Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™
Author Message
dssripper
Regular
Regular


Joined: Feb 16, 2004
Posts: 69

PostPosted: Sun Jan 07, 2007 7:49 am Reply with quote

I get a lot of notifications of ip addresses being blocked from my site,
but they are all from the same page.
Code:
Date & Time: 2007-01-07 02:42:14 MST GMT -0700

Blocked IP: 61.78.216.213
User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Query String: larrythecomputerguy.net/modules.php?somlistbox=HTTP://www.larrythecomputerguy.net/modules.php?name=Content&pa=showpage&pid=8
Get String: larrythecomputerguy.net/modules.php?somlistbox=HTTP://www.larrythecomputerguy.net/modules.php?name=Content&pa=showpage&pid=8
Forwarded For: none
Client IP: none
Remote Address: 61.78.216.213
Remote Port: 3692
Request Method: GET


Every notification refers to the same link.
Any ideas?

Thanks!

Larry
 
View user's profile Send private message
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

PostPosted: Sun Jan 07, 2007 1:57 pm Reply with quote

where does the "modules.php?somlistbox" comes from?
 
View user's profile Send private message
jakec
Site Admin


Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom

PostPosted: Sun Jan 07, 2007 3:02 pm Reply with quote

Hi Hitwalker, I had a look at his site and I thought it might be coming from the Sommaire menu block, but I can't see any links which match that.
Although there is a list box under 'linux tips' in the Sommaire block which points to the content mentioned above, but it seems to work fine and I don't get blocked. Confused

This probably doesn't help much, but I thought I would post my thoughts.
 
View user's profile Send private message
hitwalker
PostPosted: Sun Jan 07, 2007 3:05 pm Reply with quote

hi jakec,indeed i saw that and tried a few things but i dont get blocked ...
nothing happens...
 
dssripper
PostPosted: Tue Jan 09, 2007 5:11 am Reply with quote

Thanks hitwalker and jakec for looking.

I am still getting a lot of blocked ip addresses from that same page.
Anymore thoughts?
Thanks again for any input!
 
hitwalker
PostPosted: Tue Jan 09, 2007 5:42 am Reply with quote

but what ip's are blocked ?
from members or "just" ip's ?
 
dssripper
PostPosted: Sat Jan 13, 2007 7:00 pm Reply with quote

no members...just ip's in general
 
hitwalker
PostPosted: Sat Jan 13, 2007 7:22 pm Reply with quote

just check where the ip's come from...
 
Misha
Worker
Worker


Joined: Jul 30, 2006
Posts: 203
Location: McLean, VA

PostPosted: Mon Jan 29, 2007 2:39 am Reply with quote

Hit, like your new title. So, you sold all children and now have no need for family LOL

Anyway, I got similar block:
Code:
Date & Time: 2007-01-27 23:57:11 MST GMT -0700

Blocked IP: 141.155.212.*
User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
User Agent: Opera/8.52 (Windows NT 5.1; U; en)
Query String:
funandsafedriving.com/modules.php?name=Amazon&asin=http://www.intel.com?&NSNST_Flood=5c3ec1f32bb97df4756b8d42bbf54bf1
Get String:
funandsafedriving.com/modules.php?name=Amazon&asin=http://www.intel.com?&NSNST_Flood=5c3ec1f32bb97df4756b8d42bbf54bf1
Post String: funandsafedriving.com/modules.php
Forwarded For: none
Client IP: none
Remote Address: 141.155.212.210
Remote Port: 3638
Request Method: GET
--------------------
Who-Is for IP
OrgName:    Verizon Internet Services Inc.
OrgID:      VRIS
Address:    1880 Campus Commons Dr
City:       Reston
StateProv:  VA
PostalCode: 20191
Country:    US

