Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 16987
Location: Kansas

Posted: Fri Dec 24, 2004 2:42 pm

The kiddies are at play, once again. NukeSentinel will block them but I didn't even want to see them after I got about 200 today. So, add this to your .htaccess (if you are running Apache):

RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple
RewriteRule ^.*$ emailsforyou.php [L]
RewriteEngine Off

Now you can set the Rewrite Rule to direct them wherever you want.

newbie
Regular
Joined: May 03, 2004
Posts: 62
Location: USA

Posted: Fri Dec 24, 2004 3:08 pm

Thanks Raven,

I contacted Six about this EARLY this morning after I got the first 150 or so notices.

You guys are awesome here. I always know where to come in crisis ;)

Happy Holidays!

newbie
Posted: Fri Dec 24, 2004 3:54 pm

Raven,

I added

Code:
RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple
RewriteRule ^.*$ ScriptViolation.php [L]
RewriteEngine Off


to my .htaccess ... but just got another 200+ messages?

Thanks in advance for your help.


Last edited by newbie on Fri Dec 24, 2004 7:27 pm; edited 1 time in total

Raven
Posted: Fri Dec 24, 2004 3:59 pm

Check what user agent is in your messages. Maybe they are using another user agent. That's the code I use except I don't turn the engine off. You can try deleting that line.

newbie
Posted: Fri Dec 24, 2004 4:02 pm

Hi Raven,

It's: User Agent: lwp-trivial/1.41

But I also added that as:

Code:
RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP::Trivial
RewriteRule ^.*$ScriptViolation.php [L]
RewriteEngine Off


Did I screw that up? ;)


Last edited by newbie on Fri Dec 24, 2004 7:06 pm; edited 1 time in total

Raven
Posted: Fri Dec 24, 2004 4:39 pm

Make it case insensitive

RewriteCond %{HTTP_USER_AGENT} ^LWP::Trivial [NC]

newbie
Posted: Fri Dec 24, 2004 4:46 pm

Thanks!

Will let ya know.

BohrMe
Hangin' Around
Joined: May 01, 2004
Posts: 28
Location: Fall River, MA

Posted: Fri Dec 24, 2004 5:14 pm

As long as you don't ban an IP based on someone's Perl script I would think it's ok. The LWP::Simple Perl module is extremely common on the net. Not everyone who uses this module is a script kiddie so try to be professional in your alternative page. A simple message such as this should be sufficient:

Quote:
Access to <Name of your website> by way of scripts is not permitted. Please use a properly configured web browser.

Thank you.

VinDSL
Life Cycles Becoming CPU Cycles
Joined: Jul 11, 2004
Posts: 617
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

Posted: Sun Dec 26, 2004 12:06 am

newbie wrote:
It's: User Agent: lwp-trivial/1.41...

BohrMe wrote:
LWP::Simple Perl module is extremely common on the net...

I just pored over a 295MB log file (thank God for the Intel P4) and the only LWP::Simple UA's I saw were harvesters and worms. Humans used 'lwp-trivial'... ;)

Raven
Posted: Sun Dec 26, 2004 8:12 am

BohrMe wrote:
As long as you don't ban an IP based on someone's Perl script I would think it's ok. The LWP::Simple Perl module is extremely common on the net. Not everyone who uses this module is a script kiddie so try to be professional in your alternative page. A simple message such as this should be sufficient:

Quote:
Access to <Name of your website> by way of scripts is not permitted. Please use a properly configured web browser.

Thank you.

And also, why, all of a sudden, out of the clear blue sky, would hundreds or even thousands of nuke sites be seeing this? Let's do the math here ;)

BohrMe
Posted: Sun Dec 26, 2004 8:33 pm

So what's the difference, other than mine being a little more professional, in my method and your method? Both methods redirect to another page at the server level. Taunting a would-be cracker will just draw attention to your site as a future target. I'm not one of those "try your best to hack me" morons. Of course, keeping the label "PHP-Nuke" or "phpBB" on your website also identifies your site as a potential target as well. Those labels are about to be commented out on my website because I'm tired of seeing REFERER entries in my logs where someone did a Google search for religion/abortion/christian/etc and "PHP-Nuke" and found my site and then attempted to perform a hack. One of these days someone will get through the outer defenses and the results will be devastating.

Raven
Posted: Sun Dec 26, 2004 8:36 pm

My point was not professionalism or not. It was the fact that phpnuke sites almost never, if ever, have PERL scripts used. So, it's easy to deduce that this is not anyone concerned with professionalism.

BohrMe
Posted: Sun Dec 26, 2004 8:45 pm

I'm not sure I follow your reasoning. Why would a Nuke site communicate with another Nuke site directly? I thought we were talking about client to server connectivity and user agents. Did I miss something in the conversation? I may have! LOL :)

FWIW, my site has a very extensive home grown security framework in place that only uses Perl but that is outside the Nuke code. PHP is not my language of choice.

Raven
Posted: Sun Dec 26, 2004 9:31 pm

Your reference to "Not every one who uses this script is a script kiddie..." - I'm saying that you wouldn't be using this script against a nuke site, in the manner it is, unless it was for non-professional reasons.

southern
Client
Joined: Jan 29, 2004
Posts: 579
Location: Texas

Posted: Tue Dec 28, 2004 3:31 pm

Thanks for the .htaccess code, Raven, I'm pondering whether to set the redirect to my hackattempt... it has the deliverance.wav that sixone kindly provided but maybe that wouldn't be professional. Decisions, decisions... :)
BTW can the RewriteCond be stacked as
Code:

RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple
RewriteCond %{HTTP_USER_AGENT} ^LWP::Trivial

so as to include different user agents?

BohrMe
Posted: Tue Dec 28, 2004 4:07 pm

Raven wrote:
Your reference to "Not every one who uses this script is a script kiddie..."


You might want to re-read what I wrote: "Not everyone who uses this module is a script kiddie..."

Raven
Posted: Tue Dec 28, 2004 5:27 pm

southern wrote:
Thanks for the .htaccess code, Raven, I'm pondering whether to set the redirect to my hackattempt... it has the deliverance.wav that sixone kindly provided but maybe that wouldn't be professional. Decisions, decisions... :)
BTW can the RewriteCond be stacked as
Code:

RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple
RewriteCond %{HTTP_USER_AGENT} ^LWP::Trivial

so as to include different user agents?

Instead, use this, which will get all user-agents that begin with LWP; the [NC] means ignore the case. Check out the other threads on this and you will find more rewrites for the new strains.

RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
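
An added example, not part of any post in this thread: a small Python model of how the RewriteCond variants posted above evaluate against the User-Agent newbie reported. It assumes Python's `re` behaves like Apache's regex engine for these simple patterns; the sample User-Agent strings other than `lwp-trivial/1.41`, the `^lwp-trivial` pattern in the `[OR]` variant, and all function names are constructed for illustration.

```python
import re

# User-Agent samples: "lwp-trivial/1.41" is the value reported in the thread;
# the other two (and their version numbers) are constructed for this example.
SAMPLE_UAS = [
    "LWP::Simple/5.803",
    "lwp-trivial/1.41",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
]

# One list of (pattern, flags) pairs per rule set, one pair per RewriteCond line.
RULESETS = {
    "first post":        [("^LWP::Simple", set())],
    "trivial, no flag":  [("^LWP::Trivial", set())],
    "trivial [NC]":      [("^LWP::Trivial", {"NC"})],
    "stacked as asked":  [("^LWP::Simple", set()), ("^LWP::Trivial", set())],
    # Added variant (not from the thread): [OR] chaining with a hyphenated pattern.
    "stacked with [OR]": [("^LWP::Simple", {"OR"}), ("^lwp-trivial", set())],
    "prefix [NC]":       [("^LWP", {"NC"})],
}

def cond_matches(pattern, flags, ua):
    """One RewriteCond on %{HTTP_USER_AGENT}: regex search, [NC] ignores case."""
    return re.search(pattern, ua, re.IGNORECASE if "NC" in flags else 0) is not None

def rule_fires(conds, ua):
    """Stacked RewriteCond lines are ANDed; [OR] joins a line to the next one."""
    group = False                      # result of the current [OR] chain
    for pattern, flags in conds:
        group = group or cond_matches(pattern, flags, ua)
        if "OR" not in flags:          # chain ends here, so it must have matched
            if not group:
                return False
            group = False
    return True

def caught(name):
    """Sample User-Agents for which the named rule set triggers the RewriteRule."""
    return [ua for ua in SAMPLE_UAS if rule_fires(RULESETS[name], ua)]

if __name__ == "__main__":
    for name in RULESETS:
        print(f"{name:18} -> {caught(name)}")
```

In this model `^LWP::Trivial` misses `lwp-trivial/1.41` even with `[NC]`, because the reported string has a hyphen where the pattern expects `::`, and two stacked conditions without `[OR]` require a single User-Agent to begin with both strings.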

southern
Posted: Tue Dec 28, 2004 7:58 pm

Thanks, I'll put that in my .htaccess and look around for more. Actually I sort of collect .htaccess codes, I find it a fascinating area along with CSS and CGI- a lot can be done with 'em.

southern
Posted: Tue Dec 28, 2004 8:37 pm

Well, we know it works! I just got an email from my trusty hackattempt from one of those script kiddies, 193.158.85.100, same echo stuff as what Sentinel was catching. Almost makes me feel sorry for him... bing an earful of that Deliverance squeal then bing a billion popups lol. It may not be professional of me but it's sure as heck fun. :) Great stuff, Raven, thanks again. BTW I saw in my logs that one of the IPs Sentinel blocked earlier tried to return but was blocked by 'server configuration'. Persistent varmint.