
View Full Version : Keep an eye on your Bandwidth Usage



wildjokerdesign
12-25-2004, 09:17 PM
I have been having a problem on one of my sites with an outside attack on viewtopic.php. Seems someone is trying to exploit the security hole in the old version. If you have 2.0.11 you should be fine as far as security but what it is doing on my site is driving the bandwidth usage out of control.

I shut down Apache overnight hoping it would pass but it has not yet.

What I have done is change my MaxClients in httpd.conf to 5 to try and control the usage. I have also found out that all these attacks are coming from different IPs all over the world so you can't block using that but you can put a block of sorts on the User Agent that is always the same. I have put this at the top of my viewtopic.php script temporarily.

// TEMP MOD
// Drop any request whose User-Agent starts with "lwp" or "LWP" before phpBB does any work.
// (Originally written with ereg() and $HTTP_SERVER_VARS for PHP 4; preg_match() with the
// case-insensitive flag does the same check on current PHP, and the isset() guard avoids a
// notice when no User-Agent header is sent at all.)
if ( preg_match('/^lwp/i', isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '') )
{
    die("Hacking attempt");
}
// END TEMP MOD

I inserted it right above

define('IN_PHPBB', true);

I think really the only thing it will do is keep the count of most users going up on your board but who knows. At least it kicks them out of the script right at the beginning. :)

If you want to google and find some of the stuff I found... which is old... try this: User Agent lwp-trivial

It could be that they may try to hit a different page on your site. Look for a very odd GET that does not look like a normal url and ends with the lwp-trivial/ and different version numbers. There is a variation on this from time to time which is LWP::... which is the reason for the variation in what I added to the php page.

Your Disk Usage may also be growing, since the access_log is bigger because of the increased traffic.

Hope this may help some others. Not much more you can do that I or WH Tech can think of. I have spoken with them several times and they are aware of this. If you have a small board that does not show up in Google the chances of this happening are small since that is one way they were able to find sites that used the script. One article I read mentioned that Google has already taken measures to put a lid on this.
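One way to measure what the post above describes, as an added example that is not part of the original thread: a small Python script that parses Apache combined-format access_log lines, flags requests to viewtopic.php whose User-Agent starts with lwp/LWP or carries LWP::, and totals the bytes, source IPs and distinct request strings involved. The log lines are constructed for the example (documentation-range IPs, a placeholder in place of the odd query string); the script only reports, it does not block anything.

```python
import re
from collections import Counter

# Apache "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent shapes named in the thread: "lwp-trivial/<version>" at the start,
# or the LWP:: module family anywhere in the string. Case-insensitive, like the
# two ereg() calls in the posted PHP mod.
LWP_UA_RE = re.compile(r'^lwp|LWP::', re.IGNORECASE)

# Constructed sample log lines (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Dec/2004:20:11:02 -0600] "GET /forum/viewtopic.php?t=12&CONSTRUCTED_ODD_QUERY HTTP/1.0" 200 18342 "-" "lwp-trivial/1.41"
198.51.100.7 - - [25/Dec/2004:20:11:05 -0600] "GET /forum/viewtopic.php?t=12&CONSTRUCTED_ODD_QUERY HTTP/1.0" 200 18342 "-" "LWP::Simple/5.803"
192.0.2.44 - - [25/Dec/2004:20:12:10 -0600] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 20113 "http://example.org/forum/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20041107 Firefox/1.0"
203.0.113.5 - - [25/Dec/2004:20:13:44 -0600] "GET /forum/viewtopic.php?t=13&CONSTRUCTED_ODD_QUERY HTTP/1.0" 200 18342 "-" "lwp-trivial/1.41"
192.0.2.9 - - [25/Dec/2004:20:14:01 -0600] "GET /forum/index.php HTTP/1.0" 200 5120 "-" "lwp-trivial/1.35"
""".splitlines()


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    return entry


def is_lwp_hit(entry, script="viewtopic.php"):
    """True when the User-Agent looks like the LWP worm and (if script is set) the
    request targets that script. Pass script=None to catch hits on any page, since
    the thread notes the worm may move to other files."""
    if script is not None and script not in entry["request"]:
        return False
    return bool(LWP_UA_RE.search(entry["ua"]))


def summarize(lines, script="viewtopic.php"):
    """Aggregate the flagged requests: count, bytes served, per-IP and per-UA tallies,
    and the distinct request strings (useful for spotting the odd GET the post mentions)."""
    hits = [e for e in map(parse_line, lines) if e and is_lwp_hit(e, script)]
    return {
        "hits": len(hits),
        "bytes": sum(e["bytes"] for e in hits),
        "by_ip": Counter(e["ip"] for e in hits),
        "by_ua": Counter(e["ua"] for e in hits),
        "requests": sorted({e["request"] for e in hits}),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['hits']} LWP requests to viewtopic.php, {report['bytes']} bytes served")
    for ip, n in report["by_ip"].most_common():
        print(f"  {ip}: {n}")
    for ua, n in report["by_ua"].most_common():
        print(f"  {ua!r}: {n}")
    for req in report["requests"]:
        print(f"  {req}")
```

Run it against a real access_log with `summarize(open("/path/to/access_log"))` instead of SAMPLE_LOG; the bytes total is the figure to compare against the bandwidth jump, and the per-IP tally shows why blocking by address does not help when the sources are spread out.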

wildjokerdesign
12-26-2004, 11:38 AM
Here are a few links to topics on the phpBB board that may be useful to you:

http://www.phpbb.com/phpBB/viewtopic.php?t=249450

This thread has a detection script you can use to see if there are any back door files. I have tried it on several WH accounts and it seems to work pretty well. Nothing pretty or fancy and you will most likely get some files listed that may not be a risk so make sure to explore fully any files it may say are a backdoor. If you read the whole thread you'll see some results you may get that others did that may not be a problem.

http://www.phpbb.com/phpBB/viewtopic.php?t=240513

These are the changes needed in viewtopic.php to help secure it.

Armadillo
12-26-2004, 05:59 PM
Thanks Wildjoker.
:)

wildjokerdesign
12-26-2004, 09:24 PM
You're welcome Armadillo,...
and yet more links to the phpBB board that may be of help....
http://www.phpbb.com/phpBB/viewtopic.php?t=249010
http://www.phpbb.com/phpBB/viewtopic.php?t=250093

Both discuss using mod_rewrite which may be a better solution.

nsc
12-27-2004, 09:13 PM
I noticed that the past three days my bandwidth usage increased, but I am sure it was not caused by visitors. I found that the most requested file was viewtopic.php so probably I have the problem you describe. My phpBB version is 2.0.11 so I suppose I am safe as regards security, but I will try to implement your solution because I don't like anybody eating my bandwidth. Thank you for posting that!

wildjokerdesign
12-28-2004, 07:58 AM
It did seem to work and it was a pretty easy fix. There are some "fuller solutions" using mod_rewrite on the phpBB2 board. The reason I used quotes is that the worms keep changing so you have to keep modifying what you do to battle them. :) You need to look and see if the request includes lwp as part of the user agent. This is going to be close to the end of the request.

For those who have not updated to 2.0.11 it is important that you do so. Since it is viewtopic.php that seems to be the current file being exploited there are some that have made the changes to it first while they continued upgrading the rest of their board.

It seems that some variants insert code into your forum descriptions. It seems at this point it is normally set in the first forum you set up. You can check this out by going into your Admin area and looking at the descriptions via Forum - Management. If there is anything you did not put there remove it.

As I mentioned above this just keeps changing so you have to keep an eye on your accounts and keep reading posts about it on the internet. Of course the folks doing it are doing the same things. :( Remember this is their fault.