HACKED with sentinal 2.2.0 installed

Raven · Posted: Tue Jun 07, 2005 11:08 pm

mds, Thanks! And keep in mind there's a good chance that he spoofed the IP, but I always send the reports in anyway Wink

persona_non_grata · Joined: Posts: 0

well it all depends to what kind of connection he has,dyn or static..
and believe me...if they are good enough to hack your site they wont be stupid enough to use their own ip.

good step is to set the proxy blocker to on.
but also has consequences...

mds · Client Joined: Dec 24, 2004 Posts: 194 Location: Michigan

Raven wrote:

mds, Thanks! And keep in mind there's a good chance that he spoofed the IP, but I always send the reports in anyway Wink

right, i thought of this as well..

persona_non_grata wrote:

well it all depends to what kind of connection he has,dyn or static..
and believe me...if they are good enough to hack your site they wont be stupid enough to use their own ip.

good step is to set the proxy blocker to on.
but also has consequences...

can you give me an example of the consequences ?

also , i know its off topic from the rest of the thread but as of bbtonuke version 2.0.13 or so, wasnt the update supposed to take the forum version out of the footer / copyright area ? mine still shows...2.0.14....

persona_non_grata · Joined: Posts: 0

well some people without any bad things in mind use a procy or its simple the provider...
as for turning the proxy on will result in banning the person or redirecting them.

mds · Client Joined: Dec 24, 2004 Posts: 194 Location: Michigan

Ok, will addeing the IP to the protected list cure this ?

persona_non_grata · Joined: Posts: 0

probably...im not 100 percent sure...
atleast you can try....

64bitguy · Posted: Wed Jun 08, 2005 12:16 pm

No! You don't want to add the IP to the protected list, you want to add it to the banned list.

persona_non_grata · Joined: Posts: 0

yeah something like that...
i think its the sun.. Laughing

mds · Client Joined: Dec 24, 2004 Posts: 194 Location: Michigan

64bitguy wrote:

No! You don't want to add the IP to the protected list, you want to add it to the banned list.

lol no not the IP of the hacker of course that 1 goes to the ban list

the IP if a person is blocked because of sentinal proxy protection

TheLoneInventor · Posted: Thu Jun 09, 2005 2:22 am

No problem. Yea, after finding that IP I was aware of being visited frequently in the past by the same guy... Doh! Had I only known... lol

Oh well, live and learn I guess.

EDIT: Oops, missed this second page! lol Yea, the IP could easily be spoofed, although I have recieved about 50 hits on my banned page redirect setup from those IPs already, so...

mds · Client Joined: Dec 24, 2004 Posts: 194 Location: Michigan

i agree but thanks to raven we have a resource of very knowlegable people who can can help us RavensScripts

mds · Client Joined: Dec 24, 2004 Posts: 194 Location: Michigan

well it looks like they tried to hack again heres the email and the ip lookup info this they were caught and blocked RavensScripts

:

Date & Time: 2005-06-10 12:08:50 PDT GMT -0700
Blocked IP: 81.215.140.100
User ID: Anonymous (1)
Reason: Abuse-Author
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Query String:

Only registered users can see links on this board!
Get registered or login to the forums!

Get String:

Only registered users can see links on this board!
Get registered or login to the forums!

Post String:
www.XXX.com/admin.php?admin=eCcgVU5JT04gU0VMRUNUIDEvKjox&add_radminsuper=1&op=mod_authors&Submit=Display
Forwarded For: none
Client IP: none
Remote Address: 81.215.140.100
Remote Port: 1229
Request Method: POST

Location: Turkey (high)

% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
%

Only registered users can see links on this board!
Get registered or login to the forums!

% for more details.
%
% Rights restricted by copyright.
% See

Only registered users can see links on this board!
Get registered or login to the forums!

% Information related to '81.215.128.0 - 81.215.143.255'

inetnum: 81.215.128.0 - 81.215.143.255
netname: TurkTelekom
descr: ADSL-MET-Acibadem-Dynamic Pool
country: tr
admin-c: TTBA1-RIPE
tech-c: TTBA1-RIPE
status: ASSIGNED PA
mnt-by: as9121-mnt
notify: ***@turktelekom.com.tr
changed: ***@turktelekom.com.tr 20050425
source: RIPE

role: TT Administrative Contact Role
address: Turk Telekom
address: Bilisim Aglari Dairesi
address: Aydinlikevler
address: 06103 ANKARA
phone: +90 312 313 1950
fax-no: +90 312 313 1949
e-mail: *****@ttnet.net.tr
admin-c: BADB3-RIPE
tech-c: ZA66-RIPE
tech-c: ZA196-RIPE
tech-c: LA109-RIPE
tech-c: NO638-RIPE
nic-hdl: TTBA1-RIPE
notify: ***@turktelekom.com.tr
mnt-by: AS9121-MNT
changed: ***@telekom.gov.tr 20000608
changed: ***@telekom.gov.tr 20001020
changed: ***@telekom.gov.tr 20010615
changed: ***@turktelekom.com.tr 20040903
source: RIPE

% Information related to '81.215.128.0/17AS9121'

route: 81.215.128.0/17
descr: TurkTelecom
origin: AS9121
mnt-by: AS9121-MNT
changed: ***@turktelekom.com.tr 20040927
source: RIPE

mds · Client Joined: Dec 24, 2004 Posts: 194 Location: Michigan

and tried again

Date & Time: 2005-06-12 02:44:31 PDT GMT -0700
Blocked IP: 85.96.71.187
User ID: Anonymous (1)
Reason: Abuse-Union
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
FunWebProducts)
Query String:

Only registered users can see links on this board!
Get registered or login to the forums!

pm.privmsgs_type=-99 UNION SELECT
aid,null,pwd,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null
FROM nuke_authors WHERE radminsuper=1 LIMIT 1/*
Get String:

Only registered users can see links on this board!
Get registered or login to the forums!

pm.privmsgs_type=-99 UNION SELECT
aid,null,pwd,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null
FROM nuke_authors WHERE radminsuper=1 LIMIT 1/*
Post String:

Only registered users can see links on this board!
Get registered or login to the forums!

Forwarded For: none
Client IP: none
Remote Address: 85.96.71.187
Remote Port: 3061
Request Method: GET

christianb · Posted: Wed Jun 15, 2005 1:11 pm

TheLoneInventor wrote:

65.19.134.2 - is the one I believe was used to hack the site, through the forums by the look of it. 2608 URLs were hit by this IP from the kralkayra username.

That IP is familiar...
65.19.169.235 was used on my site

Code:

IP Address Last Viewed Hits

65.19.169.235 2005-05-27 @ 01:59:10 2169

all pretty much within an hour's time.

Susann · Posted: Thu Jun 23, 2005 7:30 am

65.19.169.235 OmniExplorer_Bot/1.07 (+http://www.omni-explorer.com) Internet Categorizer is one of the bad bots doesn´t read robots.txt using different Ip´s and I heard also about different User Agent Strings.

VinDSL · Posted: Thu Jun 23, 2005 12:12 pm

...I caught Iranians trying to hack my site this morning.

They were trying to breach admin.php with a SQL exploit on an ODP (Open Directory Project) module I'm developing.

If you're in a 'banning' mood, here's their URL: 217.219.194.163

If you'd like send 'em an E-card, their addy is

Only registered users can see links on this board!
Get registered or login to the forums!