| Author |
Message |
ms_combatmedic
New Member
Joined: May 15, 2006
Posts: 12
|
 Posted:
Sun Sep 21, 2008 8:25 am |
 
|
Over the last several weeks I have seen an increase in this manner of hacking - What are they trying for & should I worry?
| Code: | | Date & Time: 2008-09-20 20:33:30 CDT GMT -0500Blocked IP: 61.18.170.*User ID: Anonymous (1)Reason: Abuse-Filter--------------------Referer: noneUser Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Foxy/1; Foxy/1; Foxy/2; SINU/2; InfoPath.1)HTTP Host: mgcclan.comScript Name: /index.phpQuery String: ';DECLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245204054207661726437572736F72 AS CHAR(4000));EXEC(@S);Get String: \';DECLARE_@S_CHAR(4000);SET_@S=CAST(0x4445434C4152452040542076617 AS CHAR(4000));EXEC(@S);Post String: Not AvailableForwarded For: noneClient IP: noneRemote Address: 61.18.170.114Remote Port: 39762Request Method: GET |
|
Last edited by ms_combatmedic on Sun Sep 21, 2008 9:18 am; edited 1 time in total |
|
 
|
|
Susann
Moderator
Joined: Dec 19, 2004
Posts: 3132
Location: Germany:Moderator German NukeSentinel Support
|
| Posted:
Sun Sep 21, 2008 8:44 am |
|
No this isn´t new. Just use the search and maybe try Gremmies .htaccess solution. |
|
|
|
|
|
ms_combatmedic
New Member
Joined: May 15, 2006
Posts: 12
|
| Posted:
Sun Sep 21, 2008 8:47 am |
|
ok, thanks for your rapid reply - what is this script suppose to do if Sentinel didn't block it? |
|
|
|
|
|
Susann
Moderator
Joined: Dec 19, 2004
Posts: 3132
Location: Germany:Moderator German NukeSentinel Support
|
| Posted:
Sun Sep 21, 2008 8:58 am |
|
This is a mass attack.
Check this:
|
|
|
|
|
|
ms_combatmedic
New Member
Joined: May 15, 2006
Posts: 12
|
| Posted:
Sun Sep 21, 2008 9:19 am |
|
Susann - Am I understanding Gremmie, putting that fix into the .htaccess file? |
|
|
|
|
|
Susann
Moderator
Joined: Dec 19, 2004
Posts: 3132
Location: Germany:Moderator German NukeSentinel Support
|
| Posted:
Sun Sep 21, 2008 9:23 am |
|
|
|
|
|
ms_combatmedic
New Member
Joined: May 15, 2006
Posts: 12
|
| Posted:
Sun Sep 21, 2008 9:30 am |
|
|
|
|
|
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6299
Location: Vsetin, Czech Republic
|
| Posted:
Mon Sep 22, 2008 5:22 am |
|
NS should block it but very often you will get two emails per attack as the attack is so fast, NS doesn't have time to execute the 'write the banned IP to htaccess' before the second one gets through.
I got sick of these and now block them at server level with mod_security |
|
|
|
|
ms_combatmedic
New Member
Joined: May 15, 2006
Posts: 12
|
| Posted:
Mon Sep 22, 2008 5:26 am |
|
| Guardian2003 wrote: | | I got sick of these and now block them at server level with mod_security |
How is this done? I tried what Susann suggested yesterday, but this morning I awoke to 4 emails ( 2 attacks ) |
|
|
|
|
|
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6299
Location: Vsetin, Czech Republic
|
| Posted:
Mon Sep 22, 2008 5:38 am |
|
You need server level access so unless you have your own server or VPS you would not be able to use mod_security
If you do have that sort of access, then you can use
| Code: |
SecFilterSelective REQUEST_URI "DECLARE @S CHAR\(4000\)" |
|
|
|
|
|
|
dad7732
RavenNuke(tm) Development Team
Joined: Mar 18, 2007
Posts: 1174
|
| Posted:
Wed Oct 08, 2008 7:40 am |
|
Use to get over 100 per day. After adding the blocker to .htaccess I get ZERO now. IT WORKS !!! |
|
|
|
|
|
ms_combatmedic
New Member
Joined: May 15, 2006
Posts: 12
|
| Posted:
Wed Oct 08, 2008 8:51 am |
|
Thanks dad7732! I will try that as well. |
|
|
|
|
|
|
|
|
|
![[Valid RSS]](http://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
:: 
::
