Ravens PHP Scripts: Forums
 

 

selma
Hangin' Around


Joined: May 09, 2006
Posts: 31

Posted: Fri Jul 13, 2007 3:48 pm

Sorry elric,

That was a new topic that should have gone in its own thread. So I took it out of here and started a new thread.

But, regarding the large number of attackers found by sentinel; Susanne suggested looking in the logs.

When I did look in the NS tracked IP logs I found that more than half the traffic to my site was from a very tight spread of IP addresses. They were only different by a couple of numbers (74.6.23.4 then .21.3 then 22.5). Sometimes there were 50 of them on-site at the same time.

My abuse count rose by at least 5 each day.

Looking at the logs though, which also tells you what they were doing on your site, I just blocked them. Some of the really irritating ones I blocked and forwarded to the PC Killer templates.

The site in question always had 25 - 60 people on line at a time. Which did not make sense because it was a community arts program that doesn't even happen for 4 months. Should only have 50 visitors or less in a day at this point.

Noticed a dramatic decrease in activity after the changes.

Susanne mentioned the send to friend activity. Noticed that the same IPs were sending to friends 20 times a day - every day.

But those IPs were also in that range of those that spanned a limited range of addresses.

Good Luck
 
Susann
Moderator


Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

Posted: Fri Jul 13, 2007 6:21 pm

But such entries from Yahoo are harmless.

74.6.29.36 - - [13/Jul/2007:23:59:28 +0200] "GET /article-friend-147.html HTTP/1.0" 302 26 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; Only registered users can see links on this board! Get registered or login!"

74.6.23.4 is INKTOMISEARCH.COM - that's also Slurp.

Slurp is very active currently.
 
selma
Posted: Fri Jul 13, 2007 7:45 pm

hmmm,

So I wonder if they would have been on site that much. 30 - 60 hits all at one time is a serious jump in activity for this site.

I'll go back and look and see if I can see a difference in search engine use and any others. Sure is quiet without them though.

Good information. Worth looking into. Thanks
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

Posted: Sat Jul 14, 2007 8:29 am

selma wrote:
So I wonder if they would have been on site that much. 30 - 60 hits all at one time is a serious jump in activity for this site.


That, most definitely, would be the profile of a search engine revving it up so to speak. I get this from time-to-time, and, yes, Yahoo in my opinion, has been the "worse".

You might want to check out this post on Guardian's site:
Only registered users can see links on this board! Get registered or login!

elric
New Member


Joined: Jun 15, 2007
Posts: 13

Posted: Sat Jul 14, 2007 12:23 pm

selma wrote:
Sorry elric,

That was a new topic that should have gone in its own thread. So I took it out of here and started a new thread.


No need for sorry's, any information is good information, and thanks Susann and montego as well.

I'm looking through my logs now.

Might be a suggestion for Sentinel, when I view what the tracked IP etc looked at, for example /modules.php?name=Reviews&rop=write_review
It would be nice to have the option on that screen to block the User or IP etc, the only option I see is url/admin.php?op=ABTrackedDeleteSave&tid=243301&user_id=1&ip_addr=212.87.151.18&column=date&direction=desc&min=0
I keep having to go back to the main screen whilst remembering the IP so that I can block it.

Also an option to remove them from the tracked page if I block them.

Back on track, I have noticed quite a number of hits to /modules.php?name=Reviews&rop=write_review
while I have reviews as an inactive module.
 
selma
Posted: Sat Jul 14, 2007 5:57 pm

I'd love to think that real searchers are hitting that site that often. Would actually be kind of nice.

I did check through the logs though. Most are from Yahoo, Inktomi and MSN. Can't complain about that for sure. So I unblocked them - lol

The ones that were going directly to mail and trying to send adverts, I had already sent to the pc killer, so not much more from them. Guardian's Spam Blocker is making it easy to catch a lot of trash too.

Would be so tempting to just relax, now that I've had two whole quiet days. But I see the post about the Italian mail worm, so I guess it isn't time for that yet.

Someday ...
Have a great weekend everyone
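
An added example, not part of the original posts: one way to separate genuine crawler ranges from hosts that only claim a crawler user agent is to group access-log hits by /16 and apply forward-confirmed reverse DNS before blocking or unblocking. The agent-to-domain map uses only the Slurp/INKTOMISEARCH.COM pairing named in the thread and is an assumption; the host names, the 203.0.113.9 and 198.51.100.7 entries, and the table-backed resolvers are constructed sample data.

```python
import re
import socket
from collections import defaultdict

# Combined-log line: client IP first, user agent in the last quoted field.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
# Assumption: agent token -> reverse-DNS suffix, the one pairing named in the thread.
CRAWLER_DOMAINS = {"Yahoo! Slurp": ".inktomisearch.com"}

def dns_ptr(ip):  # live reverse lookup
    return socket.gethostbyaddr(ip)[0]
def dns_fwd(host):  # live forward lookup
    return socket.gethostbyname_ex(host)[2]

def verify_crawler(ip, agent, ptr=dns_ptr, fwd=dns_fwd):
    """True/False when the agent claims a known crawler, None when it does not."""
    for token, suffix in CRAWLER_DOMAINS.items():
        if token in agent:
            try:
                host = ptr(ip).lower()
                # PTR must sit in the crawler's domain AND resolve back to the IP.
                return host.endswith(suffix) and ip in fwd(host)
            except (OSError, KeyError):  # lookup failed
                return False
    return None

def classify(lines, ptr=dns_ptr, fwd=dns_fwd):
    """Group hits by /16 and label each range; unparsable lines are skipped."""
    ranges = defaultdict(lambda: {"hits": 0, "ips": set(), "label": "unknown"})
    for m in filter(None, map(LINE.match, lines)):
        ip, agent = m.groups()
        r = ranges[".".join(ip.split(".")[:2]) + ".0.0/16"]
        r["hits"] += 1
        r["ips"].add(ip)
        ok = verify_crawler(ip, agent, ptr, fwd)
        if ok is False or (ok and r["label"] == "unknown"):
            r["label"] = "verified-crawler" if ok else "spoofed-crawler-agent"
    return dict(ranges)

# Constructed sample data: host names and the last two IPs are made up.
FAKE_PTR = {"74.6.23.4": "c1.inktomisearch.com", "74.6.29.36": "c2.inktomisearch.com",
            "203.0.113.9": "host9.example.net"}
def fake_ptr(ip):
    return FAKE_PTR[ip]
def fake_fwd(host):
    return [ip for ip, h in FAKE_PTR.items() if h == host]

FMT = '{} - - [13/Jul/2007:23:59:28 +0200] "GET /article-friend-147.html HTTP/1.0" 302 26 "-" "{}"'
SLURP = "Mozilla/5.0 (compatible; Yahoo! Slurp)"
SAMPLE = [FMT.format(ip, ua) for ip, ua in [("74.6.23.4", SLURP), ("74.6.29.36", SLURP),
          ("203.0.113.9", SLURP), ("198.51.100.7", "Mozilla/4.0")]]
```

Calling `classify(SAMPLE, fake_ptr, fake_fwd)` runs offline against the constructed table; leaving the resolver arguments out uses live DNS.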
 
elric
Posted: Sun Jul 15, 2007 1:16 pm

I have just had my first day off as well "yippee"
I found some porn sites were in my referers, I have blocked them using the Protector System.

Let's hope our luck continues for a little while at least.
 
elric
Posted: Mon Jul 16, 2007 1:08 pm

Ok so it did not last long, just had another 4.

I have been checking sentinel for updates but I have a strange version
NukeSentinel(tm) 2.5.1
and it reports New version is availible! - 2.5.10 does this mean I actually have 2.5.01?
I have already uploaded the files but did not run the nsnst.php because I was unsure.
 
Susann
Posted: Mon Jul 16, 2007 1:34 pm

In nuke_nsnst_ config is this for the current version:

version_newest 2.5.10
version_number 2.5.10
and it reports "Your version is upto date!"

2.5.01 is from August 06 and 2.5.10 from June 07.
 
elric
Posted: Wed Jul 18, 2007 5:36 am

Thanks Susann,
Alas I'm still no wiser

nuke_nsnst_ config,
Version_check 1184648400
Version_newest 2.5.10
Version_number 2.5.1

It leaves me unsure and I don't want to do the wrong update.

Perhaps I should look through the update files to the database and compare my tables.
 
jakec
Site Admin


Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom

Posted: Wed Jul 18, 2007 5:45 am

It looks like you are using an old version of NS, but to be safe you could always uninstall NS and then reinstall 2.5.10.


Last edited by jakec on Wed Jul 18, 2007 10:31 am; edited 1 time in total 
Susann
Posted: Wed Jul 18, 2007 7:27 am

The version 2.5.1 is an updated patch version from last year.
 
elric
Posted: Fri Jul 20, 2007 2:13 pm

Thanks Susann, but I'm still unsure how to proceed, would my version be equivalent to 2.5.01 or do I need to do a different update first? I have searched around but can't find anything that gives direction from my version, the changes file included with the updates only refer to 2.5.01 or 2.5.10, somewhere I seem to have lost a zero.
I have NukeSentinel_2510_7080_Up at the ready and if it's safe to assume my version is 2.5.01 then I'll proceed, with something like sentinel I want to be a lot more positive before I start messing around.
 
Susann
Posted: Fri Jul 20, 2007 3:14 pm

I think your version is 2.5.01, some called the version 2.5.1up and others 2.5.1. However you should know about the date of your last update, but there is this nice feature in the NukeSentinel Administration which tells you "A New version is availible!" So just update from 2501-2502 etc. until you reach 2.5.10. Good luck!

Btw: Update also IP2Country
 
elric
Posted: Sat Jul 21, 2007 2:50 pm

Thank you Susann, you've inspired me with confidence.

I now feel happy to proceed, would have been nice if those version aliases were added to the changelog included with the updates but never mind, it's lucky we have knowledgeable people like you.
 
All times are GMT - 6 Hours