Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™
Author Message
HauntedWebby
Involved
Involved


Joined: May 19, 2004
Posts: 363
Location: Ogden, UT

PostPosted: Sat Sep 25, 2004 4:35 pm Reply with quote

Stuff like this makes me nervious!!!!


Date & Time: 2004-09-25 13:57:54
Blocked IP: 81.213.190.99
User ID: Anonymous (1)
Reason: Abuse-Author
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Query String: Only registered users can see links on this board! Get registered or login!
Forwarded For: 81.213.190.99
Client IP: none
Remote Address: 194.20.144.162
Remote Port: 48661
Request Method: GET


Date & Time: 2004-09-23 17:27:44
Blocked IP: 200.179.100.203
User ID: Anonymous (1)
Reason: Abuse-Author
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 9Cool
Query String: Only registered users can see links on this board! Get registered or login!
Forwarded For: none
Client IP: none
Remote Address: 200.179.100.203
Remote Port: 1304
Request Method: GET

[Edited by Admin Wink]

_________________
--Webby-- 
View user's profile Send private message Send e-mail
Nukeum66
Life Cycles Becoming CPU Cycles


Joined: Jul 30, 2003
Posts: 551
Location: Neurotic, State, USA

PostPosted: Sat Sep 25, 2004 4:51 pm Reply with quote

Please remove that Query String: URL or you might get even more hack attempts than you want..Laughing

_________________
Scott Johnson MIS Ubuntu/Linux 11.10 
View user's profile Send private message Visit poster's website
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Sat Sep 25, 2004 5:05 pm Reply with quote

That's the very hack attempt that caused me to write the HTTP Auth script Wink Script kiddies - idiots. Report them to their ISP. Every once in a while it helps.
 
View user's profile Send private message
GeekyGuy
Client


Joined: Jun 03, 2004
Posts: 302
Location: Huber Heights Ohio

PostPosted: Sat Sep 25, 2004 5:17 pm Reply with quote

And unfortunately, the Script twits are still at it. Fortunately for us, we have NukeSentinel™ to protect our sites. And NukeSentinel™ just keeps getting better.

_________________
"The Daytona 500 is ours! We won it, we won it, we won it!", Dale Earnhardt, February 15th, 1998, Daytona 500 
View user's profile Send private message Send e-mail Visit poster's website Yahoo Messenger MSN Messenger ICQ Number
HauntedWebby
PostPosted: Sun Sep 26, 2004 10:59 am Reply with quote

Nukeum66 wrote:
Please remove that Query String: URL or you might get even more hack attempts than you want..Laughing


Sorry my mouse was acting up .. and then my pc went nuts. Wasn't even sure if the message went through Very Happy I wonder if this board thought I was hacking it ... LOL

But I've been getting about one a day of these admin blocks.
 
blarneystone
Client


Joined: Sep 18, 2004
Posts: 62

PostPosted: Sun Sep 26, 2004 7:03 pm Reply with quote

I am new to Nuke Sentinal myself and I had NO idea how often people where trying to hack my site. I got one of those just now where someone tried to create a godmode account.

So Raven, you do really recommend reporting them? I'd be happy to.

What might be a cool enhancement to Nuke sentinal is an email script that let's you email from the sentinal control panel to the ISP in question Smile

But normal email is good enough if they don't just chuck it in the trash.
 
View user's profile Send private message Visit poster's website
blarneystone
PostPosted: Sun Sep 26, 2004 7:21 pm Reply with quote

BTW, what do you say to the ISP when you are reporting these hacks? Can you post an example note that I can use to send too?

Thanks
 
Raven
PostPosted: Sun Sep 26, 2004 7:39 pm Reply with quote

Unfortunately, you can't really automate it because some IP ranges are further allocated to other domain controllers and require further investigation. Here is bascially a boiler-plate that I use. I have removed most of the Query String.
Code:
On May 15, 2004 at approximately 7:33am CST an attempt to break into my web site and obtain user/admin id and passwords was made by IP 172.185.102.16 .  The following is information from my logs that should identify the person and the type of hack that was attempted.  Can I assume that you will take immediate action to avoid AOL IP's from being blocked altogether from my site and all community sites?  Thank you.


