Web Hosting Forum | Lunarpages


Author Topic: phpInclude.worm aka Santy.E.Worm phpbb Protection  (Read 679 times)
psykik
« on: December 29, 2004, 04:22:24 AM »

It's been a while since I posted anything, so here I go ;)

Given the recent sites being attacked by this worm, I thought I should share this with you:


First method:

Install a protection mod (it's a German mod but the instructions are in English):

Code:

##############################################################
## MOD Title:        CBACK CrackerTracker
## MOD Author:       CBACK < sonny@cback.de > (Christian Knerr) http://www.cback.de
## MOD Description:  This MOD blocks some common worm attacks
##                   on phpBB forums. Even if YOU are running a
##                   secure phpBB 2.0.11, these worm attacks
##                   cause unnecessary database queries that slow the board down,
##                   and a lot of traffic.
##                   This MOD blocks worm access to your board; the files
##                   protect themselves dynamically, so constantly changing IPs
##                   are no longer a problem. A small attack log is also created.
## MOD Version:      1.0.1
##
## Installation Level: Easy
## Installation Time:  8 Minutes
## Files To Edit:      10
##                     admin/page_header_admin.php
##                     index.php
##                     faq.php
##                     login.php
##                     memberlist.php
##                     profile.php
##                     search.php
##                     templates/subSilver/admin/index_navigate.tpl
##                     viewforum.php
##                     viewtopic.php
## Included Files:     - ctrack.txt
##                     - admin/ctrack_stat.php
##                     - templates/subSilver/admin/ctrack_stat.tpl
##############################################################
## For Security Purposes, Please Check: http://www.phpbb.com/mods/downloads/ for the
## latest version of this MOD. Downloading this MOD from other sites could cause malicious code
## to enter into your phpBB Forum. As such, phpBB will not offer support for MODs not offered
## in our MOD-Database, located at: http://www.phpbb.com/mods/downloads/
##############################################################
## MOD History:
##
##   2004-12-27 - Version 1.0.1
## - Release 2 with better Logfile Management
##
##   2004-12-26 - Version 1.0.0
## - First release with better protection
##
##   2004-12-25 - Version 0.0.1
## - Preview Version
##
##############################################################
## Before Adding This MOD To Your Forum, You Should Back Up All Files Related To This MOD
##############################################################
#
#-----[ COPY ]------------------------------------------
#
  ctrack.txt                                     >>   ctrack.txt
  admin/ctrack_stat.php                          >>   admin/ctrack_stat.php
  templates/subSilver/admin/ctrack_stat.tpl      >>   templates/subSilver/admin/ctrack_stat.tpl


#
#-----[ FTP-COMMAND ]------------------------------------------
#
  Set CHMOD 777 with your FTP Program on the file ctrack.txt in the root
  Directory of your forum! The Hacking-Logs will be saved in this file.


#
#-----[ OPEN ]------------------------------------------
#
faq.php


#
#-----[ FIND ]------------------------------------------
#
define('IN_PHPBB', true);


#
#-----[ BEFORE, ADD ]------------------------------------------
#
//
// CBACK CrackerTracker
// Worm Protection System
//
  $cbackcracktrack = $_SERVER['REQUEST_URI'];
  // Checking for already known Worm Attacks
  $checkworm1 = str_replace("chr(", "*", "$cbackcracktrack");
  $checkworm2 = str_replace("wget", "*", "$checkworm1");
  $checkworm3 = str_replace("cmd=", "*", "$checkworm2");
  $checkworm4 = str_replace("rush=", "*", "$checkworm3");

if ($cbackcracktrack == $checkworm4)
  {
//
// End Check-Code of CBACK CrackerTracker
//


#
#-----[ FIND ]------------------------------------------
#
?>


#
#-----[ BEFORE, ADD ]------------------------------------------
#
//
// CBACK CrackerTracker Worm Protection Part2
//
  }
else
  {
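    // Read from $_SERVER so the values are set even with register_globals off
    $cremotead = $_SERVER['REMOTE_ADDR'];
    $cuseragent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $cstampdate = date('dmy');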
    $cstamptime = time();
    $ctrackerlog = "$cstamptime,$cstampdate,$cremotead,$cbackcracktrack,$cuseragent";
    $clog = fopen('ctrack.txt', 'a');
    fwrite($clog,$ctrackerlog."\n");
    fclose($clog);
    echo "Du Wurm! <br /><br /><b>Dieser Angriff wurde geloggt:</b><br />$ctrackerlog";
  }
//
// Worms armageddon ;)
//


#
#-----[ OPEN ]------------------------------------------
#
index.php


#
#-----[ FIND ]------------------------------------------
#
define('IN_PHPBB', true);


#
#-----[ BEFORE, ADD ]------------------------------------------
#
//
// CBACK CrackerTracker
// Worm Protection System
//
  $cbackcracktrack = $_SERVER['REQUEST_URI'];
  // Checking for already known Worm Attacks
  $checkworm1 = str_replace("chr(", "*", "$cbackcracktrack");
  $checkworm2 = str_replace("wget", "*", "$checkworm1");
  $checkworm3 = str_replace("cmd=", "*", "$checkworm2");
  $checkworm4 = str_replace("rush=", "*", "$checkworm3");

if ($cbackcracktrack == $checkworm4)
  {
//
// End Check-Code of CBACK CrackerTracker
//


#
#-----[ FIND ]------------------------------------------
#
?>


#
#-----[ BEFORE, ADD ]------------------------------------------
#
//
// CBACK CrackerTracker Worm Protection Part2
//
  }
else
  {
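    // Read from $_SERVER so the values are set even with register_globals off
    $cremotead = $_SERVER['REMOTE_ADDR'];
    $cuseragent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $cstampdate = date('dmy');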
    $cstamptime = time();
    $ctrackerlog = "$cstamptime,$cstampdate,$cremotead,$cbackcracktrack,$cuseragent";
    $clog = fopen('ctrack.txt', 'a');
    fwrite($clog,$ctrackerlog."\n");
    fclose($clog);
    echo "Du Wurm! <br /><br /><b>Dieser Angriff wurde geloggt:</b><br />$ctrackerlog";
  }
//
// Worms armageddon ;)
//


#
#-----[ OPEN ]------------------------------------------
#
login.php


#
#-----[ FIND ]------------------------------------------
#
define("IN_LOGIN", true);


#
#-----[ BEFORE, ADD ]------------------------------------------
#
//
// CBACK CrackerTracker
// Worm Protection System
//
  $cbackcracktrack = $_SERVER['REQUEST_URI'];
  // Checking for already known Worm Attacks
  $checkworm1 = str_replace("chr(", "*", "$cbackcracktrack");
  $checkworm2 = str_replace("wget", "*", "$checkworm1");
  $checkworm3 = str_replace("cmd=", "*", "$checkworm2");
  $checkworm4 = str_replace("rush=", "*", "$checkworm3");

if ($cbackcracktrack == $checkworm4)
  {
//
// End Check-Code of CBACK CrackerTracker
//


#
#-----[ FIND ]------------------------------------------
#
?>


#
#-----[ BEFORE, ADD ]------------------------------------------
#
//
// CBACK CrackerTracker Worm Protection Part2
//
  }
else
  {
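    // Read from $_SERVER so the values are set even with register_globals off
    $cremotead = $_SERVER['REMOTE_ADDR'];
    $cuseragent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $cstampdate = date('dmy');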
    $cstamptime = time();
    $ctrackerlog = "$cstamptime,$cstampdate,$cremotead,$cbackcracktrack,$cuseragent";
    $clog = fopen('ctrack.txt', 'a');
    fwrite($clog,$ctrackerlog."\n");
    fclose($clog);
    echo "Du Wurm! <br /><br /><b>Dieser Angriff wurde geloggt:</b><br />$ctrackerlog";
  }
//
// Worms armageddon ;)
//


#
#-----[ OPEN ]------------------------------------------
#
memberlist.php


#
#-----[ FIND ]------------------------------------------
#
define('IN_PHPBB', true);


#
#-----[ BEFORE, ADD ]------------------------------------------
#
//
// CBACK CrackerTracker
// Worm Protection System
//
  $cbackcracktrack = $_SERVER['REQUEST_URI'];
  // Checking for already known Worm Attacks
  $checkworm1 = str_replace("chr(", "*", "$cbackcracktrack");
  $checkworm2 = str_replace("wget", "*", "$checkworm1");
  $checkworm3 = str_replace("cmd=", "*", "$checkworm2");
  $checkworm4 = str_replace("rush=", "*", "$checkworm3");

if ($cbackcracktrack == $checkworm4)
  {
//
// End Check-Code of CBACK CrackerTracker
//


#
#-----[ FIND ]------------------------------------------
#
?>


#
#-----[ BEFORE, ADD ]------------------------------------------
#
//
// CBACK CrackerTracker Worm Protection Part2
//
  }
else
  {
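    // Read from $_SERVER so the values are set even with register_globals off
    $cremotead = $_SERVER['REMOTE_ADDR'];
    $cuseragent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $cstampdate = date('dmy');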
    $cstamptime = time();
    $ctrackerlog = "$cstamptime,$cstampdate,$cremotead,$cbackcracktrack,$cuseragent";
    $clog = fopen('ctrack.txt', 'a');
    fwrite($clog,$ctrackerlog."\n");
    fclose($clog);
    echo "Du Wurm! <br /><br /><b>Dieser Angriff wurde geloggt:</b><br />$ctrackerlog";
  }
//
// Worms armageddon ;)
//


#
#-----[ OPEN ]------------------------------------------
#
profile.php


#
#-----[ FIND ]------------------------------------------
#
define('IN_PHPBB', true);


#
#-----[ BEFORE, ADD ]------------------------------------------
#
//
// CBACK CrackerTracker
// Worm Protection System
//
  $cbackcracktrack = $_SERVER['REQUEST_URI'];
  // Checking for already known Worm Attacks
  $checkworm1 = str_replace("chr(", "*", "$cbackcracktrack");
  $checkworm2 = str_replace("wget", "*", "$checkworm1");
  $checkworm3 = str_replace("cmd=", "*", "$checkworm2");
  $checkworm4 = str_replace("rush=", "*", "$checkworm3");

if ($cbackcracktrack == $checkworm4)
  {
//
// End Check-Code of CBACK CrackerTracker
//


#
#-----[ FIND ]------------------------------------------
#
?>


#
#-----[ BEFORE, ADD ]------------------------------------------
#
//
// CBACK CrackerTracker Worm Protection Part2
//
  }
else
  {
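    // Read from $_SERVER so the values are set even with register_globals off
    $cremotead = $_SERVER['REMOTE_ADDR'];
    $cuseragent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $cstampdate = date('dmy');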
    $cstamptime = time();
    $ctrackerlog = "$cstamptime,$cstampdate,$cremotead,$cbackcracktrack,$cuseragent";
    $clog = fopen('ctrack.txt', 'a');
    fwrite($clog,$ctrackerlog."\n");
    fclose($clog);
    echo "Du Wurm! <br /><br /><b>Dieser Angriff wurde geloggt:</b><br />$ctrackerlog";
  }
//
// Worms armageddon ;)
//


#
#-----[ OPEN ]------------------------------------------
#
search.php


#
#-----[ FIND ]------------------------------------------
#
define('IN_PHPBB', true);


#
#-----[ BEFORE, ADD ]------------------------------------------
#
//
// CBACK CrackerTracker
// Worm Protection System
//
  $cbackcracktrack = $_SERVER['REQUEST_URI'];
  // Checking for already known Worm Attacks
  $checkworm1 = str_replace("chr(", "*", "$cbackcracktrack");
  $checkworm2 = str_replace("wget", "*", "$checkworm1");
  $checkworm3 = str_replace("cmd=", "*", "$checkworm2");
  $checkworm4 = str_replace("rush=", "*", "$checkworm3");

if ($cbackcracktrack == $checkworm4)
  {
//
// End Check-Code of CBACK CrackerTracker
//


#
#-----[ FIND ]------------------------------------------
#
?>


#
#-----[ BEFORE, ADD ]------------------------------------------
#
//
// CBACK CrackerTracker Worm Protection Part2
//
  }
else
  {
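    // Read from $_SERVER so the values are set even with register_globals off
    $cremotead = $_SERVER['REMOTE_ADDR'];
    $cuseragent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $cstampdate = date('dmy');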
    $cstamptime = time();
    $ctrackerlog = "$cstamptime,$cstampdate,$cremotead,$cbackcracktrack,$cuseragent";
    $clog = fopen('ctrack.txt', 'a');
    fwrite($clog,$ctrackerlog."\n");
    fclose($clog);
    echo "Du Wurm! <br /><br /><b>Dieser Angriff wurde geloggt:</b><br />$ctrackerlog";
  }
//
// Worms armageddon ;)
//


#
#-----[ OPEN ]------------------------------------------
#
viewforum.php


#
#-----[ FIND ]------------------------------------------
#
define('IN_PHPBB', true);


#
#-----[ BEFORE, ADD ]------------------------------------------
#
//
// CBACK CrackerTracker
// Worm Protection System
//
  $cbackcracktrack = $_SERVER['REQUEST_URI'];
  // Checking for already known Worm Attacks
  $checkworm1 = str_replace("chr(", "*", "$cbackcracktrack");
  $checkworm2 = str_replace("wget", "*", "$checkworm1");
  $checkworm3 = str_replace("cmd=", "*", "$checkworm2");
  $checkworm4 = str_replace("rush=", "*", "$checkworm3");

if ($cbackcracktrack == $checkworm4)
  {
//
// End Check-Code of CBACK CrackerTracker
//


#
#-----[ FIND ]------------------------------------------
#
?>


#
#-----[ BEFORE, ADD ]------------------------------------------
#
//
// CBACK CrackerTracker Worm Protection Part2
//
  }
else
  {
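    // Read from $_SERVER so the values are set even with register_globals off
    $cremotead = $_SERVER['REMOTE_ADDR'];
    $cuseragent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $cstampdate = date('dmy');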
    $cstamptime = time();
    $ctrackerlog = "$cstamptime,$cstampdate,$cremotead,$cbackcracktrack,$cuseragent";
    $clog = fopen('ctrack.txt', 'a');
    fwrite($clog,$ctrackerlog."\n");
    fclose($clog);
    echo "Du Wurm! <br /><br /><b>Dieser Angriff wurde geloggt:</b><br />$ctrackerlog";
  }
//
// Worms armageddon ;)
//


#
#-----[ OPEN ]------------------------------------------
#
viewtopic.php


#
#-----[ FIND ]------------------------------------------
#
define('IN_PHPBB', true);


#
#-----[ BEFORE, ADD ]------------------------------------------
#
//
// CBACK CrackerTracker
// Worm Protection System
//
  $cbackcracktrack = $_SERVER['REQUEST_URI'];
  // Checking for already known Worm Attacks
  $checkworm1 = str_replace("chr(", "*", "$cbackcracktrack");
  $checkworm2 = str_replace("wget", "*", "$checkworm1");
  $checkworm3 = str_replace("cmd=", "*", "$checkworm2");
  $checkworm4 = str_replace("rush=", "*", "$checkworm3");

if ($cbackcracktrack == $checkworm4)
  {
//
// End Check-Code of CBACK CrackerTracker
//


#
#-----[ FIND ]------------------------------------------
#
?>


#
#-----[ BEFORE, ADD ]------------------------------------------
#
//
// CBACK CrackerTracker Worm Protection Part2
//
  }
else
  {
    // Read from $_SERVER so the values are set even with register_globals off
    $cremotead = $_SERVER['REMOTE_ADDR'];
    $cuseragent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $cstampdate = date('dmy');
    $cstamptime = time();
    $ctrackerlog = "$cstamptime,$cstampdate,$cremotead,$cbackcracktrack,$cuseragent";
    $cfilesize = count(file("ctrack.txt"));
    if ($cfilesize > 200) // You can change the value 200 (count of maximum entries in LogFile)
    {
        // Log is full: empty it and start again with a reset marker
        $clog = fopen("ctrack.txt", "a");
        ftruncate($clog, 0);
        fwrite($clog, "AUTOMATIC LOG FILE RESET: ".date('r')." -- CBACK CrackerTracker \n");
        fclose($clog);
    }
    else
    {
        $clog = fopen('ctrack.txt', 'a');
        fwrite($clog,$ctrackerlog."\n");
        fclose($clog);
    }
    echo "Du Wurm! <br /><br /><b>Dieser Angriff wurde geloggt:</b><br />$ctrackerlog";
  }
//
// Worms armageddon ;)
//


#
#-----[ OPEN ]------------------------------------------
#
admin/page_header_admin.php


#
#-----[ FIND ]------------------------------------------
#
'U_INDEX' => append_sid('../index.'.$phpEx),


#
#-----[ AFTER, ADD ]------------------------------------------
#
'U_CTRACK' => append_sid('ctrack_stat.'.$phpEx.'?pane=right'),


#
#-----[ OPEN ]------------------------------------------
#
templates/subSilver/admin/index_navigate.tpl


#
#-----[ FIND ]------------------------------------------
#
<tr>
 <td class="row1"><span class="genmed"><a href="{U_FORUM_INDEX}" target="main" class="genmed">{L_PREVIEW_FORUM}</a></span></td>
</tr>


#
#-----[ AFTER, ADD ]------------------------------------------
#
<tr>
 <td class="row1"><span class="genmed"><a href="{U_CTRACK}" target="main" class="genmed">CrackerTracker</a></span></td>
</tr>

#
#-----[ SAVE/CLOSE ALL FILES ]------------------------------------------
#
# EoM
# Generator: CBACK MIRO ModEditor (http://www.cback.de)




Notice that in the changes it sometimes says:

Code:
echo "Du Wurm! <br /><br /><b>Dieser Angriff wurde geloggt:</b><br />$ctrackerlog";


Change this into English (my German is a bit rusty, but I believe it's the right translation):

Code:
echo "You Worm! <br /><br /><b>This attack has been logged:</b><br />$ctrackerlog";



You can also create or edit your HTACCESS file with:

Code:
RewriteEngine On

# prevent access from santy webworm
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]
RewriteCond %{QUERY_STRING} ^(.*)wget\%20
RewriteRule ^.*$ http://127.0.0.1/ [R,L]

# prevent pre php 4.3.10 bug
RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b
RewriteRule ^.*$ http://127.0.0.1/ [R,L]

# prevent perl user agent (most often used by santy)
RewriteCond %{HTTP_USER_AGENT} ^lwp.* [NC]
RewriteRule ^.*$ http://127.0.0.1/ [R,L]



voila that's it

greets

;)
Logged
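
Added example, not part of the post above or of the CBACK MOD: a variant of the same REQUEST_URI check that percent-decodes and lower-cases the URI before looking for the MOD's four markers (the HTACCESS rules above list `rush=echo` and `rush=\%65\%63\%68` separately for the same reason), keeps client-supplied text from adding rows or columns to the log, and HTML-escapes the line before echoing it. The function names, `CT_LOG` and a log location outside the web root are assumptions.

```php
<?php
// Added example; not the CBACK CrackerTracker code. ct_normalise(),
// ct_is_worm_request(), ct_log_line() and CT_LOG are hypothetical names.
// Assumption: the log sits one level above the web root.
define('CT_LOG', dirname(__DIR__) . '/ctrack.txt');

// The same four markers the MOD searches for in REQUEST_URI.
$ctMarkers = array('chr(', 'wget', 'cmd=', 'rush=');

// Percent-decode (at most three rounds) and lower-case the URI, so plain
// and encoded spellings of a marker are compared in one canonical form.
function ct_normalise($uri)
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($uri);
        if ($decoded === $uri) {
            break;
        }
        $uri = $decoded;
    }
    return strtolower($uri);
}

function ct_is_worm_request($uri, array $markers)
{
    $haystack = ct_normalise($uri);
    foreach ($markers as $marker) {
        if (strpos($haystack, $marker) !== false) {
            return true;
        }
    }
    return false;
}

// Build one CSV log row; CR, LF and commas in client-supplied fields are
// replaced so a request cannot add extra rows or columns to the log.
function ct_log_line($uri, $remote, $agent)
{
    $fields = array(time(), date('dmy'), $remote, $uri, $agent);
    foreach ($fields as $k => $v) {
        $fields[$k] = str_replace(array("\r", "\n", ','), ' ', (string) $v);
    }
    return implode(',', $fields);
}

$uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
if (ct_is_worm_request($uri, $ctMarkers)) {
    $agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $line  = ct_log_line($uri, $_SERVER['REMOTE_ADDR'], $agent);
    file_put_contents(CT_LOG, $line . "\n", FILE_APPEND | LOCK_EX);
    header('HTTP/1.1 403 Forbidden');
    // The row holds client-controlled text, so escape it before output.
    echo 'This attack has been logged:<br />' . htmlspecialchars($line, ENT_QUOTES);
    exit;
}
```

Like the MOD's snippet, it is meant to run before `define('IN_PHPBB', true);` in each entry script.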

psykik
« Reply #1 on: December 29, 2004, 04:26:22 AM »

oeps lol

Forgot the link for the mod ;)

http://www.community.cback.de/downloads.php?view=detail&id=46&cat=1
Logged

Pete
« Reply #2 on: December 29, 2004, 05:38:39 AM »

Thanks psykik,

Literal translation of the file info:
Quote
This MOD blocks some usual worm attacks on phpBB forums. Because even if YOU have a safe phpBB 2,0,11 when it runs these worms attacks braking and unnecessary data base inquiries and much Traffic. This MOD blocks worm access to your board, the files protects itself dynamically, thus is also constantly changing IPs no more problem. In addition a small attack log is provided.

Oh well. It sort of makes sense :?
Logged

x-visions.com


As I'm always saying.. (But nobody listens)
"Take a step back.. Take a deep breath and see if there a simple solution there, thats hiding" lol  Very Happy
Nicki Faulk
« Reply #3 on: December 29, 2004, 09:10:54 AM »

Whoa!  Thanks for the HTACCESS code!  I don't have a forum, but would like to add that to my htaccess to keep them from even trying.   Thumbs Up  Applause
Logged

Hey, who hid my chocolate!!??

Web designer, geek, gamer, and aspiring supermom [ www.nickifaulk.com ]

Proud Soldiers' Angel [ www.soldiersangels.org ]
CTL, Alabama [ www.bamaangels.org ]


Hobby Sites:

* Now We're Cookin' [ www.nowwerecookin.org ]
* Blogroll Directory [ www.blogrolldirectory.org ]