Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Sat Mar 29, 2008 5:07 pm Reply with quote

I'm seeing these now:

Code:


Date & Time: 2008-03-29 15:44:32 CDT GMT -0500
Blocked IP: 89.149.241.126
User ID: Anonymous (1)
Reason: Abuse-Script
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FREE; .NET CLR 1.1.4322)
Query String: Only registered users can see links on this board! Get registered or login!
Get String: Only registered users can see links on this board! Get registered or login! Result: captcha recognized;registered;logged in;probably, registration failed (activation code was sent / there are additional protection used on forum / forum SQL-error / ...); Result: invalid;not found;no post sending forms are found;
Post String: Only registered users can see links on this board! Get registered or login!
Forwarded For: none
Client IP: none
Remote Address: 89.149.241.126
Remote Port: 3523
Request Method: GET


Looks like they have a script that analyzes your Nuke/phpBB setup. Either that or their script is really malfunctioning. You wouldn't expect that stuff to get passed in the get string like that, would you?

_________________
Only registered users can see links on this board! Get registered or login! - An Event Calendar for PHP-Nuke
Only registered users can see links on this board! Get registered or login! - A Google Maps Nuke Module 
View user's profile Send private message
Susann
Moderator


Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

PostPosted: Sat Mar 29, 2008 5:42 pm Reply with quote

I have seen similar things but not exact the same in my logs.
However, it not a surprise because there are tools and scripts available for this. Rolling Eyes
Also it doesn´t bring anything to ban the country because they usally use proxies.
 
View user's profile Send private message
slackervaara
Worker
Worker


Joined: Aug 26, 2007
Posts: 236

PostPosted: Sat Mar 29, 2008 11:01 pm Reply with quote

I have not noticed this yet. I have this in my .htaccess that should block 97 % of all proxies. Sentinel have not stopped a single hacker since I added it:

RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule .* - [F]
 
View user's profile Send private message
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Sun Mar 30, 2008 1:27 am Reply with quote

Yep I've seen it. Looks like a robot with some errors

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
gregexp
The Mouse Is Extension Of Arm


Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol

PostPosted: Mon Mar 31, 2008 2:55 pm Reply with quote

I've seen this alot, with my old job. I've not had time to test it, but from what I could tell, it was something that was exploitable in the version of php-nuke that was installed with fantastico.

Who would have thought it. Cpanel and fantastico releasing exploitable scripts Laughing

_________________
For those who stand shall NEVER fall and those who fall shall RISE once more!! 
View user's profile Send private message Send e-mail Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9453
Location: Arizona

PostPosted: Thu Apr 03, 2008 5:30 am Reply with quote

slackervaara, that is an interesting list indeed. I am going to have to mull this list over some more...

Just this list alone might make for interesting discussion. Any thoughts regarding slackervaara's list? Will there be false positives with this list? I.e., some legitimate users blocked?

I am seriously considering adding these, but am interested in community input.

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
slackervaara
PostPosted: Thu Apr 03, 2008 5:55 am Reply with quote

I have got only two complaints since I started with this in my .htaccess. One member could not access the site from her job anylonger and the another could not access the site from his health workers office. I guess those computers must be behind a proxy and thus blocked. I got the tip about this from a Norwegian PHP-Nuke site.
 
montego
PostPosted: Thu Apr 03, 2008 6:24 am Reply with quote

Yes, that sounds right to me. It was one of my concerns. I have also had folks with various levels of "anonymizers" on their PC (for example, even Norton Internet Security) which can even affect NukeSentinel(tm).

Interesting... let us see what others have to say too. Good discussion.
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6793
Location: Ha Noi, Viet Nam

PostPosted: Thu Apr 03, 2008 6:42 am Reply with quote

I would be interested to see how those lines affect AOL users.
Anyone here using AOL?
 
View user's profile Send private message Send e-mail
gregexp
PostPosted: Thu Apr 03, 2008 1:27 pm Reply with quote

EWWWW, AOL, stay away!!!!

lol, only kidding.

The only problem I do see, is there are many proxy servers out there that dont broadcast that they are proxy servers, which this list looks like it will require they broadcast that they are proxies.

I personally wonder what would happen with custom browsers, like Linux browsers and some Windows browsers.
 
slackervaara
PostPosted: Thu Apr 03, 2008 2:33 pm Reply with quote

I have tested in Windows XP with:
Firefox, Explorer, Opera, Safari and all works OK.
in Linux Mandriva 2006:
Firefox, Konqueror, Ephiphany works all OK

I have used this in my .htacces since Jan 25 this year and Sentinel has not caught a single hacker since that start.
 
gregexp
PostPosted: Thu Apr 03, 2008 3:40 pm Reply with quote

There are a few others, but with your testing, I dont think you would have a problem with even those.

I suppose the next question would be, does it block with certain ISP's. which like to add their own headers, AOL being one of those.

Then, can you get visitors from all countries?
 
slackervaara
PostPosted: Thu Apr 03, 2008 7:30 pm Reply with quote

I have a Scandinavian site, but there are mainly US IP:s I guess mainly from search engines like Google. There are also rather many visitors from non-Scandinavian countries too. I don't know about AOL and I also have the proxy blocker on in Sentinel, but this in .htaccess seems more effective to me.
 
redhairz
Worker
Worker


Joined: Nov 17, 2006
Posts: 222

PostPosted: Fri Apr 04, 2008 3:31 am Reply with quote

slackervaara wrote:
I have not noticed this yet. I have this in my .htaccess that should block 97 % of all proxies. Sentinel have not stopped a single hacker since I added it:

RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule .* - [F]


many isp is using the proxy thingy if RN add this into here i'll be block out lol i will give a try on these and see the results.

_________________
Jesus is Alive, He is our joy, be it good times or bad time. 
View user's profile Send private message
redhairz
PostPosted: Fri Apr 04, 2008 3:34 am Reply with quote

RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR] what does this mean?
 
montego
PostPosted: Fri Apr 04, 2008 5:31 am Reply with quote

redhairz, it means there is no User Agent being passed within the headers.

BTW, if you have that type of proxy situation, why not you two try and test out whether you get blocked from his site or not. That would be a useful test and would be nice to post the results here I think.
 
slackervaara
PostPosted: Fri Apr 04, 2008 5:59 am Reply with quote

You can check, if you are blocked from my site if you are behind a proxy:


Last edited by slackervaara on Mon Jun 09, 2008 8:52 pm; edited 1 time in total 
redhairz
PostPosted: Sun Apr 27, 2008 9:39 am Reply with quote

there was no blocking here in RN site. if the sn is set to lite or higher the sn will block it.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©