Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
steve_lemaster
Worker
Worker


Joined: Dec 26, 2006
Posts: 178

PostPosted: Sun Jun 01, 2008 5:03 pm Reply with quote

Well, the site I run has suffered 500+ hack attempts and counting.

Is there any way to stop this stuff or at least reduce it. I am tired of getting Blocked Abuse emails.

_________________
The urge to save humanity is often a false front for the urge to rule.

- H.L. Mencken 
View user's profile Send private message Send e-mail
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Sun Jun 01, 2008 6:21 pm Reply with quote

Adding the IP's to .htaccess will stop them from reaching your site which will stop the notifications. So, if you have the write to .htaccess option turned on then you shouldn't be getting repeats. Just turn the email admin option off to stop the emails.

I also always add the 4th octet as a wild card when I ban them, ie Full C Class
 
View user's profile Send private message
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Sun Jun 01, 2008 6:47 pm Reply with quote

There is no real solution. Automated scripts constantly try to exploit any vulnerability. Blocking won't slow these down as they have a full botnet of compromised machines.

Just keep your site up-to-date. If you're tired of the notifications, you can turn them off.

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
steve_lemaster
PostPosted: Sun Jun 01, 2008 6:51 pm Reply with quote

Thanks guys. I added them to the .htaccess and I didn't even think about shutting off the notifications.
 
steve_lemaster
PostPosted: Sun Jun 01, 2008 6:55 pm Reply with quote

Ok. Where do I shut off notifications? I looked everywhere.
 
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Sun Jun 01, 2008 8:26 pm Reply with quote

You can configure Sentinel what to do for each type of attack. One of the options is to send email.

I added something to my .htaccess file that has stopped 90% of my notifications. Most of the time these guys are trying to do a remote script execution via a _GET parameter. This stops that:

Code:


RewriteEngine on
#
# Prevent cross-site scripting
#
RewriteCond %{THE_REQUEST} .*http:\/\/.* [OR]
RewriteCond %{THE_REQUEST} .*http%3A%2F%2F.*
Rewriterule ^.* - [F,L]

_________________
Only registered users can see links on this board! Get registered or login! - An Event Calendar for PHP-Nuke
Only registered users can see links on this board! Get registered or login! - A Google Maps Nuke Module 
View user's profile Send private message
steve_lemaster
PostPosted: Sun Jun 01, 2008 9:01 pm Reply with quote

Thanks Gremmie, I just copy and pasted it.

Bizarre. I went from 5,400 page views to 13,000+ in under two hours and the visitor count doesn't even remotely reflect it.
 
steve_lemaster
PostPosted: Mon Jun 02, 2008 11:50 am Reply with quote

Well, Gremmie that piece of code seems to have done the trick.

However, can anyone help me understand how I can have 42 visitors and have page views jump from 5193 to well over 16,000 in a little over 2 hours?
 
evaders99
PostPosted: Mon Jun 02, 2008 3:49 pm Reply with quote

You may be under a more direct form of attack, a denial of service.
 
steve_lemaster
PostPosted: Mon Jun 02, 2008 3:55 pm Reply with quote

Isn't a DoS a server side attack, rather than an attack directed at the site itself?

Sorry if I am coming across as thick headed and asking all of these questions.
 
Raven
PostPosted: Tue Jun 03, 2008 1:24 am Reply with quote

It can be either but is usually directed at a particular site.
 
warren-the-ape
Worker
Worker


Joined: Nov 19, 2007
Posts: 196
Location: Netherlands

PostPosted: Tue Jun 03, 2008 1:29 am Reply with quote

Is it a new site with a lot of contents/topics?
It could just be search engine spiders indexing your pages.

You can easily verify this in NS or in the Forums admin.


Open up your forums admin on the 1st page and check the IP's listed.

You can do the same in NS if you enabled IP tracking. Go to tracked IP's and sort on 'hits' (highest hits on top choose; 'descending').
WHOIS the IP's with a large amount of hits to see if they are search engines or not.

Edit:
Some time ago I had a dude/bot from France who was requesting topics every second, sometimes 2-3 per second and that for a couple of minutes.

I noticed it cause my site statistics for that day went through the roof..

If its not Google or another known search engine I dont need them Wink
 
View user's profile Send private message
steve_lemaster
PostPosted: Tue Jun 03, 2008 10:44 am Reply with quote

warren-the-ape wrote:
Is it a new site with a lot of contents/topics?
It could just be search engine spiders indexing your pages.

You can easily verify this in NS or in the Forums admin.


Open up your forums admin on the 1st page and check the IP's listed.

You can do the same in NS if you enabled IP tracking. Go to tracked IP's and sort on 'hits' (highest hits on top choose; 'descending').
WHOIS the IP's with a large amount of hits to see if they are search engines or not.

Edit:
Some time ago I had a dude/bot from France who was requesting topics every second, sometimes 2-3 per second and that for a couple of minutes.

I noticed it cause my site statistics for that day went through the roof..

If its not Google or another known search engine I dont need them Wink


It's a very controversial topic...Global Warming/Climate change and the science behind it.
 
evaders99
PostPosted: Tue Jun 03, 2008 12:32 pm Reply with quote

Well it is possible you have many links to a certain topic. And if you've gotten linked from some major site, you'll have increased traffic that you may not be able to handle (see: Slashdot effect)
 
steve_lemaster
PostPosted: Tue Jun 03, 2008 12:35 pm Reply with quote

evaders99 wrote:
Well it is possible you have many links to a certain topic. And if you've gotten linked from some major site, you'll have increased traffic that you may not be able to handle (see: Slashdot effect)


I suppose that's possible. It's just strange that the visitor count could not have possibly accounted for that amount of hits in that amount of time.
 
Raven
PostPosted: Tue Jun 03, 2008 12:48 pm Reply with quote

Use AWSTATS or something like it to find out the details.
 
steve_lemaster
PostPosted: Tue Jun 03, 2008 12:57 pm Reply with quote

Forgot about that. Thanks!
 
steve_lemaster
PostPosted: Tue Jun 03, 2008 1:39 pm Reply with quote

AWSTATS isn't telling me anything.
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

PostPosted: Tue Jun 03, 2008 2:10 pm Reply with quote

PM me your cPanel (or other hosting control panel) login and your God admin user/pass and lets check this puppy out, I have about an hour to spare.
 
View user's profile Send private message Send e-mail
steve_lemaster
PostPosted: Wed Jun 04, 2008 1:59 pm Reply with quote

I PM'd you my cPanel and site admin logins. If you get the chance to check it out, let me know.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©