Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel(tm) v2.6.x
killing-hours
RavenNuke(tm) Development Team
Joined: Oct 01, 2010
Posts: 438
Location: Houston, Tx

Posted: Mon Nov 01, 2010 9:30 am

Hey all-

Got on my site this morning and noticed someone messing around, so I started to look around and noticed this line...

Image

in my tracked referer page. Is this normal or something I should be concerned about? Just curious, as the IP address doesn't belong to me but it's pointing back to my admin.php. Thanks.

_________________
Money is the measurement of time - Me
"You can all go to hell…I’m going to Texas" -Davy Crockett 
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam

Posted: Mon Nov 01, 2010 3:51 pm

I could be wrong, but this looks like a cross site scripting attack; the initial IP even has a port number, so it looks like that site is hosting 'tools' for the purpose or has been compromised.
 
spasticdonkey
RavenNuke(tm) Development Team
Joined: Dec 02, 2006
Posts: 1693
Location: Texas, USA

Posted: Mon Nov 01, 2010 4:27 pm

Not sure how you noticed someone was messing around, but if you got some sort of message from Sentinel you're probably OK. If you want extra security, I added these to my .htaccess some time ago; they seem to block a lot of attacks before they even get to Sentinel.

Code:
RewriteEngine on

# Refuse two HTTP client libraries that show up in automated probes ([NC] = case-insensitive).
RewriteCond %{HTTP_USER_AGENT} ^libwww [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
# Refuse query strings carrying known web-shell names or abused include-variable names.
# As posted these lines read "RewriteCond % _CONF"; the test string is assumed to be
# %{QUERY_STRING}, matching the http:// rule below.
RewriteCond %{QUERY_STRING} _CONF [OR]
RewriteCond %{QUERY_STRING} tool25 [OR]
RewriteCond %{QUERY_STRING} cmd.txt [OR]
RewriteCond %{QUERY_STRING} r57shell [OR]
RewriteCond %{QUERY_STRING} c99 [OR]
RewriteCond %{QUERY_STRING} THEME_DIR
RewriteRule ^.* - [F,L]

# Forbid any request whose query string contains http://
RewriteCond %{QUERY_STRING} .*http:\/\/.*
RewriteRule ^.* - [F]

This last part will cause issues with some legit admin functions, like verify weblinks, downloads, and maybe others... but it blocks a lot of XSS attacks as well.
Code:
RewriteCond %{QUERY_STRING} .*http:\/\/.*
RewriteRule ^.* - [F]


I also use a large list of user-agent blocks in .htaccess, but it's kinda old; maybe someone else has an updated one?
 
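To see in advance what the rules above would refuse, including the legitimate admin request the post warns about, here is an added Python example (not code from the thread or from NukeSentinel) that replays the rules over Apache access-log lines. It assumes the six bare `%` conditions test `%{QUERY_STRING}`; all log lines and the `op=WebLinksVerify` value are constructed for illustration.

```python
"""Replay the .htaccess block rules from this thread over Apache combined-format log lines.

Added example, not code from the thread. It assumes the six bare "%" conditions in the
posted rules test %{QUERY_STRING}. Every log line below is constructed, not captured.
"""
import re
from urllib.parse import urlsplit

# RewriteCond patterns as posted; [NC] on the user-agent rules means case-insensitive.
UA_PATTERNS = [re.compile(r"^libwww", re.I), re.compile(r"Indy\ Library", re.I)]
QS_TOKENS = [re.compile(p) for p in (r"_CONF", r"tool25", r"cmd\.txt", r"r57shell", r"c99", r"THEME_DIR")]
QS_HTTP = re.compile(r".*http:\/\/.*")  # the "last part" that also hits legit admin functions

# Apache combined log format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return which rule groups a logged request would trip, or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m["target"]).query  # RewriteCond %{QUERY_STRING} sees only this part
    reasons = []
    if any(p.search(m["ua"]) for p in UA_PATTERNS):
        reasons.append("user-agent")
    if any(p.search(query) for p in QS_TOKENS):
        reasons.append("query token")
    if QS_HTTP.search(query):
        reasons.append("http:// in query")
    return {"ip": m["ip"], "target": m["target"], "blocked": bool(reasons), "reasons": reasons}

def audit(lines):
    """Classify every parseable line; unparseable lines are skipped."""
    return [r for r in (classify(l) for l in lines) if r is not None]

# Constructed samples: a remote-include style probe like the tracked referer in the first
# post, a hypothetical admin link check (the op= value is made up), and ordinary forum traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Nov/2010:09:12:44 -0600] "GET /index.php?THEME_DIR=http://203.0.113.9:8080/x.txt? HTTP/1.1" 403 - "-" "libwww-perl/5.805"',
    '192.0.2.10 - - [01/Nov/2010:09:15:02 -0600] "GET /admin.php?op=WebLinksVerify&url=http://www.example.com/ HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Nov/2010:09:16:30 -0600] "GET /modules.php?name=Forums&file=viewtopic&t=1 HTTP/1.1" 200 8842 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for r in audit(SAMPLE_LOG):
        verdict = "BLOCK " + ", ".join(r["reasons"]) if r["blocked"] else "allow"
        print(f'{r["ip"]:15} {verdict:45} {r["target"]}')
```

Run it against a day of your own access log before enabling the http:// rule: every "allow" line from an admin session that should have been "BLOCK", or vice versa, is a rule you need to adjust.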
Guardian2003
Posted: Mon Nov 01, 2010 5:04 pm

I have some BIG user-agent and referrer lists, but they are in a custom delimited file for use with Spam Stopper, which I'm hoping to revive again now that I have developed a fully functioning remote update service (including for the module itself).
 
spasticdonkey
Posted: Mon Nov 01, 2010 5:28 pm

well that sounds very cool Smile
 
killing-hours
Posted: Tue Nov 02, 2010 7:30 am

Well... I noticed it because I keep a very close eye on the IPs on the site. "Generally" speaking... I don't have many people on at one time... but when I do (I drink Dos XX's)... usually the IP address is either directly allocated to their company (so the IP lookup works most of the time) or it's to an individual.

I also try to keep a close eye on the tracked IP page, as I like to see what my clients are using the most, and usually I can spot errors with my site pretty quickly if they are hitting error pages for whatever reason.

@Spastic... thanks for providing that! Does it need to be above/below anything in particular? (Sentinel is writing the IPs to the .htaccess.)

@Guardian... Man... that thing sounds great... any time frame?
 
spasticdonkey
Posted: Tue Nov 02, 2010 8:51 am

I would just place it after the shortlinks (if you are using them), before the </IfModule> tag. If you are not using shortlinks, make sure to have RewriteEngine on at the top.

The bot list I'm using is 3 yr old (rolling eyes) but you can see it here [link visible to registered users only]

I think 64bitguy and others have posted some more added-security-via-htaccess examples, but I can't seem to find them atm.

Also, if you have set up your Admin HTTPAuth / Admin CGIAuth correctly I wouldn't worry too much about that tracked referrer.
 
Guardian2003
Posted: Tue Nov 02, 2010 9:32 am

@killing-hours - sorry, no time frame, as I already have enough to keep me busy till 2011 with some projects that are overdue.

Good point regarding the HTTP Auth set up!!
 
killing-hours
Posted: Tue Nov 02, 2010 11:26 am

Ah ha... I knew at some point I would make it back to this question.

What is the "HTTPAuth / Admin CGIAuth" and how should I set it up "correctly"? At this point I don't have that set up, precisely because I don't know how to set it up right, but I would LOVE to get it going if it will make my site that much more secure. I think I played with it at one point but it blocked me from my own site, so I've never really played with it since. Thanks guys!! Learn something new every day.

----------

Edit: Tried setting it up but I got an attack of the 500s. Brought my site down right in the middle of the biz day... whoops... had to get the original .htaccess that came with RN to get my site back online. I'll wait for a more detailed answer before playing with this again. Wink
 
killing-hours
Posted: Tue Nov 02, 2010 12:18 pm

BTW... HTTPAuth is not available.
 
spasticdonkey
Posted: Tue Nov 02, 2010 5:27 pm

OK, you'll want CGI auth, it's what I use. The process is explained in detail here [link visible to registered users only]

Skip to the part about CGI auth; if there is a step you have trouble with, let us know. Basically you'll be creating an .staccess file and modifying your .htaccess with some code you get from NukeSentinel. There is a basic sample of what you'll be adding commented out in .htaccess. If you run forums you should do that part too [link visible to registered users only]
 
killing-hours
Posted: Tue Nov 02, 2010 5:34 pm

Right.... I found a folder with all the pre-wiki .htmls. Got one problem though... the "HTTPAuth" link in the admin panel is not clickable. Wouldn't happen to know why, would you? Thanks for the help.

-------

Edit: NVM... "when all else fails... RTM". Forgot which admin account I was on.
 
killing-hours
Posted: Tue Nov 02, 2010 6:13 pm

Got it set up correctly... thanks for the advice and guidance. Much appreciated!!
 
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088

Posted: Tue Nov 02, 2010 8:00 pm

RavensScripts
 
killing-hours
Posted: Tue Nov 02, 2010 8:14 pm

yessir... you guys rock!!
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours