Ravens PHP Scripts: Forums
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ Enhancement Requests
64bitguy
Joined: Mar 06, 2004
Posts: 1159
Location: Sanbornton, NH USA

PostPosted: Tue Jan 25, 2005 2:11 pm

Hi

As you may or may not be aware, it has been extremely difficult for me to get NukeSentinel to spit out accurate information regarding any blocked abuse domain.

Now I should mention that in my case, I have disabled (commented out) the Santy protection features that were added in NukeSentinel 2.1.3. The new settings ended up messing with things on my site, and frankly, I didn't mind the old way, which simply sends me a "Script Abuse Blocked" message.

Unlike most webmasters, I actually examine every NukeSentinel report and in the case of Santy infections, I actually send out a notice to each domain holder notifying them that they are infected.

There are good reasons for this with the main reason being that if they don't know, chances are good that they will simply keep hitting my domain (and every one else's) via different IP addresses in their IP Block(s) until I end up with 100 different blocked abuse attempts.

To combat this, I use [link] to look up information about the IPs in question and to contact:
A) The Webmaster of the infected domain
B) The Communications provider of the infected domain (if necessary in the case of repeated attacks).

Then I forward a modified version of the email sent by NukeSentinel to them. I modify the below information in the Standard NukeSentinel email to reflect:
A) The Time Zone of The Notification Message (NukeSentinel includes the time, but fails to identify how that time is associated with GMT in relation to when the attack happened).
B) The Subject. NukeSentinel includes a simple "Blocked on $Sitename/slogan" message for the subject. I would really rather have this read: "Blocked Abuse From $IP". Personally, this is how I send out all notifications. It identifies the problem and the IP address as my site name really isn't needed in notifications sent to me, nor to the people I'm sending the message to.

In My "Forwarding" section above the NukeSentinel Email, I add Forwarding Information Regarding The Attack.

Basically, I have a canned email for Santy that simply tells the people that they are infected and attacking other outside domains. I include links to CERT to show them that they are infected and what to do, etc...

Here's a copy of my standard message:
Quote:
Subject: Blocked Abuse From (IP ADDRESS IN QUESTION).

Quote:
This is an urgent abuse notification!

You are infected with a variation of the SANTY worm and are attacking other Internet domains, including ours.

Please perform an immediate virus scan on your servers to identify and eliminate this infection. You will then be required to update all versions of PHPBB on your servers to 2.0.11 as well as your PHP version to 4.3.10 or 5.0.3 to eliminate vulnerabilities that would result in re-infection!

We urge you to take immediate action to eliminate this threat so that your servers stop attacking other Internet domains, especially ours!

See: [link]

Thanks
My Signature


It's simple and yet gets the message out.

Now, what I would really like to see in NukeSentinel is this:
1) DNSSTUFF.COM - IP LOOKUP information in the email.
2) TIMEZONE INDICATED next to the time of the attack in the email.
3) "Blocked Abuse From IP ADDRESS" in the email subject.

This would save me (and I suspect others) a great deal of time when reporting each case of abuse to domain holders.

To enable some of this, here are the changes I just made to NukeSentinel.
In version 2.1.3:
In includes/Sentinel.php
FIND:
Code:
$subject = ""._AB_BLOCKEDON." ".$nuke_config['sitename'];


CHANGED TO:
Code:
    $subject = ""._AB_BLOCKEDBY.": $banip";


THEN FIND:
Code:
    $message  = ""._AB_DATETIME.": ".date("Y-m-d H:i:s",$bantime)."\n"._AB_IPBLOCKED.": $banip"."\n";


CHANGED TO:
Code:
    $message  = ""._AB_DATETIME.": ".date("Y-m-d H:i:s",$bantime)." EST (GMT-5)\n"._AB_IPBLOCKED.": $banip"."\n";
To reflect that MY Server is using EST (GMT-5) as in Eastern Standard Time. Your settings in this section would need to be adjusted to how your server reports the actual time.

Then in the language file at language/sentinel/lang-english.php
FIND:
Code:
define("_AB_BLOCKEDON","Blocked On");


IMMEDIATELY FOLLOWING THAT, ON A NEW LINE ADDED:
Code:
define("_AB_BLOCKEDBY","Blocked Abuse From");


I did it this way (instead of changing the "BLOCKEDON") because I'm not sure if that message is used anywhere else in NukeSentinel and I didn't want to take the chance that I could mess up a description used in another part of NukeSentinel.

There may be more elegant ways to do this, but I'm going to try this for now. I'll let everyone know if I have any problems. Additionally, in the meantime I'm going to see if I can get DNS notification information to work in the emails.

Thanks
Steph

_________________
Steph Benoit [link]
1CMS, 100% Section 508 and W3C XHTML/CSS Compliant (Truly)
64bitguy
PostPosted: Tue Jan 25, 2005 5:05 pm

Here is how the emails look (and yes, I covered up the email address which was in there).

[Image: screenshot of the resulting notification email]

I hope this helps others.

Steph
 
BobMarion
Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)

PostPosted: Wed Jan 26, 2005 2:32 am

All good ideas going into 2.2.0

However you already have the choice of having it include the IP Lookup info from either DNS Stuff or ARIN provided your PHP is compiled as an Apache module and not as PHP-CGI.

Also changing the date string mentioned above to:
Code:
date("Y-m-d H:i:s T \G\M\T O",$bantime)
produces a date stamp like:
Code:
Date & Time: 2005-01-26 02:28:19 CST GMT -0600

_________________
Bob Marion
Codito Ergo Sum
[link]
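The two changes discussed above (an IP-only subject line and a timestamp that names its timezone) folded into one function, as an added example that is not NukeSentinel's own code. It reuses the `_AB_*` constant names from the thread and Bob's `date()` format string; the function name `build_abuse_notification`, the `America/Chicago` zone, the sample IP and the timestamp value are constructed for illustration. One caveat worth carrying into a real patch: `$banip` ends up in a mail header, so the example validates it as an IP address first, since a value containing CR/LF could otherwise append headers to the outgoing notification.

```php
<?php
// Added example, not code from NukeSentinel or Sentinel.php.
// $banip and $bantime mirror the variable names used in the thread.

define('_AB_BLOCKEDBY', 'Blocked Abuse From');
define('_AB_DATETIME',  'Date & Time');
define('_AB_IPBLOCKED', 'IP Blocked');

/**
 * Build the subject and body of an abuse notification.
 *
 * Returns array('subject' => ..., 'message' => ...), or null when $banip is
 * not a plain IPv4/IPv6 address. The check matters because the value goes
 * into the Subject header: anything carrying "\r\n" could inject headers
 * (an extra Bcc:, for instance) into the mail that gets sent out.
 *
 * $tzname is an IANA zone name (hypothetical parameter); it replaces the
 * hard-coded " EST (GMT-5)" so the stamp follows DST and the real server zone.
 */
function build_abuse_notification($banip, $bantime, $tzname = 'UTC')
{
    if (filter_var($banip, FILTER_VALIDATE_IP) === false) {
        return null;
    }

    // Bob's format: abbreviation plus numeric offset, e.g.
    // "2005-01-26 02:28:19 CST GMT -0600". Using DateTime with an explicit
    // zone keeps the output independent of the SAPI's default timezone.
    $dt = new DateTime('@' . (int) $bantime);
    $dt->setTimezone(new DateTimeZone($tzname));
    $stamp = $dt->format('Y-m-d H:i:s T \G\M\T O');

    $subject = _AB_BLOCKEDBY . ': ' . $banip;
    $message = _AB_DATETIME  . ': ' . $stamp . "\n"
             . _AB_IPBLOCKED . ': ' . $banip . "\n";

    return array('subject' => $subject, 'message' => $message);
}

// Constructed sample input: Bob's timestamp (02:28:19 CST on 2005-01-26)
// as a Unix time, with a documentation-range IP address.
$mail = build_abuse_notification('192.0.2.10', 1106728099, 'America/Chicago');
echo $mail['subject'], "\n", $mail['message'];
// Subject: Blocked Abuse From: 192.0.2.10
// Date & Time: 2005-01-26 02:28:19 CST GMT -0600

// A value that is not a bare IP (here, one smuggling a header) is rejected
// instead of being mailed.
var_dump(build_abuse_notification("192.0.2.10\r\nBcc: someone@example.org", 1106728099));
// NULL
```

In Sentinel.php the returned `subject` and `message` would replace the two assignments shown earlier in the thread; `$tzname` should be set to the server's real zone rather than spliced in as literal text.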
64bitguy
PostPosted: Wed Jan 26, 2005 8:48 am

Cool, yeah, I should have looked that up at PHP.net, but I was being lazy.
Thanks Bob!

I'm running in CGI mode; however, I know there is a way to do a lookup and email in CGI mode, so I'm still working on figuring out where the issue is.
 
BobMarion
PostPosted: Thu Jan 27, 2005 9:11 am

Let me know when you find it as it would be great for those users that have PHP-CGI and want lookups.
 
64bitguy
PostPosted: Thu Jan 27, 2005 9:51 am

Will do, but I won't be working on it until later next week. I started on it last night, but as I've been migrating to 7.6 Platinum in production, I'm finding more problems that need fixing than I can shake a stick at.

I also started revising the NukeSentinel Documentation, but haven't submitted any of the changes yet to 3GeekyGuys, nor have I published anything. I'll probably be uploading all of that next week.

On a side note, is the Santy section going to remain the same in 2.2.0? I'll feel pretty goofy if I write all that up, only to have it taken back out again in 2.2.0. Again, personally, I like it the old way better as Script blocking seems to do its thing in blocking re-attacks and I like getting notifications.... But I'll write it up if it is going to stay the way it is now (in 2.1.3) in 2.2.0. Which means, I'll probably need to write up a FAQ about removing it too...

Anyway, the migration to 7.6 Platinum has certainly been one heck of a task and that's getting most of my attention right now.... I think I have it all nailed down, but .....

Off topic:
Right now my efforts are concentrated on fixing 7.6 related issues of using my own bastardized version of an advertising module with your latest Banner-Ads module for 7.6.

I think I've fixed everything except having one missing table (placements) in Banner-ads called in the index.php. (It doesn't get installed during the run of nsnba.php)

From /modules/Banner_Ads/index.php
Code:
list ($bantype) = $db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_nsnba_placements WHERE pid='".$baninfo['pid']."'"));


sigh.

You can see it all on my site if you want to check it out.
I haven't setup any of the blocks yet, but you can login with demo/demo.

I'll be setting up demo blocks too (something that I think would be a good idea to include with the install, so people can see demo "active" demonstration banners, without actually having them display on the site)....

Anyway, back to work...
Steph
 
BobMarion
PostPosted: Thu Jan 27, 2005 2:42 pm

Quote:
On a side note, is the Santy section going to remain the same in 2.2.0? I'll feel pretty goofy if I write all that up, only to have it taken back out again in 2.2.0. Again, personally, I like it the old way better as Script blocking seems to do its thing in blocking re-attacks and I like getting notifications.... But I'll write it up if it is going to stay the way it is now (in 2.1.3) in 2.2.0. Which means, I'll probably need to write up a FAQ about removing it too...
It has an On/Off switch in 2.2.0. Once I get it stable I'll forward copies to you and the NS Team for them to look over and test. Right now I'm trying to get a hammer protection system worked out.

NSNBA Placements Table:
Code:
DROP TABLE IF EXISTS `nuke_nsnba_placements`;

CREATE TABLE IF NOT EXISTS `nuke_nsnba_placements` (
  `pid` int(11) NOT NULL auto_increment,
  `title` varchar(60) NOT NULL default '',
  `plcdesc` text NOT NULL,
  `imgdis` varchar(200) NOT NULL default 'plc-banner.png',
  `max_height` int(4) NOT NULL default '60',
  `max_width` int(4) NOT NULL default '468',
  `max_size` int(6) NOT NULL default '30720',
  `imgban` varchar(200) NOT NULL default 'ban-banner.png',
  PRIMARY KEY  (`pid`),
  KEY `pid` (`pid`)
) ENGINE=MyISAM; -- the original dump used TYPE=MyISAM, a syntax current MySQL versions reject

--
-- Dumping data for table `nuke_nsnba_placements`
--

INSERT INTO `nuke_nsnba_placements` VALUES (1, 'Header', '', 'plc-banner-1.png', 60, 468, 20480, 'ban-banner-1.png');
INSERT INTO `nuke_nsnba_placements` VALUES (2, 'Footer', '', 'plc-banner-6.png', 60, 468, 20480, 'ban-banner-2.png');
INSERT INTO `nuke_nsnba_placements` VALUES (3, 'Block Left', '', 'plc-banner-3.png', 300, 140, 40960, 'ban-banner-3.png');
INSERT INTO `nuke_nsnba_placements` VALUES (4, 'Block Right', '', 'plc-banner-4.png', 300, 140, 40960, 'ban-banner-4.png');

I can not believe I left that out of the distro Sad
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours