You are missing our premiere tool bar navigation system! Register and use it for FREE!


Author: GuardiannknightPostPosted: Wed Oct 17, 2007 11:50 am    Post subject:

NukeCops  
•  Home •  Downloads •  Gallery •  Your Account •  Forums • 

Author: Evaders99PostPosted: Tue Oct 09, 2007 6:44 pm    Post subject:

Yes these are automated attacks against your site. From what I can tell, they allow spammers to use your site to send out their junk emails.

Mostly these are from compromised systems, I doubt blocking IPs would be that effective. At least Nuke Sentinel seems to be working

Author: GuardiannknightPostPosted: Tue Oct 09, 2007 7:43 pm    Post subject:

Yeah, it's blocking all of them Smile Hope it stays that way. So, should I unban the IP's i've blocked?

Author: SlackervaaraPostPosted: Tue Oct 09, 2007 9:21 pm    Post subject:

I use modrewrite in .htaccess to automatically keep those hacking robots out from my site and instead they get a forbidden 403 page. l like modrewrite because it saves Sentinel from blocking a lot of hacking attempts:

RewriteCond %{QUERY_STRING} .*http:\/\/.*
Rewriterule ^.* - [F]

By the way my site have been attacked by the identical robot I have found out in the logs.

Author: GuardiannknightPostPosted: Wed Oct 10, 2007 3:32 pm    Post subject:

Thanks for the info. Smile So, is there any type of filter attacks I should keep an eye out for, or should I just not ban any IP that attacks with a filter?

Author: GuardiannknightPostPosted: Thu Oct 11, 2007 6:56 pm    Post subject:

Well, I have started unblocking the range block IP's and also, I think I removed the country range block also... Because I just got 520 some emails from my website telling me about each attack.... Rolling Eyes SO..... I'm thinking about going back and blocking some countries... Sad I have to do that, but that is sure a lot of bot attacks.... Shocked

Author: GuardiannknightPostPosted: Thu Oct 11, 2007 6:57 pm    Post subject:

Well, I have started unblocking the range block IP's and also, I think I removed the country range block also... Because I just got 520 some emails from my website telling me about each attack.... Rolling Eyes SO..... I'm thinking about going back and blocking some countries... Sad I have to do that, but that is sure a lot of bot attacks.... Shocked

Author: GuardiannknightPostPosted: Thu Oct 11, 2007 6:59 pm    Post subject:

Well, I have started unblocking the range block IP's and also, I think I removed the country range block also... Because I just got 520 some emails from my website telling me about each attack.... Rolling Eyes SO..... I'm thinking about going back and blocking some countries... Sad I have to do that, but that is sure a lot of bot attacks.... Shocked

Author: SlackervaaraPostPosted: Thu Oct 11, 2007 9:49 pm    Post subject:

If you have an .htaccess file use modwrite to block these types of automatic hacker attacks and Sentinel will not block them then, but the hackers will not be succesful with their technique.

This is what I have in .htaccess to stop them:

RewriteEngine On

RewriteCond %{HTTP_USER_AGENT} ^libwww(-FM|-perl) [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond % _CONF [OR]
RewriteCond % tool25 [OR]
RewriteCond % cmd.txt [OR]
RewriteCond % r57shell [OR]
RewriteCond % c99 [OR]
RewriteCond % THEME_DIR
RewriteRule ^.* - [F,L]

RewriteEngine on

RewriteCond %{QUERY_STRING} .*http:\/\/.*
Rewriterule ^.* - [F]

Author: GuardiannknightPostPosted: Fri Oct 12, 2007 4:36 am    Post subject:

So do I just add that code into my .htaccess file? Or is there a program called modwrite?

Thanks for the info Smile

Author: SlackervaaraPostPosted: Fri Oct 12, 2007 9:18 am    Post subject:

Yes, it is just to add it in .htaccess. Modrewrite is a module in the apache server that fixes this. It must be installed though in order for it to work.

Author: GuardiannknightPostPosted: Fri Oct 12, 2007 5:17 pm    Post subject:

I will try and add that in my .htaccess file. Today, I got 850 some emails... Rolling Eyes My website is running on lunarpages server, so, i'm hoping this will work... I guess I will find out tomorrow...

