| Author |
Message |
dssripper
Regular
Joined: Feb 16, 2004
Posts: 69
|
 Posted:
Sun Jan 07, 2007 7:49 am |
 
|
I get a lot of notifications of ip addresses being blocked from my site,
but they are all from the same page.
| Code: | Date & Time: 2007-01-07 02:42:14 MST GMT -0700
Blocked IP: 61.78.216.213
User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Query String: larrythecomputerguy.net/modules.php?somlistbox=HTTP://www.larrythecomputerguy.net/modules.php?name=Content&pa=showpage&pid=8
Get String: larrythecomputerguy.net/modules.php?somlistbox=HTTP://www.larrythecomputerguy.net/modules.php?name=Content&pa=showpage&pid=8
Forwarded For: none
Client IP: none
Remote Address: 61.78.216.213
Remote Port: 3692
Request Method: GET |
Every notification refers to the same link.
Any ideas?
Thanks!
Larry |
|
|
|
|
hitwalker
Sells PC To Pay For Divorce
Joined:
Posts: 5661
|
| Posted:
Sun Jan 07, 2007 1:57 pm |
|
where does the "modules.php?somlistbox" comes from? |
|
|
|
|
|
jakec
Site Admin
Joined: Feb 06, 2006
Posts: 3038
Location: United Kingdom
|
| Posted:
Sun Jan 07, 2007 3:02 pm |
|
Hi Hitwalker, I had a look at his site and I thought it might be coming from the Sommaire menu block, but I can't see any links which match that.
Although there is a list box under 'linux tips' in the Sommaire block which points to the content mentioned above, but it seems to work fine and I don't get blocked. 
This probably doesn't help much, but I thought I would post my thoughts. |
|
|
|
|
|
hitwalker
Sells PC To Pay For Divorce
Joined:
Posts: 5661
|
| Posted:
Sun Jan 07, 2007 3:05 pm |
|
hi jakec,indeed i saw that and tried a few things but i dont get blocked ...
nothing happens... |
|
|
|
|
|
dssripper
Regular
Joined: Feb 16, 2004
Posts: 69
|
| Posted:
Tue Jan 09, 2007 5:11 am |
|
Thanks hitwalker and jakec for looking.
I am still getting a lot of blocked ip addresses from that same page.
Anymore thoughts?
Thanks again for any input! |
|
|
|
|
|
hitwalker
Sells PC To Pay For Divorce
Joined:
Posts: 5661
|
| Posted:
Tue Jan 09, 2007 5:42 am |
|
but what ip's are blocked ?
from members or "just" ip's ? |
|
|
|
|
|
dssripper
Regular
Joined: Feb 16, 2004
Posts: 69
|
| Posted:
Sat Jan 13, 2007 7:00 pm |
|
no members...just ip's in general |
|
|
|
|
|
hitwalker
Sells PC To Pay For Divorce
Joined:
Posts: 5661
|
| Posted:
Sat Jan 13, 2007 7:22 pm |
|
just check where the ip's come from... |
|
|
|
|
|
Misha
Worker
Joined: Jul 30, 2006
Posts: 203
Location: McLean, VA
|
| Posted:
Mon Jan 29, 2007 2:39 am |
|
Hit, like your new title. So, you sold all children and now have no need for family LOL
Anyway, I got similar block:
| Code: | Date & Time: 2007-01-27 23:57:11 MST GMT -0700
Blocked IP: 141.155.212.*
User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
User Agent: Opera/8.52 (Windows NT 5.1; U; en)
Query String:
funandsafedriving.com/modules.php?name=Amazon&asin=http://www.intel.com?&NSNST_Flood=5c3ec1f32bb97df4756b8d42bbf54bf1
Get String:
funandsafedriving.com/modules.php?name=Amazon&asin=http://www.intel.com?&NSNST_Flood=5c3ec1f32bb97df4756b8d42bbf54bf1
Post String: funandsafedriving.com/modules.php
Forwarded For: none
Client IP: none
Remote Address: 141.155.212.210
Remote Port: 3638
Request Method: GET
--------------------
Who-Is for IP
OrgName: Verizon Internet Services Inc.
