Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
mds
Client


Joined: Dec 24, 2004
Posts: 194
Location: Michigan

PostPosted: Fri Dec 24, 2004 8:04 pm Reply with quote

What do i do or can i do to fix this i have 300 emails of blocked IP's since 9am this morning what is going on ?????
here is the info can someone explain it to me PLEASE ..as far as i can tell sentinal is doing a great job by blocking these ......also as you can see dnsstuff.com wont even offer any other info unless you go to there website and enter the ip addy i had 9 ip's blocked at 2am eastern now i have 308 and still going....Thanks for any help...running nuke 7.4 with sentinal 2.1.1 and forums are 2.0.11

Date & Time: 2004-12-24 18:01:09
Blocked IP: 61.56.202.78
User ID: (1)
Reason: Abuse-Script
--------------------
User Agent: LWP::Simple/5.65
Query String: Only registered users can see links on this board! Get registered or login!
Forwarded For: none
Client IP: none
Remote Address: 61.56.202.78
Remote Port: 58910
Request Method: GET
--------------------
DNSStuffDNSStuffSorry, you have triggered our rate limiting system.
Please try again later. If you are reading this in a web browser, we
apologize -- we want you to use the site as much as you like. What we do
not like is when people use automated programs with our free service.
We have the addresses Only registered users can see links on this board! Get registered or login! and Only registered users can see links on this board! Get registered or login! here in case
spammers are harvesting addresses from our site. If you are not
automatically removed within a few minutes, you can contact us (using our info@
address at the domain in the URL you are at; please refer to 43ddeb42) to
get access again more quickly. Thanks!
 
View user's profile Send private message
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Fri Dec 24, 2004 8:37 pm Reply with quote

Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
mds
PostPosted: Fri Dec 24, 2004 8:45 pm Reply with quote

thanks so much for the point i added now waiting to see what happens MERRY CHRISTMAS..

P.S

is there anything else i should be worried about with that query or should i be ok ?
 
Raven
PostPosted: Fri Dec 24, 2004 8:49 pm Reply with quote

If you have updated phpbb then it won't hurt you anyway, but, that code in .htaccess will not even allow it to reach your site. We have discovered that they are altering the agent too, so you might want to do more of a wildcard, like


RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
 
mds
PostPosted: Fri Dec 24, 2004 8:54 pm Reply with quote

ok now is that only going to block the specific user agent ? so should i addin each additional thats different ?

and what happens if this executed ?

sorry for being a pest just trying to learn
 
Raven
PostPosted: Fri Dec 24, 2004 10:27 pm Reply with quote

That will stop any user agent that begins with LWP (case insensitive)
 
mds
PostPosted: Fri Dec 24, 2004 10:34 pm Reply with quote

OK i have added both uppercase and lowercase as individual/seperate entries and im still getting the blocked emails tho not as frequent

heres is what is in my .htaccess

Options -Indexes
RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^lwp [NC]
RewriteRule ^.*$ emailsforyou.php [L]
RewriteEngine Off
RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
RewriteRule ^.*$ emailsforyou.php [L]
RewriteEngine Off
 
Raven
PostPosted: Sat Dec 25, 2004 12:59 am Reply with quote

Replace that with this.

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
RewriteRule ^.*$ emailsforyou.php [L]

That's all you need. The [NC] means ignore the case, so LwP==lWp
The last line can be replaced by your own page. If others get through, then check the user agent and add it if it is different.
 
cprompt
Regular
Regular


Joined: Jun 08, 2004
Posts: 64

PostPosted: Sat Dec 25, 2004 9:24 am Reply with quote

It appears a couple of my sitres are getting bombarded as well by this agent.
I have added the suggested lines to my htaccess but for some reason, the agent is still gettign trhu. I am gettign at least one hack attempt every 5 minutes.

User Agent: LWP::Simple/5.76

the /5.76 has varied, but the LWP::Simple is the same.
 
View user's profile Send private message
Raven
PostPosted: Sat Dec 25, 2004 10:48 am Reply with quote

It should be working. It's working here and in other sites too. Make sure it's typed exactly as shown.
 
Viper-
New Member
New Member


Joined: Dec 24, 2004
Posts: 5

PostPosted: Sat Dec 25, 2004 11:18 am Reply with quote

Hey guys,

I can verify that it is working.

cprompt, do you have the line that Raven added above? RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]

I received well over 500 e-mails from Sentinel banning this in less than 24 hours. At one point I was getting around 5 a minute Sad

Merry Christmas everyone, I hope all of you have a terrific and blessed day.

_________________
Only registered users can see links on this board! Get registered or login! Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
cprompt
PostPosted: Sat Dec 25, 2004 10:31 pm Reply with quote

Viper- wrote:
Hey guys,

I can verify that it is working.

cprompt, do you have the line that Raven added above? RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]

I received well over 500 e-mails from Sentinel banning this in less than 24 hours. At one point I was getting around 5 a minute Sad

Merry Christmas everyone, I hope all of you have a terrific and blessed day.


darn..I have the EXACT same lines. I have now gotten 85 more hack attempts by
User Agent: LWP::Simple/5.803
/version number varies.


