Forums wiped out!

PC magazine coverage of this disaster is in the link below.

http://www.pcmag.com/article2/0,1759,1745667,00.asp

 

Several of the forums I post to have been affected by this worm - but they managed to deal with it and send it to the black hole in cyberspace that has no end.

 

hehe

Tainted Shade! sorry, bro ...

 

Minstrel:

Thanks very much for all of your posts on this topic -- especially this one. This one made my day.

 

Thanks, Will. I'm associated diectly with four forums which have suffered from these worm attacks in spite of being upgraded so I've been following it closely.

At phpbb.com, there are reports that the "signature" has been changed from lwp* which means that any solutions relying only on blocking those user agents may be vulnerable again.

An alternate .htaccess solution may be:

RewriteEngine on
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527
RewriteRule ^.*$ - [F,L]

But forum owners are well advised to keep monitoring their logs and other forums. The only thing you can be sure of is that more variants of the worm are going to appear.

 

The new variant seems to be pounding away at WebProWorld as we speak, although their server is big enough and resilient enough that it's handling the attack rather easily.

 

I see it as a short-circuited manifestation of the Will To Power.

Most vandals (neighborhood kids, virus writers, terrorists) are people who feel powerless in their lives and seek to do something, anything, to feel that they are powerful -- to feel that they can affect the world around them.

The fact that their effects are negative seems less important to them than the feeling that at least they are having some kind of effect.

Its sort of like Anthony's posting.

 

Yeah Will, that Anthony is a real fruitcake man, I can hear what you are saying

You gota dig a brother that likes Jimi Hendrix Live though Will

 

This solution is for phpBB forums only but is a more general one than previous suggestions and may therefore withstand more evolutions of the worm:

http://www.phpbb.com/phpBB/viewtopic.php?t=250455

 

Anti-Santy-Worm going around?
Friday, December 31, 2004
Posted by Mikko @ www.f-secure.com

 

What do these guys want Minstrel, have you ever found out why they are trying to destroy forums?

These attacks will never end, they are a direct attack against those who are most interested in the internet, webmasters and site administrators and the network itself.

Why can't the government shut down those hosts that are providing a platform for the hackers Minstrel?

 

Because it's a worm... so it's being launched from infected forums. You can't shut down a hundred thousand hosts world-wide.

And the original worms come from abroad. Apparently, Santy.A originated from a script-kiddy group in Brazil.

 

Funny Minstrel, you have become the champion of investigating this thing for the entire community.

Thank you for providing the energy and research to all of us and the community in general.

 

I'm not the only one but I'd only just cleaned up after the Turkish hackers attacks when this happened -- I don't mind admitting these people have pissed me off.

 

It's not a job you expected or asked for, but at least it is not thankless anymore, I have seen a few forum owners thank you for your help and few would have put as much effort in on this thing as you have.

I seen the one guy just shut his forum down.

So this thing is not over by any means, it is just starting and getting larger?

 

Oh, it's far from over. I'm losing count but with this Anti-Santy version, that makes at least 7 variants on the loose, including the original. I think we'd be naive to assume it will end there.

On the other hand, people are getting more inventive at thwarting or containing the attacks with each new variant. And I have to hand it to the open source community: They are responding quickly and in force.

If you're a forum owner, keep monitoring www.phpbb.com or www.vbulletin.com or whatever is appropriate -- better still, monitor all of them, since some of the blocks emerging are server or site level solutions that might work with any software.

 

Just to add my 2 cents, Cyberalien suggested adding this to the top of common.php file - Worked for me


$browser = isset($_SERVER['HTTP_USER_AGENT']) ? strtolower($_SERVER['HTTP_USER_AGENT']) : '';
if(substr($browser, 0, 3) === 'lwp')
{
die('No bots allowed on this server.');
}
if(isset($_GET['highlight']) && strpos($_GET['highlight'], '%27') !== false)
{
die('Sorry, highlight bug is fixed.');
}

 

The first part ("lwp") won't stop later variants of the worm. They're using a different "user-agent" string.

Also be aware that more than one vulnerability is being exploited now, although the highlight problem is still worth blocking.

 

Could the code be repeated with the new "user-agent" string as variants arise?

 

The problem is the last report I saw said the user-agent was Mozilla/4 or something similar -- you could end up blocking a lot of legitimate visitors.