How is this IP still getting through?

Posted: Thu May 13, 2004 7:51 pm

I am trying to figure out how ip 200.177.162.127 is still able to access one of my sites. After the first hack attempt, I banned it in Protector and .htaccess and destroyed the session. Next day, it was back again. I thought I must have typed in the ip wrong. I hadn't, but I deleted it and re-added it (both places). I stopped getting UNION hack attempts on existing modules, but started getting dozens of attempts from this same ip on modules I don't have, like coppermine. My_eGallery, and 4nalbum. I caught them in the error messages. I wrote a redirect script to a particularly nasty site, named it for each of the scripts the ip was trying to access and dumped them into folders for his viewing pleasure.

This is the only banned ip that does not appear to stay banned. Does anyone have any ideas? The only thing I can think of at the moment is he is somehow using a cache of my site.

Posted: Thu May 13, 2004 9:37 pm

Take it up a notch and ban the whole 200 range for a while

htaccess
deny from 200.*.*.*

Posted: Thu May 13, 2004 9:47 pm

And so that you know that it's working add you own ip to your site's htaccess file and try viewing it afterwards.

Posted: Thu May 13, 2004 10:10 pm

I remember you posting something about the coppermine ect... a few days ago they must have automated a script that tests for more then one exploitable module now. The only question is why is it returning to your site when its failed so many times? I really thought these guys had more on the ball them that. Using the same IP isn't a suprise no one seems to get much of a response from their abuse dept.

They must be using a search engine to harvest domains the come back to phpnuke? Then are just recycling the same list over and over. Could be why so many people are hit once fix it just to get slammed within days by another attack to a different module ect.. maybe there is more to the security through obscurity approach then we give credit for.

Posted: Thu May 13, 2004 11:35 pm

Thanks for the advice - I will try everything suggested and let you know what happens. I really wanted to avoid banning 200. I did that once, then took them off the list and eventually ended up with some decent members from Brazil. But maybe a temporary ban will clear whatever he is using in his attack. I am inclined to think it is some kind of automated script because the gallery attacks are always the same kind and always within seconds of each other, though the modules and scripts he is attempting to access are different.

Quote:

A 404 error was encountered by 200.177.162.127 using Mozilla 4.0 (Linux) at 04:05:39

A 404 error was encountered by 200.177.162.127 using Mozilla 4.0 (Linux) at 04:05:38.

A 404 error was encountered by 200.177.162.127 using Mozilla 4.0 (Linux) at 04:05:37.

I left out what he was trying to access in the above, but I have a folder full of similar stuff over the past two weeks. That was one reason I set up a redirect script for everything he was trying to access. A couple of weeks ago I was checking through direct calls to hackattempt.php and found the referrer was a Russian hacking forum. My site (along with others) was listed in in their "flood" forum. I changed the name of hackattempt.php to something else, then put up a redirect script and named it hackattempt.php. A couple of days afterwards I checked the hacker forum and saw the post had been removed. This may be something similar, an attempt to flood through error monitoring, possibly to hide something else in a rift of messages, but more likely to annoy. I deliberately left 1 script he keeps trying to access out of my redirects so I could track whether banning him was being at all successful without a flurry of mail. The last attempt was the 13th.

(edited to correct date - last attempt was the early morning of the 13th).

Posted: Fri May 14, 2004 9:26 am

Interesting stuff I wasn't aware of public "Flood" lists. They are going on the attack trying to show that they can turn a convenient script like hackalert into a DOS attack of its own.

I really like your colorful method of coping!

Hangin' Around Joined: Mar 22, 2004 Posts: 49

Ooo, here's an idea, make your re-direct open up a new email msg window everytime they hit it, as an idea look at this link, which I won't make live

Code:

http://nettwerked.mg2.org/code/outlooksploit.html

It does nothing bad other than open up a new email msg window, which if they're trying to flood you then it will piss them off something terrible Smile

Posted: Fri May 14, 2004 9:37 pm

<?php
$i = 0;

do
{
sleep(10);
$i++;
}
while($i<6);
echo "It took this system 60 seconds to determine YOU SUCK!";
?>

Client Joined: Jan 29, 2004 Posts: 624

You might want to look at htaccess posts at this site, ladysilver, courtesy of sixone who referred me to it:
[ Only registered users can see links on this board! Get registered or login! ]

Posted: Sun May 16, 2004 9:12 pm

Thanks again for all the helpful suggestions. Smile

I did not ban the 200 range, but I tested by banning myself in .htaccess and that worked so it seems the problem was not in .htaccess. He is no longer getting past the ban, though I will continue to keep an eye out for him in my logs and lists. I'm am wondering now if he somehow hijacked a user session or cookie. I reduced Nuke's default cookie to a 5-day expiry, and that coincides with the length of time he was getting around the ban, though it may be an unrelated coincidence.

sixone, here is the forum where my site and several others that use hackattempt.php were listed. The post was taken down (or moved - I am not a member and a search attempt took me to login). mazafaka*dot*ru/forum/index.php.

Posted: Sun May 16, 2004 10:43 pm

Thank you ladysilver always interested in fun and exciting sites to visit wink*

Posted: Mon May 17, 2004 10:13 am

ladysilver wrote:

Thanks again for all the helpful suggestions. Smile

I did not ban the 200 range, but I tested by banning myself in .htaccess and that worked so it seems the problem was not in .htaccess. He is no longer getting past the ban, though I will continue to keep an eye out for him in my logs and lists. I'm am wondering now if he somehow hijacked a user session or cookie. I reduced Nuke's default cookie to a 5-day expiry, and that coincides with the length of time he was getting around the ban, though it may be an unrelated coincidence.

sixone, here is the forum where my site and several others that use hackattempt.php were listed. The post was taken down (or moved - I am not a member and a search attempt took me to login). mazafaka*dot*ru/forum/index.php.

Ah, those make wonderful keepsakes, getting listed on some self styled hacking forum. See here for my own keepsake.
Just put that site's IP 213.248.54.79 in your htaccess... dang someday I need to learn Dutch or whatever they speak on that forum, and Arabic too. Smile

Posted: Sun Jun 13, 2004 3:57 pm

OK, I've started using bablefish to translate live that site in Russia... followed a link to another site...

[ Only registered users can see links on this board! Get registered or login! ] dot*rootlab*dot*ru/exploits/phpnuke.htm

b@st@rds....

babelfish failed in this particular translation , but you can get the jiist of where to look in 7.3 for their favourite exploits, etc...... Crying or Very sad

Posted: Mon Jun 14, 2004 8:37 am

southern wrote:

You might want to look at htaccess posts at this site, ladysilver, courtesy of sixone who referred me to it:
[ Only registered users can see links on this board! Get registered or login! ]

So, using that code in our .htaccess file:

Code:




# deny most common except .php 


<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module|exe)$"> 


deny from all 


</FilesMatch> 





#Disable .htaccess viewing from browser 


<Files ~ "^\.ht"> 


    Order allow,deny 


    Deny from all 


    Satisfy All 


</Files> 





<Files ~ "\config.php$"> 


deny from all 


</Files>

Allows us to protect the config and .htaccess files from being "seen" in the browser then, correct?

Posted: Mon Jun 14, 2004 9:25 am

Yes sir thats correct.

Posted: Mon Jun 14, 2004 2:59 pm

And if you don't believe sixone try viewing the files in your browser before and after you use the codes. And I'm sticking to that!™