Did you join yet Minstrel? Looks like they could help shed light on a lot of things in the "day of the worm" & "traffic bot".
So Joey, what are you doing to ensure that your forum does not get attacked by worms/traffic bots? Just yesterday a forum I belong to was attacked and taken down.
Besides the obvious patching the forums, and PHP, here is a portion of my .htaccess, a little mod rewrite that takes care of the worms and script kiddies...

    RewriteEngine On

    # prevent access from santy webworm a-e
    RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
    RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR]
    RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]
    RewriteCond %{QUERY_STRING} ^(.*)wget\%20
    RewriteRule ^.*$ http://127.0.0.1/ [R,L]

    # prevent pre php 4.3.10 bug
    RewriteCond %{HTTP_COOKIE}% s:(.*):\%22test1\%22\%3b
    RewriteRule ^.*$ http://127.0.0.1/ [R,L]

    # prevent perl user agent (most often used by santy)
    RewriteCond %{HTTP_USER_AGENT} ^lwp.* [NC]
    RewriteRule ^.*$ http://127.0.0.1/ [R,L]
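Added example, not part of the post above or of phpBB: a small Python log check that applies the same query-string and user-agent signatures to Apache combined-format access log lines and reports whether each matching request was answered with the 302 that `[R]` produces. The log lines, IP addresses and the `scan` helper are constructed for illustration.

```python
import re

# Signatures from the RewriteCond lines in the post, matched against the raw
# (still percent-encoded) query string, which is what mod_rewrite tests.
QUERY_RULES = [
    ("highlight=%2527", re.compile(r"highlight=%2527")),
    ("rush=%65%63%68", re.compile(r"rush=%65%63%68")),
    ("rush=echo", re.compile(r"rush=echo")),
    ("wget%20", re.compile(r"wget%20")),
]
UA_RULE = re.compile(r"^lwp", re.IGNORECASE)  # same as ^lwp.* [NC]

# Apache "combined" log format: ip, request target, status, user agent.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"'
)

def scan(lines):
    """Return one finding per log line that matches any signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, target, status, agent = m.groups()
        query = target.partition("?")[2]
        hits = [name for name, rx in QUERY_RULES if rx.search(query)]
        if UA_RULE.search(agent):
            hits.append("user-agent lwp")
        if hits:
            # [R] with no explicit code answers 302; any other status means
            # the request was not redirected by rules like the ones above.
            findings.append({"ip": ip, "hits": hits, "redirected": status == "302"})
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [21/Dec/2004:10:00:01 +0000] "GET /viewtopic.php?t=5&highlight=%2527 HTTP/1.0" 302 210 "-" "lwp-trivial/1.41"',
    '198.51.100.7 - - [21/Dec/2004:10:00:05 +0000] "GET /viewtopic.php?t=5&highlight=php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [21/Dec/2004:10:00:09 +0000] "GET /viewtopic.php?t=9&rush=echo HTTP/1.1" 200 4800 "-" "Mozilla/4.0"',
    # Agent does not start with "lwp", so the user-agent rule as posted does not match it.
    '192.0.2.45 - - [21/Dec/2004:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "libwww-perl/5.79"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A finding with `redirected` set to `False` is a request that matched a signature but was served normally, which is worth checking against the forum's patch level.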
Funny Dakar, forums still are being attacked and owners still don't understand what to do, thanks for the post.
Kinda figured that, it's been posted all over phpbb's website for a month or so now, a few refinements here and there, but figured it was worth reposting, if one person reads and implements it then it wasn't a total waste of electrons. Nonetheless, it's been working very well for me...
The malicious code for this hack is inserted into the phpbb_forums table in the forum_desc field. It seems to go for the first row in the table...
A major haven for groups like this is theplanet.com -- they were implicated in the illegalteam attacks and, perhaps not surprisingly, were a major source of attacks from Santy. theplanet.com just does not care who is on their servers or what they do or how many of their customers are infected or actively initiating attacks. See Blacklist theplanet.com -- if people like this won't clean up their own houses, they should be shut down.
Actually, yes... however, nothing happened as far as I can see (at least not yet -- the wheels of justice grind slow...).
If one wants to do research you can find agencies that have participated in busting these organizations. http://vivisimo.com/search?v:sources=Web&query=Hacker+virus+writers+convicted&x=17&y=20
Wow... it really IS handy having live links back in your posts. Thanks, AC, but in this case the complaints were made about both the hackers AND the ISP which was aiding and abetting them. As you have argued elsewhere, I think the key to stopping a lot of this crap is to put pressure on hosts to clean up their own servers... that at least will cut down on some of the volume.