String attacks spamming my site

Worker Joined: Feb 18, 2006 Posts: 155 Location: Virginia

The last 3 days, I have had the same string attacks (about 15 a day) from
random ips. Sentinel keeps blocking them. My site keeps going down
and my host thinks they server is going down because of attacks being
launched from my site.

Since the attacks are coming from different ip's, I don't know how to stop
them. Here is a snippett from nukesentinel:

Code:

Reason: Abuse-Filter


--------------------


User Agent: Wget/1.1 (compatible; i486; Linux; RedHat7.3)


Query String: [ Only registered users can see links on this board! Get registered or login! ]


Get String: [ Only registered users can see links on this board! Get registered or login! ]

Posted: Wed Oct 24, 2007 7:24 am

It appears that your site is being attacked and that Sentinel is blocking the attacks. What evidence does your host have that actual attacks are being launched from your site? You can block the string "amyru" but if the attacker is using proxies he will still get as far as Sentinel before his IP is blocked, then he'll use another IP. Nothing you can do about that.

Just make sure that no "foreign" files have been planted on your site.

Posted: Wed Oct 24, 2007 7:34 am

utssace, if the User Agent for these attacks is always Wget, do a search here in the forums for how you can use .htaccess to stop these requests from ever getting to nuke (it will save you a TON on SQL calls).

Look for "libwww" in your search and you should find something I think.

Posted: Wed Oct 24, 2007 3:51 pm

Thanks for the help. I'll check out the htaccess block idea.

The host has to keep restarting the server after about an hour, it shuts
down again. Probably a security mechanism in the server. Too many logs
to narrow down. Host will be reinstalling OS and everything on the server.

Worker Joined: Aug 26, 2007 Posts: 236

I have looked in my logs and I get similar attacks on my site, but I block them in .htaccess by this:

RewriteEngine on

RewriteCond %{QUERY_STRING} .*http:\/\/.*
Rewriterule ^.* - [F]

Posted: Wed Oct 24, 2007 7:49 pm

slackervaara, That is definitely another way, but just keep in mind that some scripts will embed [ Only registered users can see links on this board! Get registered or login! ] type addresses in them so if you run into any issues you might have to back this off some.

For example, different versions of nuke and add-ons will allow you to look up referrers or check downloads, etc. using these methods. I believe even Gallery at one point (may still do) uses this for some of its functions.

It will work. Just cautioning others too who read this thread.