Announcement

Collapse
No announcement yet.

showthread attack attempt?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #31
    Originally posted by digitalpoint
    Can't really be done by IP address since any exploited box will do it.

    Yesterday morning when I saw it happening, I also blocked it with a quick .htaccess entry, which worked. In case anyone couldn't get it to work with the one posted for whatever reason, this is what I'm using:

    Code:
    RewriteEngine on
       RewriteCond %{HTTP_USER_AGENT}  ^LWP* [OR]
       RewriteCond %{HTTP_USER_AGENT}  ^lwp*
       RewriteRule  .*      - [F]
    This works for me. Thanks!

    Two questions:
    1. Would it be any better to have this in the Apache httpd.conf file with my other rewrites than in an htaccess file in my forum directory?
    2. Are there any legitimate referrers you know of that would have either LWP or lwp in them that might get redirected into nowhereland?

    Comment


    • #32
      Originally posted by Marc Smith
      LWP or lwp in them that might get redirected into nowhereland?
      I know no one.

      LWP::Simple is a perl module.
      http://search.cpan.org/dist/libwww-p.../LWP/Simple.pm

      Non of my users use it to surf on my website
      Streicher

      Comment


      • #33
        Yeah - Knew it was a perl script. I was just too stupid sitting here thinking IP blocks rather than limiting access by using mod_rewrite to shuffle the calls from those referrers out into nowhereland.

        Comment


        • #34
          Originally posted by Streicher
          It is easy to block them. Put the code of the attachment into .htaccess
          Which directories should we put this in ?
          Techzonez - Tech News
          Techzonez Forums - Tech Community

          Comment


          • #35
            This started showing up on my site as well... Doesn't do any harm. I've followed them and just got an error message. But just in case I put in the .htaccess control on

            Comment


            • #36
              Originally posted by Reverend
              Which directories should we put this in ?
              In the top folder of your html directory.
              Streicher

              Comment


              • #37
                yeah top directory since this is looking for ANY php script, so it will be attacking all spiderable php scripts.
                Scott MacVicar

                My Blog | Twitter

                Comment


                • #38
                  Originally posted by Streicher
                  In the top folder of your html directory.
                  Thanks
                  Techzonez - Tech News
                  Techzonez Forums - Tech Community

                  Comment


                  • #39
                    Originally posted by Marc Smith
                    This works for me. Thanks!

                    Two questions:
                    1. Would it be any better to have this in the Apache httpd.conf file with my other rewrites than in an htaccess file in my forum directory?
                    2. Are there any legitimate referrers you know of that would have either LWP or lwp in them that might get redirected into nowhereland?
                    For performance it would be better to go in the httpd.conf file, but since I don't imagine it will last too long, I just tossed it into the .htaccess file for now. If it goes on for weeks or more, I'll move it to the httpd.conf file myself.
                    Sphinx Search for vBulletin 4: https://marketplace.digitalpoint.com...tin-4.870/item
                    Someone send me a message on Twitter when this site is usable again. https://twitter.com/digitalpoint

                    Comment


                    • #40
                      I got a huge attack attempt on Dec 23, 200+ attacked at one time, ate up a large amount of bandwidth.

                      Comment


                      • #41
                        Originally posted by Streicher
                        It is easy to block them. Put the code of the attachment into .htaccess
                        Working like a charm, thank you
                        That's the end of that!

                        Comment


                        • #42
                          I haven't seen the problem yet, my site is probably too new to attract this worm. But I would love to be proactive and protect my site from this. Is the text from the file in this thread (block.txt) complete? So that if I don't have an .htaccess file, I can make one that contains just that code? Or does additional stuff need to be in that file for it to function?

                          Yes I'm a newbie when it comes to .htaccess. Any help is appreciated.

                          Comment


                          • #43
                            Originally posted by lottidah
                            I haven't seen the problem yet, my site is probably too new to attract this worm. But I would love to be proactive and protect my site from this. Is the text from the file in this thread (block.txt) complete? So that if I don't have an .htaccess file, I can make one that contains just that code? Or does additional stuff need to be in that file for it to function?

                            Yes I'm a newbie when it comes to .htaccess. Any help is appreciated.
                            I've added the code from this post to my .htaccess file and tested it - someone with LWP in useragent now gets 'forbidden'. So that is cool.

                            Comment


                            • #44
                              Originally posted by lottidah
                              Is the text from the file in this thread (block.txt) complete? So that if I don't have an .htaccess file, I can make one that contains just that code? Or does additional stuff need to be in that file for it to function?
                              The text in block.txt is complete. You don't need additonal stuff. An alternative code is in the link floris has posted. The codes will work unless the worm is changed in the future.
                              Streicher

                              Comment


                              • #45
                                Thank you!

                                Comment

                                widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                                Working...
                                X