Forums wiped out!

Discussion in 'General Chat' started by anthonycea, Dec 23, 2004.

  1. anthonycea

    anthonycea Banned

    Messages:
    13,378
    Likes Received:
    342
    Best Answers:
    0
    Trophy Points:
    0
    #81
    PC magazine coverage of this disaster is in the link below.

    http://www.pcmag.com/article2/0,1759,1745667,00.asp :mad: :confused: :eek:
     
    anthonycea, Dec 28, 2004 IP
  2. amberstar702

    amberstar702 Peon

    Messages:
    181
    Likes Received:
    16
    Best Answers:
    0
    Trophy Points:
    0
    #82
    Several of the forums I post to have been affected by this worm - but they managed to deal with it and send it to the black hole in cyberspace that has no end. :cool:
     
    amberstar702, Dec 28, 2004 IP
  3. Blogmaster

    Blogmaster Blood Type Dating Affiliate Manager

    Messages:
    25,924
    Likes Received:
    1,354
    Best Answers:
    0
    Trophy Points:
    380
    #83

    hehe

    Tainted Shade! sorry, bro ... ;)
     
    Blogmaster, Dec 29, 2004 IP
  4. Will.Spencer

    Will.Spencer NetBuilder

    Messages:
    14,789
    Likes Received:
    1,040
    Best Answers:
    0
    Trophy Points:
    375
    #84

    Minstrel:

    Thanks very much for all of your posts on this topic -- especially this one. This one made my day.
     
    Will.Spencer, Dec 30, 2004 IP
  5. minstrel

    minstrel Illustrious Member

    Messages:
    15,082
    Likes Received:
    1,243
    Best Answers:
    0
    Trophy Points:
    480
    #85
    Thanks, Will. I'm associated directly with four forums which have suffered from these worm attacks in spite of being upgraded so I've been following it closely.

    At phpbb.com, there are reports that the "signature" has been changed from lwp* which means that any solutions relying only on blocking those user agents may be vulnerable again.

    An alternate .htaccess solution may be:

    RewriteEngine on
    RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
    RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527
    RewriteRule ^.*$ - [F,L]

    But forum owners are well advised to keep monitoring their logs and other forums. The only thing you can be sure of is that more variants of the worm are going to appear.
     
    minstrel, Dec 30, 2004 IP
  6. minstrel

    minstrel Illustrious Member

    Messages:
    15,082
    Likes Received:
    1,243
    Best Answers:
    0
    Trophy Points:
    480
    #86
    The new variant seems to be pounding away at WebProWorld as we speak, although their server is big enough and resilient enough that it's handling the attack rather easily.
     
    minstrel, Dec 30, 2004 IP
  7. Will.Spencer

    Will.Spencer NetBuilder

    Messages:
    14,789
    Likes Received:
    1,040
    Best Answers:
    0
    Trophy Points:
    375
    #87
    I see it as a short-circuited manifestation of the Will To Power.

    Most vandals (neighborhood kids, virus writers, terrorists) are people who feel powerless in their lives and seek to do something, anything, to feel that they are powerful -- to feel that they can affect the world around them.

    The fact that their effects are negative seems less important to them than the feeling that at least they are having some kind of effect.

    It's sort of like Anthony's posting. :rolleyes:
     
    Will.Spencer, Dec 30, 2004 IP
  8. anthonycea

    anthonycea Banned

    Messages:
    13,378
    Likes Received:
    342
    Best Answers:
    0
    Trophy Points:
    0
    #88
    Yeah Will, that Anthony is a real fruitcake man, I can hear what you are saying :p :D ;)

    You gotta dig a brother that likes Jimi Hendrix Live though Will :cool:
     
    anthonycea, Dec 30, 2004 IP
  9. minstrel

    minstrel Illustrious Member

    Messages:
    15,082
    Likes Received:
    1,243
    Best Answers:
    0
    Trophy Points:
    480
    #89
    minstrel, Dec 30, 2004 IP
  10. minstrel

    minstrel Illustrious Member

    Messages:
    15,082
    Likes Received:
    1,243
    Best Answers:
    0
    Trophy Points:
    480
    #90
    Anti-Santy-Worm going around?
    Friday, December 31, 2004
    Posted by Mikko @ www.f-secure.com

     
    minstrel, Dec 31, 2004 IP
  11. anthonycea

    anthonycea Banned

    Messages:
    13,378
    Likes Received:
    342
    Best Answers:
    0
    Trophy Points:
    0
    #91
    What do these guys want Minstrel, have you ever found out why they are trying to destroy forums?

    These attacks will never end, they are a direct attack against those who are most interested in the internet, webmasters and site administrators and the network itself.

    Why can't the government shut down those hosts that are providing a platform for the hackers Minstrel?
     
    anthonycea, Dec 31, 2004 IP
  12. minstrel

    minstrel Illustrious Member

    Messages:
    15,082
    Likes Received:
    1,243
    Best Answers:
    0
    Trophy Points:
    480
    #92
    Because it's a worm... so it's being launched from infected forums. You can't shut down a hundred thousand hosts world-wide.

    And the original worms come from abroad. Apparently, Santy.A originated from a script-kiddy group in Brazil.
     
    minstrel, Dec 31, 2004 IP
  13. anthonycea

    anthonycea Banned

    Messages:
    13,378
    Likes Received:
    342
    Best Answers:
    0
    Trophy Points:
    0
    #93
    Funny Minstrel, you have become the champion of investigating this thing for the entire community.

    Thank you for providing the energy and research to all of us and the community in general. :)
     
    anthonycea, Dec 31, 2004 IP
  14. minstrel

    minstrel Illustrious Member

    Messages:
    15,082
    Likes Received:
    1,243
    Best Answers:
    0
    Trophy Points:
    480
    #94
    I'm not the only one but I'd only just cleaned up after the Turkish hackers' attacks when this happened -- I don't mind admitting these people have pissed me off.
     
    minstrel, Dec 31, 2004 IP
  15. anthonycea

    anthonycea Banned

    Messages:
    13,378
    Likes Received:
    342
    Best Answers:
    0
    Trophy Points:
    0
    #95
    It's not a job you expected or asked for, but at least it is not thankless anymore, I have seen a few forum owners thank you for your help and few would have put as much effort in on this thing as you have.

    I saw the one guy just shut his forum down.

    So this thing is not over by any means, it is just starting and getting larger?
     
    anthonycea, Dec 31, 2004 IP
  16. minstrel

    minstrel Illustrious Member

    Messages:
    15,082
    Likes Received:
    1,243
    Best Answers:
    0
    Trophy Points:
    480
    #96
    Oh, it's far from over. I'm losing count but with this Anti-Santy version, that makes at least 7 variants on the loose, including the original. I think we'd be naive to assume it will end there.

    On the other hand, people are getting more inventive at thwarting or containing the attacks with each new variant. And I have to hand it to the open source community: They are responding quickly and in force.

    If you're a forum owner, keep monitoring www.phpbb.com or www.vbulletin.com or whatever is appropriate -- better still, monitor all of them, since some of the blocks emerging are server or site level solutions that might work with any software.
     
    minstrel, Dec 31, 2004 IP
  17. l234244

    l234244 Peon

    Messages:
    1,225
    Likes Received:
    50
    Best Answers:
    0
    Trophy Points:
    0
    #97
    Just to add my 2 cents, Cyberalien suggested adding this to the top of common.php file - Worked for me


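    // Reject requests whose user-agent starts with "lwp" (case-insensitive).
    $browser = isset($_SERVER['HTTP_USER_AGENT']) ? strtolower($_SERVER['HTTP_USER_AGENT']) : '';
    if (substr($browser, 0, 3) === 'lwp')
    {
        die('No bots allowed on this server.');
    }
    // PHP has already URL-decoded $_GET once, so a literal %27 here means
    // the request URL carried the double-encoded form %2527.
    if (isset($_GET['highlight']) && strpos($_GET['highlight'], '%27') !== false)
    {
        die('Sorry, highlight bug is fixed.');
    }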
     
    l234244, Dec 31, 2004 IP
  18. minstrel

    minstrel Illustrious Member

    Messages:
    15,082
    Likes Received:
    1,243
    Best Answers:
    0
    Trophy Points:
    480
    #98
    The first part ("lwp") won't stop later variants of the worm. They're using a different "user-agent" string.

    Also be aware that more than one vulnerability is being exploited now, although the highlight problem is still worth blocking.
     
    minstrel, Dec 31, 2004 IP
  19. l234244

    l234244 Peon

    Messages:
    1,225
    Likes Received:
    50
    Best Answers:
    0
    Trophy Points:
    0
    #99
    Could the code be repeated with the new "user-agent" string as variants arise?
     
    l234244, Dec 31, 2004 IP
  20. minstrel

    minstrel Illustrious Member

    Messages:
    15,082
    Likes Received:
    1,243
    Best Answers:
    0
    Trophy Points:
    480
    #100
    The problem is the last report I saw said the user-agent was Mozilla/4 or something similar -- you could end up blocking a lot of legitimate visitors.
     
    minstrel, Dec 31, 2004 IP
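
Added example, not part of any post in this thread: a log check built on the two query-string tests from the .htaccess rules in post #85, run next to the "lwp" user-agent test from post #97, to show which requests a user-agent-only block lets through (the concern raised in posts #98 to #100). The log lines, paths, addresses and function names are constructed for illustration, and Apache combined log format is assumed.

```python
import re
from urllib.parse import urlsplit

# Apache combined format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
# The two RewriteCond tests from post #85, applied to the raw (undecoded) query string.
QUERY_MARKERS = (re.compile(r'echr'), re.compile(r'highlight=%2527'))


def classify(line):
    """Return (host, by_query, by_agent) for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group('target')).query
    by_query = any(p.search(query) for p in QUERY_MARKERS)
    by_agent = m.group('agent').lower().startswith('lwp')  # prefix test from post #97
    return m.group('host'), by_query, by_agent


def summarize(lines):
    """Count hits per rule and list hosts that only the query-string rule catches."""
    hits = {'query': 0, 'agent': 0, 'missed_by_agent_rule': []}
    for line in lines:
        result = classify(line)
        if result is None:
            continue
        host, by_query, by_agent = result
        hits['query'] += by_query
        hits['agent'] += by_agent
        if by_query and not by_agent:
            hits['missed_by_agent_rule'].append(host)
    return hits


# Constructed sample lines (documentation IP ranges, made-up paths and user-agents).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Dec/2004:10:00:01 +0000] "GET /forum/topic.php?t=12&highlight=%2527x HTTP/1.0" 200 512 "-" "lwp-trivial/1.41"',
    '198.51.100.7 - - [30/Dec/2004:10:00:05 +0000] "GET /forum/topic.php?t=12&highlight=%2527x HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.44 - - [30/Dec/2004:10:00:09 +0000] "GET /forum/topic.php?t=12&highlight=php HTTP/1.1" 200 9012 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [30/Dec/2004:10:00:12 +0000] "GET /forum/topic.php?t=7&q=echr HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.80 - - [30/Dec/2004:10:00:20 +0000] "GET /forum/index.php HTTP/1.0" 200 4096 "-" "lwp-trivial/1.41"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```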