Ravens PHP Scripts: Forums
 

 

Tazz
New Member


Joined: Mar 18, 2004
Posts: 10

PostPosted: Fri Jun 23, 2006 11:05 am Reply with quote

Running Nuke 7.6 - 7.8 on various sites and have Sentinel on all of them updated to pl9.

This morning someone attempted to hack one of the sites, below is the info.

Quote:

Date & Time: 2006-06-23 05:48:15 PDT GMT -0700
Blocked IP: 1.0 servidor.primatec:3128 (squid/2.5
User ID: Anonymous (1)
Reason: Abuse-Union
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Query String: XXX.XXXXXX.com/modules.php?name=Downloads&ampd_op=viewsdownload&a mpsid=-1/**/UNION/**/SELECT/**/0,0,aid,pwd,0,0,0,0,0,0,0,0/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/*
Get String: XXX.XXXXXX.com/modules.php?name=Downloads&ampd_op=viewsdownload&a_mpsid=-1/**/UNION/**/SELECT/**/0,0,aid,pwd,0,0,0,0,0,0,0,0/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/*
Post String: XXX.XXXXXX.com/modules.php
Forwarded For: XXX.XXX.X.XX
Client IP: 1.0 servidor.primatec:3128 (squid/2.5.STABLE11)
Remote Address: 201.21.216.142
Remote Port: 53704
Request Method: GET
--------------------
Unable to query WhoIs information for 1.0 servidor.primatec:3128 (squid/2.5.STABLE11).



Which everything looks as if the user was blocked like normal, when the block was written to the .htaccess it caused an internal server error, causing the site not to load.

Quote:

deny from 1.0 servidor.primatec:3128 (squid/2.5


My question is, is there any way to keep this from happening?
 
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

PostPosted: Fri Jun 23, 2006 1:04 pm Reply with quote

Well, what I could find as extra info is that it's a server, probably from Brazilian developers. I could be wrong but that's what I could find...
 
Tazz
PostPosted: Fri Jun 23, 2006 5:37 pm Reply with quote

Quote:

--------------------
User Agent: Combine/3
Query String: xxx.xxxxxx.com/index.php?none
Get String: xxx.xxxxxx.com/index.php
Post String: xxx.xxxxxx.com/index.php
Forwarded For: xxx.x.xxx.xx
Client IP: 1.1 u1-gw-v1.k-net.ro:6665 (squid/2.5.STABLE10)
Remote Address: 86.55.12.98
Remote Port: 48199
Request Method: GET
--------------------
Unable to query WhoIs information for 1.1 u1-gw-v1.k-net.ro:6665 (squid/2.5.STABLE10).


Well the second one today, same result, once it writes to the .htaccess file the site is down for internal server errors. I remove the line it added and all is fine.
 
hitwalker
PostPosted: Fri Jun 23, 2006 5:44 pm Reply with quote

OK, I did some digging and I'm positive that these are proxy servers...
but why it puts the name in it instead of the IP I don't know...
for now set your proxy settings in Sentinel on... as in not allowed...
see if that helps..
 
BobMarion
Former Admin in Good Standing


Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)

PostPosted: Sat Jun 24, 2006 2:36 pm Reply with quote

Looks like I need to add some code to make sure the IP is numeric and not alphanumeric. These are anonymizing proxies that are passing the string in place of the IP.

_________________
Bob Marion
Codito Ergo Sum
hitwalker
PostPosted: Sat Jun 24, 2006 3:32 pm Reply with quote

very good idea bob....
 
BobMarion
PostPosted: Sat Jun 24, 2006 3:43 pm Reply with quote

Depending on your version of NukeSentinel(tm) add the following:
Code:
// Reset any address value that is not, as a whole string, a dotted quad.
// preg_match() replaces ereg(), which was removed in PHP 7; ^ and \z anchor the
// match so text that merely contains an address is also reset.
$nsnst_quad = '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\z/'; // helper variable added here
if(!preg_match($nsnst_quad, $nsnst_const['client_ip'])) { $nsnst_const['client_ip'] = "none"; }
if(!preg_match($nsnst_quad, $nsnst_const['forward_ip'])) { $nsnst_const['forward_ip'] = "none"; }
if(!preg_match($nsnst_quad, $nsnst_const['remote_ip'])) { $nsnst_const['remote_ip'] = "none"; }
if(!preg_match($nsnst_quad, $nsnst_const['remote_addr'])) { $nsnst_const['remote_addr'] = "none"; }


just after:
Code:
// Load constant vars

$nsnst_const['server_ip'] = get_server_ip();
$nsnst_const['client_ip'] = get_client_ip();
$nsnst_const['forward_ip'] = get_x_forwarded();
$nsnst_const['remote_addr'] = get_remote_addr();
$nsnst_const['remote_ip'] = get_ip();
$nsnst_const['remote_long'] = sprintf("%u", ip2long($nsnst_const['remote_ip']));
$nsnst_const['remote_port'] = get_remote_port();
$nsnst_const['request_method'] = get_request_method();
$nsnst_const['script_name'] = get_script_name();
$nsnst_const['http_host'] = get_http_host();
$nsnst_const['query_string'] = st_clean_string(get_query_string());
$nsnst_const['get_string'] = st_clean_string(get_get_string());
$nsnst_const['post_string'] = st_clean_string(get_post_string());
$nsnst_const['query_string_base64'] = st_clean_string(base64_decode($nsnst_const['query_string']));
$nsnst_const['get_string_base64'] = st_clean_string(base64_decode($nsnst_const['get_string']));
$nsnst_const['post_string_base64'] = st_clean_string(base64_decode($nsnst_const['post_string']));
$nsnst_const['user_agent'] = get_user_agent();
$nsnst_const['referer'] = get_referer();
$nsnst_const['ban_time'] = time();
$nsnst_const['ban_ip'] = "";


This should cause NS to display the "Invalid IP" message.
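
The check discussed in this thread, as an added example that is not NukeSentinel's code and not from any poster here: a value is turned into a `deny from` line only when the whole string is a valid IPv4 address, so a proxy banner never reaches .htaccess. The function names `strict_ipv4()`, `pick_block_ip()` and `deny_line()` are hypothetical, the sample inputs are constructed, and PHP 7.1 or later is assumed.

```php
<?php
// Added example; strict_ipv4(), pick_block_ip() and deny_line() are hypothetical
// names, not NukeSentinel functions.

// Return the value only when the entire string is one IPv4 literal.
function strict_ipv4(string $value): ?string
{
    $ip = filter_var(trim($value), FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    return $ip === false ? null : $ip;
}

// Assumption: a header-derived value is used only if it validates; otherwise
// the socket peer address is used, and it is validated as well.
function pick_block_ip(string $headerValue, string $remoteAddr): ?string
{
    return strict_ipv4($headerValue) ?? strict_ipv4($remoteAddr);
}

// Produce the .htaccess line, or null so the caller writes nothing at all.
function deny_line(string $headerValue, string $remoteAddr): ?string
{
    $ip = pick_block_ip($headerValue, $remoteAddr);
    return $ip === null ? null : "deny from {$ip}";
}

// Constructed test inputs: [header-derived value, remote address].
// The first two pairs reuse the strings shown in the logs in this thread.
$samples = [
    ['1.0 servidor.primatec:3128 (squid/2.5.STABLE11)', '201.21.216.142'],
    ['1.1 u1-gw-v1.k-net.ro:6665 (squid/2.5.STABLE10)', '86.55.12.98'],
    ["192.0.2.7\nOptions +Indexes", '198.51.100.9'],  // embedded newline
    ['192.0.2.7 (via proxy)', '198.51.100.9'],        // contains an IP, is not one
    ['999.1.1.1', 'unknown'],                         // nothing valid: no line written
];

foreach ($samples as [$header, $remote]) {
    $line = deny_line($header, $remote);
    printf("%-52s => %s\n", json_encode($header), $line ?? '(nothing written)');
}
```

Header-derived values are supplied by the client or an intermediate proxy, so a stricter policy passes only the remote address to `deny_line()`.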
 
hitwalker
PostPosted: Sat Jun 24, 2006 3:50 pm Reply with quote

this is going to be in the next update?
 
BobMarion
PostPosted: Sat Jun 24, 2006 5:30 pm Reply with quote

In the 2.5.00 version that is nearing completion. Currently being tested by the devs.
 
Tazz
PostPosted: Sat Jun 24, 2006 6:09 pm Reply with quote

Thanks Bob,

I got it on two of my sites at the moment. Will let you know the outcome.
 
myrtletrees
Involved


Joined: Sep 13, 2005
Posts: 259
Location: Cornfields of Indiana

PostPosted: Mon Jul 31, 2006 8:21 am Reply with quote

Hey guys and gals.

I have this same exact problem. Every day for the last 4 days this has been blocked and added to my htaccess.
deny from 1.1 sfc-cache.ai3.net:3128 (squid/2

I am running Nuke 7.5 with Sentinel 2.5.00

Has the above fix by Bob been added to the 2.5.00 version? If so, then my problem must be something different. And what files is that code change in..It is never specified.
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6793
Location: Ha Noi, Viet Nam

PostPosted: Mon Jul 31, 2006 11:04 am Reply with quote

Hi myrtletrees, I think that would be in includes/nukesentinel.php
 
myrtletrees
PostPosted: Mon Jul 31, 2006 11:43 am Reply with quote

Thanks, found it. I had the most recent version but just for giggles I uploaded all nuke sentinel files again, overwriting my existing ones. We'll see if this little issue pops up for me again or not.
 
Guardian2003
PostPosted: Mon Jul 31, 2006 1:12 pm Reply with quote

Yes, please let me know :)
 