draude Administrator


Joined: 10 Dec 2002 Posts: 356 Location: San Francisco
|
Posted: Sat Dec 25, 2004 1:51 am Post subject: Impact of phpbb worm |
|
|
As some of you may know, there's a phpbb worm going around that is defacing websites and causing a great deal of trouble. This forum is also based on phpbb. While we have been fortunate in resisting the direct effects of this worm, we are unfortunately vulnerable to one of the worm's indirect effects: namely, the increased traffic from thousands of compromised sites trying to deliver the worm's payload to OOoForum.
Part of the problem is that Google and other search engines have indexed thousands of OOoForum pages. Since the method by which the worm spreads is via these same search engine results, this site is currently getting bombarded with bogus traffic from compromised forums akin to a distributed DOS attack. Until the problem subsides, you may experience decreased performance while using the site. You have the worm writers to thank for this.
I'm currently evaluating some options to automatically identify these compromised hosts and null route them immediately. Unfortunately, there will probably be a few false positives. My apologies in advance if I block you by accident. It was not intentional.
Hopefully, the problem will subside over the next week or two. In the meantime, please be patient as we work out a solution to this annoying problem and expect a few glitches here and there.
Thanks.
Regards,
Ed |
draude Administrator


Joined: 10 Dec 2002 Posts: 356 Location: San Francisco
|
Posted: Sun Dec 26, 2004 12:56 pm Post subject: |
|
|
Update: I've written a bit of code to parse the logs several times a day looking for various nefarious web requests, including the worm that's going around. These requests will automatically result in the offending IP address being denied service to OOoForum for 7 days. If you are blocked, all packets from your IP address will be dropped.
Normal use of the forum should not result in your IP address getting blocked. But if you make a particular type of request that attempts to exploit various vulnerabilities, you will be blocked for sure. Please don't try this unless you want to be locked out for a week.
Since the worm was first identified, traffic to OOoForum has increased 10x despite the X-mas holiday, which is usually a very quiet day for web traffic. After implementing the above blocking scheme, traffic and server load appear to have returned to pre-worm levels. The current blocklist stands at about 3000 IP addresses.
Finally, I can get back to opening those X-mas gifts!
Best,
Ed |
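The log-driven blocking described in the post above could look like the following sketch. It is an added example, not the administrator's code: the request signatures, the Apache-style log format, the sample lines and all function names are assumptions, since the post does not say what was matched or how routes were installed.

```python
import re
from datetime import datetime, timedelta

BLOCK_FOR = timedelta(days=7)  # block length stated in the post

# Assumed signatures; the post does not say which requests were matched.
SIGNATURES = [
    re.compile(r"viewtopic\.php\?\S*highlight=[^&\s]*%2527", re.I),  # double-encoded quote
    re.compile(r"(?:\.\./){2,}"),                                    # path traversal
]
# Leading fields of an Apache common/combined log line: client, time, request target.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')

# Constructed sample log lines (documentation-range addresses).
SAMPLE = [
    '192.0.2.10 - - [25/Dec/2004:01:02:03 -0800] "GET /viewtopic.php?t=123 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [25/Dec/2004:01:02:09 -0800] "GET /viewtopic.php?t=123&highlight=%2527 HTTP/1.0" 200 512',
    '203.0.113.5 - - [25/Dec/2004:03:00:00 -0800] "GET /viewtopic.php?t=9&highlight=writer HTTP/1.1" 200 4096',
    'not a log line',
]

def scan(lines, blocklist=None):
    """Return {ip: expiry}; a repeat offender's expiry is pushed out, never shortened."""
    blocklist = dict(blocklist or {})  # copy so the caller's dict is not mutated
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the run
        ip, stamp, target = m.groups()
        if any(sig.search(target) for sig in SIGNATURES):
            seen = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
            blocklist[ip] = max(blocklist.get(ip, seen), seen + BLOCK_FOR)
    return blocklist

def active(blocklist, now):
    """Addresses whose block has not yet expired at `now` (timezone-aware)."""
    return sorted(ip for ip, expiry in blocklist.items() if expiry > now)

def null_route_commands(blocklist, now):
    """iproute2 commands that would drop traffic to each blocked host."""
    return [f"ip route add blackhole {ip}/32" for ip in active(blocklist, now)]
```

Matching on the request target alone keeps ordinary `highlight=` searches unblocked, and carrying an expiry per address lets each periodic run drop entries once the 7 days have passed.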
cwchia Super User


Joined: 09 Jan 2003 Posts: 1050 Location: Malaysia
|
Posted: Sun Dec 26, 2004 10:10 pm Post subject: |
|
|
Thanks draude,
I've been away for a few days and it looks like everything is back to normal. Thanks again for keeping this wonderful site going. |
JohnV Administrator

Joined: 07 Mar 2003 Posts: 8976 Location: Lexinton, Kentucky, USA
|
Posted: Mon Dec 27, 2004 5:46 am Post subject: |
|
|
Ed,
It's a real shame that you have had to waste your holiday time contending with a worm but we really appreciate your efforts!
Best wishes to you and yours. |
DannyB Moderator


Joined: 02 Apr 2003 Posts: 3991 Location: Lawrence, Kansas, USA
|