Author |
Message |
Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA
|
Posted:
Sat Mar 29, 2008 5:07 pm |
|
I'm seeing these now:
Code:
Date & Time: 2008-03-29 15:44:32 CDT GMT -0500
Blocked IP: 89.149.241.126
User ID: Anonymous (1)
Reason: Abuse-Script
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FREE; .NET CLR 1.1.4322)
Query String: [ Only registered users can see links on this board! Get registered or login! ]
Get String: [ Only registered users can see links on this board! Get registered or login! ] Result: captcha recognized;registered;logged in;probably, registration failed (activation code was sent / there are additional protection used on forum / forum SQL-error / ...); Result: invalid;not found;no post sending forms are found;
Post String: [ Only registered users can see links on this board! Get registered or login! ]
Forwarded For: none
Client IP: none
Remote Address: 89.149.241.126
Remote Port: 3523
Request Method: GET
|
Looks like they have a script that analyzes your Nuke/phpBB setup. Either that or their script is really malfunctioning. You wouldn't expect that stuff to get passed in the get string like that, would you? |
_________________ GCalendar - An Event Calendar for PHP-Nuke
Member_Map - A Google Maps Nuke Module |
|
|
|
Susann
Moderator
Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support
|
Posted:
Sat Mar 29, 2008 5:42 pm |
|
I have seen similar things but not exact the same in my logs.
However, it not a surprise because there are tools and scripts available for this.
Also it doesn´t bring anything to ban the country because they usally use proxies. |
|
|
|
|
slackervaara
Worker
Joined: Aug 26, 2007
Posts: 236
|
Posted:
Sat Mar 29, 2008 11:01 pm |
|
I have not noticed this yet. I have this in my .htaccess that should block 97 % of all proxies. Sentinel have not stopped a single hacker since I added it:
RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule .* - [F] |
|
|
|
|
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
|
Posted:
Sun Mar 30, 2008 1:27 am |
|
|
|
|
gregexp
The Mouse Is Extension Of Arm
Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol
|
Posted:
Mon Mar 31, 2008 2:55 pm |
|
I've seen this alot, with my old job. I've not had time to test it, but from what I could tell, it was something that was exploitable in the version of php-nuke that was installed with fantastico.
Who would have thought it. Cpanel and fantastico releasing exploitable scripts |
_________________ For those who stand shall NEVER fall and those who fall shall RISE once more!! |
|
|
|
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
Posted:
Thu Apr 03, 2008 5:30 am |
|
slackervaara, that is an interesting list indeed. I am going to have to mull this list over some more...
Just this list alone might make for interesting discussion. Any thoughts regarding slackervaara's list? Will there be false positives with this list? I.e., some legitimate users blocked?
I am seriously considering adding these, but am interested in community input. |
_________________ Where Do YOU Stand?
HTML Newsletter::ShortLinks::Mailer::Downloads and more... |
|
|
|
slackervaara
|
Posted:
Thu Apr 03, 2008 5:55 am |
|
I have got only two complaints since I started with this in my .htaccess. One member could not access the site from her job anylonger and the another could not access the site from his health workers office. I guess those computers must be behind a proxy and thus blocked. I got the tip about this from a Norwegian PHP-Nuke site. |
|
|
|
|
montego
|
Posted:
Thu Apr 03, 2008 6:24 am |
|
Yes, that sounds right to me. It was one of my concerns. I have also had folks with various levels of "anonymizers" on their PC (for example, even Norton Internet Security) which can even affect NukeSentinel(tm).
Interesting... let us see what others have to say too. Good discussion. |
|
|
|
|
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
|
Posted:
Thu Apr 03, 2008 6:42 am |
|
I would be interested to see how those lines affect AOL users.
Anyone here using AOL? |
|
|
|
|
gregexp
|
Posted:
Thu Apr 03, 2008 1:27 pm |
|
EWWWW, AOL, stay away!!!!
lol, only kidding.
The only problem I do see, is there are many proxy servers out there that dont broadcast that they are proxy servers, which this list looks like it will require they broadcast that they are proxies.
I personally wonder what would happen with custom browsers, like Linux browsers and some Windows browsers. |
|
|
|
|
slackervaara
|
Posted:
Thu Apr 03, 2008 2:33 pm |
|
I have tested in Windows XP with:
Firefox, Explorer, Opera, Safari and all works OK.
in Linux Mandriva 2006:
Firefox, Konqueror, Ephiphany works all OK
I have used this in my .htacces since Jan 25 this year and Sentinel has not caught a single hacker since that start. |
|
|
|
|
gregexp
|
Posted:
Thu Apr 03, 2008 3:40 pm |
|
There are a few others, but with your testing, I dont think you would have a problem with even those.
I suppose the next question would be, does it block with certain ISP's. which like to add their own headers, AOL being one of those.
Then, can you get visitors from all countries? |
|
|
|
|
slackervaara
|
Posted:
Thu Apr 03, 2008 7:30 pm |
|
I have a Scandinavian site, but there are mainly US IP:s I guess mainly from search engines like Google. There are also rather many visitors from non-Scandinavian countries too. I don't know about AOL and I also have the proxy blocker on in Sentinel, but this in .htaccess seems more effective to me. |
|
|
|
|
redhairz
Worker
Joined: Nov 17, 2006
Posts: 222
|
Posted:
Fri Apr 04, 2008 3:31 am |
|
slackervaara wrote: | I have not noticed this yet. I have this in my .htaccess that should block 97 % of all proxies. Sentinel have not stopped a single hacker since I added it:
RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule .* - [F] |
many isp is using the proxy thingy if RN add this into here i'll be block out lol i will give a try on these and see the results. |
_________________ Jesus is Alive, He is our joy, be it good times or bad time. |
|
|
|
redhairz
|
Posted:
Fri Apr 04, 2008 3:34 am |
|
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR] what does this mean? |
|
|
|
|
montego
|
Posted:
Fri Apr 04, 2008 5:31 am |
|
redhairz, it means there is no User Agent being passed within the headers.
BTW, if you have that type of proxy situation, why not you two try and test out whether you get blocked from his site or not. That would be a useful test and would be nice to post the results here I think. |
|
|
|
|
slackervaara
|
Posted:
Fri Apr 04, 2008 5:59 am |
|
You can check, if you are blocked from my site if you are behind a proxy: |
Last edited by slackervaara on Mon Jun 09, 2008 8:52 pm; edited 1 time in total |
|
|
|
redhairz
|
Posted:
Sun Apr 27, 2008 9:39 am |
|
there was no blocking here in RN site. if the sn is set to lite or higher the sn will block it. |
|
|
|
|
|