Author |
Message |
Guardiannknight
Nuke Soldier


Joined: Aug 09, 2005
Posts: 28
|
Posted:
Tue Oct 09, 2007 4:02 pm |
  |
Hello, for the last month at least, my website has been swarmed with these two filter attacks...
Here is the Agent:
User Agent: Wget/1.1 (compatible; i486; Linux; RedHat7.3)
and for the attacks one is
name=http://amyru.h18.ru/images/cs.txt
well, it has my site and some other stuff in there before that, let me know if you need to see that....
the other one is...
name=http://0x0134.lan.io/pb.php
The http on both is usually the same, if I'm not mistaken... I have already banned some countries, like AU and NL, and have blocked who knows how many US IPs and have range-blocked a lot of IPs from Canada....
So, is this an attack on my site? If so, I guess I'll just have to keep banning IPs; if not, I'll need to unban some IPs... I have been getting about 100-plus attacks a day... a lot of them are the same IP, but I ban them and it's like they just use another IP.
If you need any more info, just let me know.
My website is... www.guardiansworlds.com
Thanks for any help anyone can share  |
_________________ www.guardiansworlds.com |
|
    |
 |
Evaders99
Site Admin


Joined: Aug 17, 2003
Posts: 12482
|
Posted:
Tue Oct 09, 2007 6:44 pm |
  |
Yes, these are automated attacks against your site. From what I can tell, they allow spammers to use your site to send out their junk emails.
Mostly these are from compromised systems; I doubt blocking IPs would be that effective. At least Nuke Sentinel seems to be working. |
_________________ Helping those that help themselves
Read FIRST or DIE!
"Fighting is terrible, but not as terrible as losing the will to fight."
Star Wars Rebellion Network - Need Help? Evaders Squadron Coding |
|
     |
 |
Guardiannknight
Nuke Soldier


Joined: Aug 09, 2005
Posts: 28
|
Posted:
Tue Oct 09, 2007 7:43 pm |
  |
Yeah, it's blocking all of them. Hope it stays that way. So, should I unban the IPs I've blocked? |
_________________ www.guardiansworlds.com |
|
    |
 |
Slackervaara
Captain


Joined: Sep 13, 2003
Posts: 355
|
Posted:
Tue Oct 09, 2007 9:21 pm |
  |
I use mod_rewrite in .htaccess to automatically keep those hacking robots out of my site, and instead they get a forbidden 403 page. I like mod_rewrite because it saves Sentinel from blocking a lot of hacking attempts:
RewriteCond %{QUERY_STRING} .*http:\/\/.*
Rewriterule ^.* - [F]
By the way, my site has been attacked by the identical robot, I have found out in the logs. |
|
|
   |
 |
Guardiannknight
Nuke Soldier


Joined: Aug 09, 2005
Posts: 28
|
Posted:
Wed Oct 10, 2007 3:32 pm |
  |
Thanks for the info. So, is there any type of filter attacks I should keep an eye out for, or should I just not ban any IP that attacks with a filter? |
_________________ www.guardiansworlds.com |
|
    |
 |
Guardiannknight
Nuke Soldier


Joined: Aug 09, 2005
Posts: 28
|
Posted:
Thu Oct 11, 2007 6:56 pm |
  |
Well, I have started unblocking the range block IP's and also, I think I removed the country range block also... Because I just got 520 some emails from my website telling me about each attack.... SO..... I'm thinking about going back and blocking some countries... Sad I have to do that, but that is sure a lot of bot attacks....  |
_________________ www.guardiansworlds.com |
|
    |
 |
Guardiannknight
Nuke Soldier


Joined: Aug 09, 2005
Posts: 28
|
Posted:
Thu Oct 11, 2007 6:57 pm |
  |
Well, I have started unblocking the range block IP's and also, I think I removed the country range block also... Because I just got 520 some emails from my website telling me about each attack.... SO..... I'm thinking about going back and blocking some countries... Sad I have to do that, but that is sure a lot of bot attacks....  |
_________________ www.guardiansworlds.com |
|
    |
 |
Guardiannknight
Nuke Soldier


Joined: Aug 09, 2005
Posts: 28
|
Posted:
Thu Oct 11, 2007 6:59 pm |
  |
Well, I have started unblocking the range block IP's and also, I think I removed the country range block also... Because I just got 520 some emails from my website telling me about each attack.... SO..... I'm thinking about going back and blocking some countries... Sad I have to do that, but that is sure a lot of bot attacks....  |
_________________ www.guardiansworlds.com |
|
    |
 |
Slackervaara
Captain


Joined: Sep 13, 2003
Posts: 355
|
Posted:
Thu Oct 11, 2007 9:49 pm |
  |
If you have an .htaccess file, use mod_rewrite to block these types of automatic hacker attacks, and Sentinel will not block them then, but the hackers will not be successful with their technique.
This is what I have in .htaccess to stop them:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^libwww(-FM|-perl) [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
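# Variable assumed to be %{QUERY_STRING} in the next six conditions (the name is missing from the post as captured)
RewriteCond %{QUERY_STRING} _CONF [OR]
RewriteCond %{QUERY_STRING} tool25 [OR]
RewriteCond %{QUERY_STRING} cmd.txt [OR]
RewriteCond %{QUERY_STRING} r57shell [OR]
RewriteCond %{QUERY_STRING} c99 [OR]
RewriteCond %{QUERY_STRING} THEME_DIR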
RewriteRule ^.* - [F,L]
RewriteEngine on
RewriteCond %{QUERY_STRING} .*http:\/\/.*
Rewriterule ^.* - [F] |
|
|
   |
 |
Guardiannknight
Nuke Soldier


Joined: Aug 09, 2005
Posts: 28
|
Posted:
Fri Oct 12, 2007 4:36 am |
  |
So do I just add that code into my .htaccess file? Or is there a program called mod_rewrite?
Thanks for the info  |
_________________ www.guardiansworlds.com |
|
    |
 |
Slackervaara
Captain


Joined: Sep 13, 2003
Posts: 355
|
Posted:
Fri Oct 12, 2007 9:18 am |
  |
Yes, it is just to add it in .htaccess. mod_rewrite is a module in the Apache server that fixes this. It must be installed, though, in order for it to work. |
|
|
   |
 |
Guardiannknight
Nuke Soldier


Joined: Aug 09, 2005
Posts: 28
|
Posted:
Fri Oct 12, 2007 5:17 pm |
  |
I will try and add that in my .htaccess file. Today, I got 850 some emails... My website is running on a Lunarpages server, so I'm hoping this will work... I guess I will find out tomorrow...
Thanks for the info,  |
_________________ www.guardiansworlds.com |
|
    |
 |
Guardiannknight
Nuke Soldier


Joined: Aug 09, 2005
Posts: 28
|
Posted:
Sat Oct 13, 2007 7:13 am |
  |
Just want to let you know, that worked. Well, it seems it has... Because I checked my email today, and no filter attacks have been sent from my site. Thanks big time. So is there a place I can keep check, to see if any new code is needed to be added (like if a new attack comes out)? Just to make sure I'm up to date.
Thanks again Slackervaara, that code did just the trick  |
_________________ www.guardiansworlds.com |
|
    |
 |
telli
Support Mod


Joined: Aug 21, 2003
Posts: 335
|
Posted:
Tue Oct 16, 2007 10:51 am |
  |
All of these attacks require loading a file from another server so they have to use a direct link to it. You can block that by simply adding this line of code to your config.php.
Code: |
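//http and https should not be used in any query string
//stripos() stands in for eregi(), which was removed in PHP 7; matching 'http' also matches 'https'
if (isset($_SERVER['QUERY_STRING']) && stripos($_SERVER['QUERY_STRING'], 'http') !== false) {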
header('Location: http://' . $_SERVER['SERVER_NAME']);
exit;
}
|
|
_________________ http://www.codezwiz.com |
|
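An added example, not part of the original thread or of any poster's code: a Python log check for the request shape discussed above (a query parameter whose value is a remote URL). It decodes values the way the application does before matching, and groups hits by parameter and user agent rather than by IP, since the source addresses keep changing. The log lines, the /modules.php path, the placeholder hosts and the function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache combined log format. Addresses are
# documentation ranges; hosts and the script path are placeholders.
SAMPLE_LOG = '''\
192.0.2.10 - - [09/Oct/2007:16:02:11 -0500] "GET /modules.php?name=http://files.example.net/cs.txt HTTP/1.0" 403 512 "-" "Wget/1.1 (compatible; i486; Linux; RedHat7.3)"
198.51.100.7 - - [09/Oct/2007:16:05:40 -0500] "GET /modules.php?name=http%3A%2F%2Ffiles.example.net%2Fpb.php HTTP/1.0" 200 7301 "-" "Wget/1.1 (compatible; i486; Linux; RedHat7.3)"
203.0.113.44 - - [09/Oct/2007:16:09:02 -0500] "GET /modules.php?name=News&file=article&sid=12 HTTP/1.1" 200 18444 "-" "Mozilla/5.0"
203.0.113.45 - - [09/Oct/2007:16:11:30 -0500] "GET /modules.php?name=Search&query=http+headers HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
# A value that *starts* with a URL scheme, so an ordinary search for the
# word "http" (last sample line) is not flagged.
REMOTE_URL_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

def find_remote_url_params(log_text):
    """Return one dict per request whose query string carries a remote URL as a value."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, target, status, agent = m.groups()
        # parse_qsl decodes %XX once, as PHP does before filling $_GET;
        # the extra unquote() also covers double-encoded values.
        for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if REMOTE_URL_RE.match(value) or REMOTE_URL_RE.match(unquote(value)):
                hits.append({"ip": ip, "param": key, "value": value,
                             "status": int(status), "agent": agent})
                break  # one hit per request is enough
    return hits

def summarize(hits):
    """Group hits by (parameter, user agent), collect client IPs, list hits not answered with 403."""
    per_pattern = Counter((h["param"], h["agent"]) for h in hits)
    ips = {h["ip"] for h in hits}
    not_blocked = [h for h in hits if h["status"] != 403]
    return per_pattern, ips, not_blocked

if __name__ == "__main__":
    patterns, ips, not_blocked = summarize(find_remote_url_params(SAMPLE_LOG))
    print(patterns, sorted(ips), not_blocked)
```

Any entry in the `not_blocked` list is a request of this shape that the server did not answer with 403, which is the case to review first.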
   |
 |
Guardiannknight
Nuke Soldier


Joined: Aug 09, 2005
Posts: 28
|
Posted:
Wed Oct 17, 2007 11:50 am |
  |
telli wrote: |
All of these attacks require loading a file from another server so they have to use a direct link to it. You can block that by simply adding this line of code to your config.php.
Code: |
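//http and https should not be used in any query string
//stripos() stands in for eregi(), which was removed in PHP 7; matching 'http' also matches 'https'
if (isset($_SERVER['QUERY_STRING']) && stripos($_SERVER['QUERY_STRING'], 'http') !== false) {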
header('Location: http://' . $_SERVER['SERVER_NAME']);
exit;
}
|
|
So, would it be good to use this along with the stuff I have added to the .htaccess file? |
_________________ www.guardiansworlds.com |
|
    |
 |
|