8 | mikmik | 12-30-2004, 08:44 PM

I just read about the new stonehaven dual opteron 250. It can handle 16,700 requests per second.

Hey, Mike, how about a wee loan? I'll link to you on the main page, using your image as the link :O)

#9 | Deep13 | 12-31-2004, 12:30 AM

This santy is creating major problems for the servers around...

Currently also I see around 400 visitors online

Quote:
In total there are 407 users online :: 6 Registered, 1 Hidden and 400 Guests

But as mike said the server is capable of this load, then it shouldn't be a problem, but the thing is people will have to find a proper solution for this...

Deep

#10 | DannyS | 01-04-2005, 03:44 AM

The worm started requesting pages from us on Christmas Day. We were shut down for almost 24 hours on the 26th of December for going over our bandwidth limit. We couldn't even buy more bandwidth until the host's billing department showed on Monday morning, and we aren't even a board, we have an osCommerce cart! We tried banning IPs but couldn't keep up (we even managed to ban our own shared SSL server, which took a week to figure out ;-( ).

What we did that helped was add mod_rewrite rules that returned a 403 error page to worm requests instead of the whole page requested. This saved bandwidth. Afterwards the techs at Jumpline.com did something upstream of us which has blocked them totally, but I don't know what they did. I’m guessing it was some rules added to the firewall.

Danny
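
The point raised in posts #1 and #10, that a block on "lwp*" user agents stops working once a variant changes its user-agent while a check on the GET string still matches, and that answering matched requests with a 403 saves bandwidth, as an added example (not code from any poster, the host, or phpBB). The `highlight` parameter and the double-encoded quote marker `%2527` are assumptions taken from public descriptions of Santy, not from this thread; the log lines and the `PLACEHOLDER` value are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [30/Dec/2004:09:50:01 -0500] "GET /viewtopic.php?t=42&highlight=%2527PLACEHOLDER HTTP/1.0" 200 18432 "-" "lwp-trivial/1.41"
192.0.2.11 - - [30/Dec/2004:09:50:02 -0500] "GET /viewtopic.php?t=42&highlight=%2527PLACEHOLDER HTTP/1.0" 200 18432 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [30/Dec/2004:09:50:03 -0500] "GET /viewtopic.php?t=42&highlight=santy+worm HTTP/1.1" 200 18432 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.0"
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} (\d+|-) "[^"]*" "([^"]*)"$'
)

def ua_rule(user_agent):
    """The .htaccess-style check from the thread: block agents starting with 'lwp'."""
    return user_agent.lower().startswith("lwp")

def query_rule(target):
    """Assumed GET-string check: a quote that is still encoded after one decode."""
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl decodes once, so a double-encoded quote (%2527) shows up as %27.
        # A literal quote is flagged too, which can also hit a legitimate search.
        if name == "highlight" and ("%27" in value or "'" in value):
            return True
    return False

def analyse(log_text):
    """Return one dict per parseable line with the verdict of each rule."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not combined-format entries
        ip, target, size, agent = m.groups()
        rows.append({"ip": ip, "ua_hit": ua_rule(agent),
                     "query_hit": query_rule(target),
                     "bytes": 0 if size == "-" else int(size)})
    return rows

def bytes_not_served(rows, rule):
    """Approximate body bytes avoided if every hit for `rule` got a bare 403."""
    return sum(r["bytes"] for r in rows if r[rule])

if __name__ == "__main__":
    rows = analyse(SAMPLE_LOG)
    for r in rows:
        print(r["ip"], "ua_hit" if r["ua_hit"] else "-", "query_hit" if r["query_hit"] else "-")
    print("UA rule avoids", bytes_not_served(rows, "ua_hit"), "bytes")
    print("query rule avoids", bytes_not_served(rows, "query_hit"), "bytes")
```

The second constructed request carries a browser-like user-agent, so only the query-string rule flags it; the ordinary search in the third line passes both rules.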
