Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Fri Dec 24, 2004 2:42 pm Reply with quote

The kiddies are at play, once again. NukeSentinel will block them but I didn't even want to see them after I got about 200 today. So, add this to your .htaccess (if you are running Apache)

RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple
RewriteRule ^.*$ emailsforyou.php [L]
RewriteEngine Off

Now you can set the Rewrite Rule to direct them wherever you want.
 
View user's profile Send private message
newbie
Regular
Regular


Joined: May 03, 2004
Posts: 62
Location: USA

PostPosted: Fri Dec 24, 2004 3:08 pm Reply with quote

Thanks Raven,

I contacted Six about this EARLY this morning after I got the first 150 or so notices.

You guys are awesome here. I always know where to come in crisis Wink

Happy Holidays!

_________________
Darla
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
newbie
PostPosted: Fri Dec 24, 2004 3:54 pm Reply with quote

Raven,

I added

Code:
RewriteEngine on 

#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple
RewriteRule ^.*$ ScriptViolation.php [L]
RewriteEngine Off


to my .htaccess ... but just got another 200+ messages?

Thanks in advance for your help.


Last edited by newbie on Fri Dec 24, 2004 7:27 pm; edited 1 time in total 
Raven
PostPosted: Fri Dec 24, 2004 3:59 pm Reply with quote

Check what user agent is in your messages. Maybe they are using another user agent. That's the code I use except I don't turn the engine off. You can try deleting that line.
 
newbie
PostPosted: Fri Dec 24, 2004 4:02 pm Reply with quote

Hi Raven,

It's: User Agent: lwp-trivial/1.41

But I also added that as:

Code:
RewriteEngine on 

#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP::Trivial
RewriteRule ^.*$ScriptViolation.php [L]
RewriteEngine Off


Did I screw that up? Wink


Last edited by newbie on Fri Dec 24, 2004 7:06 pm; edited 1 time in total 
Raven
PostPosted: Fri Dec 24, 2004 4:39 pm Reply with quote

Make it case insensitive

RewriteCond %{HTTP_USER_AGENT} ^LWP::Trivial [NC]
 
newbie
PostPosted: Fri Dec 24, 2004 4:46 pm Reply with quote

Thanks!

Will let ya know.
 
BohrMe
Hangin' Around


Joined: May 01, 2004
Posts: 28
Location: Fall River, MA

PostPosted: Fri Dec 24, 2004 5:14 pm Reply with quote

As long as you don't ban an IP based on someone's Perl script I would think it's ok. The Only registered users can see links on this board! Get registered or login! Perl module is extremely common on the net. Not everyone who uses this module is a script kiddie so try to be professional in your alternative page. A simple message such as this should be sufficient:

Quote:
Access to <Name of your website> by way of scripts is not permitted. Please use a properly configured web browser.

Thank you.

_________________
BohrMe
eSnider.net 
View user's profile Send private message Visit poster's website
VinDSL
Life Cycles Becoming CPU Cycles


Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

PostPosted: Sun Dec 26, 2004 12:06 am Reply with quote

newbie wrote:
It's: User Agent: lwp-trivial/1.41...

BohrMe wrote:
LWP::Simple Perl module is extremely common on the net...

I just poured over a 295MB log file (thank God for the Intel P4) and the only LWP::Simple UA's I saw were harvesters and worms. Humans used 'lwp-trivial'... Wink

_________________
.:: "The further in you go, the bigger it gets!" ::.
.:: Only registered users can see links on this board! Get registered or login! | Only registered users can see links on this board! Get registered or login! ::. 
View user's profile Send private message Visit poster's website ICQ Number
Raven
PostPosted: Sun Dec 26, 2004 8:12 am Reply with quote

BohrMe wrote:
As long as you don't ban an IP based on someone's Perl script I would think it's ok. The Only registered users can see links on this board! Get registered or login! Perl module is extremely common on the net. Not everyone who uses this module is a script kiddie so try to be professional in your alternative page. A simple message such as this should be sufficient:

Quote:
Access to <Name of your website> by way of scripts is not permitted. Please use a properly configured web browser.

