Ravens PHP Scripts: Forums
 

 

Daave
New Member



Joined: Mar 05, 2005
Posts: 2

Posted: Sat Mar 05, 2005 12:53 am

I installed Fortress some time ago and occasionally I would get hack attempt emails. Lately it's become a regular occurrence and today I was getting 20/hr. I decided to install Sentinel, which seemed to go just fine.

I left Fortress in there as a backup, and the hacks stopped triggering Fortress. Then I figured I'd just check it to make sure it was working and to see what the hacker would see.

When I hit my site using the exact same hack URL that Fortress gave me earlier, all I see is "Invalid Content", that's it. When I check the blocked IP list, there's nothing there. I pulled out Fortress, and there's no difference.

It seems to be blocking the attacks, but I'm guessing the "Invalid Content" is an error message. Anyone have an idea on what's going on?

Thanks,

Daave


P.S - Thanks for using my NukeTreasury mod!
 
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

Posted: Sat Mar 05, 2005 8:27 am

Before digging too deeply, I would remove one or the other. For the sake of this reply, let's assume you will remove Fortress since you have just added NukeSentinel. Make sure that you remove all references to Fortress and even the security code that Chat adds to his fix packs, usually at the top of the code. NukeSentinel handles those too. That "Illegal Content" is coming from one of those two places.
 
Daave







Posted: Tue Mar 08, 2005 8:27 am

I'm confused on this. I had already disabled Fortress, so that's not it, but regardless. This is the code which causes the "Invalid Content"

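// Comma-separated substrings rejected when found anywhere in the request URI
$bad_uri_content="rush,perl,chr(,pillar,visualcoder,sess_";
global $REQUEST_URI;
$tmp=explode(",",$bad_uri_content);
foreach ($tmp as $id => $uri_content) {
    // strpos() returns 0 for a match at offset 0, so compare against false explicitly
    if (strpos($REQUEST_URI,$uri_content) !== false) {
        // Ends the request here, before any later code runs
        die("Illegal Content");
    }
}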

Any URI that contains any one of the words in $bad_uri_content will cause die("Illegal Content");

What's confusing is why this is an isolated test and it doesn't engage Sentinel. The attack that I was experiencing (at about 20 attacks per hour) included the words "rush", "perl", and "sess_". That's what triggered the Invalid Content message. I'll PM you the hack URL. It seems to me that this hack should've engaged Sentinel so it could block the IP's and send me an email notification. This is what Fortress was doing.

Daave
 
Raven







Posted: Tue Mar 08, 2005 8:31 am

First of all, it DIES before NukeSentinel is called. Second of all, for the Santy Worm protection it is NOT recommended that you use Sentinel. Use the separate .htaccess code discussed in the other thread. Lastly, Sentinel introduced the Santy code in 2.1.3, I believe. Is that the version you're using?
 
California
Hangin' Around



Joined: Mar 24, 2005
Posts: 28

Posted: Fri Apr 08, 2005 1:08 pm

I just upgraded to Nuke Sentinel 2.1.3 and am now getting the same "Illegal Content" error. It happens every time you click a result after searching the forums on my site.

Note: This is the first thread I read after searching so please excuse me if this has been addressed and resolved, I will go read the other search results next.
 
California







Posted: Mon Apr 11, 2005 11:04 pm

Raven wrote:
NukeSentinel does not issue any "Illegal Content" messages. So, try what is discussed in this thread.
My bad... I must be using some other form of protection called Sentinel although I thought it was yours. Is there more than one? (the copyright link goes to another site and I know there are also NSN products I may be confusing with yours). Sorry, did not mean to offend you or your excellent products.

I found the problem in sentinel.php, I had to remove the "highlight"

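Code:
// Stop Santy Worm

// Comma-separated substrings rejected when found anywhere in the request URI
$bad_uri_content="rush,highlight,perl,chr(,pillar,visualcoder,sess_";
global $REQUEST_URI;
$tmp=explode(",",$bad_uri_content);
foreach ($tmp as $snid => $uri_content) {
    // strpos() returns 0 for a match at offset 0, so compare against false explicitly
    if (strpos($REQUEST_URI,$uri_content) !== false) {
        // Ends the request here, before any later code runs
        die("Illegal Content");
    }
}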
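
The false positive reported above, as an added example that is not part of the thread's posts or of NukeSentinel: the token list is the one posted in the thread, while the function names and sample URIs are constructed for illustration. It compares the raw substring test with a check limited to decoded parameter values, and returns the match instead of calling die() so a caller can log or block before ending the request.

```php
<?php
// Added example, not NukeSentinel code. Function names and sample URIs are constructed.

// Token list as posted in the thread, including the "highlight" entry.
const BAD_URI_TOKENS = ['rush', 'highlight', 'perl', 'chr(', 'pillar', 'visualcoder', 'sess_'];

// Same test as the posted snippet: substring match anywhere in the raw URI.
// Returns the matched token (or null) rather than calling die(), so the caller
// can log the hit or hand it to an IP-blocking layer before ending the request.
function match_raw_uri(string $uri, array $tokens): ?string
{
    foreach ($tokens as $token) {
        if (strpos($uri, $token) !== false) {
            return $token;
        }
    }
    return null;
}

// Narrower test: inspect only decoded parameter values, so a parameter that is
// merely named "highlight" no longer matches.
function match_param_values(string $uri, array $tokens): ?string
{
    $query = parse_url($uri, PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);
    $hit = null;
    array_walk_recursive($params, function ($value) use ($tokens, &$hit) {
        foreach ($tokens as $token) {
            if ($hit === null && stripos((string) $value, $token) !== false) {
                $hit = $token;
            }
        }
    });
    return $hit;
}

$samples = [
    '/modules.php?name=Forums&file=viewtopic&t=42&highlight=sentinel', // search result link
    '/modules.php?name=Forums&file=viewtopic&t=42&highlight=chr(65)',  // token inside a value
];
foreach ($samples as $uri) {
    printf("%s\n  raw: %s  values: %s\n", $uri,
        match_raw_uri($uri, BAD_URI_TOKENS) ?? 'none',
        match_param_values($uri, BAD_URI_TOKENS) ?? 'none');
}
```

A forum search for a word that is itself on the list (for example "perl") still matches in the value check, which is a limit of any word-list filter.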
 
Raven







Posted: Mon Apr 11, 2005 11:22 pm

No, my bad Laughing - Sorry - this was addressed up above though Wink


Last edited by Raven on Tue Apr 12, 2005 3:28 am; edited 1 time in total 
California







Posted: Tue Apr 12, 2005 1:50 am

I am not trying to start something; however, I was just pointing out that I had a "highlight" in my code that was also causing this Illegal Content error with my search result links. I know it is a variation of the problem above where the main discussion is about a hacking attempt. I should not have posted. Lesson learned.

The first code did not contain the "highlight" so I only posted what I did to hopefully help someone who searches for "Illegal Content" and finds this thread with the same problem.
 
Raven







Posted: Tue Apr 12, 2005 3:27 am

You're not starting anything and it is appreciated and welcomed. Thanks!
 
All times are GMT - 6 Hours
 