Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x
Author Message
dad7732
RavenNuke(tm) Development Team


Joined: Mar 18, 2007
Posts: 1242

PostPosted: Thu May 29, 2008 4:30 am Reply with quote

NS 2.5.18

Ok, educate me here please ...

Was CLike attempted FOUR times by the same IP: 89.249.160.180 for you folks that want to add this to your blocker.

What I don't understand is the timing:

1. 0428 CDT
2. 0429 CDT
3. 0429 CDT
4. 0430 CDT

My question is why isn't the IP blocked from attempts 2 thru 4 if the first attempt is "blocked"?? Is it a session thing where the hacker makes 4 quick attempts and THEN is blocked if he returns in a new session?

Cheers, Jay

BTW: Obviously not going to publish the method but it was two different strings that was tried twice each.
 
View user's profile Send private message
dad7732
PostPosted: Thu May 29, 2008 4:40 am Reply with quote

Ok, I'm back and I think I can answer my own question after some deep thought. Wink

The first attempt is intercepted because it's a CLike.

The second, third and fourth attempts are actually blocked by IP, not by the CLike string itself.

Is this correct ?

Cheers
 
jakec
Site Admin


Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom

PostPosted: Thu May 29, 2008 5:39 am Reply with quote

What message is Sentinel giving you for each attempt?

Has the IP been written to the .htaccess file?

If the IP has been written to the .htaccess then the subsequent attempts should never get through to Sentinel.
 
View user's profile Send private message
dad7732
PostPosted: Thu May 29, 2008 7:11 am Reply with quote

The message is the same from Sentinel, the only changes are the times and the script tried.

.htaccess

deny from 89.249.160

I'd have to look at the server log to see what actual time the deny was added. If it works correctly it should be on the first attempt. Also, the server log should show the subsequent attempts as well.

Same session attempts? If the hacker closed the session and tried again then the htaccess would deny the access. Dunno, guessing on this one.

Cheers
 
dad7732
PostPosted: Thu May 29, 2008 7:29 am Reply with quote

Ok, here's your answer from the logs.

The first attempt was at 00:04:29 CDT after which the log shows over 150 attempts the last one being at 00:05:10 CDT

Note: The above are attempts shown in the main server log

The error log shows:

[Thu May 29 00:04:33 2008] [error] [client 89.249.160.180] client denied by server configuration: /[server path]/[my domain]/modules.php

This proves that the htaccess did it's job as the remaining 100 or so attempts showed the same error log entries for each attempt at access.

Also obvious that he was using a script as the attempts are literally fractions of a second apart.

Sentinel did it's job for sure !!!! Smile

Cheers
 
jakec
PostPosted: Thu May 29, 2008 1:10 pm Reply with quote

Great analysis. It good to show that Sentinel does its job. Smile
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Thu May 29, 2008 6:20 pm Reply with quote

It is possible that .htaccess hasn't been written to yet, before Apache processes the next 3 requests. Such automated scripts make requests in quick succession, there isn't really anything you can do about it. At least Sentinel is working Smile

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
dad7732
PostPosted: Fri May 30, 2008 7:25 am Reply with quote

evaders .. that's exactly it, the time lag. But like I emphasized, NS is working up to snuff. Wink

Cheers
 
Display posts from previous:       
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©