Thank you.
And also, why would all of a sudden, out of the clear blue sky, woul hundreds or even thousands of nuke sites be seeing this? Let's do the math here Wink
 
BohrMe
PostPosted: Sun Dec 26, 2004 8:33 pm Reply with quote

So what's the difference, other than mine being a little more professional, in my method and your method? Both methods redirect to another page at the server level. Taunting a would-be cracker will just draw attention to your site as a future target. I'm not one of those "try your best to hack me" morons. Of course, keeping the label "PHP-Nuke" or "phpBB" on your website also identifies your site as a potential target as well. Those labels are about to be commented out on my website because I'm tired of seeing REFERER entries in my logs where someone did a Google search for religion/abortion/christian/etc and "PHP-Nuke" and found my site and then attempted to perform a hack. One of these days someone will get through the outer defenses and the results will be devastating.
 
Raven
PostPosted: Sun Dec 26, 2004 8:36 pm Reply with quote

My point was not professionalism or not. It was the fact that phpnuke sites almost never, if ever, have PERL scripts used. So, it's easy to deduce that this is not anyone concerned with professionalism.
 
BohrMe
PostPosted: Sun Dec 26, 2004 8:45 pm Reply with quote

I'm not sure I follow your reasoning. Why would a Nuke site communicate with another Nuke site directly? I thought we were talking about client to server connectivity and user agents. Did I miss something in the conversation? I may have! LOL Smile

FWIW, my site has a very extensive home grown security framework in place that only uses Perl but that is outside the Nuke code. PHP is not my language of choice.
 
Raven
PostPosted: Sun Dec 26, 2004 9:31 pm Reply with quote

Your reference to "Not every one who uses this script is a script kiddie..." - I'm saying that you wouldn't be using this script against a nuke site, in the manner it is, unless it was for non-professional reasons.
 
southern
Client


Joined: Jan 29, 2004
Posts: 591
Location: Texas

PostPosted: Tue Dec 28, 2004 3:31 pm Reply with quote

Thanks for the .htaccess code, Raven, I'm pondering whether to set the redirect to my hackattempt... it has the deliverance.wav that sixone kindly provided but maybe that wouldn't be professional. Decisions, decisions... Smile
BTW can the RewriteCond be stacked as
Code:


RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple
RewriteCond %{HTTP_USER_AGENT} ^LWP::Trivial

so as to include different user agents?
 
View user's profile Send private message Visit poster's website MSN Messenger ICQ Number
BohrMe
PostPosted: Tue Dec 28, 2004 4:07 pm Reply with quote

Raven wrote:
Your reference to "Not every one who uses this script is a script kiddie..."


You might want to re-read what I wrote: "Not everyone who uses this module is a script kiddie..."
 
Raven
PostPosted: Tue Dec 28, 2004 5:27 pm Reply with quote

southern wrote:
Thanks for the .htaccess code, Raven, I'm pondering whether to set the redirect to my hackattempt... it has the deliverance.wav that sixone kindly provided but maybe that wouldn't be professional. Decisions, decisions... Smile
BTW can the RewriteCond be stacked as
Code:


RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple
RewriteCond %{HTTP_USER_AGENT} ^LWP::Trivial

so as to include different user agents?
Instead, use this which will get all user-agents that begin with LWP and the [NC] means ignore the case. Check out the other threads on this and you will find more rewrites for the new strains.

RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
 
southern
PostPosted: Tue Dec 28, 2004 7:58 pm Reply with quote

Thanks, I'll put that in my .htaccess and look around for more. Actually I sort of collect .htaccess codes, I find it a fascinating area along with CSS and CGI- a lot can be done with 'em.
 
southern
PostPosted: Tue Dec 28, 2004 8:37 pm Reply with quote

Well, we know it works! I just got an email from my trusty hackattempt from one of those sc ript kid dies, 193.158.85.100, same echo stuff as what Sentinel was catching. Almost makes me feel sorry for him... bing an earful of that Deliverance squeal then bing a billion popups lol It may not be professional of me but it's sure as heck fun. Smile Great stuff, Raven, thanks again. BTW I saw in my logs that one of the IPs Sentinel blocked earlier tried to return but was blocked by 'server configuration'. Persistent varmint.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©