Unknown Attack

Posted: Thu Feb 02, 2006 9:50 am

You have been blocked from entering this site.

You have attempted an unknown attack on this site.

All of the following information has been gathered to assist the webmaster should this need to be reported to local or federal law enforcement.

If you think this is a mistake you can contact the site webmaster at admin(at)fryingpantower(dot)com.

User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)
Remote Address: XX.XXX.XXXX
Client IP: none
Forwarded For: XX.XXXX.xxxx
Date Blocked: 2006-02-02 @ 07:19:47 PST GMT -0800
Block expires: Permanent

I have recieved several E-Mails this morning from users with this refrence. Both work of 2 Different City Govs.

3 issues.....

1. which blocker is kicking them?

2. 2 How can I find out why?

3. I do not seem to be logging the IP's or getting E-Mails from the site about them getting blocked.

I have checked the config.....All seems good. E-Mail-Block-Default. The e-mail address is set up in the software. I have checked the /includes, admin/case, admin/links and admin/modules for old sentinial scripts.

What else can I do?

Dawg

Posted: Thu Feb 02, 2006 11:03 am

I have been reading about Chatserv's 2.9 patches. I am on 7.2 with 3.1 patched. I hit a snag when I installed NS. The mainfile changes did not match up to what I had so I tried to include it the best I could make sence of it.

I just did a compare between mine and Chatsev's.....

3.1 had this

Code:




if(defined('FORUM_ADMIN')) {


  define('INCLUDE_PATH', '../../../');


} elseif(defined('INSIDE_MOD')) {


  define('INCLUDE_PATH', '../../');


} else {


  define('INCLUDE_PATH', './');


}





@require_once(INCLUDE_PATH."config.php");


@require_once(INCLUDE_PATH."db/db.php");


@require_once(INCLUDE_PATH."includes/sql_layer.php");

Mine has this....

Code:

if(defined('FORUM_ADMIN')) {


  define('INCLUDE_PATH', '../../../');


} elseif(defined('INSIDE_MOD')) {


  define('INCLUDE_PATH', '../../');


} else {


  define('INCLUDE_PATH', './');


}





@require_once(INCLUDE_PATH."config.php");


@require_once(INCLUDE_PATH."db/db.php");


@require_once(INCLUDE_PATH."includes/sql_layer.php");


@require_once(INCLUDE_PATH."/includes/nukesentinel.php");

the only diff I see is the include for NS....

Then in function online....3.1

Code:

function online() {


  global $user, $cookie, $prefix, $db;


  $ip = $_SERVER['REMOTE_ADDR'];

Mine

Code:

function online() {


  global $nsnst_const, $user, $cookie, $prefix, $db;


  if(!file_exists('includes/nukesentinel.php')) {


    $ip = $_SERVER['REMOTE_ADDR'];


  } else {


    $ip = $nsnst_const['remote_ip'];


  }

This is from the 7.2 Readme for the install of NS....

Code:

#-----[ OPEN ]------------------------------------------


#


mainfile.php





#


#-----[ FIND ]------------------------------------------


#


if (defined('FORUM_ADMIN')) {


    @require_once("../../../config.php");


    @require_once("../../../db/db.php");


    @require_once("../../../includes/sql_layer.php");


} elseif (defined('INSIDE_MOD')) {


    @require_once("../../config.php");


    @require_once("../../db/db.php");


    @require_once("../../includes/sql_layer.php");


} else {


    @require_once("config.php");


    @require_once("db/db.php");


    @require_once("includes/sql_layer.php");


}





#


#-----[ CHANGE TO ]------------------------------------------


#


if (defined('FORUM_ADMIN')) {


    @require_once("../../../config.php");


    @require_once("../../../db/db.php");


    @require_once("../../../includes/sql_layer.php");


    @include_once("../../../includes/nukesentinel.php");


} elseif (defined('INSIDE_MOD')) {


    @require_once("../../config.php");


    @require_once("../../db/db.php");


    @require_once("../../includes/sql_layer.php");


    @include_once("../../includes/nukesentinel.php");


} else {


    @require_once("config.php");


    @require_once("db/db.php");


    @require_once("includes/sql_layer.php");


    @include_once("includes/nukesentinel.php");


}

If you notice mine is diff than the NS file.

Is this what is causing me problems?

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

Cross reference this thread and see if that helps.
[ Only registered users can see links on this board! Get registered or login! ]

Posted: Thu Feb 02, 2006 2:16 pm

I did cross reference it.....that is how I knew about /includes, admin/case, admin/links, admin/modules and Chat's patches. Could you be a little more specific?

A search term or link?

Dawg

Posted: Thu Feb 02, 2006 2:21 pm

- Sorry about that. It should have had this posted with it. I corrected the post: [ Only registered users can see links on this board! Get registered or login! ]

Posted: Thu Feb 02, 2006 2:42 pm

LOL....and I should have said "Please" and "Thank You" so we are even!!

Just to make sure that I got it all.....and to consoladate all this info into one spot......I came up with three steps from those threads.

I got this one......

Code:

Code: ‹ Select › ‹ Expand ›  


// Posting from other servers in not allowed 


// Fix by Quake 


// Bug found by PeNdEjO 


if ($_SERVER['REQUEST_METHOD'] == "POST") { 


  if (isset($_SERVER['HTTP_REFERER'])) { 


    if (!stripos_clone($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'])) { 


        die('Posting from another server not allowed!'); 


    } 


  } else { 


    die($posttags); 


  } 


}

I see this one....
Please delete the Abuse folder completely.
Delete includes/nuksentinel.php and includes/sentinel.php (if it exists).
Delete language/nukesentinel folder and sentinel folder if it exists.
Delete admin/nukesentinel folder and sentinel folder if it exists.
Delete admin/modules/nukesentinel.php and admin/modules/sentinel.php if it exists.

Then reftp the NukeSentinel(tm) v2.4.2.

and this one....

It's the () in the titles. This is well documente in the forums here. Use phpMyAdmin and change all () to [] or whatever, but 86 the (). Also, on your script blocker, just set it to email the admin. That's all you really need.

These three steps will correct the issue?

I am just trying to be clear here....I read a LOT of threads today to resolve this and I want to make sure that the next guy in line gets off easy and does not have to bother "Da Master" (Raven) at Work!

Thank You.....

Dawg

New Member Joined: Oct 20, 2006 Posts: 1

Code:




<ST YLE TYPE="text/css">


<!--


.deepsea, .deepsea TD, .deepsea TH


{


background-image: url('deepsea.gif');


background-color:blue;


color:white;


font-family: sans-serif;


font-weight:600; 


}


-->


</ST YLE>