Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™
Author Message
bavarian
Hangin' Around


Joined: Nov 11, 2004
Posts: 25

PostPosted: Sat Feb 19, 2005 12:27 pm Reply with quote

My problem with phpnuke7.6 and Sentinel_760_2.1.3 is still unresolved.

Things start to get weird whenever any of my friends does test my site with an attack like Only registered users can see links on this board! Get registered or login!

WHAT HAPPENS IS THIS :
    1) the internal ip-number of my server (192.168.1.5 on my LAN) is written to the database table of Sentinel (banned_ips)
    2) the same internal ip (192.168.1.5) is also written to the .htaccess file
    3) the computer of my buddie(s) get banned (cannot connect to my site)
    4) i do receive an e-mail message with following content

    Quote:
    Date & Time: 2005-02-17 23:44:25
    Blocked IP: 192.168.1.5
    User ID: Anonymous (1)
    Reason: Abuse-Union
    --------------------
    User Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2
    Query String: Only registered users can see links on this board! Get registered or login!
    Forwarded For: none
    Client IP: none
    Remote Address: 192.168.1.5
    Remote Port: 52087
    Request Method: GET
    --------------------
    Who-Is for IP
    192.168.1.5


    5) all computers on my LAN are blocked. none of them can connect to my site any longer
    6) when i remove the Blocked IP: 192.168.1.5 from the "banned_ip" table in my database the block is still there. but is done on serverlevel by the .htaccess file.
    7) when i remove the Blocked IP: 192.168.1.5 from the .htaccess file everything works fine again for me and other users again



BACKGROUND INFORMATION: when installing Sentinel i had a problem with following message "invalid IP used" as described in this topic: Only registered users can see links on this board! Get registered or login! I removed that very same IP range from the reserved_iprange table as the user did as described in that topic and that error message disappeared. otherwise everything is set up on my Sentinel as described hot to install and run it.

ADDITIONAL INFORMATION: I had a similar problem a while ago when testing different modules on another older phpnuke distro.
I installed something called MSA (MS Analysis, I think it was called). The scripts in this module would allow the admin of a phpnuke site to monitor visitors.
What i already did notice at that time, when testing this MSA that it would add visitors with MY ip-number into the database-tables. That hated, unlucky 195.162.1.5, this internal IP on my LAN where my webserver resides. I could not find out either why visitors where not added with their correct ip-adresses to the database.

questions that i simply cannot resolve now and where i really need some help are ....
1 - why is my internal server adress regareded the "offending" one? it is my buddies on completely different ip-numbers that are faking the attack with the above named URL and the Union in it? it's their ip-numbers that are supposed to be banned. so why does Sentinel consider my servers IP, to be the harmful one?
2 - how does Sentinel "grab" the IP? I don't know much about php so i cannot check there
3 - could it be some configuration on my server that's not functioning to grab the correct IP adress of the offender? something that i dont have an IP that can be "reversed to" (my domainname points to the IP adress of my server, but my IP adress does not point back to my domain but to my ISP)
4 - could have something to do how the Logging is done in the Server software? there are several choices from what i can see, like "combined", "common", "referer, agent" ?

ALL INPUT APPRECIATED !
Please help !
 
View user's profile Send private message
BobMarion
Former Admin in Good Standing


Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)

PostPosted: Sun Feb 20, 2005 1:08 am Reply with quote

NukeSentinel gets the ip by going thru a system of checks:
Code:
function get_ip() {

  $client_ip = get_client_ip(); // HTTP_CLIENT_IP
  if (strpos($client_ip, ', ') AND isset($client_ip)) {
    $client_ips = explode(', ', $client_ip);
    if($client_ips[0] != 'unknown' AND $client_ips[0] != 'none' AND $client_ips[0] != '' AND !in_range($client_ips[0])) {
      $client_ip = $client_ips[0];
    } else {
      $client_ip = $client_ips[1];
    }
  }
  $x_forwarded = get_x_forwarded(); // HTTP_X_FORWARDED_FOR
  if (strpos($x_forwarded, ', ') AND isset($x_forwarded)) {
    $x_forwardeds = explode(', ', $x_forwarded);
    if($x_forwardeds[0] != 'unknown' AND $x_forwardeds[0] != 'none' AND $x_forwardeds[0] != '' AND !in_range($x_forwardeds[0])) {
      $x_forwarded = $x_forwardeds[0];
    } else {
      $x_forwarded = $x_forwardeds[1];
    }
  }
  $remote_addr = get_remote_addr(); // REMOTE_ADDR
  if (strpos($remote_addr, ', ') AND isset($remote_addr)) {
    $remote_addrs = explode(', ', $remote_addr);
    if($remote_addrs[0] != 'unknown' AND $remote_addrs[0] != 'none' AND $remote_addrs[0] != '' AND !in_range($remote_addrs[0])) {
      $remote_addr = $remote_addrs[0];
    } else {
      $remote_addr = $remote_addrs[1];
    }
  }
  if (isset($client_ip) && !stristr($client_ip, "none") && !stristr($client_ip, "unknown") AND !in_range($client_ip)) {
    return $client_ip;
  } elseif (isset($x_forwarded) && !stristr($x_forwarded, "none") && !stristr($x_forwarded, "unknown") AND !in_range($x_forwarded)) {
    return $x_forwarded;
  } elseif (isset($remote_addr) && !stristr($remote_addr, "none") && !stristr($remote_addr, "unknown") AND !in_range($remote_addr)) {
    return $remote_addr;
  } else {
    return "none";
  }
}