NetRange:   141.149.0.0 - 141.158.255.255
CIDR:       141.149.0.0/16, 141.150.0.0/15, 141.152.0.0/14,
141.156.0.0/15, 141.158.0.0/16
NetName:    VIS-141-149
NetHandle:  NET-141-149-0-0-1
Parent:     NET-141-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.BELLATLANTIC.NET
NameServer: NS2.BELLATLANTIC.NET
NameServer: NS2.VERIZON.NET
NameServer: NS4.VERIZON.NET
Comment:    Please send all abuse reports to Only registered users can see links on this board! Get registered or login!.
Comment:    DO NOT send e-mail to Only registered users can see links on this board! Get registered or login! as it will not
be answered.
RegDate:   
Updated:    2006-06-01

OrgAbuseHandle: VISAB-ARIN
OrgAbuseName:   VIS Abuse
OrgAbusePhone:  +1-214-513-6711
OrgAbuseEmail:  Only registered users can see links on this board! Get registered or login!

OrgTechHandle: ZV20-ARIN
OrgTechName:   Verizon Internet Services
OrgTechPhone:  +1-703-295-4583
OrgTechEmail:  Only registered users can see links on this board! Get registered or login!


and kinda wondering what the hell filter abuse is? Any enlightening info on this, please?

_________________
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Tao_Man
Involved
Involved


Joined: Jul 15, 2004
Posts: 252
Location: OKC, OK

PostPosted: Mon Jan 29, 2007 12:08 pm Reply with quote

from the Nuke Sentinel manual
FILTER Blocker: Prevents primarily "XSS" type attacks.
xss= cross site scripting

If I understand this right a hacker tries to get a link posted to your site that points to another site that has the actual hacker script. so the link is "clean" no code in it but the link if followed is bad.

BTW I have had the same IP and same attack on my site this weekend, I guess they are testing using Intel.com as it is a "safe" site and if they get that through would come back and post another link

_________________
------------------------------------------
To strive, to seek, to find, but not to yield!
I don't know Kara-te but I do know cra-zy, and I WILL use it! 
View user's profile Send private message Visit poster's website
hitwalker
PostPosted: Mon Jan 29, 2007 1:13 pm Reply with quote

this explains it ....
Only registered users can see links on this board! Get registered or login!
 
Misha
PostPosted: Mon Jan 29, 2007 2:13 pm Reply with quote

Thanks guys. As always feel stupid for asking when question is answered Sad

However a follow-up question. Sentinel blocked the range of addresses, while abuse has been done from one of them. Considering this is ISP provider pool (verizon is the biggest phone company in US), would it be better for me to modify the block to block only this specific address?
 
Tao_Man
PostPosted: Mon Jan 29, 2007 2:21 pm Reply with quote

Misha wrote:
Thanks guys. As always feel stupid for asking when question is answered Sad

However a follow-up question. Sentinel blocked the range of addresses, while abuse has been done from one of them. Considering this is ISP provider pool (verizon is the biggest phone company in US), would it be better for me to modify the block to block only this specific address?


Well that is more a mater for you to decide, In practice most IP are dynamic and a hacker wil have more then one ip address over time, but they will tend to be from the same "pool". If you just block the IP then the hack tries again, over time you end up with most of the IP's blocked anyway. Now he may have a more or less static Ip and in that case just blocking the IP is fine and doen't block other users.

I have very few users so I feel ok in more or less broad rages of blocking IP address as the chances a valid user is close to that IP address is almost nill.
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6793
Location: Ha Noi, Viet Nam

PostPosted: Mon Jan 29, 2007 8:07 pm Reply with quote

Misha - yes that was a cross site scripting attack, I had one yesterday frm the same IP.

dssripper - I still have not figured out what caused the block to occur. There doesnt seem to be anything that would cause it. However, have you tried changing the link in the Sommaire menu to use a relative link e.g. modules.php?xxx rathe than HTTPxxxx
 
View user's profile Send private message Send e-mail
Misha
PostPosted: Mon Jan 29, 2007 9:14 pm Reply with quote

Thanks guys Smile
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©