OrgID: VRIS
Address: 1880 Campus Commons Dr
City: Reston
StateProv: VA
PostalCode: 20191
Country: US
NetRange: 141.149.0.0 - 141.158.255.255
CIDR: 141.149.0.0/16, 141.150.0.0/15, 141.152.0.0/14,
141.156.0.0/15, 141.158.0.0/16
NetName: VIS-141-149
NetHandle: NET-141-149-0-0-1
Parent: NET-141-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.BELLATLANTIC.NET
NameServer: NS2.BELLATLANTIC.NET
NameServer: NS2.VERIZON.NET
NameServer: NS4.VERIZON.NET
Comment: Please send all abuse reports to .
Comment: DO NOT send e-mail to as it will not
be answered.
RegDate:
Updated: 2006-06-01
OrgAbuseHandle: VISAB-ARIN
OrgAbuseName: VIS Abuse
OrgAbusePhone: +1-214-513-6711
OrgAbuseEmail:
OrgTechHandle: ZV20-ARIN
OrgTechName: Verizon Internet Services
OrgTechPhone: +1-703-295-4583
OrgTechEmail: |
and kinda wondering what the hell filter abuse is? Any enlightening info on this, please? |
|
|
|
|
Tao_Man
Involved
Joined: Jul 15, 2004
Posts: 252
Location: OKC, OK
|
| Posted:
Mon Jan 29, 2007 12:08 pm |
|
from the Nuke Sentinel manual
FILTER Blocker: Prevents primarily "XSS" type attacks.
xss= cross site scripting
If I understand this right a hacker tries to get a link posted to your site that points to another site that has the actual hacker script. so the link is "clean" no code in it but the link if followed is bad.
BTW I have had the same IP and same attack on my site this weekend, I guess they are testing using Intel.com as it is a "safe" site and if they get that through would come back and post another link |
|
|
|
|
|
hitwalker
Sells PC To Pay For Divorce
Joined:
Posts: 5661
|
| Posted:
Mon Jan 29, 2007 1:13 pm |
|
|
|
|
|
Misha
Worker
Joined: Jul 30, 2006
Posts: 203
Location: McLean, VA
|
| Posted:
Mon Jan 29, 2007 2:13 pm |
|
Thanks guys. As always feel stupid for asking when question is answered 
However a follow-up question. Sentinel blocked the range of addresses, while abuse has been done from one of them. Considering this is ISP provider pool (verizon is the biggest phone company in US), would it be better for me to modify the block to block only this specific address? |
|
|
|
|
|
Tao_Man
Involved
Joined: Jul 15, 2004
Posts: 252
Location: OKC, OK
|
| Posted:
Mon Jan 29, 2007 2:21 pm |
|
| Misha wrote: | Thanks guys. As always feel stupid for asking when question is answered
However a follow-up question. Sentinel blocked the range of addresses, while abuse has been done from one of them. Considering this is ISP provider pool (verizon is the biggest phone company in US), would it be better for me to modify the block to block only this specific address? |
Well that is more a mater for you to decide, In practice most IP are dynamic and a hacker wil have more then one ip address over time, but they will tend to be from the same "pool". If you just block the IP then the hack tries again, over time you end up with most of the IP's blocked anyway. Now he may have a more or less static Ip and in that case just blocking the IP is fine and doen't block other users.
I have very few users so I feel ok in more or less broad rages of blocking IP address as the chances a valid user is close to that IP address is almost nill. |
|
|
|
|
|
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6373
Location: Vsetin, Czech Republic
|
| Posted:
Mon Jan 29, 2007 8:07 pm |
|
Misha - yes that was a cross site scripting attack, I had one yesterday frm the same IP.
dssripper - I still have not figured out what caused the block to occur. There doesnt seem to be anything that would cause it. However, have you tried changing the link in the Sommaire menu to use a relative link e.g. modules.php?xxx rathe than HTTPxxxx |
|
|
|
|
Misha
Worker
Joined: Jul 30, 2006
Posts: 203
Location: McLean, VA
|
| Posted:
Mon Jan 29, 2007 9:14 pm |
|
Thanks guys  |
|
|
|
|
|
|
|
|
|
![[Valid RSS]](http://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
:: 
::
