Ravens PHP Scripts: Forums
izone
Involved
Joined: Sep 07, 2004
Posts: 354
Location: Sweden

Posted: Wed Mar 09, 2005 11:41 am

Since yesterday I have had many visitors (probably spiders/bots) on my site at the same time, which is causing the site to be unavailable, and the server is getting HOT.

I don't know if there is a virus or anything else doing this. But today, a few minutes ago, I had nearly 201 guests on my site!!!!

Could anyone PLEASE tell me what is going on or what shall I do to get rid of this?

I write down a list of them here so maybe you can see where they are from.

Best Regards.

hitwalker
Sells PC To Pay For Divorce
Posts: 5661

Posted: Wed Mar 09, 2005 2:17 pm

oh that was an attack....nothing spectacular...
just install sentinel...and set dos function on.
 
izone

Posted: Wed Mar 09, 2005 2:20 pm

Thank you.

But I already have Sentinel installed and the DoS function is on.

What more shall I do?
 
DaveTomneyUK
Hangin' Around
Joined: Sep 27, 2003
Posts: 49

Posted: Wed Mar 09, 2005 2:21 pm

You could limit the guests so only up to 20 can visit at a time. I am sure someone called Austin made a program like this. http://brandis-realm.com/downloads.php?mode=download&cid=27&lid=251 or use Sentinel DDoS protection.

izone

Posted: Wed Mar 09, 2005 3:58 pm

ok thanks. After a long registration I have downloaded this file. Where do I have to put it now?

I use Nuke 7.5. Does it work with this version and with Sentinel installed?
 
izone

Posted: Wed Mar 09, 2005 4:02 pm

Oh sorry. I guess I am very tired now. It is a Block.

I've installed it; let's see if it works well.

thanks again.
 
DaveTomneyUK

Posted: Wed Mar 09, 2005 5:40 pm

It should work if you set the guests in the block; it will only allow the stated guests. It's best set at 20.
 
jaded
Theme Guru
Joined: Nov 01, 2003
Posts: 1006

Posted: Wed Mar 09, 2005 9:24 pm

That block has never worked for anyone that I know who tried it against a SYN attack. Perhaps it will work for you. The best defense is a good server firewall along with something like Snort. Have you spoken to your host about this issue?

izone

Posted: Thu Mar 10, 2005 10:01 am

jaded wrote:
That block has never worked for anyone that I know who tried it against a SYN attack. Perhaps it will work for you. The best defense is a good server firewall along with something like Snort. Have you spoken to your host about this issue?


Yes I have. Actually they wrote to me about 3 days ago after closing my site for a day.

I don't know if this block will help, but it seems to be getting better now. I am going now to tell my host about a firewall and see what they can do for me.

Thanks a lot everybody for being so helpful to me.


Last edited by izone on Thu Mar 17, 2005 3:20 am; edited 1 time in total 
DaveTomneyUK

Posted: Thu Mar 10, 2005 10:55 am

If your host is a good host they should have a good Network Firewall as well as a Hardware Firewall, with a decent OS like Linux or Unix. :)
 
izone

Posted: Thu Mar 17, 2005 3:17 am

Jaded was right. This block doesn't work. Yesterday I had these attacks again and they caused a server crash. Now my site is down again and I don't know what else to do.

Please help me out of this crazy situation. PLEASE!

Best Regards.
 
hitwalker

Posted: Thu Mar 17, 2005 5:02 am

It makes me wonder how anyone can even think a block helps..
And izone... I don't know what kind of site you have, but realise that it can be the reason for attacks.
 
izone

Posted: Thu Mar 17, 2005 7:42 am

hitwalker, it is a site about history, culture and traditions in Iran, made with PhpNuke 7.5.

I don't know why just my site is attacked. Maybe misfortune!

I've spoken with my host and they installed a minor firewall against DoS attacks today. The attack was against my site and another one on this host.

But shouldn't Sentinel have a blocking system against DoS? I've activated all of the options in Sentinel but it does not seem to be helping me in this matter. But it is defending my site (and surely many others) very well against other crazy attacks.

If you know some better way of blocking DoS, by me or by my host, please let me know.

And thanks again for helping me hitwalker.
 
hitwalker

Posted: Thu Mar 17, 2005 8:11 am

hi izone

Who knows why they attack a site...
Before I had Sentinel installed I had an attack of more than 800 fake visitors online..!
Does Sentinel protect against a DoS attack?
I think so, but I'm not sure because it never happened...
Realise that these types of security are mostly created at the author's home, and attacks are simulated.

Before Sentinel I used Protector; that worked but didn't do the job it was supposed to.

And why you?
Man, people do it because you're foreign, and do it to me because it's me...
The best thing if it happens again is to turn your site offline for 15 or 20 minutes; after that, connections start to drop and you can get online again...

You can also contact Bob Marion (author) and ask what the best configuration would be in your case.
Post it here in the Sentinel forum...
 
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088

Posted: Thu Mar 17, 2005 8:30 am

Izone,

Yes, NukeSentinel has a 'soft' dDos switch, meaning it can block attempts by the SAME IP to hammer your SITE. A true/real dDos attack does not attack a site - it attacks your SERVER, for which you need heavy duty firewall type prevention. This has to come at the server/host level, not a web site level. If you do not have a host that offers that kind of protection then you need to look for one.
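
The distinction Raven draws above, as an added example that is not part of the original thread and is not NukeSentinel's code: a per-IP sliding-window limiter (a stand-in for any site-level "same IP" check) replayed over two constructed traffic patterns. The class and function names, the thresholds and the RFC 5737 documentation addresses are all assumptions made for the illustration.

```python
from collections import defaultdict, deque


class PerIpLimiter:
    """Hypothetical site-level check: ban an IP that exceeds
    max_requests inside a sliding window of window_ms milliseconds."""

    def __init__(self, max_requests, window_ms):
        self.max_requests = max_requests
        self.window_ms = window_ms
        self.hits = defaultdict(deque)   # ip -> timestamps still in window
        self.banned = set()

    def allow(self, ip, now_ms):
        if ip in self.banned:
            return False
        q = self.hits[ip]
        while q and now_ms - q[0] >= self.window_ms:
            q.popleft()                  # drop hits older than the window
        q.append(now_ms)
        if len(q) > self.max_requests:
            self.banned.add(ip)          # same IP hammering: ban it
            return False
        return True


def replay(requests, max_requests=10, window_ms=5000):
    """Replay (timestamp_ms, ip) pairs; return (served, refused, banned)."""
    limiter = PerIpLimiter(max_requests, window_ms)
    served = refused = 0
    for ts, ip in sorted(requests):
        if limiter.allow(ip, ts):
            served += 1
        else:
            refused += 1
    return served, refused, limiter.banned


def peak_per_second(requests):
    """Highest number of requests arriving in any one-second bucket."""
    buckets = defaultdict(int)
    for ts, _ in requests:
        buckets[ts // 1000] += 1
    return max(buckets.values())


def single_source(n=200):
    # Constructed: one address sends a request every 10 ms.
    return [(i * 10, "192.0.2.10") for i in range(n)]


def distributed(sources=200, per_source=3):
    # Constructed: 200 addresses, each sending only 3 requests 500 ms apart.
    return [(k * 500 + s, f"198.51.100.{s}")
            for s in range(sources) for k in range(per_source)]


if __name__ == "__main__":
    for name, traffic in (("single", single_source()), ("distributed", distributed())):
        served, refused, banned = replay(traffic)
        print(name, "peak/s:", peak_per_second(traffic),
              "served:", served, "refused:", refused, "banned:", len(banned))
```

The distributed pattern delivers four times the peak load of the single hammering address, yet the limiter bans nobody, which is why the filtering has to happen in front of the web server rather than inside the site.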
 
izone

Posted: Thu Mar 17, 2005 8:41 am

Thanks very much both of you.

Now I better understand the reason and the solution. My host does not seem to know the best way to protect the server!!!

I am waiting for a reply from my host to see what they can do about this.

thanks again.
 
hitwalker

Posted: Thu Mar 17, 2005 8:58 am

Well, you cannot completely protect yourself against DDoS attacks.
And the attacks of those kiddies are probably only against your host..
As for your host... just suggest that they install packetalarm.
That detects, blocks, and reports attacks.. but 100%?
 
___jay___
New Member
Joined: Feb 09, 2007
Posts: 19

Posted: Sun Apr 08, 2007 2:22 pm

Hello, I'm looking for a way to have Protector ban an IP off the site permanently when a hammer attack is detected. Is there a way I can set Protector to ban their IP when they get banned for hammering? That way I can release the IP if I choose. I do have Sentinel installed as well. Any ideas?
 
gregexp
The Mouse Is Extension Of Arm
Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol

Posted: Sun Apr 08, 2007 4:00 pm

Sentinel can be told to ban the IPs permanently. Also, making sure you have the ability to write to .htaccess will be most beneficial.

As much as Sentinel (Protector is outdated and unsupported) protects the site, if it doesn't write to .htaccess, then you lose a LOT of the protection Sentinel offers.

_________________
For those who stand shall NEVER fall and those who fall shall RISE once more!! 
___jay___

Posted: Sun Apr 08, 2007 9:29 pm

I understand fully. I do have Sentinel 2.5.07. I have .htaccess, ftaccess and .staccess all configured. I have admin set up with CGIAuth Setup. Sentinel does not offer hammer protection. And if it does, it sucks. I need Protector to ban the way Sentinel does, so when my site is getting hammered it will simply block the IP for good until I release it.
I kind of figured that I would get the Sentinel vs. Protector lecture, but nonetheless I would still like to be able to manipulate it. Protector does a nice job of catching the kind of attack I'm addressing.
Unless I'm overlooking something, my goal is to stop mass proxy attacks sent to the site on 2000 sockets. I can pass protect the index.php, but pass protecting other folders can be a bother to my users.
 
Raven

Posted: Sun Apr 08, 2007 10:40 pm

You are overlooking something. NS offers banning by IP, IP range, and 3 different levels of proxy control. In addition it has a dos setting too. I don't know how much you know about dos and ddos attacks so please don't be offended by the following statements :)

There is absolutely no software that will stop a dos/ddos attack if it is written correctly. I could (but I won't) give you a 1 or 2 line PHP program that will lock up your server in a matter of seconds (dos attack). But even if your attacks aren't that code effective, but are more just ddos, and if the attacker(s) have written the dos/ddos with any care at all, the IP will be forged anyway so banning IP's will have no effect at all.

I'll stop the lecture here :). Suffice it to say, it matters not whether you use product A or B. But just for your edification, NS will protect as good as (actually better than) Protector, if for no other reason (and there are many) it is continually developed and tuned. This isn't about a lecture on one or the other. It is a statement of fact.

BTW, coming to the site of one of the developers of NS and bad mouthing it seems counter-productive, wouldn't you agree? ;)
 
___jay___

Posted: Sun Apr 08, 2007 10:53 pm

I see, and I believe you. I know you’re the man at this stuff; that’s why I chose your nuke version. All I'm saying is I own one of these said programs for testing purposes. When I have hammer protection turned on, with setting adjustments, Protector will catch my IP for hammering when running a proxy attack. That being said, if it's seeing my IP and doing a temporary ban, it is seeing me as an attacker on my site. If I were to get a forbidden page this would be more deterring. Keep in mind the level of people doing this attack on my site will probably not take the time to choose proxies carefully. But I think you know what I'm after by saying you can give me 1 or 2 lines to lock up the server. Anyway, thanks. Your time and knowledge is always greatly appreciated. I'll continue my search in hopes of an answer.

Maybe Snort??

My intentions are to simply resolve the issue and I do not mean to offend anyone.
 
plague69
New Member
Joined: Apr 09, 2007
Posts: 1

Posted: Sun Apr 08, 2007 11:13 pm

I know damage-inc has theirs set up well, to where if they get hit it auto-bans off the site. I know he uses a few lines of code to add in. Maybe someone could help you find those few lines of code; I mean, this is a script site and maybe someone would be willing to help.
 
Raven

Posted: Mon Apr 09, 2007 1:12 am

Guys, I want to help, really I do. Do you just want to ban all proxies?

To activate the Flood Blocker, select Flood Blocker settings from the NS Admin Menu. You will want to write to .htaccess as well as permanently block at least 2 octets.

Then, on the Main NukeSentinel(tm) admin page you will want to set the
Page Delay
Flood Delay
Block Proxies
Dos Protection.
 
Doulos
Life Cycles Becoming CPU Cycles
Joined: Jun 06, 2005
Posts: 732

Posted: Mon Apr 09, 2007 11:14 am

Banning all proxies puts extreme limits on who can view your site. I was getting hit by a couple of banned members who were using proxies from all over the world. I did ban all proxies for a few days, but was getting multiple emails daily from legitimate visitors who use AOL to access the internet. As soon as I lowered the proxy blocking level these people could get on again. As a result, so could the scumbags who began the same kind of mischief - mostly, using some kind of bot to register fake members. What I finally did, as a compromise, was just start blocking the whole range of IP's that proxy came from. Not the best solution but one we decided we could live with. The problems have since dwindled down to only one fake member registration every couple months.
 