Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Hack Attempt Script
Author Message
killerskippy
New Member
New Member


Joined: Jun 12, 2007
Posts: 2

PostPosted: Tue Jun 26, 2007 6:07 pm Reply with quote

My site and one of our servers got taken over via a code issue allowing php files to be uploaded via thumbnail upload with a submitted video.


This was fixed the same day by the admin at Nuke Video once i reported and gave logs, but i figured i would post here so if anyone is using the script they know to grab the patch.

They uploaded a couple of files one main one that gave them access to the Server and all root / users passwords for the server along with database access etc.


36_rachid.php

.r57shell.php

The server is now back in our control and has been formated and reloaded complete and all new security added to the phpnuke website.

What i dont understand is why Sentinal didnt block them i had set all IP address from Russian and morrocian to be blocked and the ip address found in the httpd_access_log file in the server are from within the ranges i blocked.

I added this to my httaccess file also

RedirectMatch r57shell.php Only registered users can see links on this board! Get registered or login!
RedirectMatch rachid.php Only registered users can see links on this board! Get registered or login!


Can anyone tell me how to block a whole country?

Im really over being hacked and the attempts so i wish to just block all IP's from RU

I recieve many emails ever day saying blocked someone from an ip in RU and they all seem to include this:


Date & Time: 2007-06-26 20:26:26 EST GMT +1000 Blocked IP: 216.117.141.102 User ID: Visitor (1)
Reason: Abuse-Filter
--------------------
User Agent: libwww-perl/5.65
Query String: Only registered users can see links on this board! Get registered or login!
Get String: Only registered users can see links on this board! Get registered or login!
Post String: Only registered users can see links on this board! Get registered or login!
Forwarded For: none
Client IP: none
Remote Address: 216.117.141.102
Remote Port: 55123
Request Method: GET

Or

Date & Time: 2007-06-27 04:54:44 EST GMT +1000 Blocked IP: 85.98.179.220 User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0) Query String: Only registered users can see links on this board! Get registered or login!
Get String: Only registered users can see links on this board! Get registered or login!
Post String: Only registered users can see links on this board! Get registered or login!
Forwarded For: none
Client IP: none
Remote Address: 85.98.179.220
Remote Port: 4873
Request Method: GET




Cheers
KillerSkippy
 
View user's profile Send private message
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Tue Jun 26, 2007 8:43 pm Reply with quote

Did Sentinel write any of the Russian IP ranges to the banned list in .htaccess ?

You can block all the libwww-perl attacks using .htaccess - its referenced in a previous thread before. I've seen usage of Mozilla/4.0 before, but I am unaware whether this is truly an automated bot or just a bad hacker.

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
killerskippy
PostPosted: Tue Jun 26, 2007 8:53 pm Reply with quote

evaders99 wrote:
Did Sentinel write any of the Russian IP ranges to the banned list in .htaccess ?

You can block all the libwww-perl attacks using .htaccess - its referenced in a previous thread before. I've seen usage of Mozilla/4.0 before, but I am unaware whether this is truly an automated bot or just a bad hacker.


Yes the IP address's are added auto to the htaccess file but the range is already set to block in the block range section of sentinal, so they shouldnt be getting to the site in the first place unless im not understanding how it works.

I am searching for the libwww-perl attacks now i hope that helps
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Hack Attempt Script

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©