Forums wiped out!

I don't know why Shawn's fix doesn't work for me but I found two other solutions that are presented on various forums as doing the trick:

.htaccess version
RewriteEngine on
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527
RewriteRule ^.*$ - [F,L]

viewtopic.php version
After

<?php

Add

if(stristr($QUERY_STRING,'%2527')) {
die();
}

 

Sort of like fighting fire with fire, hey Minstrel, using forums to find out how to solve forum security problems

I did not know you were the coder/technical management of your sites Minstrel

 

I am for my solo sites; Dodger is the main man for the BoG but he's still away. I used to do a fair bit of programming in the old days, until they started selling software for pretty much everything anyone wants to do cheaper than I could make it myself; these days I only do as much as I have to, so I learn new things as I go along...

 

You know this is a major disaster for the entire forum community, first we think it is a flaw in the software, that gets updated.

Next you get a worm that sends so much traffic to every type of forum knocking them out even after they patch the software.

This seems to be a problem that can not be solved because so many forums are out of business right now.

The question has been Minstrel, what are these guys after, email addresses or do they want to use the forums for URL’s to dump referral links on?

 

I don't think they want anything other than to create as much havoc as possible. It's no different from the virus writers... the reward is the hope of 15 minutes worth of notoriety in little people with lives so barren and empty that this is the biggest thrill they can look forward to.

 

Very funny Minstrel, but there must be more to it than that, why would they flood a forum like Digital Point with thousands of visitors from different IP addresses all looking like guests viewing different threads.

There has to be a reason they are attacking forums like this and no one is giving any reasons yet.

 

They're not real visitors, AC -- it's a worm and they are looking to take down vulnerable forums. The problem is the worm is too stupid to realize it when it hits a forum that isn't vulnerable so it keep hitting and hitting trying to get in. That has the effect of a DoS attack because it fills up the session tables and clogs the forums servers. Frankly, I doubt that they're smart enough to have planned that but it does make the worm a double threat.

 

I know they are not real vistors, I knew it was a bot attack when I seen this happening the last two days, at DP this morning I knew something was wrong before Shawn got up. DP was slow then it went down for 15 minutes until Shawn fixed it.

What are they after once they get in?

They were in DP this morning because you could see 16 pages of visitors in different threads.

The question is, are they collecting URL's from the threads? They must be after something Minstrel.

 

Why must they be after something? Was Bagle after something? or MyDoom? or any one of a hundered other viruses?

This isn't a conspiracy. These are script kiddies trying to pretend they are somebodies. It's the same motivation as vandalism -- the motive is to deface and destroy, nothing more noble or intelligent than that.

 

I was reading some of these threads that I linked to in both of these threads in this forum and someone else mentioned the same thing I have mentioned.

That they may be after email addresses, who knows Minstrel, that is what I am trying to find out, I can not do that without asking questions.

 

I'm not faulting you for asking questions, Anthony. I just think you're looking too hard for rationality here. Again, I'd suggest the mentality we're dealing with is the type of person that breaks phone booths and bus stops and turns over grave stones in a cemetery. These are not deep thinkers or people with real ambition or goals. They are miserable people trying to make life miserable for others who seem to them to be happier than they are, or they're bored little middle class assholes with nothing better to do.

 

Well Minstrel, you seen and reported that they were Muslim folks and they sent anti-western messages.

I think you may have a point, but I also think if they are smart enough to pull off something like this they are smart enough to have a reason to do it also.

I have been reading quite a bit that a lot of this is Russian Mafia and terrorist related and they are in the hacking business to make (steal money) a lot of money.

If they can pick up email addresses and passwords they can get credit card information from those files.

To just pull off something like this for fun or to have something to laugh about over rock and roll and drinking beer is not what I think is going on.

I have seen a hell of a lot of porno sites leaving referral links on my server logs, they do that for a reason, so they can get traffic back.

 

Yes but those are different exploits, different people. This one is just another "virus".

There is one thing common to the two, though: theplanet.com -- a lot, though not all, of the worm attacks are coming through their servers. They were also implicated in the Turkish Hackers exploits -- their servers leak like a cheap diaper. I've alerted them three times now and asked them to clean up their act but after more than three weeks nothing at all significant is happening. The best i got back from them was that their client's sites were compromised -- no shit! They are also harboring hackers. I'm not waiting for them any longer. Now, we're taking it a step further and have filed two official complaints so far.

the planet.com operates on a number of IP ranges... here are a few of them -- you can do a whois on theplanet.com and get more:

67.18.0.0 - 67.19.255.255
69.93.0.0 - 69.93.255.255
70.84.0.0 - 70.85.127.255
216.185.96.0 - 216.185.127.255

If you don't want to do anything else, you can probably significantly reduce some of the hits by banning those IP ranges.

 

There is a hell of a lot of good information on the phpBB forum in the support section and other forums over there.

So the community will get to the bottom of this very hot story.

I understand your anger, I was pissed off that a few of the forums I post at do not exist at this point.

I was mad as hell this morning when I seen all the bot visitors at DP, then the forum was down for 15 minutes, I was really pissed off about all of it myself.

Security is so important and we all need to put that as the first priority or you can kiss your data and your business goodbye.

 

Yes. I've been to the phpBB forums, the vBulletin forums, and half a dozen others. If you are a forum owner, read as much as you can.This probably isn't the last variant of Santy.

I agree with you about security, AC. The problem is that even if you are secure you can still be brought down by people and sites who aren't -- again, just like Bagle and MyDoom and Netsky.

 

Well, I patched my forum from the highlighting exploit (the one santy uses) before the release ever came out, and I just patched my forum for the searlize() exploit yesterday, so I think thats all the major ones I know of that allow shell acces..


Josh

 

Minstrel may hire you soon Josh

 

I've just applied the serialize patch too.

Obviously, I need to pay closer attention to the PHP vulnerabilities now that the script kiddies have discovered them

 

Just make quick friends with Josh and you will be fine Minstrel, we can learn a lot from this 13 year old genius

 

Hey Minstrel, i disabled php on my win2k3 and completely disabled the forums. i PMed u somethings.