Now somewhere along the way your LAN is setting your internal ip as one of the above instead of grabbing the users ip. I'm not a server guru so I can't tell you much beyond that Sad

_________________
Bob Marion
Codito Ergo Sum
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Send e-mail Visit poster's website
bavarian
PostPosted: Sun Feb 20, 2005 2:19 am Reply with quote

Thank you Bob. I have been looking at this part of your code already.

There are calls to 3 other functions in that part
1) get_client_IP
2) get_x_forwarded
3) get_remote_addr

Isn't it in that part of the code where IPs are retrieved?

Maybe I should sort things out, to reassure I understand correctly
1) HTTP_CLIENT_IP (if everything works fine should bring up the IP adress of my server, right?)
3) REMOTE_ADRESS (if everything works fine should bring up the IP adress of visitor/hacker, right?)

Are HTTP_CLIENT_IP and REMOTE_ADRESS variables that Apache does supply or variables that are supplied by the PHP environment? I could check in my system if I know this, right?
 
bavarian
PostPosted: Sun Feb 20, 2005 6:36 am Reply with quote

phpMyAdmin shows the following when I check for PHP Variables


Code:
_SERVER["HTTP_PC_REMOTE_ADDR"] XX.182.XX.253 (this is my real ip-number)


_SERVER["PATH"] /bin:/sbin:/usr/bin:/usr/sbin:/usr/libexec:/System/Library/CoreServices

_SERVER["REMOTE_ADDR"] 192.168.1.5

_SERVER["REMOTE_PORT"] 63077

_SERVER["SERVER_ADDR"] 192.168.1.5


I am by no means an expert to tell what these lines from phpMyAdmin exactly mean. but maybe could be helpful for the experts around here.
 
bavarian
PostPosted: Sun Feb 20, 2005 4:07 pm Reply with quote

I might have come a bit on the way to resolve this "topic".
If you people care to read Only registered users can see links on this board! Get registered or login!

I have not corrected things yet. But yes, I am running an Mac OS X Server with Apache, and this seems to be the problem here. Before I start correcting I would like to hear if the gurus here agree that this could be the problem in my case? And what they would advice me?

Change all instances of REMOTE_ADDR into HTTP_PC_REMOTE_ADDR in all phpnuke and nukesentinel files? Anything else I should consider before doing this? Any changes in the database to make? Anything important to keep in mind with respect to the writing of ip's to the .htaccess?

('OffTopic')
Sorry for buggering you with Mac-related problems .... but well, I hope this is the solution and will help other Mac-users here to NOT end up in total desperation like i nearly did.
 
PHrEEkie
Subject Matter Expert


Joined: Feb 23, 2004
Posts: 358

PostPosted: Sun Feb 20, 2005 4:29 pm Reply with quote

This is more than likely the exact problem.. I was going to post on this thread a day or 2 ago and got sidetracked.. my apologies.

This is definitely a function of Apache in conjunction with other things like PHP or whatever, and the true remote address is not being properly forwarded along the chain. Somewhere, your internal IP is being bound to everything, which of course is not correct, and would in fact be a fairly large security hole/concern.

You can try the HTTP_PC_REMOTE_ADDR in just one or two places, and if it works, then do a global replacement. But make sure you get together with the Mac/Apache gurus and ensure your server config, port forwarding and addressing are all sound. No use fixing the problem with a fingertip bandage if it is bleeding profusely. I don't run a Mac, so I can't advise you any better than advising you to seek advise from Mac experts! heh Wink

PHrEEk
 
View user's profile Send private message
bavarian
PostPosted: Mon Feb 21, 2005 4:58 am Reply with quote

Things are proceeding slowly here. I started to turn off that "performance cache" on that virtual host and suddenly some things start to work. I had a friend try this Union attack again and it worked, at least from what i can see

Quote:
Date & Time: 2005-02-21 08:32:27
Blocked IP: 2XX.1XX.1XX.2XX
User ID: Anonymous (1)
Reason: Abuse-Union
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Query String: Only registered users can see links on this board! Get registered or login!
Forwarded For: none
Client IP: none
Remote Address: 2XX.1XX.1XX.2XX
Remote Port: 1517
Request Method: GET


but still confusing me is this
Quote:
Forwarded For: none
Client IP: none


what is meant with FORWARDING FOR and CLIENT IP?
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©