[pmwiki-users] your mail

Patrick R. Michaud pmichaud at pobox.com
Fri Dec 15 16:28:20 CST 2006


On Fri, Dec 15, 2006 at 11:12:54PM +0100, Laurent Meister wrote:
> First we used pmwiki 2.1.16 and after the first attack I upgraded the
> wiki to 2.2.0 beta 16.  The user agent string of the bots seems to
> be always like these two:
> 
> User-Agent: libwww-perl/5.803
> Via: 1.1 cache.edu.hel.fi:8080 (squid/2.5.STABLE14)
> 
> or
> 
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;  
> Maxthon)
> Via: 1.0 mining.becs.ac.in:3128 (squid/2.5.STABLE9)

I've seen a bunch of those on my site, also.   Is it making
requests for a page called gallery_top.inc.php?  If yes, then
it's apparently a bunch of zombie computers that are attempting 
to exploit a security hole in PHPGallery -- totally unrelated to
PmWiki.  For some reason it appears to be also targeting PmWiki
sites, even though PmWiki has nothing to do with PHPGallery (afaik).

On my site I simply used Apache's mod_rewrite to block all requests
containing "gallery_top.inc.php":

    RewriteCond %{REQUEST_URI} gallery_top.inc.php
    RewriteRule .* - [F,L]

This causes any request containing "gallery_top.inc.php" to
be instantly returned as "403 Forbidden".  Feel free to try it -- 
http://www.pmwiki.org/wiki/Main/gallery_top.inc.php .

If you can't adjust the webserver to block the requests, then
it can be done from local/config.php:

    if (strpos($_SERVER['REQUEST_URI'], 'gallery_top.inc.php') !== false) exit();

This causes PmWiki to immediately exit if it sees a request
with the offending string.  This isn't as good as the mod_rewrite
above (because it still causes PmWiki to be run), but it gets
caught very early in PmWiki processing and thus doesn't eat up
a lot of resources for no reason at all.

Note that redirecting to another location and blocking /wiki won't
stop the requests from coming in, it'll just mean they don't get
passed to PmWiki.  Blocking the actual urls at the webserver is
effectively the same, and doesn't require that you go moving your
site to a different location.

If the attack isn't consistently requesting gallery_top.inc.php,
then you could try blocking access based on the libwww-perl
user agent.  Let me know if you need ideas or information about doing
that.

Pm

> On 15.12.2006 at 18:33, Patrick R. Michaud wrote:
> 
> >On Fri, Dec 15, 2006 at 06:13:50PM +0100, Laurent Meister wrote:
> >>Hello everybody, in the past few days our provider registered
> >>several DOS-attacks on our pmwiki (http://www.apfelwiki.de). There
> >>seem to be some bots requesting the internal search engine all
> >>the time. Also the Frontpage (http://apfelwiki.de(wiki/Main/
> >>ApfelWiki) seems to be a target. Our provider is now recommending to
> >>redirect to another directory and block wiki/.
> >>
> >>I hope it's not too confusing... does anybody have an idea what to do
> >>or change on our wiki?
> >
> >What version of PmWiki are you using?
> >
> >What's the user agent string of the bots that are requesting
> >the engine?
> >
> >Pm
> >
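
To choose between the two block rules discussed in the message above (the "gallery_top.inc.php" string or the libwww-perl user agent), a log check like the following shows how much of the traffic each rule would catch. This is an added example, not part of the original post; the Apache "combined" log format, the sample lines and the function names are assumptions.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
URI_MARKER = "gallery_top.inc.php"   # string blocked by the rewrite rule in the message
AGENT_PREFIX = "libwww-perl"         # user agent named in the message

def classify(line):
    """Label one log line by which of the two candidate block rules would match it."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return "unparsed"
    # mod_rewrite's %{REQUEST_URI} holds the path without the query string,
    # so only the path part of the logged request is tested here.
    path = m.group("uri").split("?", 1)[0]
    by_uri = URI_MARKER in path
    by_agent = m.group("agent").lower().startswith(AGENT_PREFIX)
    if by_uri and by_agent:
        return "both"
    if by_uri:
        return "uri_only"
    if by_agent:
        return "agent_only"
    return "neither"

def coverage(lines):
    """Count how many requests fall into each category."""
    return Counter(classify(l) for l in lines if l.strip())

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [15/Dec/2006:16:01:02 -0600] "GET /wiki/Main/gallery_top.inc.php HTTP/1.0" 200 512 "-" "libwww-perl/5.803"
192.0.2.11 - - [15/Dec/2006:16:01:03 -0600] "GET /wiki/Main/gallery_top.inc.php HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"
198.51.100.7 - - [15/Dec/2006:16:01:05 -0600] "GET /wiki/Main/HomePage?action=search&q=test HTTP/1.0" 200 2048 "-" "libwww-perl/5.803"
203.0.113.5 - - [15/Dec/2006:16:01:09 -0600] "GET /wiki/Main/HomePage HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux)"
""".splitlines()

if __name__ == "__main__":
    for label, n in sorted(coverage(SAMPLE_LOG).items()):
        print(f"{label:10} {n}")
```

A large "agent_only" count means the URI rule alone leaves most of the traffic through; a large "neither" count means neither signature describes the requests and the log needs a closer look.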



