| Author |
Message |
dad7732
RavenNuke(tm) Development Team
Joined: Mar 18, 2007
Posts: 1174
|
 Posted:
Thu May 29, 2008 4:30 am |
 
|
NS 2.5.18
Ok, educate me here please ...
Was CLike attempted FOUR times by the same IP: 89.249.160.180 for you folks that want to add this to your blocker.
What I don't understand is the timing:
1. 0428 CDT
2. 0429 CDT
3. 0429 CDT
4. 0430 CDT
My question is why isn't the IP blocked from attempts 2 thru 4 if the first attempt is "blocked"?? Is it a session thing where the hacker makes 4 quick attempts and THEN is blocked if he returns in a new session?
Cheers, Jay
BTW: Obviously not going to publish the method but it was two different strings that was tried twice each. |
|
|
|
|
dad7732
RavenNuke(tm) Development Team
Joined: Mar 18, 2007
Posts: 1174
|
| Posted:
Thu May 29, 2008 4:40 am |
|
Ok, I'm back and I think I can answer my own question after some deep thought. 
The first attempt is intercepted because it's a CLike.
The second, third and fourth attempts are actually blocked by IP, not by the CLike string itself.
Is this correct ?
Cheers |
|
|
|
|
|
jakec
Site Admin
Joined: Feb 06, 2006
Posts: 3028
Location: United Kingdom
|
| Posted:
Thu May 29, 2008 5:39 am |
|
What message is Sentinel giving you for each attempt?
Has the IP been written to the .htaccess file?
If the IP has been written to the .htaccess then the subsequent attempts should never get through to Sentinel. |
|
|
|
|
|
dad7732
RavenNuke(tm) Development Team
Joined: Mar 18, 2007
Posts: 1174
|
| Posted:
Thu May 29, 2008 7:11 am |
|
The message is the same from Sentinel, the only changes are the times and the script tried.
.htaccess
deny from 89.249.160
I'd have to look at the server log to see what actual time the deny was added. If it works correctly it should be on the first attempt. Also, the server log should show the subsequent attempts as well.
Same session attempts? If the hacker closed the session and tried again then the htaccess would deny the access. Dunno, guessing on this one.
Cheers |
|
|
|
|
|
dad7732
RavenNuke(tm) Development Team
Joined: Mar 18, 2007
Posts: 1174
|
| Posted:
Thu May 29, 2008 7:29 am |
|
Ok, here's your answer from the logs.
The first attempt was at 00:04:29 CDT after which the log shows over 150 attempts the last one being at 00:05:10 CDT
Note: The above are attempts shown in the main server log
The error log shows:
[Thu May 29 00:04:33 2008] [error] [client 89.249.160.180] client denied by server configuration: /[server path]/[my domain]/modules.php
This proves that the htaccess did it's job as the remaining 100 or so attempts showed the same error log entries for each attempt at access.
Also obvious that he was using a script as the attempts are literally fractions of a second apart.
Sentinel did it's job for sure !!!! 
Cheers |
|
|
|
|
|
jakec
Site Admin
Joined: Feb 06, 2006
Posts: 3028
Location: United Kingdom
|
| Posted:
Thu May 29, 2008 1:10 pm |
|
Great analysis. It good to show that Sentinel does its job. |
|
|
|
|
|
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
|
| Posted:
Thu May 29, 2008 6:20 pm |
|
It is possible that .htaccess hasn't been written to yet, before Apache processes the next 3 requests. Such automated scripts make requests in quick succession, there isn't really anything you can do about it. At least Sentinel is working |
|
|
|
|
dad7732
RavenNuke(tm) Development Team
Joined: Mar 18, 2007
Posts: 1174
|
| Posted:
Fri May 30, 2008 7:25 am |
|
evaders .. that's exactly it, the time lag. But like I emphasized, NS is working up to snuff.
Cheers |
|
|
|
|
|
|
|
|
|
![[Valid RSS]](http://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
:: 
::