Thanks for the info, Smile

Author: GuardiannknightPostPosted: Sat Oct 13, 2007 7:13 am    Post subject:

Just want to let you know, that worked Smile Well it seems it has... Very Happy Because I checked my email today, and no filter attacks have been sent from my site. Thanks big time. Smile So is there a place I can keep check, to see if any new code is needed to be added(like if a new attack comes out)??? Just to make sure I'm up to date.

Thanks again Slackervaara, that code did just the trick Smile

Author: telliPostPosted: Tue Oct 16, 2007 10:51 am    Post subject:

All of these attacks require loading a file from another server so they have to use a direct link to it. You can block that by simply adding this line of code to your config.php.

Readme First
- Readme First! -

Read and follow the rules, otherwise your posts will be closed
Modules
· Home
· FAQ
· Buy a Theme
· Advertising
· AvantGo
· Bookmarks
· Columbia
· Community
· Donations
· Downloads
· Feedback
· Forums
· PHP-Nuke HOWTO
· Private Messages
· Search
· Statistics
· Stories Archive
· Submit News
· Surveys
· Theme Gallery
· Top
· Topics
· Your Account
Who's Online
There are currently, 286 guest(s) and 0 member(s) that are online.

You are Anonymous user. You can register for free by clicking here
Nuke Cops :: View topic - Is this an attack?? Is this an attack??
Goto page 1, 2  Next  :| |:
Nuke Cops -> Nuke Security

Author: Guardiannknight PostPosted: Tue Oct 09, 2007 4:02 pm    Post subject: Is this an attack??

Hello, for the last month at least, my website has been swarmed with this two filter attacks...

Here is the Agent:

User Agent: Wget/1.1 (compatible; i486; Linux; RedHat7.3)

and for the attacks one is

name=http://amyru.h18.ru/images/cs.txt

well, it has my site and some other stuff in there before that, let me know if you need to see that....

the other one is...

name=http://0x0134.lan.io/pb.php


the http on both are usually the same if i'm not mistaken... I have already banned some countries, like AU an NL, and have blocked who knows how many US IP's and have ranged blocked a lot of IP's from Canada....

So, is this a attack on my site, if so, i guess I'll just have to keep banning IP's if not, i'll need to unban some IP's... I have been getting about 100 plus attacks a day... Sad a lot of them are the same IP, but I ban them and it's like they just use another IP.

If you need anymore info, just let me know.

My website is... www.guardiansworlds.com

Thanks for any help anyone can share Smile
Code:

//http and https should not be used in any query string
if (eregi('http', $_SERVER['QUERY_STRING']) || eregi('https', $_SERVER['QUERY_STRING'])) {
   header('Location: http://' . $_SERVER['SERVER_NAME']);
   exit;
}
telli wrote:
All of these attacks require loading a file from another server so they have to use a direct link to it. You can block that by simply adding this line of code to your config.php.

Code:

//http and https should not be used in any query string
if (eregi('http', $_SERVER['QUERY_STRING']) || eregi('https', $_SERVER['QUERY_STRING'])) {
   header('Location: http://' . $_SERVER['SERVER_NAME']);
   exit;
}





So, would it be good to use this along with the stuff I have added to the .htacess file?



Nuke Cops -> Nuke Security

All times are GMT - 8 Hours

Goto page 1, 2  Next  :| |:
Page 1 of 2

Powered by phpBB © 2001,2002 phpBB Group
Powered by TOGETHER TEAM srl ITALY http://www.togetherteam.it - DONDELEO E-COMMERCE http://www.DonDeLeo.com - TUTTISU E-COMMERCE http://www.tuttisu.it
Web site engine's code is Copyright © 2002 by PHP-Nuke. All Rights Reserved. PHP-Nuke is Free Software released under the GNU/GPL license.
Page Generation: 0.341 Seconds - 316 pages served in past 5 minutes. Nuke Cops Founded by Paul Laudanski (Zhen-Xjell)
added by Evaders - DO NOT REMOVE
:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::