Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel(tm) Bug Reports
Author Message
ring_c
Involved
Involved



Joined: Dec 28, 2003
Posts: 276
Location: Israel

PostPosted: Mon Jun 20, 2005 11:26 pm Reply with quote

I'm running phpnuke 6.7 with Sentinel 2.3, but this happened with 2.2.1 as well.

My site is using Hebrew mostly, i.e. 99% of the messages in the forums are using Hebrew. Hence, most forums' searches are based on Hebrew. The problem is that when clicking a result, the message the user get is:

Code:
Possible Santy Worm Attack!


I know I can disable Santy warnings in Sentinel's control panel, but thought this might be fixed by you somehow in future versions or some patch.

Here's an example of a search result causing that message:

Code:
http://www.hagigim.com/modules.php?name=Forums&file=viewtopic&t=4765&highlight=%E3%E5%F1%E9%E1%E5%FA


You can click that link now safely (is it needed at all?), as I've set off that security alarm, unfortunately.
 
View user's profile Send private message Visit poster's website
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

PostPosted: Tue Jun 21, 2005 12:25 am Reply with quote

If you have access to .htaccess, then don't use the NukeSentinel code. Use this instead
Code:
RewriteEngine on

#Check for Santy Worms and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP                   [NC,OR]
RewriteCond %{REQUEST_URI} ^visualcoders              [NC,OR]
RewriteCond %{QUERY_STRING} rush=([^&]+)              [NC,OR]
RewriteCond %{REQUEST_URI} ^envidiosos                [NC,OR]
RewriteCond %{REQUEST_URI} ^civa                      [NC,OR]
#variant-6 redirect all inner http:// request
RewriteCond %{QUERY_STRING} ^(.*)http://(.*)            [NC,OR]
#variant-7 redirect all inner http request regardless if encoded
RewriteCond %{QUERY_STRING} ^(.*)http%3A%2F%2F(.*)      [NC,OR]
#New one 2-2-2005
RewriteCond %{QUERY_STRING} q=emessenger                 [NC]
RewriteRule ^.*$ http://127.0.0.1 [R,L]


It's the word "highlight" that sets it off.
 
View user's profile Send private message
ring_c







PostPosted: Tue Jun 21, 2005 12:35 am Reply with quote

Raven wrote:
It's the word "highlight" that sets it off.

Oh, thanks!
I have this code in my htaccess

Code:
RewriteEngine on 

#Variant-1 May cause problems with CRON jobs set from cPanel.
RewriteCond %{HTTP_USER_AGENT} ^LWP                     [NC,OR]
#Variant-2 No reported problems.
RewriteCond %{REQUEST_URI} ^visualcoders                [NC,OR]
#Variant-3 No reported problems.
RewriteCond %{QUERY_STRING} rush=([^&]+)                [NC,OR]
#Variant-4 May cause problems with cPanel updates, et cetera.
RewriteCond %{QUERY_STRING} ^(.*)wget(.*)               [NC]
#Redirect - Send worms packing, but NOT to a real web site!
RewriteRule ^.*$ http://www.goawayanddontcomeback.com   [L]


Should I replace it?
 
Raven







PostPosted: Tue Jun 21, 2005 2:09 am Reply with quote

Combine the two.
 
ring_c







PostPosted: Tue Jun 21, 2005 5:09 am Reply with quote

Raven wrote:
Combine the two.

Thanks.

What's the diff. between these 2 ?

Code:
RewriteRule ^.*$ http://127.0.0.1 [R,L]

RewriteRule ^.*$ http://www.goawayanddontcomeback.com   [L]


Have no idea what the [R,L] or [L] repersents...
Which one should I pick?

PS: My htaccess now look like the following, any comment?

Code:
# $Author: zx $ 

# $Date: 2003/08/17 14:03:21 $

# PHP_FLAG output_buffering On

RewriteEngine on
#Check for Santy Worms and redirect them to a fake page
#Variant-1 May cause problems with CRON jobs set from cPanel.
RewriteCond %{HTTP_USER_AGENT} ^LWP                   [NC,OR]
#Variant-2 No reported problems.
RewriteCond %{REQUEST_URI} ^visualcoders              [NC,OR]
#Variant-3 No reported problems.
RewriteCond %{QUERY_STRING} rush=([^&]+)              [NC,OR]
#Variant-4 May cause problems with cPanel updates, et cetera.
RewriteCond %{REQUEST_URI} ^envidiosos                [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)wget(.*)               [NC]
RewriteCond %{REQUEST_URI} ^civa                      [NC,OR]
#variant-6 redirect all inner http:// request
RewriteCond %{QUERY_STRING} ^(.*)http://(.*)            [NC,OR]
#variant-7 redirect all inner http request regardless if encoded
RewriteCond %{QUERY_STRING} ^(.*)http%3A%2F%2F(.*)      [NC,OR]
#Redirect - Send worms packing, but NOT to a real web site!
RewriteCond %{QUERY_STRING} q=emessenger                 [NC]
RewriteRule ^.*$ http://127.0.0.1 [R,L]
# RewriteRule ^.*$ http://www.goawayanddontcomeback.com   [L]

# deny most common except .php
<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module)$">
</FilesMatch>

<Limit GET PUT POST>
  Order Allow,Deny
  deny from 200.
  Allow from all
</Limit>


<Files 403.shtml>
order allow,deny
allow from all
</Files>
 
Raven







PostPosted: Tue Jun 21, 2005 9:07 am Reply with quote

Quote:
What's the diff. between these 2 ?
Code:


RewriteRule ^.*$ http://127.0.0.1 [R,L]
RewriteRule ^.*$ http://www.goawayanddontcomeback.com   [L]

The first one redirects them to their own PC and the second to an html page or a dead end. Chances are they use a program anyway, rather than sitting at their PC, so it's really here nor there.

Quote:
Have no idea what the [R,L] or [L] repersents...
[ Only registered users can see links on this board! Get registered or login! ]
 
Display posts from previous:       
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel(tm) Bug Reports

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©