Forums wiped out!

Discussion in 'General Chat' started by anthonycea, Dec 23, 2004.

  1. minstrel

    minstrel Illustrious Member

    Messages:
    15,082
    Likes Received:
    1,243
    Best Answers:
    0
    Trophy Points:
    480
    #41
    I don't know why Shawn's fix doesn't work for me but I found two other solutions that are presented on various forums as doing the trick:

    .htaccess version
    RewriteEngine on
    RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
    RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527
    RewriteRule ^.*$ - [F,L]

    viewtopic.php version
    After

    <?php

    Add

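    // $QUERY_STRING is only set when register_globals is on; read the raw query string from $_SERVER
    if (isset($_SERVER['QUERY_STRING']) && stristr($_SERVER['QUERY_STRING'], '%2527') !== false) {
        die();
    }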
     
    minstrel, Dec 25, 2004 IP
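To see which requests the two RewriteCond patterns in the post above would catch, and which of them the server answered before the rule was in place, here is an added example (not code from the thread or from phpBB). The log lines are constructed samples with placeholder payloads, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache common log format); payloads are placeholders.
SAMPLE_LOG = '''\
192.0.2.10 - - [25/Dec/2004:09:14:02 -0500] "GET /viewtopic.php?t=1234 HTTP/1.0" 200 18231
198.51.100.7 - - [25/Dec/2004:09:14:03 -0500] "GET /viewtopic.php?p=9&highlight=%2527.PLACEHOLDER.%2527 HTTP/1.0" 200 512
198.51.100.7 - - [25/Dec/2004:09:14:05 -0500] "GET /viewtopic.php?t=77&highlight=%2527.PLACEHOLDER.%2527 HTTP/1.0" 403 210
203.0.113.44 - - [25/Dec/2004:09:15:40 -0500] "GET /viewtopic.php?t=5&highlight=php%27s HTTP/1.0" 200 17002
203.0.113.9 - - [25/Dec/2004:09:16:11 -0500] "GET /viewtopic.php?t=5&x=echr-PLACEHOLDER HTTP/1.0" 200 199
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')


def matched_rule(query):
    """Return which of the two posted conditions the raw query string trips, or None."""
    if "echr" in query:
        return "echr"
    # %2527 is a percent-encoded "%27"; a second decode yields a single quote.
    # A normal search for a word with an apostrophe arrives as %27 and is not flagged.
    if "highlight=%2527" in query:
        return "highlight=%2527"
    return None


def scan(log_text):
    """Return (source_ip, rule, http_status) for every request a condition matches."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        rule = matched_rule(target.partition("?")[2])
        if rule:
            hits.append((ip, rule, int(status)))
    return hits


def unblocked_hits(hits):
    """Count matching requests per IP that were NOT answered with 403 Forbidden."""
    return Counter(ip for ip, _, status in hits if status != 403)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, rule, status in found:
        print(f"{ip:15} rule={rule:16} status={status}")
    print("not blocked:", dict(unblocked_hits(found)))
```

Matching requests that returned anything other than 403 reached the forum script and are the ones worth following up in the application and database logs.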
  2. anthonycea

    anthonycea Banned

    Messages:
    13,378
    Likes Received:
    342
    Best Answers:
    0
    Trophy Points:
    0
    #42
    Sort of like fighting fire with fire, hey Minstrel, using forums to find out how to solve forum security problems :p :D

    I did not know you were the coder/technical management of your sites Minstrel :confused:
     
    anthonycea, Dec 25, 2004 IP
  3. minstrel

    minstrel Illustrious Member

    #43
    I am for my solo sites; Dodger is the main man for the BoG but he's still away. I used to do a fair bit of programming in the old days, until they started selling software for pretty much everything anyone wants to do cheaper than I could make it myself; these days I only do as much as I have to, so I learn new things as I go along...
     
    minstrel, Dec 25, 2004 IP
  4. anthonycea

    anthonycea Banned

    #44
    You know this is a major disaster for the entire forum community, first we think it is a flaw in the software, that gets updated.

    Next you get a worm that sends so much traffic to every type of forum knocking them out even after they patch the software.

    This seems to be a problem that can not be solved because so many forums are out of business right now.

    The question has been Minstrel, what are these guys after, email addresses or do they want to use the forums for URL’s to dump referral links on?
     
    anthonycea, Dec 25, 2004 IP
  5. minstrel

    minstrel Illustrious Member

    #45
    I don't think they want anything other than to create as much havoc as possible. It's no different from the virus writers... the reward is the hope of 15 minutes worth of notoriety in little people with lives so barren and empty that this is the biggest thrill they can look forward to.
     
    minstrel, Dec 25, 2004 IP
  6. anthonycea

    anthonycea Banned

    #46
    Very funny Minstrel, but there must be more to it than that, why would they flood a forum like Digital Point with thousands of visitors from different IP addresses all looking like guests viewing different threads.

    There has to be a reason they are attacking forums like this and no one is giving any reasons yet.
     
    anthonycea, Dec 25, 2004 IP
  7. minstrel

    minstrel Illustrious Member

    #47
    They're not real visitors, AC -- it's a worm and they are looking to take down vulnerable forums. The problem is the worm is too stupid to realize it when it hits a forum that isn't vulnerable so it keeps hitting and hitting trying to get in. That has the effect of a DoS attack because it fills up the session tables and clogs the forum servers. Frankly, I doubt that they're smart enough to have planned that but it does make the worm a double threat.
     
    minstrel, Dec 25, 2004 IP
  8. anthonycea

    anthonycea Banned

    #48
    I know they are not real visitors, I knew it was a bot attack when I saw this happening the last two days, at DP this morning I knew something was wrong before Shawn got up. DP was slow then it went down for 15 minutes until Shawn fixed it.

    What are they after once they get in?

    They were in DP this morning because you could see 16 pages of visitors in different threads.

    The question is, are they collecting URL's from the threads? They must be after something Minstrel. :confused:
     
    anthonycea, Dec 25, 2004 IP
  9. minstrel

    minstrel Illustrious Member

    #49
    Why must they be after something? Was Bagle after something? or MyDoom? or any one of a hundred other viruses?

    This isn't a conspiracy. These are script kiddies trying to pretend they are somebodies. It's the same motivation as vandalism -- the motive is to deface and destroy, nothing more noble or intelligent than that.
     
    minstrel, Dec 25, 2004 IP
  10. anthonycea

    anthonycea Banned

    #50
    I was reading some of these threads that I linked to in both of these threads in this forum and someone else mentioned the same thing I have mentioned.

    That they may be after email addresses, who knows Minstrel, that is what I am trying to find out, I can not do that without asking questions.
     
    anthonycea, Dec 25, 2004 IP
  11. minstrel

    minstrel Illustrious Member

    #51
    I'm not faulting you for asking questions, Anthony. I just think you're looking too hard for rationality here. Again, I'd suggest the mentality we're dealing with is the type of person that breaks phone booths and bus stops and turns over grave stones in a cemetery. These are not deep thinkers or people with real ambition or goals. They are miserable people trying to make life miserable for others who seem to them to be happier than they are, or they're bored little middle class assholes with nothing better to do.
     
    minstrel, Dec 25, 2004 IP
  12. anthonycea

    anthonycea Banned

    #52
    Well Minstrel, you saw and reported that they were Muslim folks and they sent anti-western messages.

    I think you may have a point, but I also think if they are smart enough to pull off something like this they are smart enough to have a reason to do it also.

    I have been reading quite a bit that a lot of this is Russian Mafia and terrorist related and they are in the hacking business to make (steal money) a lot of money.

    If they can pick up email addresses and passwords they can get credit card information from those files.

    To just pull off something like this for fun or to have something to laugh about over rock and roll and drinking beer is not what I think is going on.

    I have seen a hell of a lot of porno sites leaving referral links on my server logs, they do that for a reason, so they can get traffic back.
     
    anthonycea, Dec 25, 2004 IP
  13. minstrel

    minstrel Illustrious Member

    #53
    Yes but those are different exploits, different people. This one is just another "virus".

    There is one thing common to the two, though: theplanet.com -- a lot, though not all, of the worm attacks are coming through their servers. They were also implicated in the Turkish Hackers exploits -- their servers leak like a cheap diaper. I've alerted them three times now and asked them to clean up their act but after more than three weeks nothing at all significant is happening. The best I got back from them was that their clients' sites were compromised -- no shit! They are also harboring hackers. I'm not waiting for them any longer. Now, we're taking it a step further and have filed two official complaints so far.

    theplanet.com operates on a number of IP ranges... here are a few of them -- you can do a whois on theplanet.com and get more:

    67.18.0.0 - 67.19.255.255
    69.93.0.0 - 69.93.255.255
    70.84.0.0 - 70.85.127.255
    216.185.96.0 - 216.185.127.255

    If you don't want to do anything else, you can probably significantly reduce some of the hits by banning those IP ranges.
     
    minstrel, Dec 25, 2004 IP
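Before banning the ranges listed in the post above, it helps to express them as CIDR blocks and measure how much of the observed traffic they actually cover. This is an added example, not code from the thread; the source addresses are constructed samples, the function names are hypothetical, and the `Require not ip` output assumes Apache 2.4 syntax.

```python
import ipaddress

# Ranges exactly as listed in the post (first address, last address).
POSTED_RANGES = [
    ("67.18.0.0", "67.19.255.255"),
    ("69.93.0.0", "69.93.255.255"),
    ("70.84.0.0", "70.85.127.255"),
    ("216.185.96.0", "216.185.127.255"),
]

# Constructed sample of source addresses pulled from flagged requests.
SAMPLE_SOURCES = ["67.18.4.20", "70.85.130.1", "70.85.12.9", "192.0.2.55", "216.185.100.3"]


def to_cidrs(ranges):
    """Convert first-last ranges to the minimal list of CIDR networks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


def is_listed(addr, nets):
    """True if addr falls inside any of the networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def coverage(sources, nets):
    """Fraction of the observed source addresses a ban on nets would cover."""
    if not sources:
        return 0.0
    return sum(is_listed(s, nets) for s in sources) / len(sources)


def deny_lines(nets):
    """Apache 2.4 directives; they belong inside a <RequireAll> block."""
    return [f"Require not ip {net}" for net in nets]


if __name__ == "__main__":
    networks = to_cidrs(POSTED_RANGES)
    print("\n".join(deny_lines(networks)))
    print(f"covered: {coverage(SAMPLE_SOURCES, networks):.0%} of sampled sources")
```

The third range does not align to a single prefix, so it becomes two blocks (a /16 and a /17); an address such as 70.85.130.1 sits just outside it and is not covered.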
  14. anthonycea

    anthonycea Banned

    #54
    There is a hell of a lot of good information on the phpBB forum in the support section and other forums over there.

    So the community will get to the bottom of this very hot story.

    I understand your anger, I was pissed off that a few of the forums I post at do not exist at this point.

    I was mad as hell this morning when I saw all the bot visitors at DP, then the forum was down for 15 minutes, I was really pissed off about all of it myself.

    Security is so important and we all need to put that as the first priority or you can kiss your data and your business goodbye. :mad:
     
    anthonycea, Dec 25, 2004 IP
  15. minstrel

    minstrel Illustrious Member

    #55
    Yes. I've been to the phpBB forums, the vBulletin forums, and half a dozen others. If you are a forum owner, read as much as you can. This probably isn't the last variant of Santy.

    I agree with you about security, AC. The problem is that even if you are secure you can still be brought down by people and sites who aren't -- again, just like Bagle and MyDoom and Netsky.
     
    minstrel, Dec 25, 2004 IP
  16. Josh

    Josh Peon

    Messages:
    893
    Likes Received:
    82
    Best Answers:
    0
    Trophy Points:
    0
    #56
    Well, I patched my forum from the highlighting exploit (the one Santy uses) before the release ever came out, and I just patched my forum for the serialize() exploit yesterday, so I think that's all the major ones I know of that allow shell access..


    Josh
     
    Josh, Dec 26, 2004 IP
  17. anthonycea

    anthonycea Banned

    #57
    Minstrel may hire you soon Josh ;) :)
     
    anthonycea, Dec 26, 2004 IP
  18. minstrel

    minstrel Illustrious Member

    #58
    I've just applied the serialize patch too.

    Obviously, I need to pay closer attention to the PHP vulnerabilities now that the script kiddies have discovered them :mad:
     
    minstrel, Dec 26, 2004 IP
  19. anthonycea

    anthonycea Banned

    #59
    Just make quick friends with Josh and you will be fine Minstrel, we can learn a lot from this 13 year old genius :D
     
    anthonycea, Dec 26, 2004 IP
  20. kusadasi-guy

    kusadasi-guy Peon

    Messages:
    83
    Likes Received:
    4
    Best Answers:
    0
    Trophy Points:
    0
    #60
    Hey Minstrel, I disabled PHP on my win2k3 and completely disabled the forums. I PMed you some things.
     
    kusadasi-guy, Dec 26, 2004 IP