Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.4.x
Author Message
ons
New Member
New Member


Joined: Jul 16, 2006
Posts: 6

PostPosted: Mon Jul 24, 2006 2:01 pm Reply with quote

Hi there, I am in the process of updating and maintaining a small community website running RavenNuke76 v2.02.02 - Version 2.4.2pl5 of Sentinel.
Today I was looking through the sentinal logs I noticed 5 hits from turkey and they were each a diffrent UNION SELECT hack attempt - The details are as follows:

  • 88.224.75.139 (tr) Turkey 2006-07-24 @ 12:22:10 1
  • 81.213.163.113 (tr) Turkey 2006-07-18 @ 23:39:14 2
  • 81.213.68.249 (tr) Turkey 2006-07-24 @ 03:15:12 1
  • 85.107.32.221 (tr) Turkey 2006-07-24 @ 08:59:53 3
  • 85.106.180.86 (tr) Turkey 2006-07-24 @ 14:03:41 3


The hack attempts are as follows:

  • /modules.php?query=p0hh0nsee%\') UNION ALL SELECT 1,2,aid,pwd,5,6,7,8,9,10 FROM nuke_authors/* 2006-07-24 @ 12:22:10
  • /modules.php?query=p0hh0nsee%\') UNION ALL SELECT 1,2,aid,pwd,5,6,7,8,9,10 FROM nuke_authors/* 2006-07-18 @ 23:39:14
  • /modules.php?query=p0hh0nsee%\') UNION ALL SELECT 1,2,aid,pwd,5,6,7,8,9,10 FROM nuke_authors/* 2006-07-18 @ 23:36:55
  • /modules.php?query=p0hh0nsee%\') UNION ALL SELECT 1,2,aid,pwd,5,6,7,8,9,10 FROM nuke_authors/* 2006-07-24 @ 03:15:12
  • /modules.php?query=s%\')/**/UNION/**/SELECT/**/0,aid,0,pwd,0,0,0,0,0,0/**/FROM/**/nuke_authors/*&topic=&category=0&author=&days=0&type=stories 2006-07-24 @ 08:59:52
  • /modules.php?query=s%\')/**/UNION/**/SELECT/**/0,aid,0,pwd,0,0,0,0,0,0/**/FROM/**/nuke_authors/*&topic=&category=0&author=&days=0&type=stories 2006-07-24 @ 14:03:41


My problem is no hack attempt was reported - no email recieved - no blocked IP added to the .htaccess file.

I attempted to visit /modules.php?query=s%\')/**/UNION/**/SELECT/**/0,aid,0,pwd,0,0,0,0,0,0/**/FROM/**/nuke_authors/*&topic=&category=0&author=&days=0&type=stories and it did indeed detect a hack attempt and fire off an email and attempt a ban - however I was logged on as an admin so it was ignored as expected.

Could someone advise on why no hack attempt was specified here please?

On another note - Where could I find updated versions of NukeSentinel? - I believe 2.4.2pl5 is a bit out of date?

Thanks very much.
 
View user's profile Send private message
fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

PostPosted: Mon Jul 24, 2006 2:32 pm Reply with quote

I've tried to replicate the hacks on two systems (one test, one production) that I run. I don't get anywhere with them, one generates a 406 not acceptable and another can't find a module with the name in the hack. So they don't get as far as Sentinel. Do you have any evidence that the hacks worked on your site?

The latest Sentinel is on Nukescripts.net. It's 2.5.0 or something like that.
 
View user's profile Send private message Visit poster's website
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Mon Jul 24, 2006 2:34 pm Reply with quote

What was the result of that attempt? If it's already blocked at the server level (i.e. in htaccess, it won't trigger another message, but you will see a different result code.

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
ons
PostPosted: Mon Jul 24, 2006 2:50 pm Reply with quote

The result of My attempt with the /modules.php?query=s%\')/**/UNION/**/SELECT/**/0,aid,0,pwd,0,0,0,0,0,0/**/FROM/**/nuke_authors/*&topic=&category=0&author=&days=0&type=stories was a redirection to the You have been blocked from entering this site. You have attempted a Union attack on this site page - An email was sent to me however as I am logged on as an admin no block was added.

I did the same from a proxy and same page / email and deny from <ip> was added to the .htaccess folder - then access was no longer possible.

The script seems to be working with well when I test it - however it was just those 5 attacks that made me think something is wrong..

I then attempted the [/modules.php?query=p0hh0nsee%\') UNION ALL SELECT 1,2,aid,pwd,5,6,7,8,9,10 FROM nuke_authors/*][/i] and was given the same hack detected message.

I may attempt to upgrade to 2.5.0 & possibly ban turkey from accessing the website..
 
Display posts from previous:       
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.4.x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©