Ravens PHP Scripts: Forums
 

 

mds
Client



Joined: Dec 24, 2004
Posts: 194
Location: Michigan

Posted: Fri Dec 24, 2004 8:04 pm

What do I do, or what can I do, to fix this? I have 300 emails of blocked IPs since 9am this morning. What is going on?
Here is the info; can someone explain it to me, PLEASE? As far as I can tell, Sentinel is doing a great job by blocking these. Also, as you can see, dnsstuff.com won't even offer any other info unless you go to their website and enter the IP addy. I had 9 IPs blocked at 2am Eastern; now I have 308 and still going. Thanks for any help. Running Nuke 7.4 with Sentinel 2.1.1, and forums are 2.0.11.

Date & Time: 2004-12-24 18:01:09
Blocked IP: 61.56.202.78
User ID: (1)
Reason: Abuse-Script
--------------------
User Agent: LWP::Simple/5.65
Query String: [ Only registered users can see links on this board! Get registered or login! ]
Forwarded For: none
Client IP: none
Remote Address: 61.56.202.78
Remote Port: 58910
Request Method: GET
--------------------
DNSStuffDNSStuffSorry, you have triggered our rate limiting system.
Please try again later. If you are reading this in a web browser, we
apologize -- we want you to use the site as much as you like. What we do
not like is when people use automated programs with our free service.
We have the addresses [ Only registered users can see links on this board! Get registered or login! ] and [ Only registered users can see links on this board! Get registered or login! ] here in case
spammers are harvesting addresses from our site. If you are not
automatically removed within a few minutes, you can contact us (using our info@
address at the domain in the URL you are at; please refer to 43ddeb42) to
get access again more quickly. Thanks!
 
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

Posted: Fri Dec 24, 2004 8:37 pm

[ Only registered users can see links on this board! Get registered or login! ]
 
mds







Posted: Fri Dec 24, 2004 8:45 pm

Thanks so much for the point. I added it, now waiting to see what happens. MERRY CHRISTMAS.

P.S.

Is there anything else I should be worried about with that query, or should I be OK?
 
Raven







Posted: Fri Dec 24, 2004 8:49 pm

If you have updated phpBB then it won't hurt you anyway, but that code in .htaccess will not even allow it to reach your site. We have discovered that they are altering the agent too, so you might want to do more of a wildcard, like


RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
 
mds







Posted: Fri Dec 24, 2004 8:54 pm

OK, now is that only going to block the specific user agent? So should I add in each additional one that's different?

And what happens if this is executed?

Sorry for being a pest, just trying to learn.
 
Raven







Posted: Fri Dec 24, 2004 10:27 pm

That will stop any user agent that begins with LWP (case insensitive)
 
mds







Posted: Fri Dec 24, 2004 10:34 pm

OK, I have added both uppercase and lowercase as individual/separate entries and I'm still getting the blocked emails, though not as frequently.

Here is what is in my .htaccess:

Options -Indexes
RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^lwp [NC]
RewriteRule ^.*$ emailsforyou.php [L]
RewriteEngine Off
RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
RewriteRule ^.*$ emailsforyou.php [L]
RewriteEngine Off
 
Raven







Posted: Sat Dec 25, 2004 12:59 am

Replace that with this.

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
RewriteRule ^.*$ emailsforyou.php [L]

That's all you need. The [NC] means ignore the case, so LwP==lWp
The last line can be replaced by your own page. If others get through, then check the user agent and add it if it is different.
 
cprompt
Regular



Joined: Jun 08, 2004
Posts: 64

Posted: Sat Dec 25, 2004 9:24 am

It appears a couple of my sites are getting bombarded as well by this agent.
I have added the suggested lines to my htaccess but for some reason, the agent is still getting through. I am getting at least one hack attempt every 5 minutes.

User Agent: LWP::Simple/5.76

the /5.76 has varied, but the LWP::Simple is the same.
 
Raven







Posted: Sat Dec 25, 2004 10:48 am

It should be working. It's working here and in other sites too. Make sure it's typed exactly as shown.
 
Viper-
New Member



Joined: Dec 24, 2004
Posts: 5

Posted: Sat Dec 25, 2004 11:18 am

Hey guys,

I can verify that it is working.

cprompt, do you have the line that Raven added above? RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]

I received well over 500 e-mails from Sentinel banning this in less than 24 hours. At one point I was getting around 5 a minute :(

Merry Christmas everyone, I hope all of you have a terrific and blessed day.

_________________
www.PHPNukeFiles.com
cprompt







Posted: Sat Dec 25, 2004 10:31 pm

Viper- wrote:
Hey guys,

I can verify that it is working.

cprompt, do you have the line that Raven added above? RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]

I received well over 500 e-mails from Sentinel banning this in less than 24 hours. At one point I was getting around 5 a minute :(

Merry Christmas everyone, I hope all of you have a terrific and blessed day.


darn..I have the EXACT same lines. I have now gotten 85 more hack attempts by
User Agent: LWP::Simple/5.803
/version number varies.


Here is what I have in my htaccess.
Code:
RewriteEngine on

#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
RewriteRule ^.*$ emailsforyou.php [L]
RewriteEngine Off



Please advise. This is becoming a headache.
 
Raven







Posted: Sat Dec 25, 2004 10:39 pm

I don't know what to tell you. I was getting hundreds a day and now - ZERO. Try dropping the RewriteEngine Off, although I can't believe that would matter. Make sure that you still have mod_rewrite installed. Maybe your host recompiled Apache and didn't include it? Also, make sure it's at the beginning of your .htaccess so that nothing else impedes it.
 
mds







Posted: Sat Dec 25, 2004 11:17 pm

REPLACED this :
Options -Indexes
RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^lwp [NC]
RewriteRule ^.*$ emailsforyou.php [L]
RewriteEngine Off
RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
RewriteRule ^.*$ emailsforyou.php [L]
RewriteEngine Off

WITH COPY AND PASTE OF THIS :
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
RewriteRule ^.*$ emailsforyou.php [L]
and moved the Options -Indexes that preceded this to beneath it, with a couple of spaces in between.

I'm up to 633 total blocked now as of time of post.

I do appreciate the help very much; hope you all had an enjoyable Christmas day.


Last edited by mds on Mon Dec 27, 2004 12:40 am; edited 1 time in total 
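Added example, not code from the thread: a small Python audit of the two .htaccess variants posted above. It relies on RewriteEngine being a per-directory setting rather than a positional switch, so the last RewriteEngine line in a file governs every rule in that file; the function name `audit_htaccess` is hypothetical, and the audit assumes no parent configuration has turned the engine on.

```python
import re

DIRECTIVE = re.compile(r"^(RewriteEngine|RewriteCond|RewriteRule)\b\s*(.*)$", re.I)

# The two variants posted in the thread.
WITH_TRAILING_OFF = """\
RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
RewriteRule ^.*$ emailsforyou.php [L]
RewriteEngine Off
"""
THREE_LINES = """\
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
RewriteRule ^.*$ emailsforyou.php [L]
"""

def audit_htaccess(text):
    """Return (engine_on, rule_count, findings) for the text of one .htaccess file."""
    # Assumption: the engine starts off (nothing inherited from a parent config).
    engine_on, toggles, rules, pending_conds, findings = False, [], 0, 0, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(raw.strip())  # comments and other directives do not match
        if not m:
            continue
        name, arg = m.group(1).lower(), m.group(2).strip().lower()
        if name == "rewriteengine":
            engine_on = arg == "on"       # each new value overwrites the previous one
            toggles.append(lineno)
        elif name == "rewritecond":
            pending_conds += 1
        else:                             # a RewriteRule consumes the conditions above it
            rules, pending_conds = rules + 1, 0
    if pending_conds:
        findings.append("RewriteCond with no RewriteRule after it")
    if rules and not engine_on:
        where = f"line {toggles[-1]}" if toggles else "no RewriteEngine line"
        findings.append(f"{where}: engine ends up off, {rules} rule(s) never run")
    if len(toggles) > 1:
        findings.append(f"RewriteEngine set {len(toggles)} times; last value wins")
    return engine_on, rules, findings

if __name__ == "__main__":
    for label, text in (("with trailing Off", WITH_TRAILING_OFF), ("three lines", THREE_LINES)):
        print(label, audit_htaccess(text))
```
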
mds







Posted: Sun Dec 26, 2004 1:48 am

Well, so far I have no new emails dated 12-26, so the adjustments that were made look, for now, as if they did the trick. Thanks a million, much appreciated.
 
cprompt







Posted: Sun Dec 26, 2004 7:23 am

Thanks!
Once I moved my Options -Indexes line below the other lines, it seems to be working.

Thank you ALL!

Merry Christmas
 
Raven







Posted: Sun Dec 26, 2004 8:10 am

Thanks mds! I've said in a few posts that the best place to put this is at the very top. To recap from all the posts, we have:

.htaccess only applies to Apache
mod_rewrite must be compiled in Apache
The lines to add at the top of .htaccess are (YOUR-REDIRECT-PAGE needs to be replaced with a real redirect page) - The new code is from VinDSL :)
Code:
#Check for Santy Worms and redirect them to a fake page
RewriteEngine on

#Variant -1
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR]
#Variant -2 (REQUEST_URI always begins with "/", so the pattern allows for it)
RewriteCond %{REQUEST_URI} ^/?visualcoders [NC,OR]
#Variant -3
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC]
RewriteRule ^.*$ emailsforyou.php [L]


This assumes that the user-agent does begin with LWP. If yours is different then make the needed adjustments.

VinDSL has contributed this also. He has found 2 other variants, so


Last edited by Raven on Sun Dec 26, 2004 9:14 am; edited 1 time in total 
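Added example, not code from the thread: a Python check that replays the recap's three OR-chained, case-insensitive conditions over access-log lines, to see which past requests the rule set would have caught and which it would have missed. The log lines, IP addresses and parameter values are constructed, the function names are hypothetical, and the URI pattern is written to allow the leading "/" that REQUEST_URI carries.

```python
import re
from urllib.parse import urlsplit

# The recap's three conditions: joined by [OR], all case-insensitive ([NC]).
# Assumption: the URI pattern allows the leading "/" that REQUEST_URI carries.
CONDITIONS = [
    ("HTTP_USER_AGENT", re.compile(r"^LWP", re.I)),
    ("REQUEST_URI", re.compile(r"^/?visualcoders", re.I)),
    ("QUERY_STRING", re.compile(r"rush=([^&]+)", re.I)),
]

# Apache "combined" access-log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Constructed sample log (documentation IP range, placeholder parameter values).
SAMPLE_LOG = '''\
192.0.2.10 - - [25/Dec/2004:22:31:07 -0600] "GET /modules.php?name=Forums&t=1 HTTP/1.0" 200 512 "-" "LWP::Simple/5.803"
192.0.2.11 - - [25/Dec/2004:22:31:09 -0600] "GET /modules.php?name=Forums&t=1 HTTP/1.0" 200 512 "-" "lwp-trivial/1.41"
192.0.2.12 - - [25/Dec/2004:22:32:40 -0600] "GET /viewtopic.php?t=1&rush=PLACEHOLDER HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.13 - - [25/Dec/2004:22:33:02 -0600] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/4.0 (compatible; LWP)"
192.0.2.14 - - [25/Dec/2004:22:33:30 -0600] "GET /shop.php?brush=red HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
'''

def matched_conditions(target, agent):
    """Names of the conditions one request satisfies (empty list = not redirected)."""
    parts = urlsplit(target)
    env = {"HTTP_USER_AGENT": agent, "REQUEST_URI": parts.path, "QUERY_STRING": parts.query}
    return [name for name, pattern in CONDITIONS if pattern.search(env[name])]

def hunt(log_text):
    """Map client IP -> sorted condition names for every log line the rules would catch."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            names = matched_conditions(m["target"], m["agent"])
            if names:
                hits[m["ip"]] = sorted(set(hits.get(m["ip"], [])) | set(names))
    return hits

if __name__ == "__main__":
    for ip, names in hunt(SAMPLE_LOG).items():
        print(ip, names)
```

In the sample, 192.0.2.13 is not caught because the agent pattern is anchored to the start of the string, and 192.0.2.14 is an ordinary request that is caught because `rush=` is not anchored to a parameter boundary.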
Muffin
Client



Joined: Apr 10, 2004
Posts: 649
Location: UK

Posted: Sun Dec 26, 2004 8:29 am

Thanks Raven

One more question: I see in some posts people have Options - Indexes in their htaccess file, and that they put this line below the third line of code above.

I don't have that in mine. If it should be there, do I put it under the third line of code, and is there anything else that should be below it apart from 2 or 3 empty lines and then the list of banned IPs?

Sorry, I see there's new code now to replace the 3-line code (you must have edited your post as I posted, lol, sorry).

So do I need Options - Indexes as asked in the first paragraph of this post?

_________________
Classic Mini rules the bends & bends the rules!

Last edited by Muffin on Sun Dec 26, 2004 8:33 am; edited 1 time in total 
Raven







Posted: Sun Dec 26, 2004 8:31 am

Not necessarily. Just put the protection at the top and leave everything else alone :)
 
Muffin







Posted: Sun Dec 26, 2004 8:35 am

Thank you

So it's safe to replace the rewrite 3-line code with this new one then.
 
Raven







Posted: Sun Dec 26, 2004 8:36 am

Yep.
 
Muffin







Posted: Sun Dec 26, 2004 8:43 am

Thank you Raven (and VinDSL)

where you say : YOUR-REDIRECT-PAGE needs to be replaced with a real redirect page

and the first line says : #Check for Santy Worms and redirect them to a fake page

I don't understand what to do.

I'm really sorry to be a pain but it's very confusing for non techy people like myself.
 
Raven







Posted: Sun Dec 26, 2004 8:44 am

It can be a fake page but then you will get errors in your server error log. I think what we are trying to say is that you just redirect them away from the intended attack.
 
Muffin







Posted: Sun Dec 26, 2004 8:51 am

OIC

Is that a bad thing to have errors in the server error log?

ermm where's my redirect page and how do I make a new one?

and can I redirect them to a custom made page specially for this purpose out of my nuke folder?

or do I just alter this : #Check for Santy Worms and redirect them to a fake page

to something like this: #Check for Santy Worms and redirect them to [ Only registered users can see links on this board! Get registered or login! ]

Thank you for your patience.
 
Raven







Posted: Sun Dec 26, 2004 8:56 am

Exactly!
 
All times are GMT - 6 Hours