Ravens PHP Scripts: Forums
ring_c
Involved


Joined: Dec 28, 2003
Posts: 276
Location: Israel

Posted: Sat Jul 30, 2005 2:31 pm

User Agent: Mozilla/4.0
Query String: xxxxxx.com/modules.php?name=Forums&file=viewtopic&t=2813&view=previous&highlight=\'.system(getenv(HTTP_PHP)).\'
Get String: xxxxxx.com/modules.php?name=Forums&file=viewtopic&t=2813&view=previous&highlight=\'.system(getenv(HTTP_PHP)).\'
Post String: xxxxxx.com/modules.php
Forwarded For: none
Client IP: none
Remote Address: 209.67.215.xxx
Remote Port: 51485
Request Method: GET

Any ideas what this is all about?!
 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

Posted: Sat Jul 30, 2005 3:48 pm

Do you have the Santy Worm Protection on in NukeSentinel? If so, try turning it off.
 
ring_c
Posted: Sat Jul 30, 2005 4:03 pm

It's already turned off, as I use Site_Messenger which from time to time is detected as abuse-script as well...

Is the above string malicious?
 
Raven
Posted: Sat Jul 30, 2005 4:54 pm

Please supply this part of the email
Code:
Blocked IP: 64.140.49.*

User ID: Anonymous (1)
Reason: Abuse-Harvest
String Match: turnitinbot
 
ring_c
Posted: Sat Jul 30, 2005 8:38 pm

Here's the whole mail:

Date & Time: 2005-07-30 16:07:20 EDT GMT -0400
Blocked IP: 209.239.47.138
User ID: Anonymous (1)
Reason: Abuse-Script
--------------------
User Agent: Mozilla/4.0
Query String: xxxxxx.com/modules.php?name=Forums&file=viewtopic&t=2813&view=previous&highlight=\'.system(getenv(HTTP_PHP)).\'
Get String: xxxxxx.com/modules.php?name=Forums&file=viewtopic&t=2813&view=previous&highlight=\'.system(getenv(HTTP_PHP)).\'
Post String: xxxxxx.com/modules.php
Forwarded For: none
Client IP: none
Remote Address: 209.239.47.138
Remote Port: 55304
Request Method: GET
 
Raven
Posted: Sat Jul 30, 2005 8:46 pm

It's being flagged because of the single quote marks. That's how JavaScript and other things can be injected.
 
ring_c
Posted: Sun Jul 31, 2005 12:33 am

2 questions:
A. Should the original string I've pasted here be treated as malicious?
B. Re. Site_Messenger - indeed, characters like " ( ) make Sentinel set off the abuse-script alarm. Any way to allow such characters?
 
ring_c
Posted: Wed Aug 03, 2005 4:57 am

Well, no question? Raven?!
 
Raven
Posted: Wed Aug 03, 2005 6:31 am

#1 - Yes, it is malicious
#2 - Even if NukeSentinel was turned off, mainfile.php would flag the same characters.

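A small triage of alerts like the one quoted in this thread, as an added example that is not part of the original posts and is not NukeSentinel's own code: it parses the "Field: value" lines, inspects only the highlight parameter, and reports whether its value carries a quote, a function call, or both. The 192.0.2.x addresses, the msg parameter, the verdict labels and all function names are constructed for illustration, and the nested percent-decoding goes beyond the single case shown in the thread.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed alerts in the "Field: value" layout quoted in the thread.
# [0] reuses the thread's request, [1] is a benign highlight search, [2] puts
# quotes and parentheses in an unrelated, hypothetical "msg" parameter.
BASE = "Query String: xxxxxx.com/modules.php?name=Forums&file=viewtopic&t=2813"
ALERTS = [
    BASE + "&view=previous" + r"&highlight=\'.system(getenv(HTTP_PHP)).\'"
    + "\nRemote Address: 209.239.47.138",
    BASE + "&highlight=sentinel+config\nRemote Address: 192.0.2.10",
    "Query String: xxxxxx.com/modules.php?name=Example&msg=say+%22hi%22+(later)"
    "\nRemote Address: 192.0.2.11",
]

QUOTE = re.compile(r"['\"`]")            # delimiters that can close a string literal
CALL = re.compile(r"[A-Za-z_]\w*\s*\(")  # identifier followed by "(", i.e. a call

def parse_alert(text):
    """Return {field: value} for every 'Field: value' line of an alert body."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding so %27 and %2527 both end up as a quote."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def triage(text, param="highlight"):
    """Classify one alert by inspecting only the named query parameter."""
    fields = parse_alert(text)
    query = fields.get("Query String", "").partition("?")[2]
    findings = set()
    for name, raw in parse_qsl(query, keep_blank_values=True):
        if name == param:
            value = decode_fully(raw)
            if QUOTE.search(value):
                findings.add("quote")
            if CALL.search(value):
                findings.add("call")
    verdict = {0: "clean", 1: "review", 2: "injection-attempt"}[len(findings)]
    return fields.get("Remote Address"), verdict, sorted(findings)
```

Because the check is scoped to one parameter, the third sample stays clean by default; calling `triage(ALERTS[2], param="msg")` shows the same quote reported for review when that parameter is the one inspected.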
 
All times are GMT - 6 Hours
 