REMOTE_ADDR : 172.185.102.16
REMOTE_HOST : acb96610.ipt.aol.com
REMOTE_PORT : 3273

SERVER_ADDR : 65.254.38.234
SERVER_ADMIN : Only registered users can see links on this board! Get registered or login!
SERVER_NAME : Only registered users can see links on this board! Get registered or login!
SERVER_PORT : 80

SERVER_PROTOCOL : HTTP/1.1
REQUEST_METHOD : GET
QUERY_STRING : op=AddAuthor


Your Name,
5/15/2004

It is very important that you supply the date, time, and time zone when you report these incidences.
 
blarneystone
PostPosted: Sun Sep 26, 2004 7:41 pm Reply with quote

Thanks! I'm on the report team now. RavensScripts
 
blarneystone
PostPosted: Tue Sep 28, 2004 8:44 am Reply with quote

Hey, I noticed this morning that there are quite a few blocks on my downloads section.

For instance see below (I am editing out the actual software link so I am not getting false positives)

Code:
Date & Time: 2004-09-27 23:18:47 

Blocked IP: 24.98.114.102
User ID: Anonymous (1)
Reason: Abuse-Script
--------------------
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10
Query String: Only registered users can see links on this board! Get registered or login!
Forwarded For: none
Client IP: none
Remote Address: 24.98.114.102
Remote Port: 4129
Request Method: GET


How can I tell this is really an Abuse script and not a false positive? It looks like the person just went to look at some download details and got blocked/banned...
 
Raven
PostPosted: Tue Sep 28, 2004 9:03 am Reply with quote

The () are forbidden by both Nuke and NukeSentinel. There are several posts about this in the forums.
 
blarneystone
PostPosted: Tue Sep 28, 2004 9:43 am Reply with quote

Are you referring to the (ARM devices) reference or the Anonymous(1) ?

Hey wait a minute! Shocked My downloads section is password protected. How could annonymous(1) get there...hmmmm
 
Raven
PostPosted: Tue Sep 28, 2004 11:08 am Reply with quote

If () is in the Querystring then it gets banned.
 
blarneystone
PostPosted: Tue Oct 05, 2004 8:58 am Reply with quote

Could I ask what String Match: da is?

Also, what exactly is a Union abuse? I am getting lots of those..

thanks!
 
Raven
PostPosted: Tue Oct 05, 2004 10:34 am Reply with quote

Union abuse is how they try to discover you admin userid's and passwords and also how they can add themselves as an admin. Make sure that you have the HTTP Auth set to on and that won't happen.

'da' is unknown to me and is not added automatically. If there is a 'da' in there then you had to have added it. What the Stringmatch does is to allow you to designate a string within the QueryString to check for and take appropriate action.
 
blarneystone
PostPosted: Tue Oct 05, 2004 11:32 am Reply with quote

Raven wrote:
Union abuse is how they try to discover you admin userid's and passwords and also how they can add themselves as an admin. Make sure that you have the HTTP Auth set to on and that won't happen.


Oh, I meant to say a sentinal is catching a lot of those people Smile

Here are the details of the da thingie...

Date & Time: 2004-10-04 23:26:25
Blocked IP: 208.54.15.1
User ID: Anonymous (1)
Reason: Abuse-Harvest
String Match: da
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; O2 Xda II;PPC;240x320) Query String: Only registered users can see links on this board! Get registered or login!
Forwarded For: none
Client IP: none
Remote Address: 208.54.15.1
Remote Port: 1042
Request Method: GET

Thanks!
 
Raven
PostPosted: Tue Oct 05, 2004 12:08 pm Reply with quote

That is an entry in your harvester list and it's to protect against spiders/bots that use DA (Download Accelerator) for raping your downloads.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©