httpd-users mailing list archives

From "Aaron Crosman" <ACros...@afsc.org>
Subject RE: [users@httpd] Sanity A worm and apache
Date Tue, 25 Jan 2005 18:36:56 GMT
The Sanity A worm affects phpBB on all platforms. While a patch is out, the
infected systems can still attack others, causing problems in the log
files as described below.

I'd love to see an answer to the original question.  My phpBB
installations don't seem to have been found yet, and I'm hoping to avoid
it. BUT it's always nice to have a trick ready to deal with any issues
that pop up.

Aaron

> -----Original Message-----
> From: John [mailto:naverxp@yahoo.com.sg] 
> Sent: Tuesday, January 25, 2005 12:38 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Sanity A worm and apache
> 
> I believe these bugs do not affect Windows, right?
> 
> >I run a few instances of phpBB under Apache 1.x, running as the default
> >Apache install under OS X client 10.3.7
> >
> >Several of my forums are getting hit with this type of thing:
> >forums.example.com 216.237.49.226 - - [24/Jan/2005:20:22:53 -0800] "GET /viewtopic.php?t=6852&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 302 716 "-" "Mozilla/4.0"
> >
> >Someone on the phpBB forums came up with this for a .htaccess file:
> >RewriteEngine On
> >
> ># prevent access from sanity webworm a-e
> >RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
> >RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR]
> >RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]
> >RewriteCond %{QUERY_STRING} ^(.*)wget\%20
> >RewriteRule ^.*$ http://127.0.0.1/ [R,L]
> >
> ># prevent pre php 4.3.10 bug
> >RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b
> >RewriteRule ^.*$ http://127.0.0.1/ [R,L]
> >
> ># prevent perl user agent (most often used by santy)
> >RewriteCond %{HTTP_USER_AGENT} ^lwp.* [NC]
> >RewriteRule ^.*$ http://127.0.0.1/ [R,L]
> >
> >
> >This is working, I no longer see 1000+ guest users on the forums, but I
> >can't help wondering if there is a better way. I think SetEnvIfNoCase is
> >the better way, and I think I want it in the httpd.conf file so I need not
> >worry about applying this new rule to all the sites; it can act on a
> >global basis.
> >
> >The problem I have with the above is it still logs all those requests to
> >my access_log, which is making a mess of things and the logs are growing
> >much too fast, not to mention it is blowing out my stats on the logs as
> >well and artificially inflating requests to one file.
> >
> >Is it possible to convert the above to SetEnvIfNoCase, and send those
> >matches to a new log file so they do not muddy the main combined log I
> >have in place?  Is it then possible to deny based on that new rule and
> >send those deny logs to some other file as well?
> >
> >I am starting to think this can be done somewhat like this:
> ><Directory />
> >    order allow,deny
> >    allow from all
> >    deny from env=sanityworm
> ></Directory>
> >
> >Then, I need my regex matching:
> >SetEnvIfNoCase ??????? "regex here" sanityworm
> >
> >What I can not find out is what all the options of the second part of
> >SetEnvIfNoCase are: is QUERY_STRING one of those options, as well as the
> >others listed above?  I just don't know how to convert the rewrite rules
> >above to fit into this new scenario, assuming it is the correct way to
> >accomplish this.
> >
> >Then there is the logging side of this, which I have no idea how to make
> >happen.  Thanks for any and all help in this.
> >
> >
> >  
> >
> 
> 
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 
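The following httpd.conf fragment is an added example for the question quoted above; it is not from the thread or from the phpBB forums. It tags matching requests with an environment variable, denies them, and routes them to a separate log so the main combined log and its stats stay clean. One point the original poster could not find: SetEnvIf has no QUERY_STRING attribute (Request_URI excludes the query string), so the query-string patterns stay in mod_rewrite, which sets the variable with the E= flag instead of redirecting; the header-based checks can use SetEnvIfNoCase directly. The patterns are the ones quoted in the thread. Assumed: mod_rewrite, mod_setenvif, mod_access and mod_log_config are loaded, the log paths are relative to ServerRoot, and the file name worm_log is a placeholder.

```apache
# Added example (not from the thread). Place in the server config or a
# <VirtualHost> so it applies to every site; mod_access syntax as used by
# Apache 1.3/2.0/2.2, which is what the original post runs.

RewriteEngine On

# QUERY_STRING is matched un-decoded, so the double-encoded %2527 from the
# log line is matched literally. No substitution ("-"), just set the variable.
RewriteCond %{QUERY_STRING} highlight=\%2527 [OR]
RewriteCond %{QUERY_STRING} rush=(\%65\%63\%68|echo) [OR]
RewriteCond %{QUERY_STRING} wget\%20
RewriteRule .* - [E=sanityworm:1]

# Header checks: the second argument of SetEnvIfNoCase is a request header
# name (or Remote_Addr, Request_URI, etc.), so User-Agent and Cookie work here.
SetEnvIfNoCase User-Agent "^lwp" sanityworm=1
SetEnvIfNoCase Cookie "s:.*:%22test1%22%3b" sanityworm=1

# Deny tagged requests everywhere; the 403 is cheaper than the redirect loop
# to 127.0.0.1 used in the .htaccess version.
<Directory />
    Order Allow,Deny
    Allow from all
    Deny from env=sanityworm
</Directory>

# Conditional logging: env= on CustomLog keeps tagged requests out of the
# main log and writes them (with their 403 status) to a separate file.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog logs/access_log combined env=!sanityworm
CustomLog logs/worm_log   combined env=sanityworm
```

The environment variable is set during URI translation and survives through the access check and logging phases, which is what lets one variable drive both Deny and CustomLog. On Apache 2.4 the <Directory /> block would use Require instead: `<RequireAll> Require all granted  Require not env sanityworm </RequireAll>`; the rest is unchanged.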


