Consolidated Flood Attack Information
septor
Wed Jun 30 2010, 07:23PM

Member Of The e107 Support Team
Last updated: August 20th, 2010 - 05:09PM EST

In an attempt to present all possible information related to the recent flood attacks on various websites (mostly e107 based due to the targeting of an old, fixed, issue in contact.php) I am creating this thread to place all links to all useful information. Also, I will attempt to present bare minimum information on how to attempt to prevent your site from becoming part of the problem.

Secondly, let me apologize for the "wall of text" that is below. Over time I will attempt to make it easier to read, but for now my main focus is getting the information out there for people to absorb.

Lastly, if you are reading this and have additional information to add please post it in this thread -- do not PM me, or any other member, information -- any information should be made viewable by everyone in all forms. Going with that, please try and get as much information related to something as you possibly can so that when I add it to this post it is helpful and not just a "this has been reported to be bad for some reason or another" update!

------

What is known:

The attack seems to be targeting a number of files:

  • contact.php - Due to an exploit in older versions of e107.
  • kontakt.php - Reportedly targeted due to its similarity to contact.php.
  • help_us.php - For reasons unknown at this time.
  • top.php - For reasons unknown at this time.
  • search.php - For reasons unknown. I am speculating that it's because it allows POST requests to be made.


If your site is up-to-date with e107 (0.7.23) chances are you are just going to get flooded with attempts to infect your server by already infected sites. This is actually causing more harm than the exploit is (the only reported, though unconfirmed to be linked, issues are deleted e107 files). So far the possible ways servers are getting infected are by compromised FTP passwords, lax security measures, or by running an older, unfixed, version of e107.

What you should do, even if you are not currently getting attacked:

For the time being it is recommended that you completely remove the contact form script provided by e107. If you absolutely need a contact form, you should locate a plugin or create a custom page to take over these duties until further notice. Other alternatives would be to rename your contact.php file to an unobvious name. However, due to some findings this may only be a very temporary solution.

Also, if you take the renaming your contact.php file route; do not post what you are renaming it to on these forums as they are being watched!

Other things that can be done:

  • If you're running e107 make sure you are using the most recent version available. The latest version, as said previously, is 0.7.23.
  • Harden the security of your e107 install. (forum thread that spawned the wiki page; may include additional information)
  • Look at installing ZB Block from SpambotSecurity. It doesn't have signatures for this spate of attacks (will in the next release v4.7), but does have defense mechanisms that will help mitigate the attacks. There is an e107 forum thread for it here: click to open link in new window
  • Modify your .htaccess file (forum thread discussing the .htaccess file) to prevent anyone from accessing the previously mentioned files. -- Note: This precaution is not a set it and forget it option. As the "exploit" is constantly using different user agents and methods to get to your server, you are going to have to babysit the .htaccess file and constantly update its parameters for it to be completely effective. The community members here, discussed somewhat in this very thread, are actively modifying the example .htaccess file located on the wiki for your ease of use. It should be noted, however, that the .htaccess file gets called on every request to your site regardless of the file being called. Therefore, you will still get the traffic that was going to come, but it will eat considerably less bandwidth if the request is denied.
  • Check your web server to make sure no dodgy files have been added without your knowledge. This should be done more than once, as it's possible you missed the first wave of "egg laying".
  • Chances are your host is already aware of this issue, but if your site is getting flooded you should inform them that you are aware of the issue and you have taken all measures that you can to prevent it from getting worse. If they are unaware of this issue make sure they are doing everything in their power to prevent your site from getting hit any harder than it is.
  • If you have been attacked, regardless of infection or not, change your FTP password from a different, trusted, computer. You should also scan your computer with anti-malware/virus software just to make sure your server wasn't compromised because your FTP password was leaked.
  • Scan your website with the tool at Unmask Parasites to see if your site is potentially infected. As the site suggests, it may not catch everything, but it's still a very good tool.

It should be known that there is no simple solution to ensure your website is 100% secure, nor is there any way for you to keep your site from getting flooded with requests for the above files. Following the above listed items and practicing safe computing skills will go a long way in helping you keep your site up and running. The most important thing is: don't give up. Running a website isn't an easy task.


Additional thoughts:

If you're thinking about dropping e107 to stop this attack on your site, you should probably know that it won't work. Chances are you have taken all possible precautions (as far as renaming or removing the files in question) and your site is still getting hit. This means that, regardless of what you have installed you're still going to get hit because the attacks are all automated and you've already been put on the special guest list.

This type of attack happens to every CMS. It just so happens that this specific attack is targeting e107, which pretty much sucks giant donkey dong for all of us. The best thing you can do at this point is keep your site clean if it is clean, or get it cleaned up if it's not. If your site has been infected you are, unwillingly, part of the grand problem and can only help others by removing the malicious files from your web server as soon as possible. If you are infected and cannot access your website due to your webhost, contact them and ask them to clean up your server, even if it means sacrificing your e107 install. If your database is intact, your site can be retrieved easily.

Banning IP addresses is unlikely to yield any promising results due to the nature of this attack. You are more than welcome to ban all the IPs that are attacking your website, but you will still get hit just as hard as you are as people continue to get infected, adding additional servers (IPs) to the "hackers'" arsenal. With all that said, banning the IP addresses will not cause any negative effects to any of your users (unless they for some reason are browsing the internet from the server hosting their website) because the attacks are, in a sense, coming from other websites. So in short: ban away, but don't expect any promising results.


Related, already existing, threads:

The below threads have previously been created and may contain additional information that I have yet to add to this thread. If you're finished reading this thread and still feel you need more information, consult these threads as they, and the conversations within, may hold valuable information that may directly help you.

Contact Form - Attack - Fixes
When is this going to end?
Getting attacked
UDP Attack
DDoS resistant web hosting?
new attacks again??
Good read on Botnets (Not directly related to the issue, but informative nonetheless.)
ZB Block and e107

And for fun, Idea for hacker aggravation.

[ Edited Fri Aug 20 2010, 04:09PM ]

Security issue? e107 security is here to help.

My e107 related scripts can now be found on GitHub. Use at your own risk.
Public ready scripts will be pushed to plugins.e107 only.
Yakumo
Wed Jun 30 2010, 09:06PM
great info septor ^^ hopefully people will have an easier time finding all the info related to the ongoing attacks.

on the wiki, a new agent needs to be added:

    RewriteCond %{HTTP_USER_AGENT}  ^dex\ Bot\ Search


Like Anime?
C6Dave
Thu Jul 01 2010, 01:46AM
AKA 2dopey

Looking at my logs I found a lot of 'Yandex' in them which is a Russian 'Bot'

Maybe it's the one that's throwing up e107 sites so found the following on the net to add to .htaccess and edited the wiki page to include it

RewriteCond %{HTTP_USER_AGENT} ^Yandex\ Bot\ Search


[ Edited Thu Jul 01 2010, 02:03AM ]

"The irony of the Information Age is that it has given new respectability to uninformed opinion" - John Lawton 1995
crospyder
Thu Jul 01 2010, 10:55AM
78.46.36.153 Casper search bot - known that is used for hackers to gather info

    Host: 78.46.36.153   /contact.php           Http Code: 404   Date: Jul 01 17:48:24   Http Version: HTTP/1.1   Size in Bytes: -   Referer: -   Agent: Casper Bot Search
    Host: 78.46.36.153   /%20%20/contact.php    Http Code: 404   Date: Jul 01 17:48:24   Http Version: HTTP/1.1   Size in Bytes: -   Referer: -   Agent: Casper Bot Search


this is from my log - no malicious files detected on 7 different e107 instances - so far so good, got blocked only once before patch because of DDOS attack

[ Edited Thu Jul 01 2010, 10:57AM ]
mygoggie
Thu Jul 01 2010, 11:15AM

I have fixed the .htaccess code in the wiki and added some more bots. Works on my sites now.

Do not point the bot to localhost as you will just eat up your server resources.

[ Edited Thu Jul 01 2010, 11:46AM ]

- To heal the soul is to start a new journey -
Brad R
Thu Jul 01 2010, 11:53AM
Do not point the bot to no.bots.wanted.com because wanted.com is a real domain. To create an invalid URL you should always use the .invalid top-level-domain. See click to open link in new window . I've updated the wiki.
Joe38
Thu Jul 01 2010, 11:54AM
The user agent "dex Bot Search" as in the .htaccess wiki has changed into "Dex Bot Search" as seen in my logs, and because of the capital letter in Dex the current wiki suggestion will fail. It needs the addition of [NC] at the end of the line so that the string comparison is irrespective of case.

Edit
OK so you beat me to it! and added a second line to cover the situation. It does look as if the hackers are changing their approach, maybe in response to our defences?

[ Edited Thu Jul 01 2010, 12:01PM ]
mygoggie
Thu Jul 01 2010, 11:57AM

Thanks @Brad - forgot about that!

for some reason [NC] makes the script fail

as does [Dd]ex

[ Edited Thu Jul 01 2010, 11:58AM ]

mygoggie
Thu Jul 01 2010, 12:10PM

Changed the RewriteRule to string without 4 dots which invalidated the rule.

Duce
Thu Jul 01 2010, 12:22PM

Not sure if you guys are interested in going through this: click to open link in new window

Some good advice here and plenty of things we might be able to implement.

You can't touch this!
Joe38
Thu Jul 01 2010, 12:23PM
Another new user agent just seen a few minutes ago, another variation which you could add to the list. Trying to "post" to my non-existent contact.php
"sledink Bot Search"
mygoggie
Thu Jul 01 2010, 12:39PM

OK added and rewriterule changed again to make it work

Liquid_Squelch
Thu Jul 01 2010, 12:46PM

from someone who doesn't really understand htaccess apache rules yet,

Shouldn't
RewriteCond %{HTTP_USER_AGENT} ^sledink Bot Search

be
RewriteCond %{HTTP_USER_AGENT} ^sledink\ Bot\ Search

??

mygoggie
Thu Jul 01 2010, 12:56PM

(blush) you are 100% right - comes from having the flu and trying to think.

Liquid_Squelch
Thu Jul 01 2010, 12:57PM

lol glad I could help. I was just following the pattern! Feel better soon, we need you to keep patching those .htaccess restrictions

Brad R
Thu Jul 01 2010, 01:15PM
Someone tell me if I'm wrong, but I'd think you could handle all of those cases with a single regex:

    RewriteCond %{HTTP_USER_AGENT} ^.*\ Bot\ Search


That's assuming it needs to be anchored to the start of the string with ^. Otherwise I'd think you could match \ Bot\ Search and that would be sufficient. But I'm not sure, so I'm not adding this to the wiki until I can test it.
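The following is an added example, not code from this thread or the e107 wiki: it uses Python's re module as a stand-in for mod_rewrite's Perl-compatible matching to check the RewriteCond patterns discussed above (the per-variant lines, the [NC] case question, the escaped-space form, and Brad R's single `\ Bot\ Search` pattern) against constructed user-agent strings modelled on the ones reported here, and confirms a legitimate Googlebot string stays unmatched. The render_htaccess helper and the `[F]` forbid rule are my own suggestion for answering 403 locally instead of redirecting the bot anywhere.

```python
import re

# Constructed user-agent strings modelled on the variants reported in this thread,
# plus one legitimate crawler string that must keep working.
SAMPLE_AGENTS = [
    "dex Bot Search",
    "Dex Bot Search",
    "Casper Bot Search",
    "sledink Bot Search",
    "Yandex Bot Search",
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
]

# Per-variant RewriteCond patterns as they were added to the wiki one at a time.
# The backslash before each space matters in Apache: directive arguments are split
# on unescaped whitespace, so "^sledink Bot Search" is a config error, not a regex.
PER_VARIANT = [r"^dex\ Bot\ Search", r"^Yandex\ Bot\ Search", r"^sledink\ Bot\ Search"]

# Brad R's single pattern: any prefix followed by " Bot Search".
GENERIC = r"^.*\ Bot\ Search"

def matches(pattern, agent, nocase=False):
    """Emulate one RewriteCond test; nocase=True corresponds to the [NC] flag."""
    flags = re.IGNORECASE if nocase else 0
    return re.search(pattern, agent, flags) is not None

def blocked_by(patterns, agents, nocase=False):
    """Agents that at least one pattern would block (conditions joined with [OR])."""
    return [a for a in agents if any(matches(p, a, nocase) for p in patterns)]

def compare():
    """Which sample agents each approach catches; Casper is only caught by GENERIC."""
    return {
        "per_variant_case_sensitive": blocked_by(PER_VARIANT, SAMPLE_AGENTS),
        "per_variant_nc": blocked_by(PER_VARIANT, SAMPLE_AGENTS, nocase=True),
        "generic": blocked_by([GENERIC], SAMPLE_AGENTS),
    }

def anchored_equals_unanchored(agents):
    """Brad R's question: '^.*X' blocks exactly the same agents as a bare 'X' search."""
    return blocked_by([GENERIC], agents) == blocked_by([r"\ Bot\ Search"], agents)

def render_htaccess(patterns):
    """Render OR-ed, case-insensitive conditions ending in a local 403 ([F]), so no
    redirect target (localhost, .invalid or otherwise) has to be chosen at all."""
    lines = ["RewriteEngine On"]
    for i, p in enumerate(patterns):
        flag = "[NC,OR]" if i < len(patterns) - 1 else "[NC]"
        lines.append(f"RewriteCond %{{HTTP_USER_AGENT}} {p} {flag}")
    lines.append("RewriteRule .* - [F]")
    return "\n".join(lines)

if __name__ == "__main__":
    for name, hit in compare().items():
        print(name, hit)
    print(render_htaccess([GENERIC]))
```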
C6Dave
Thu Jul 01 2010, 01:37PM
We don't want to block the wanted Google, Yahoo search bots etc. so care needs to be taken with this guys.

AndyP
Thu Jul 01 2010, 01:42PM

2dopey wrote ...

We don't want to block the wanted Google, Yahoo search bots etc. so care needs to be taken with this guys.


Until this dies down or goes away I'd be happy to block them all, including Yahoo, Google etc - I'll do anything to stop my hosts suspending my account.
If I wish to block ALL bots as suggested above, what actual line(s) do I need to add to my .htaccess file?
AndyP
Thu Jul 01 2010, 01:52PM

Should we also add the following to the .htaccess wiki?

mygoggie
Thu Jul 01 2010, 02:08PM

well this is really becoming out of hand now - I can extend your IP address with at least another 30 IPs

