Ravens PHP Scripts: Forums
 

 

sqzdog
Involved


Joined: Sep 22, 2003
Posts: 252

Posted: Sun Jun 04, 2006 8:10 am

Ok, I just had it set to forward. Now it should email, block and forward. Fingers crossed! Thanks
 
ardmhacha
Hangin' Around


Joined: Jan 26, 2004
Posts: 30
Location: Ireland

Posted: Mon Jun 05, 2006 3:14 pm

viper155 wrote:
Blocker Configuration>String blocker settings>

Enter in box

blogspot.com
lipster.net
mespacha.com
noparara.com
src21.net
wisral.com
zeppele.com


I'm having the same problem; however, when I add the above list to Sentinel it is only banning zeppele.com for some reason. Any suggestions on how to stop this would be much appreciated.
 
viper155
Regular


Joined: Feb 18, 2006
Posts: 99

Posted: Mon Jun 05, 2006 3:27 pm

I'm the wrong person to ask why it's not banning the other ones too; perhaps someone else can help you out with that.

Are these bots still able to register with those other names such as Only registered users can see links on this board! Get registered or login!?
 
Tao_Man
Involved


Joined: Jul 15, 2004
Posts: 252
Location: OKC, OK

Posted: Mon Jun 05, 2006 3:52 pm

There is one character of whitespace after each of the above sites other than the last one. Remove that and I'll bet the rest will work.

_________________
------------------------------------------
To strive, to seek, to find, but not to yield!
I don't know Kara-te but I do know cra-zy, and I WILL use it! 
ardmhacha
Posted: Tue Jun 06, 2006 2:20 am

Tao_Man,

I think you're right, well spotted. Originally, I had copied and pasted the above into string blocker settings. Late last night I had added (by typing in) @mespacha.com to the list (as well as having mespacha.com) and it started banning those as well. So taking out the space after each seems to have done the trick; will confirm that as soon as I get email notifications that the others are being banned. I think I'll install PCKiller and really sicken them.

Thanks again
 
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

Posted: Tue Jun 06, 2006 8:07 am

Raven's UserInfo addon makes it really easy to delete users. That's what we used to clear out the hundred users who registered in 2 days to post news comments spam.

_________________
I google, therefore I exist...
dirtbag
Regular


Joined: Nov 09, 2003
Posts: 73

Posted: Tue Jun 06, 2006 8:59 am

I am having the same problem; I will try this.
 
dirtbag
Posted: Tue Jun 06, 2006 9:18 am

Yeah, I removed all of them by doing searches with phpadmin

Anyways, I did searches in my nuke_user and nuke_user_temp and deleted all the members with a % wildcard search as they were using a series of email addresses ending with the same server name... all seemed quiet for a day but now I see it's happening again..

muchaho1199
myhouse3614
muchaho5149
myhouse4179
drakula4963
drakula1798

these are some names above where the numbers are just different at the end

and the emails are ending like this

-------------------

%@mespacha.com
%@wisral.com
%@lipster.net
%@noparara.com
%@zeppele.com
 
dirtbag
Posted: Tue Jun 06, 2006 9:31 am

OK, I put in the Sentinel like you guys recommended... and alrighty, got two bites

Code:
Date & Time: 2006-06-06 08:14:03 PDT GMT -0700

Blocked IP: 203.198.162.124
User ID: Anonymous (1)
Reason: Abuse-String
String Match: mespacha.com
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Query String: Only registered users can see links on this board! Get registered or login!
Get String: Only registered users can see links on this board! Get registered or login!
Post String: Only registered users can see links on this board! Get registered or login! user
Forwarded For: 203.198.162.124
Client IP: none
Remote Address: 210.87.251.107
Remote Port: 39682
Request Method: POST


Code:
Date & Time: 2006-06-06 08:14:03 PDT GMT -0700

Blocked IP: 203.198.162.124
User ID: Anonymous (1)
Reason: Abuse-String
String Match: mespacha.com
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Query String: Only registered users can see links on this board! Get registered or login!
Get String: Only registered users can see links on this board! Get registered or login!
Post String: Only registered users can see links on this board! Get registered or login! user
Forwarded For: 203.198.162.124
Client IP: none
Remote Address: 210.87.251.107
Remote Port: 39682
Request Method: POST


Now, are all these IPs going to get blocked??? Since they keep switching IP addresses?
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

Posted: Tue Jun 06, 2006 9:38 am

Yes, every time Sentinel detects mespacha.com in a POST string it will grab the IP and block it.
 
viper155
Posted: Tue Jun 06, 2006 3:07 pm

Too bad it seems like they have a million diff IPs. I've blocked over 500 and still going.
 
Guardian2003
Posted: Tue Jun 06, 2006 3:10 pm

They are more than likely going through a proxy server.
 
southern
Client


Joined: Jan 29, 2004
Posts: 591
Location: Texas

Posted: Tue Jun 06, 2006 9:44 pm

freespirit wrote:
Whew !! Thanks a lot everybody. I thought I was the only one with the problem !!


I thought I was the only one with this problem, too! The zombies just kept marching in and registering, over and over, vasily, andre, drakula, lexa, etc. from all over. And they all used the same routine-
Quote:

/modules.php?name=Your_Account 2006-06-07 00:34:04
/modules.php?name=Your_Account&op=gfx&random_num=335980 2006-06-07 00:34:01
/modules.php?name=Your_Account&op=new_user 2006-06-07 00:33:58
/modules.php?name=Your_Account 2006-06-06 23:14:26
/modules.php?name=Your_Account&op=gfx&random_num=882781 2006-06-06 23:14:23
/modules.php?name=Your_Account&op=new_user 2006-06-06 23:14:20
/modules.php?name=Your_Account 2006-06-06 06:08:20
/modules.php?name=Your_Account&op=gfx&random_num=17509 2006-06-06 06:08:15
/modules.php?name=Your_Account&op=new_user 2006-06-06 06:08:08
/modules.php?name=Your_Account 2006-06-06 04:12:03
/modules.php?name=Your_Account&op=gfx&random_num=114951 2006-06-06 04:12:00
/modules.php?name=Your_Account&op=new_user 2006-06-06 04:11:56
/modules.php?name=Your_Account 2006-06-06 02:25:45
/modules.php?name=Your_Account&op=gfx&random_num=889978 2006-06-06 02:25:34
/modules.php?name=Your_Account&op=new_user 2006-06-06 02:25:21
/modules.php?name=Your_Account 2006-06-06 02:07:08
/modules.php?name=Your_Account&op=gfx&random_num=816290 2006-06-06 02:07:04
/modules.php?name=Your_Account&op=new_user 2006-06-06 02:07:01
/modules.php?name=Your_Account 2006-06-05 23:55:10
/modules.php?name=Your_Account&op=gfx&random_num=641576 2006-06-05 23:55:06
/modules.php?name=Your_Account&op=new_user 2006-06-05 23:55:02
/modules.php?name=Your_Account 2006-06-05 23:15:42
/modules.php?name=Your_Account&op=gfx&random_num=673057 2006-06-05 23:15:39
/modules.php?name=Your_Account&op=new_user

I put on Approve Membership and the emails came pouring in so I turned off Your Account for a while. Raven kicked me in the direction of this forum and I put those domains above in NukeSentinel's string blocker and it stopped the zombies good as garlic. Here is Approve Membership for nuke 6.9 Only registered users can see links on this board! Get registered or login!

_________________
Computer Science is no more about computers than astronomy is about telescopes.
- E. W. Dijkstra 
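The quoted log above shows the same three requests each time (new_user, gfx, then a bare Your_Account hit) only seconds apart, and that interval can be measured. This is an added example, not code from the thread: the function names, the reading of the bare Your_Account hit as the form submit, and the 30-second floor are assumptions; the sample lines are copied from the quoted log.

```php
<?php
// Added example, not code from the thread. Function names, the reading of a
// bare Your_Account hit as the form submit, and the 30 s floor are assumptions.

// Parse "<request> <Y-m-d H:i:s>" lines (newest first) into array(op, time), oldest first.
function parse_hits($log)
{
    $hits = array();
    $re = '#name=Your_Account(?:&op=(\w+))?\S*\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)#';
    foreach (explode("\n", trim($log)) as $line) {
        if (preg_match($re, $line, $m)) {          // lines without a timestamp are skipped
            $op = ($m[1] !== '') ? $m[1] : 'submit';
            $hits[] = array($op, strtotime($m[2] . ' UTC'));
        }
    }
    return array_reverse($hits);
}

// Seconds from each new_user form load to the next submit.
function form_fill_times($hits)
{
    $times  = array();
    $loaded = null;
    foreach ($hits as $hit) {
        list($op, $ts) = $hit;
        if ($op === 'new_user') {
            $loaded = $ts;
        } elseif ($op === 'submit' && $loaded !== null) {
            $times[] = $ts - $loaded;
            $loaded  = null;
        }
    }
    return $times;
}

// Sample: six lines copied from the quoted log.
$log = <<<'LOG'
/modules.php?name=Your_Account 2006-06-07 00:34:04
/modules.php?name=Your_Account&op=gfx&random_num=335980 2006-06-07 00:34:01
/modules.php?name=Your_Account&op=new_user 2006-06-07 00:33:58
/modules.php?name=Your_Account 2006-06-06 02:25:45
/modules.php?name=Your_Account&op=gfx&random_num=889978 2006-06-06 02:25:34
/modules.php?name=Your_Account&op=new_user 2006-06-06 02:25:21
LOG;

$min_seconds = 30;   // assumed floor for a person to read and fill in the form
foreach (form_fill_times(parse_hits($log)) as $secs) {
    echo $secs, 's: ', ($secs < $min_seconds ? "faster than the floor\n" : "normal\n");
}
```

In a live check the form-load time would be kept per visitor (for example in the session) so that hits from different clients are never paired.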
southern
Posted: Wed Jun 07, 2006 12:41 pm

BTW I'm getting some useragents mixed with the IPs NS blocks
Code:


1.1 penguin.cs.*
1.1 localhost..*
1.1 TR-HJ9JTYBY4H69..*
1.1 Symantec_Web_Security (3.0.*
1.1 PROXY..*
 1.1 ISA..*
1.1 YTYH-VGZ24D16M4..*
1.1 cache1:80 (DataReactor/4.0.*

Would someone know a useragent code for htaccess to block these? Thanks
 
djmaze
Subject Matter Expert


Joined: May 15, 2004
Posts: 719
Location: http://tinyurl.com/5z8dmv

Posted: Wed Jun 07, 2006 3:09 pm

Here's a website that gets really spammed Only registered users can see links on this board! Get registered or login!
 
southern
Posted: Wed Jun 07, 2006 6:54 pm

Tough t!tty... I want to block those useragents not gawp at spammed sites. *grumble mutter* Hiya DJMaze!
 
jimmo
Worker


Joined: Dec 08, 2005
Posts: 107

Posted: Sat Jun 10, 2006 4:02 am

I created a hack for the Your Account module that checks the email address and posted it to Only registered users can see links on this board! Get registered or login!. Admittedly, it is embarrassing to say that I was not aware of the string blocker settings. I am going to do both to be sure.

My only concern about the string blocker is when someone mentions the domains in a forum post, won't that get blocked as well?

BTW, what these bozos did on my site was to flood the News comments with all sorts of spam, primarily for porno sites. There were a few thousand commands, but they were easy enough to delete.

regards,

jimmo

My current list of bad domains:

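Two points from the thread in one added example, which is not NukeSentinel or Your Account code: the trailing whitespace that kept pasted entries from matching, and the concern that a substring match over the whole request also catches posts that merely mention a domain. The function names are hypothetical and the sample list and addresses are constructed; it goes beyond the thread by matching only the domain part of the registration e-mail address.

```php
<?php
// Added example; not NukeSentinel or Your Account code.
// parse_blocklist() and email_domain_blocked() are hypothetical names.

// Clean up a pasted blocker list: a trailing space or "\r" left on an
// entry means "mespacha.com " is searched for in "user@mespacha.com"
// and never found.
function parse_blocklist($raw)
{
    $entries = array();
    foreach (preg_split('/\r\n|\r|\n/', $raw) as $line) {
        $line = strtolower(ltrim(trim($line), '@'));
        if ($line !== '') {
            $entries[$line] = true;        // keys de-duplicate the list
        }
    }
    return array_keys($entries);
}

// True when the address's domain is a listed domain or a subdomain of
// one. Only the e-mail field is tested, so a post that merely mentions
// a listed domain is untouched.
function email_domain_blocked($email, $blocklist)
{
    $at = strrpos($email, '@');
    if ($at === false) {
        return false;                      // no domain part to test
    }
    $domain = strtolower(trim(substr($email, $at + 1)));
    foreach ($blocklist as $blocked) {
        $suffix = '.' . $blocked;
        if ($domain === $blocked
            || substr($domain, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed sample: pasted list with a trailing space on every line but the last.
$raw  = "mespacha.com \nwisral.com \nzeppele.com";
$list = parse_blocklist($raw);

var_dump($list);
var_dump(email_domain_blocked('drakula4963@mespacha.com', $list)); // listed domain
var_dump(email_domain_blocked('someone@notmespacha.com', $list));  // look-alike suffix
var_dump(strpos('drakula4963@mespacha.com', "mespacha.com "));     // raw, untrimmed entry
```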
 
kenwood
Worker


Joined: May 18, 2005
Posts: 119
Location: SVCDPlaza

Posted: Sat Jun 10, 2006 4:17 am

southern wrote:
BTW I'm getting some useragents mixed with the IPs NS blocks
Code:


1.1 penguin.cs.*
1.1 localhost..*
1.1 TR-HJ9JTYBY4H69..*
1.1 Symantec_Web_Security (3.0.*
1.1 PROXY..*
 1.1 ISA..*
1.1 YTYH-VGZ24D16M4..*
1.1 cache1:80 (DataReactor/4.0.*

Would someone know a useragent code for htaccess to block these? Thanks


I have the same problem, southern; see Only registered users can see links on this board! Get registered or login!
And no solution at this moment.
 
micah
Hangin' Around


Joined: May 25, 2006
Posts: 40

Posted: Tue Jun 13, 2006 9:33 pm

I have now taken the above list and have added some of the other sites that have hit me. What a pain in the butt this is.

 
Guardian2003
Posted: Wed Jun 14, 2006 5:52 am

You think that's a pain? You should see my list at over 2000
 
djmaze
Posted: Wed Jun 14, 2006 9:21 am

Wow, 2000. If you contacted me earlier this month I had a 5000+ list for ya.
I've decided to trash it and figure out other ways to block it like a max [url] count
 
kguske
Posted: Wed Jun 14, 2006 10:23 am

Go, djmaze, go!
 
Guardian2003
Posted: Wed Jun 14, 2006 12:04 pm

Amazing, that list would have been useful!
How would blocking using a max url count work?
Sorry I'm just not seeing the connection, (in my naivety). Something like counting the number of URLs in the string?
 
djmaze
Posted: Wed Jun 14, 2006 1:34 pm

You can't stay banning domains or you might end up banning potential customers.

"Do not try and bend the spoon, that's impossible.
Instead try and realize the truth"

So instead try to figure out ways how to block posts they make using special techniques.

1. Check HTTP_USER_AGENT if not a valid browser string then block Only registered users can see links on this board! Get registered or login!

2. Count urls used in the post (needs PHP 5.1)
Code:
      # [url] local

      $patterns[] = "#\[url\]([\w]+(\.html|\.php|/)[^ \[\"\n\r\t<]*?)\[/url\]#ise";
      $replacements[] = "'<a href=\"\\1\" title=\"\\1\" class=\"postlink\">'.shrink_url('\\1').'</a>'";
      $patterns[] = "#\[url=([\w]+(\.html|\.php|/)[^ \[\"\n\r\t<]*?)\](.*?)\[/url\]#is";
      $replacements[] = "<a href=\"\\1\" title=\"\\1\" class=\"postlink\">\\3</a>";

      # [url]xxxx://www.cpgnuke.com[/url]
      $patterns[] = "#\[url\]([\w]+?://[^ \[\"\n\r\t<]*?)\[/url\]#ise";
      $replacements[] = "'<a href=\"\\1\" target=\"_blank\" title=\"\\1\" class=\"postlink\" rel=\"nofollow\">'.shrink_url('\\1').'</a>'";
      # [url]www.cpgnuke.com[/url] (no xxxx:// prefix).
      $patterns[] = "#\[url\]((www|ftp)\.[^ \[\"\n\r\t<]*?)\[/url\]#ise";
      $replacements[] = "'<a href=\"http://\\1\" target=\"_blank\" title=\"\\1\" class=\"postlink\" rel=\"nofollow\">'.shrink_url('\\1').'</a>'";
      # [url=www.cpgnuke.com]cpgnuke[/url] (no xxxx:// prefix).
      $patterns[] = "#\[url=((www|ftp)\.[^ \"\n\r\t<]*?)\](.*?)\[/url\]#is";
      $replacements[] = "<a href=\"http://\\1\" target=\"_blank\" title=\"\\1\" class=\"postlink\" rel=\"nofollow\">\\3</a>";
      # [url=xxxx://www.cpgnuke.com]cpgnuke[/url]
      $patterns[] = "#\[url=([\w]+://[^ (\"\n\r\t<]*?)\](.*?)\[/url\]#is";
      $replacements[] = "<a href=\"\\1\" target=\"_blank\" title=\"\\1\" class=\"postlink\" rel=\"nofollow\">\\2</a>";

      // make_clickable
      $patterns[] = "#(^|[\n ])([\w]+?://[\w]+[^ \"\n\r\t<]*)#ise";
      $replacements[] = "'\\1<a href=\"\\2\" rel=\"nofollow\" title=\"\\2\" target=\"_blank\">'.shrink_url('\\2').'</a>'";

      $patterns[] = "#(^|[\n ])((www|ftp)\.[^ \"\t\n\r<]*)#ise";
      $replacements[] = "'\\1<a href=\"http://\\2\" rel=\"nofollow\" target=\"_blank\" title=\"\\2\">'.shrink_url('\\2').'</a>'";

      $text = preg_replace($patterns, $replacements, $text,4,$count);

if ($count > 3) die('not allowed');
or use something like preg_match or whateffa if you're on PHP4
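The link-count idea from the post above, as an added example that is not djmaze's code: it counts links with preg_match_all(), so it does not need the $count argument that preg_replace() gained in PHP 5.1. count_links() and $max_links are hypothetical names, and the sample posts are constructed.

```php
<?php
// Added example, not djmaze's code; count_links() and $max_links are
// hypothetical names.

// Count the links a post would produce: BBCode [url] tags plus bare
// scheme:// and www./ftp. addresses. One alternation is scanned left to
// right, so a [url] tag consumes the address inside it and every link
// is counted once.
function count_links($text)
{
    $pattern = '#\[url(?:=[^\]\r\n]*)?\].*?\[/url\]'   // [url]..[/url], [url=..]..[/url]
             . '|\b[a-z][a-z0-9+.-]*://[^\s\[<"]+'      // bare scheme://address
             . '|\b(?:www|ftp)\.[^\s\[<"]+#is';         // bare www. / ftp. address
    return preg_match_all($pattern, $text, $matches);
}

$max_links = 3;   // same threshold as the post above: more than 3 is refused

// Constructed sample posts.
$spam = "[url=http://a.example/]x[/url] [url]http://b.example/[/url] "
      . "http://c.example/ www.d.example";
$ham  = "See http://www.example.org/docs and [url=http://example.com]this[/url].";

foreach (array($spam, $ham) as $post) {
    $n = count_links($post);
    echo $n, ($n > $max_links ? " links: refused\n" : " links: accepted\n");
}
```

The check belongs before the comment or post is saved, on the raw submitted text rather than on the rendered HTML.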
 
micah
Posted: Wed Jun 14, 2006 6:28 pm

I, as well as many others, would be very appreciative if you would be able to tell me/us how to implement your suggestions on nuke 7.6.
 
All times are GMT - 6 Hours
 