worm attacks

Red Squirrel
Posts: 29209
Joined: Wed Dec 18, 2002 12:14 am
Location: Northern Ontario

Post by Red Squirrel »

It appears we're being attacked by a worm, probably the phpbb one. It's not doing anything to the site though, but it's just messing the stats and increasing views in threads, so if you notice odd threads that have super high views but yet were posted recently, it's probably the worm. What is rather interesting is that it is not appearing in the logger, so methinks the worm got to the thread some other way, so I'm investigating since, while the worm is not designed for anything but the phpbb exploit, the way it's accessing the thread ain't right, so I'm going to check that out. I have a few ideas of what is maybe happening, so I'm investigating while eating fruitcake and other Christmas desserts. :lol:

Archived topic from Iceteks, old topic ID:2950, old post ID:24063
Honk if you love Jesus, text if you want to meet Him!

Post by Red Squirrel »

Yep it is the phpbb worm as far as I know. Here's the logs for educational purposes. There's also this other user agent that shows up that I need to find.

7694 entries total. :bsod: Glad we're not vulnerable. :banana:

Archived topic from Iceteks, old topic ID:2950, old post ID:24066

Post by Red Squirrel »

Just reprogrammed part of the security system as some of it was old horrible code (turned 3 loops and 4 SQL queries into 1 loop and 2 queries (1 if no rule matches, 2 if a rule matches)).

Now it supports blocking of user agents, so I blocked the worm's user agent. Ineffective in most cases, but given the worm seems to stick to this user agent (with random numbers in it), it's easy to block - the IPs are actually infected servers. If the author would have been smart he would have used a legit user agent and I probably would not even have noticed it was a worm doing these requests.

Archived topic from Iceteks, old topic ID:2950, old post ID:24081

Post by Red Squirrel »

LWP::Simple is the UA by the way. (There's more to it than that, but that is the string that is always the same.)

Archived topic from Iceteks, old topic ID:2950, old post ID:24082
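The user-agent rule described in the posts above, as an added example that is not part of the original thread or the forum's own security code: it matches the constant `LWP::Simple` substring in access-log lines and counts hits per topic and per source IP, which is how inflated view counts can be traced back to the worm. The log lines, IP addresses, topic ids, function names and the case-insensitive match are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed sample in Apache combined log format; not the forum's real logs.
SAMPLE_LOG = '''\
192.0.2.10 - - [01/Jan/2000:10:00:01 +0000] "GET /viewtopic.php?t=101 HTTP/1.0" 200 5120 "-" "LWP::Simple/5.79"
198.51.100.7 - - [01/Jan/2000:10:00:02 +0000] "GET /viewtopic.php?t=101 HTTP/1.0" 200 5120 "-" "LWP::Simple/5.803"
203.0.113.5 - - [01/Jan/2000:10:00:03 +0000] "GET /viewtopic.php?t=101 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 Firefox/1.0"
192.0.2.10 - - [01/Jan/2000:10:00:04 +0000] "GET /viewtopic.php?t=102 HTTP/1.0" 200 4096 "-" "lwp::simple/5.800"
truncated line without quotes
'''

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

UA_RULES = ["LWP::Simple"]  # the constant part of the user agent named in the thread


def matches_rule(user_agent, rules=UA_RULES):
    """Substring match, so the varying numbers around the fixed part do not matter.
    Case-insensitive comparison is an assumption of this example."""
    ua = user_agent.lower()
    return any(rule.lower() in ua for rule in rules)


def summarize(log_text, rules=UA_RULES):
    """Count rule hits per topic id and collect the source IPs that sent them."""
    topics, ips, matched, unparsed = Counter(), set(), 0, 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:  # keep malformed lines visible instead of silently dropping them
            unparsed += 1
            continue
        if not matches_rule(m["ua"], rules):
            continue
        matched += 1
        ips.add(m["ip"])
        topic = parse_qs(urlparse(m["path"]).query).get("t", [None])[0]
        if topic is not None:
            topics[topic] += 1
    return {"matched": matched, "ips": sorted(ips),
            "topics": dict(topics), "unparsed": unparsed}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Topics with a high matched count relative to their age are the ones whose view counters were inflated; the browser-style request in the sample is left alone because the rule only keys on the fixed substring.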