Here is what I have in my htaccess.
Code:
RewriteEngine on

#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
RewriteRule ^.*$ emailsforyou.php [L]
RewriteEngine Off



Please advise. This is becoming a headache.
 
Raven
PostPosted: Sat Dec 25, 2004 10:39 pm Reply with quote

I don't know what to tell you. I was getting hundreds a day and now - ZERO. Try dropping the rewriteEngine Off, although I can't believe that would matter. Make sure that you still have mod_rewrite installed. Maybe your host recompiled Apache and didn't include it? Also, make sure it's at the beginning of your .htaccess so that nothing else impedes it.
 
mds
PostPosted: Sat Dec 25, 2004 11:17 pm Reply with quote

REPLACED this :
Options -Indexes
RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^lwp [NC]
RewriteRule ^.*$ emailsforyou.php [L]
RewriteEngine Off
RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
RewriteRule ^.*$ emailsforyou.php [L]
RewriteEngine Off

WITH COPY AND PASTE OF THIS :
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
RewriteRule ^.*$ emailsforyou.php [L]
and moved the Options -Indexes that preceded this to beneath it with a couple spaces in between

im up to 633 total blocked now as of time of post

i do appreciate the help very much hope you all had an enjoyable christmas day


Last edited by mds on Mon Dec 27, 2004 12:40 am; edited 1 time in total 
mds
PostPosted: Sun Dec 26, 2004 1:48 am Reply with quote

well so far i have no new emails dated for 12-26 so the adjustments that were made looks for now as if it did the trick....thanks a million much appreciated
 
cprompt
PostPosted: Sun Dec 26, 2004 7:23 am Reply with quote

Thanks!
Once I moved my Options -Indexes line below the other lines, it seems to be working.

Thank you ALL!

Merry Christmas
 
Raven
PostPosted: Sun Dec 26, 2004 8:10 am Reply with quote

Thanks mds! I've said in a few posts that the best place to put this is at the very top. To recap from all the posts, we have:

.htaccess only applies to Apache
mod_rewrite must be compiled in Apache
The lines to add at the top of .htaccess are (YOUR-REDIRECT-PAGE needs to be replaced with a real redirect page) - The new code is from VinDSL Smile
Code:
#Check for Santy Worms and redirect them to a fake page 

#Variant -1
RewriteCond %{HTTP_USER_AGENT} ^LWP             [NC,OR]
#Variant -2
RewriteCond %{REQUEST_URI} ^visualcoders                [NC,OR]
#Variant -3
RewriteCond %{QUERY_STRING} rush=([^&]+)                [NC]
RewriteRule ^.*$ emailsforyou.php [L]


This assumes that the user-agent does begin with LWP. If yours is different then make the needed adjustments.

VinDSL has contributed this also. He has found 2 other variants, so


Last edited by Raven on Sun Dec 26, 2004 9:14 am; edited 1 time in total 
Muffin
Client


Joined: Apr 10, 2004
Posts: 649
Location: UK

PostPosted: Sun Dec 26, 2004 8:29 am Reply with quote

Thanks Raven

One more question, I see in some posts people have Options - Indexes in their htaccess file, and that they put this line below the third line of code above.

I dont have that in mine, if it should be there, do I put it under the third line of code, and is there anything else that should be below it apart from 2 or 3 empty lines then the list of banned ip's?

Sorry see there's new code now to replace the 3 line code (you must have edited your post as I posted lol sorry)

So do I need Options - Indexes as asked in the first paragraph of this post?

_________________
Classic Mini rules the bends & bends the rules!
[img]

Last edited by Muffin on Sun Dec 26, 2004 8:33 am; edited 1 time in total 
View user's profile Send private message
Raven
PostPosted: Sun Dec 26, 2004 8:31 am Reply with quote

Not necessarily. Just put the protection at the top and leave everything else alone Smile
 
Muffin
PostPosted: Sun Dec 26, 2004 8:35 am Reply with quote

Thank you

so it's safe to replace the rewrite 3 line code with this new one then.
 
Raven
PostPosted: Sun Dec 26, 2004 8:36 am Reply with quote

Yep.
 
Muffin
PostPosted: Sun Dec 26, 2004 8:43 am Reply with quote

Thank you Raven (and VinDSL)

where you say : YOUR-REDIRECT-PAGE needs to be replaced with a real redirect page

and the first line says : #Check for Santy Worms and redirect them to a fake page

I dont understand what to do.

I'm really sorry to be a pain but it's very confusing for non techy people like myself.
 
Raven
PostPosted: Sun Dec 26, 2004 8:44 am Reply with quote

It can be a fake page but then you will get errors in your server error log. I think what we are trying to say is that you just redirect them away from the intended attack.
 
Muffin
PostPosted: Sun Dec 26, 2004 8:51 am Reply with quote

OIC

Is that a bad thing to have errors in the server error log?

ermm where's my redirect page and how do I make a new one?

and can I redirect them to a custom made page specially for this purpose out of my nuke folder?

or do I just alter this : #Check for Santy Worms and redirect them to a fake page

to something like this: #Check for Santy Worms and redirect them to Only registered users can see links on this board! Get registered or login!

Thank you for your patience.
 
Raven
PostPosted: Sun Dec 26, 2004 8:56 am Reply with quote

Exactly!
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©