Ravens PHP Scripts: Forums
 

 

Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™
magnum
Client


Joined: Jun 23, 2006
Posts: 83

Posted: Wed Sep 27, 2006 11:48 pm

I had a person trying to register on my page and Sentinel kept saying it was a Santy worm attack. After reading further, I found that the word "rush" in his name was setting it off. I turned Santy worm off in Sentinel and he was able to register. Now my question is: if I turn the Santy worm back on in Sentinel, will he be blocked from logging on? Or should I leave it off? Is the page at risk if it's left off? Thank you.

_________________
Nukes real friend is a big cup of Java with a valium stirred in.
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9453
Location: Arizona

Posted: Thu Sep 28, 2006 5:55 am

When those attacks were being made, people were trying to stop it with .htaccess directives. Several folks posted these to stop Santy and possibly other attacks:

Code:


# mod_rewrite must be switched on for the conditions below to take effect
RewriteEngine On
# The conditions are OR-ed: any single match triggers the redirect
RewriteCond %{HTTP_USER_AGENT} ^LWP                     [NC,OR]
RewriteCond %{REQUEST_URI} ^visualcoders                [NC,OR]
RewriteCond %{QUERY_STRING} rush=([^&]+)                [NC,OR]
RewriteCond %{REQUEST_URI} ^envidiosos                  [NC,OR]
RewriteCond %{REQUEST_URI} ^civa                        [NC,OR]
#variant-6 redirect all inner http:// request
RewriteCond %{QUERY_STRING} ^(.*)http://(.*)$           [NC,OR]
#variant-7 redirect all inner http request regardless if encoded
RewriteCond %{QUERY_STRING} ^(.*)http%3A%2F%2F(.*)$     [NC,OR]
#Variant-X
RewriteCond %{REQUEST_URI} ^(.*)cgi-bin(.*)             [NC,OR]
# Last condition has no OR flag: a trailing OR makes the rule match every request
RewriteCond %{QUERY_STRING} ^(.*)wget(.*)$              [NC]
# Matching requests are redirected to the loopback address
RewriteRule ^.*$ http://127.0.0.1 [R,L]


This is probably overkill. It is also possible that the whole issue has been resolved already with phpBB, but not sure. You can see the "rush=" line?

technocrat
Life Cycles Becoming CPU Cycles


Joined: Jul 07, 2005
Posts: 511

Posted: Thu Sep 28, 2006 9:14 am

The Santy attack is pretty much old news. There really isn't a reason to continue to block against it. Even more so if you have been keeping up on your forum patches.

magnum
Posted: Thu Sep 28, 2006 10:32 am

Thanks very much :)
 
montego
Posted: Thu Sep 28, 2006 8:05 pm

technocrat, thanks!
 
Doulos
Life Cycles Becoming CPU Cycles


Joined: Jun 06, 2005
Posts: 633

Posted: Sat Apr 12, 2008 9:28 pm

I am getting the same issue with the name Soul_Crusher.

This user keeps getting this message when he tries to log in:
Quote:
Possible Santy Worm Attack!

The weird thing is if after getting the above warning, he just types in our URL, it goes to our home page and he is logged in.

Soul_Crusher is not in my htaccess file, the only instance that is remotely similar is one of "Conecrusher"

Turned off Santy Worm protection.
 
jakec
Site Admin


Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom

Posted: Sun Apr 13, 2008 4:42 am

What settings did you have for the blocker? It may not have been set to permanently block.

Anyway by the sounds of it you should not be at risk anymore if you disable the blocker, if you are running the latest patches etc.
 
Doulos
Posted: Sun Apr 13, 2008 9:24 am

I don't even know if there are settings I can change. I just had the Santy Worm Protection set to ON, in the NS admin main page.
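
Added example, not part of the thread and not NukeSentinel's code: it runs three ways of matching the "rush" marker over constructed query strings to show why names like Soul_Crusher produce false positives. `substring_filter` is an assumed model of the behaviour the posters describe, `htaccess_filter` uses the regex from the RewriteCond quoted earlier in the thread, and `param_name_filter` is a hypothetical tighter check.

```python
import re
from urllib.parse import parse_qsl

def substring_filter(query: str) -> bool:
    """Assumed model: flag any request whose query contains "rush" anywhere."""
    return "rush" in query.lower()

# Regex taken from the thread's RewriteCond: rush=([^&]+) with the NC flag.
HTACCESS_RUSH = re.compile(r"rush=([^&]+)", re.IGNORECASE)

def htaccess_filter(query: str) -> bool:
    """Unanchored match, so it also fires on parameters that merely end in "rush"."""
    return HTACCESS_RUSH.search(query) is not None

def param_name_filter(query: str) -> bool:
    """Hypothetical tighter check: a parameter named exactly "rush" with a value."""
    pairs = parse_qsl(query, keep_blank_values=True)
    return any(name.lower() == "rush" and value for name, value in pairs)

# Constructed sample queries: (query string, should it be flagged?)
SAMPLES = [
    ("username=Soul_Crusher&op=login", False),   # name from the thread
    ("username=rushfan&op=new_user", False),     # "rush" inside a value
    ("topic=12&crush=1", False),                 # parameter ending in "rush"
    ("t=5&rush=value", True),                    # the parameter the rule targets
    ("t=5&RUSH=value", True),                    # same, different case
]

def evaluate(filter_fn):
    """Return (false_positives, false_negatives) for a filter over SAMPLES."""
    false_pos = [q for q, bad in SAMPLES if filter_fn(q) and not bad]
    false_neg = [q for q, bad in SAMPLES if not filter_fn(q) and bad]
    return false_pos, false_neg

if __name__ == "__main__":
    for fn in (substring_filter, htaccess_filter, param_name_filter):
        fp, missed = evaluate(fn)
        print(f"{fn.__name__}: false positives={fp} missed={missed}")
```
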
 
All times are GMT - 6 Hours
 