Ravens PHP Scripts: Forums
 

 

ladysilver
Hangin' Around


Joined: May 03, 2004
Posts: 49
Location: Cyberspace

Posted: Thu May 13, 2004 7:51 pm

I am trying to figure out how ip 200.177.162.127 is still able to access one of my sites. After the first hack attempt, I banned it in Protector and .htaccess and destroyed the session. Next day, it was back again. I thought I must have typed in the ip wrong. I hadn't, but I deleted it and re-added it (both places). I stopped getting UNION hack attempts on existing modules, but started getting dozens of attempts from this same ip on modules I don't have, like coppermine, My_eGallery, and 4nalbum. I caught them in the error messages. I wrote a redirect script to a particularly nasty site, named it for each of the scripts the ip was trying to access and dumped them into folders for his viewing pleasure.

This is the only banned ip that does not appear to stay banned. Does anyone have any ideas? The only thing I can think of at the moment is he is somehow using a cache of my site.
 
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2496

Posted: Thu May 13, 2004 9:37 pm

Take it up a notch and ban the whole 200 range for a while

htaccess
# Apache takes a partial address here (leading octets), not * wildcards
deny from 200
 
chatserv
Member Emeritus


Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico

Posted: Thu May 13, 2004 9:47 pm

And so that you know that it's working, add your own IP to your site's htaccess file and try viewing it afterwards.
 
sixonetonoffun
Posted: Thu May 13, 2004 10:10 pm

I remember you posting something about the coppermine etc. a few days ago; they must have automated a script that tests for more than one exploitable module now. The only question is why is it returning to your site when it's failed so many times? I really thought these guys had more on the ball than that. Using the same IP isn't a surprise; no one seems to get much of a response from their abuse dept.

They must be using a search engine to harvest domains that come back to phpnuke? Then are just recycling the same list over and over. Could be why so many people are hit once, fix it, just to get slammed within days by another attack to a different module etc. Maybe there is more to the security through obscurity approach than we give credit for.
 
ladysilver
Posted: Thu May 13, 2004 11:35 pm

Thanks for the advice - I will try everything suggested and let you know what happens. I really wanted to avoid banning 200. I did that once, then took them off the list and eventually ended up with some decent members from Brazil. But maybe a temporary ban will clear whatever he is using in his attack. I am inclined to think it is some kind of automated script because the gallery attacks are always the same kind and always within seconds of each other, though the modules and scripts he is attempting to access are different.

Quote:
A 404 error was encountered by 200.177.162.127 using Mozilla 4.0 (Linux) at 04:05:39

A 404 error was encountered by 200.177.162.127 using Mozilla 4.0 (Linux) at 04:05:38.

A 404 error was encountered by 200.177.162.127 using Mozilla 4.0 (Linux) at 04:05:37.


I left out what he was trying to access in the above, but I have a folder full of similar stuff over the past two weeks. That was one reason I set up a redirect script for everything he was trying to access. A couple of weeks ago I was checking through direct calls to hackattempt.php and found the referrer was a Russian hacking forum. My site (along with others) was listed in their "flood" forum. I changed the name of hackattempt.php to something else, then put up a redirect script and named it hackattempt.php. A couple of days afterwards I checked the hacker forum and saw the post had been removed. This may be something similar, an attempt to flood through error monitoring, possibly to hide something else in a rift of messages, but more likely to annoy. I deliberately left 1 script he keeps trying to access out of my redirects so I could track whether banning him was being at all successful without a flurry of mail. The last attempt was the 13th.

(edited to correct date - last attempt was the early morning of the 13th).
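Added example (not part of the post above or of the site's own scripts): a small Python detector that reads error notifications in the format quoted in the post and collapses each run of rapid 404s from one address into a single report line, so a scripted probe shows up as one burst instead of a flurry of mail. The thresholds and the extra sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Notification format quoted in the post above; the time has no date, so
# this assumes all lines come from the same day.
LINE_RE = re.compile(
    r"A (?P<status>\d{3}) error was encountered by "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) using .+? at (?P<time>\d\d:\d\d:\d\d)\.?$"
)

# First three lines are from the post; the rest are constructed
# (documentation address ranges) to give the detector something to ignore.
SAMPLE = [
    "A 404 error was encountered by 200.177.162.127 using Mozilla 4.0 (Linux) at 04:05:39",
    "A 404 error was encountered by 200.177.162.127 using Mozilla 4.0 (Linux) at 04:05:38.",
    "A 404 error was encountered by 200.177.162.127 using Mozilla 4.0 (Linux) at 04:05:37.",
    "A 404 error was encountered by 192.0.2.10 using Mozilla 5.0 (Windows) at 09:12:01.",
    "A 404 error was encountered by 198.51.100.7 using Mozilla 5.0 (Windows) at 10:00:00.",
    "A 404 error was encountered by 198.51.100.7 using Mozilla 5.0 (Windows) at 10:07:30.",
]

def find_bursts(lines, min_hits=3, gap=timedelta(seconds=5)):
    """Return (ip, hits, first, last) for each run of 404s from one IP in
    which consecutive hits are at most `gap` apart and hits >= min_hits."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["status"] == "404":
            by_ip[m["ip"]].append(datetime.strptime(m["time"], "%H:%M:%S"))
    bursts = []
    for ip, times in by_ip.items():
        times.sort()
        run = [times[0]]
        for t in times[1:] + [None]:          # None flushes the final run
            if t is not None and t - run[-1] <= gap:
                run.append(t)
                continue
            if len(run) >= min_hits:
                bursts.append((ip, len(run), f"{run[0]:%H:%M:%S}", f"{run[-1]:%H:%M:%S}"))
            if t is not None:
                run = [t]
    return bursts

if __name__ == "__main__":
    for ip, hits, first, last in find_bursts(SAMPLE):
        print(f"{ip}: {hits} x 404 between {first} and {last}")
```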
 
sixonetonoffun
Posted: Fri May 14, 2004 9:26 am

Interesting stuff I wasn't aware of public "Flood" lists. They are going on the attack trying to show that they can turn a convenient script like hackalert into a DOS attack of its own.

I really like your colorful method of coping!
 
ballymuntrev
Hangin' Around


Joined: Mar 22, 2004
Posts: 49

Posted: Fri May 14, 2004 8:16 pm

Ooo, here's an idea, make your re-direct open up a new email msg window every time they hit it, as an idea look at this link, which I won't make live
Code:
http://nettwerked.mg2.org/code/outlooksploit.html


It does nothing bad other than open up a new email msg window, which if they're trying to flood you then it will piss them off something terrible :)
 
sixonetonoffun
Posted: Fri May 14, 2004 9:37 pm

<?php
// Hold the request open for 60 seconds (6 x 10-second sleeps) before answering.
$i = 0;

do {
    sleep(10);
    $i++;
} while ($i < 6);
echo "It took this system 60 seconds to determine YOU SUCK!";
?>
 
southern
Client


Joined: Jan 29, 2004
Posts: 591
Location: Texas

Posted: Sat May 15, 2004 10:38 am

You might want to look at htaccess posts at this site, ladysilver, courtesy of sixone who referred me to it:
[link hidden by the forum]
 
ladysilver
Posted: Sun May 16, 2004 9:12 pm

Thanks again for all the helpful suggestions. :) I did not ban the 200 range, but I tested by banning myself in .htaccess and that worked so it seems the problem was not in .htaccess. He is no longer getting past the ban, though I will continue to keep an eye out for him in my logs and lists. I am wondering now if he somehow hijacked a user session or cookie. I reduced Nuke's default cookie to a 5-day expiry, and that coincides with the length of time he was getting around the ban, though it may be an unrelated coincidence.

sixone, here is the forum where my site and several others that use hackattempt.php were listed. The post was taken down (or moved - I am not a member and a search attempt took me to login). mazafaka*dot*ru/forum/index.php.
 
sixonetonoffun
Posted: Sun May 16, 2004 10:43 pm

Thank you ladysilver always interested in fun and exciting sites to visit wink*
 
southern
Posted: Mon May 17, 2004 10:13 am

ladysilver wrote:
Thanks again for all the helpful suggestions. :) I did not ban the 200 range, but I tested by banning myself in .htaccess and that worked so it seems the problem was not in .htaccess. He is no longer getting past the ban, though I will continue to keep an eye out for him in my logs and lists. I am wondering now if he somehow hijacked a user session or cookie. I reduced Nuke's default cookie to a 5-day expiry, and that coincides with the length of time he was getting around the ban, though it may be an unrelated coincidence.

sixone, here is the forum where my site and several others that use hackattempt.php were listed. The post was taken down (or moved - I am not a member and a search attempt took me to login). mazafaka*dot*ru/forum/index.php.


Ah, those make wonderful keepsakes, getting listed on some self-styled hacking forum. See [link hidden by the forum] for my own keepsake.
Just put that site's IP 213.248.54.79 in your htaccess... dang someday I need to learn Dutch or whatever they speak on that forum, and Arabic too. :)
 
AndyB
Worker


Joined: Jun 03, 2004
Posts: 231
Location: Torrevieja, Spain

Posted: Sun Jun 13, 2004 3:57 pm

OK, I've started using Babelfish to translate live that site in Russia... followed a link to another site...

[link hidden by the forum] dot*rootlab*dot*ru/exploits/phpnuke.htm

b@st@rds....

Babelfish failed in this particular translation, but you can get the gist of where to look in 7.3 for their favourite exploits, etc...... :'(
 
SmackDaddy
Involved


Joined: Jun 02, 2004
Posts: 268
Location: Englewood, OH

Posted: Mon Jun 14, 2004 8:37 am

southern wrote:
You might want to look at htaccess posts at this site, ladysilver, courtesy of sixone who referred me to it:
[link hidden by the forum]


So, using that code in our .htaccess file:

Code:


# deny most common except .php
<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module|exe)$">
deny from all
</FilesMatch>

#Disable .htaccess viewing from browser
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

# Deny direct requests for config.php (dot escaped so it matches literally)
<Files ~ "config\.php$">
deny from all
</Files>


Allows us to protect the config and .htaccess files from being "seen" in the browser then, correct?
 
sixonetonoffun
Posted: Mon Jun 14, 2004 9:25 am

Yes sir, that's correct.
 
southern
Posted: Mon Jun 14, 2004 2:59 pm

And if you don't believe sixone try viewing the files in your browser before and after you use the codes. And I'm sticking to that!™
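Added example (not code from any poster in this thread): a Python check that runs the deny patterns from the .htaccess block above against a file listing and reports which names are blocked and which are still served, which is useful for spotting backup copies and dumps the rules do not cover. The file list is constructed, the config.php rule is written as config\.php$, and Python's re is assumed to behave like Apache's regex engine for patterns this simple.

```python
import re

# Patterns from the <FilesMatch> and <Files ~> blocks in the post above, with
# the config.php rule written as config\.php$. Assumption: Python's re agrees
# with Apache's regex engine on patterns this simple, and Apache applies them
# as an unanchored search against the file's base name.
DENY_RULES = {
    "extensions": r"\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module|exe)$",
    "dot-ht": r"^\.ht",
    "config": r"config\.php$",
}

# Constructed file list for a hypothetical PHP-Nuke document root.
SAMPLE_FILES = [
    "config.php",
    ".htaccess",
    ".htpasswd",
    "includes/counter.inc",
    "db/backup.sql",
    "db/backup.sql.gz",      # compressed dump: extension is now .gz
    "config.php.bak",        # backup copy of the config
    "config.php~",           # editor leftover
    "modules/News/index.php",
]

def matching_rules(path):
    """Names of the deny rules whose pattern matches the path's base name."""
    base = path.rsplit("/", 1)[-1]
    return [name for name, pat in DENY_RULES.items() if re.search(pat, base)]

def audit(paths):
    """Split paths into {path: [rules]} that are denied and a list that is
    still served, so leftovers next to protected files stand out."""
    blocked, served = {}, []
    for p in paths:
        rules = matching_rules(p)
        if rules:
            blocked[p] = rules
        else:
            served.append(p)
    return blocked, served

if __name__ == "__main__":
    blocked, served = audit(SAMPLE_FILES)
    for p, rules in blocked.items():
        print(f"denied  {p}  ({', '.join(rules)})")
    for p in served:
        print(f"served  {p}")
```

Files reported as served that are not meant to be requested directly (here the .bak, ~ and .gz copies) need their own rule or should be moved out of the document root.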
 
All times are GMT - 6 Hours
 