Ravens PHP Scripts: Forums
 

 

magnum
Client


Joined: Jun 23, 2006
Posts: 83

PostPosted: Sat Nov 11, 2006 2:40 am Reply with quote

My site seems to be getting hit by this IP and another MSN one. I'm pretty new at this and would like to know if this can be stopped, or is Sentinel stopping it? Not sure, that's why I'm asking what to do.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Magnum>tracert 74.6.67.168

Tracing route to lj612194.inktomisearch.com [74.6.67.168]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.2.1
2 9 ms 9 ms 8 ms 10.99.64.1
3 10 ms 11 ms 9 ms pos0-2.oahuhiwaip-gsr1.hawaii.rr.com [24.25.225.153]
4 9 ms 7 ms 8 ms srp5-0.oahuhimili-gsr1.hawaii.rr.com [24.25.224.65]
5 9 ms 9 ms 9 ms pop1-hon-P2-1.atdn.net [66.185.137.61]
6 9 ms 9 ms 10 ms bb1-hon-P0-0.atdn.net [66.185.137.48]
7 86 ms 85 ms 86 ms bb1-sjg-P4-1.atdn.net [66.185.152.21]
8 86 ms 86 ms 86 ms pop2-sjg-P0-0.atdn.net [66.185.150.97]
9 82 ms 76 ms 75 ms Teleglobe.atdn.net [66.185.150.106]
10 77 ms 77 ms 78 ms if-7-0.core2.PDI-PaloAlto.Teleglobe.net [64.86.84.133]
11 77 ms 77 ms 78 ms if-1-0.mcore4.PDI-PaloAlto.teleglobe.net [216.6.86.5]
12 153 ms 152 ms 154 ms if-4-0.mcore4.NQT-NewYork.teleglobe.net [216.6.86.14]
13 154 ms 153 ms 153 ms if-5-0.mcore3.NYY-NewYork.teleglobe.net [216.6.87.54]
14 141 ms 141 ms 143 ms if-6-0-0.core4.AEQ-Ashburn.teleglobe.net [216.6.81.14]
15 147 ms 144 ms 142 ms 64.86.85.34
16 144 ms 153 ms 153 ms ge-1-0-0-p406.msr1.ac2.yahoo.com [216.115.96.211]
17 158 ms 145 ms 156 ms g-10-0.bas-b2.ac2.yahoo.com [72.30.64.54]
18 144 ms 143 ms 147 ms lj612194.inktomisearch.com [74.6.67.168]

Trace complete.

C:\Documents and Settings\Magnum>


Another one hit my site, and there was at one time 454 visitors showing. Now I know there weren't that many people visiting.

_________________
Nukes real friend is a big cup of Java with a valium stirred in.
jakec
Site Admin


Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom

PostPosted: Sat Nov 11, 2006 3:26 am Reply with quote

Well Inktomi is a bot used by Yahoo to crawl pages, so I don't think you are being attacked.

Is Sentinel sending you an email telling you that the IP is being banned?

If the bot isn't causing your site any problems then I would leave it as it is.
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

PostPosted: Sat Nov 11, 2006 4:42 am Reply with quote

Looks like a typical Slurp bot (inktomi).
This thing can be an absolute menace despite it being robots.txt friendly.
You can use this in htaccess to stop him dead in his tracks
Code:


<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} Slurp
RewriteRule ^.*$ X.html [L]
</IfModule>


Or if you prefer Yahoo to crawl your site but a little less vigorously, you can use this in robots.txt
Code:


User-agent: Slurp
Crawl-delay: 20


Some of your other hits do look like an attack - possibly looking for XSS vulnerabilities.
 
Guardian2003
PostPosted: Sat Nov 11, 2006 4:43 am Reply with quote

Make sure your Sentinel Harvest blocker and Script blocker are turned on
 
magnum
PostPosted: Sat Nov 11, 2006 10:47 am Reply with quote

jakec wrote:
Well Inktomi is a bot used by Yahoo to crawl pages, so I don't think you are being attacked.

Is Sentinel sending you an email telling you that the IP is being banned?

If the bot isn't causing your site any problems then I would leave it as it is.



Yes, I'm getting tons of these:

Date & Time: 2006-11-10 23:11:22 EST GMT -0500
Blocked IP: 65.55.212.21
User ID: Anonymous (1)
Reason: Abuse-Flood
--------------------
User Agent: msnbot-media/1.0 (+http://search.msn.com/msnbot.htm)
Query String: Only registered users can see links on this board! Get registered or login!
Get String: Only registered users can see links on this board! Get registered or login!
Post String: Only registered users can see links on this board! Get registered or login!
Forwarded For: none
Client IP: none
Remote Address: 65.55.212.21
Remote Port: 21449
Request Method: GET
--------------------
DNSStuffDNSStuffSorry, you have triggered our rate limiting system. If you are reading this in a web browser, we apologize -- we want you to use the site as much as you like. What we do not like is when people use automated programs with our free service. We have the addresses Only registered users can see links on this board! Get registered or login! and Only registered users can see links on this board! Get registered or login! here in case spammers are harvesting addresses from our site. Please go here for more details. Your IP is 65.254.38.234. Thanks!
 
magnum
PostPosted: Sat Nov 11, 2006 10:51 am Reply with quote

How do I protect against this XSS?
 
jakec
PostPosted: Sat Nov 11, 2006 11:22 am Reply with quote

What version of Sentinel are you using? I would check the settings in Sentinel for the flood protection. In theory bots shouldn't be triggering Sentinel, but it seems to be happening a lot recently.

Try adding a crawl delay like Guardian suggested. You can use something like:

User-agent: *
Crawl-delay: 20

and this will apply the same rule to all bots that obey the robots.txt file.
 
Guardian2003
PostPosted: Sat Nov 11, 2006 11:23 am Reply with quote

Let us be clear - the inktomi/Slurp bot is not trying to conduct an XSS (cross site scripting attack), it is simply coming too fast for whatever setting you have specified in Flood blocker.
So as jakec stated, it's not an attack as such.

Now, some of the *other* IP/domains you listed do look familiar which is why in my post I said that those could be looking for vulnerabilities and I asked you to make sure the Harvest and Script blockers are turned on.

If you need help finding the settings for those in Sentinel then I'll be happy to assist - they need to be set to "email,ban,default page" or if you do not want an email every time one gets banned, set them to "default page,ban".
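
Added example, not part of the thread and not NukeSentinel's own code: it parses block notices in the layout magnum pasted above and separates flood blocks whose user agent names a crawler (candidates for the Crawl-delay fix) from everything else, which still needs a look. The crawler token list, the sample notices, their documentation-range IPs and the "Abuse-Script" reason label are assumptions constructed for illustration.

```python
import re
from collections import Counter

CRAWLER_TOKENS = ("Slurp", "msnbot")  # assumption: names taken from the thread
FIELD = re.compile(r"^([A-Za-z& ]+):\s*(.*)$")

def _notice(ip, reason, ua):
    # Constructed notice in the layout of the e-mail quoted in the thread.
    return (f"Date & Time: 2006-11-10 23:11:22 EST GMT -0500\nBlocked IP: {ip}\n"
            f"Reason: {reason}\n{'-' * 20}\nUser Agent: {ua}\n"
            f"Request Method: GET\n{'-' * 20}\n")

# Constructed sample: documentation-range IPs; "Abuse-Script" is an assumed label.
SAMPLE = "".join(_notice(*row) for row in [
    ("192.0.2.21", "Abuse-Flood", "msnbot-media/1.0 (+http://search.msn.com/msnbot.htm)"),
    ("192.0.2.21", "Abuse-Flood", "msnbot-media/1.0 (+http://search.msn.com/msnbot.htm)"),
    ("198.51.100.7", "Abuse-Flood", "Mozilla/5.0 (compatible; Yahoo! Slurp)"),
    ("203.0.113.9", "Abuse-Script", "Mozilla/5.0 (compatible; Yahoo! Slurp)"),
    ("203.0.113.40", "Abuse-Flood", "Mozilla/4.0 (compatible; MSIE 6.0)"),
])

def parse_notices(text):
    """Start a record at each 'Date & Time' line; dashed rules occur mid-notice."""
    notices, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue  # dashed rule or blank line
        key, value = m.group(1), m.group(2).strip()
        if key == "Date & Time":
            notices.append(current := {})
        if current is not None:
            current[key] = value
    return notices

def triage(notices):
    """Count flood blocks per self-identified crawler; list the rest for review."""
    floods, review = Counter(), []
    for n in notices:
        ua = n.get("User Agent", "")
        token = next((t for t in CRAWLER_TOKENS if t.lower() in ua.lower()), None)
        # The UA is client-supplied: a crawler name only explains a flood block.
        if token and n.get("Reason") == "Abuse-Flood":
            floods[token] += 1
        else:
            review.append((n.get("Blocked IP"), n.get("Reason"), ua))
    return floods, review

if __name__ == "__main__":
    print(triage(parse_notices(SAMPLE)))
```
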
 
magnum
PostPosted: Sat Nov 11, 2006 11:42 am Reply with quote

Yes, I did turn on the Harvest and Script blockers and it seems to have stopped this morning, and I've added the user agent to the robots.txt. Sentinel version is NukeSentinel(tm) 2.4.2pl5. Is there a thread that says what all the settings in Sentinel should be set to? BTW, thanks for all your help, everyone.
 
jakec
PostPosted: Sat Nov 11, 2006 11:45 am Reply with quote

I would definitely upgrade your Sentinel to the latest version.

The default settings are usually OK.
 
magnum
PostPosted: Sat Nov 11, 2006 12:29 pm Reply with quote

I don't see the upgrade patch for Sentinel from 2.4.2pl5 to the newest in the d/l?
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Sat Nov 11, 2006 1:30 pm Reply with quote

Given so many changes, you will just need to download the full 2.5.03 package

magnum
PostPosted: Sat Nov 11, 2006 5:17 pm Reply with quote

Hmm, I don't see 2.5.03 in the downloads, only 2.5.1.
 
jakec
PostPosted: Sat Nov 11, 2006 5:23 pm Reply with quote

Where are you looking? NSN?

Try here: Only registered users can see links on this board! Get registered or login!
 
magnum
PostPosted: Sun Nov 12, 2006 2:26 pm Reply with quote

Thanks for the link, jakec.
 
All times are GMT - 6 Hours
 