Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

Posted: Wed Sep 14, 2005 3:56 pm

Recently (pre-Sentinel, which I have now installed) we were hacked by someone who was able to fake various IP addresses. Here are a couple of examples from the log file:

Quote:
24.194.120.122 - - [26/Aug/2005:07:58:17 -0700] "GET /v-web/portal/cms/modules.php?name=Forums&file=modcp&mode=ip&p=500&t=219&rdns=63.65.68.246 HTTP/1.1" 200 8485 "http://webmhcc.org/v-web/portal/cms/modules.php?name=Forums&file=modcp&mode=ip&p=500&t=219" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"
and
24.194.120.122 - - [26/Aug/2005:08:00:23 -0700] "GET /v-web/portal/cms/modules.php?name=Forums&file=modcp&mode=ip&p=506&t=219&rdns=dsl.dynamic8121572156.ttnet.net.tr HTTP/1.1" 200 8591 "http://webmhcc.org/v-web/portal/cms/modules.php?name=Forums&file=modcp&mode=ip&p=506&t=219&rdns=81.215.72.156" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"


The hacker was able to "impersonate" both my IP (the 24.194.120.122 one) and the 63.65.68.246 IP address. I believe that the 81 address is his real one in Turkey.

Now my question is: I don't see RDNS showing up much in the logs, and where it does I assume that there is a mismatch between what the server looks up and what the client claims to be? If that's true, does Sentinel attempt to deal with this? Or should it? Could there be a check in place so that if an RDNS doesn't resolve, the "right hand side" gets banned?

The 63... address is "owned" by a legitimate organization in our area and several members of our web site try to use it but it's banned and staying that way until I can be assured the hacker doesn't have access. I've offered to share my logs with the Data Processing Department but I'm wondering if anyone has other ideas about how hackers do this or how to proceed.

TIA
 
djdiz-e
Regular
Joined: Dec 19, 2004
Posts: 51
Location: Ontario, Canada

Posted: Wed Sep 14, 2005 6:41 pm

That looks like you were looking up IP info on a user that posted in the forums.


Example: log in to your site as admin/forum admin,
then visit this link and see: [link visible only to registered users of the board]

fkelly
Posted: Thu Sep 15, 2005 9:29 am

My concern is not where they are trying to hack into. My concern is that the hacker is making it appear that one IP is being used where he is really coming from another. I've been sitting here looking at the proxy blocker code and I've even put some echoes in to see the effect, but that's only on my local system and it's hard to simulate what happens on the Net or to put it into production (and only the hacker would see the echoes anyway).

I guess what I'm asking for from the Sentinel experts is what the best way to block this type of attack is. Is there some level of proxy blocker setting that I should be using? Will it filter this attack but not keep out "legitimate" proxies? Could I use a string blocker and block on the string "rdns"? As far as I can see the rdns is only triggered when the real address doesn't match the one the hacker is simulating. Will the proxy blocker compare the "right side" of what's on the rdns with the "claimed" IP and block on a mismatch? I don't see that in the code, but I don't claim to be expert at reading it.

Any help would be appreciated as my hacker keeps trying. I just banned the whole 81.* domain but he uses "proxies" so he keeps coming in from domains I haven't banned and as soon as I see that I ban that too but it's what they call a p.i.t.a.
 
fkelly
Posted: Fri Sep 16, 2005 12:57 pm

When the hack mentioned in the first post happened I had Forums 2.0.7 and no Sentinel. Now I have the latest Sentinel and latest Forums (2.0.17). But, I believe the "hack" can still happen.

The goose chase I was on was the "rdns" in the log string that I printed. One of the options in the older Forums was for a moderator or admin to change the IP address of a post. They would go into Forums/modcp.php to do this with a "case" set to a value of "IP". From reading the results of Google searches, I believe the BB folks may have removed the option to select the value of IP from the Forum screens, but the IP case code is still in modcp.php. So, a hacker could put the value in and change the value of the IP assigned to a post. Well, not quite: I can get into the screen that displays the value of the IPs by "hacking" this code onto the address line, but it doesn't change the address. Perhaps the older Forum versions also let the IP be changed, I don't know.

I'm not sure at this point, just didn't want people to go off searching for the wrong thing. Someone might try on their system to see if, as moderator or God admin, they can get in to display or change the IP addresses on Forum postings and post the results here. At the very least, a hacker shouldn't be able to enter something on the address line that you can't access through the normal Forum programs.

Thanks.
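Editor's added example (not code from the original thread, nor from NukeSentinel or phpBB): the two Apache combined-format log lines quoted in the first post, parsed field by field so that the connecting client (Apache's %h, the TCP peer) is kept apart from the rdns value that only rides in the query string of the modcp.php mode=ip request described in the post above. It also sketches the forward-confirmed reverse DNS check asked about in the first post; the resolver calls are injected and the IP-to-hostname table is constructed for the example (the only pair taken from the page is 81.215.72.156 and dsl.dynamic8121572156.ttnet.net.tr, and even that correspondence is assumed), so it runs offline.

```python
"""Added example: split Apache 'combined' log lines into peer address vs. URL contents,
and check forward-confirmed reverse DNS with injected resolvers."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed copies of the two log lines quoted in the first post of the thread.
LOG_LINES = [
    '24.194.120.122 - - [26/Aug/2005:07:58:17 -0700] "GET /v-web/portal/cms/modules.php'
    '?name=Forums&file=modcp&mode=ip&p=500&t=219&rdns=63.65.68.246 HTTP/1.1" 200 8485 '
    '"http://webmhcc.org/v-web/portal/cms/modules.php?name=Forums&file=modcp&mode=ip&p=500&t=219" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"',
    '24.194.120.122 - - [26/Aug/2005:08:00:23 -0700] "GET /v-web/portal/cms/modules.php'
    '?name=Forums&file=modcp&mode=ip&p=506&t=219&rdns=dsl.dynamic8121572156.ttnet.net.tr HTTP/1.1" 200 8591 '
    '"http://webmhcc.org/v-web/portal/cms/modules.php?name=Forums&file=modcp&mode=ip&p=506&t=219&rdns=81.215.72.156" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"',
]

# Apache LogFormat "combined": %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def query_params(url_or_target):
    """Flatten the query string of a URL or request-target into a dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url_or_target).query).items()}


def parse_combined(line):
    """Return the log fields plus the query parameters of the request and of the Referer."""
    m = COMBINED_RE.match(line)
    if not m:
        raise ValueError("not an Apache combined log line: %r" % line[:40])
    rec = m.groupdict()
    rec["params"] = query_params(rec["target"])
    rec["referer_params"] = query_params(rec["referer"]) if rec["referer"] != "-" else {}
    return rec


def classify(value):
    """'ip' for an address literal, 'hostname' otherwise; rdns carries both kinds in the thread."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "hostname"


def summarize(lines):
    """One row per line: who connected (the peer) versus what the URL said (mode, rdns)."""
    rows = []
    for rec in map(parse_combined, lines):
        rdns = rec["params"].get("rdns")
        rows.append({
            "client": rec["client"],                 # TCP peer Apache answered, not a URL field
            "mode": rec["params"].get("mode"),       # modcp.php mode requested
            "rdns": rdns,                            # value typed/linked in the address line
            "rdns_kind": classify(rdns) if rdns is not None else None,
            "referer_rdns": rec["referer_params"].get("rdns"),  # previous step in the click chain
        })
    return rows


def fcrdns_ok(ip, reverse_lookup, forward_lookup):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the same address.
    In production pass socket.gethostbyaddr-style and socket.gethostbyname_ex-style callables;
    here they are injected so the check can be exercised offline."""
    try:
        name = reverse_lookup(ip)
        return ip in forward_lookup(name)
    except OSError:          # no PTR, NXDOMAIN, timeout: treat as unconfirmed
        return False


# Constructed stand-ins for DNS (assumed data, not resolved from the real network).
FAKE_PTR = {"81.215.72.156": "dsl.dynamic8121572156.ttnet.net.tr", "203.0.113.5": "host.example.net"}
FAKE_A = {"dsl.dynamic8121572156.ttnet.net.tr": ["81.215.72.156"], "host.example.net": ["198.51.100.9"]}


def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise OSError("no PTR record")
    return FAKE_PTR[ip]


def fake_forward(name):
    if name not in FAKE_A:
        raise OSError("NXDOMAIN")
    return FAKE_A[name]


if __name__ == "__main__":
    for row in summarize(LOG_LINES):
        print(row)
    for ip in ("81.215.72.156", "203.0.113.5", "24.194.120.122"):
        print(ip, "FCrDNS confirmed" if fcrdns_ok(ip, fake_reverse, fake_forward) else "FCrDNS not confirmed")
```

Both rows come out with the same client, 24.194.120.122, and mode=ip; rdns is just a query parameter (an IP literal in the first line, a hostname in the second), and the second line's Referer still carries rdns=81.215.72.156, i.e. the previous lookup in the same click chain. The FCrDNS helper returns False for an address with no PTR and for a PTR whose forward lookup points elsewhere, which is the behaviour you would want before banning on "the right hand side".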
 
BobMarion
Former Admin in Good Standing
Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)

Posted: Tue Sep 20, 2005 9:02 am

I will test the query string on a couple of sites and see if there needs to be an addition to NukeSentinel(tm) for it.

_________________
Bob Marion
Codito Ergo Sum
All times are GMT - 6 Hours