| Author |
Message |
Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2401
Location: Iowa, USA
|
 Posted:
Sat Mar 29, 2008 5:07 pm |
 
|
I'm seeing these now:
| Code: |
Date & Time: 2008-03-29 15:44:32 CDT GMT -0500
Blocked IP: 89.149.241.126
User ID: Anonymous (1)
Reason: Abuse-Script
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FREE; .NET CLR 1.1.4322)
Query String:
Get String: Result: captcha recognized;registered;logged in;probably, registration failed (activation code was sent / there are additional protection used on forum / forum SQL-error / ...); Result: invalid;not found;no post sending forms are found;
Post String:
Forwarded For: none
Client IP: none
Remote Address: 89.149.241.126
Remote Port: 3523
Request Method: GET
|
Looks like they have a script that analyzes your Nuke/phpBB setup. Either that or their script is really malfunctioning. You wouldn't expect that stuff to get passed in the get string like that, would you? |
|
|
|
|
Susann
Moderator
Joined: Dec 19, 2004
Posts: 2280
Location: Germany:Moderator German NukeSentinel Support
|
| Posted:
Sat Mar 29, 2008 5:42 pm |
|
I have seen similar things but not exact the same in my logs.
However, it not a surprise because there are tools and scripts available for this. 
Also it doesn´t bring anything to ban the country because they usally use proxies. |
|
|
|
|
slackervaara
Worker
Joined: Aug 26, 2007
Posts: 112
|
| Posted:
Sat Mar 29, 2008 11:01 pm |
|
I have not noticed this yet. I have this in my .htaccess that should block 97 % of all proxies. Sentinel have not stopped a single hacker since I added it:
RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule .* - [F] |
|
|
|
|
|
evaders99
Moderator
Joined: Apr 30, 2004
Posts: 2847
|
| Posted:
Sun Mar 30, 2008 1:27 am |
|
Yep I've seen it. Looks like a robot with some errors |
|
|
|
|
|
gregexp
The Mouse Is Extension Of Arm
Joined: Feb 21, 2006
Posts: 1472
Location: In front of a screen....HELP! lol
|
| Posted:
Mon Mar 31, 2008 2:55 pm |
|
I've seen this alot, with my old job. I've not had time to test it, but from what I could tell, it was something that was exploitable in the version of php-nuke that was installed with fantastico.
Who would have thought it. Cpanel and fantastico releasing exploitable scripts  |
|
|
  
  |
|
montego
Site Admin
Joined: Aug 29, 2004
Posts: 7459
Location: Arizona
|
| Posted:
Thu Apr 03, 2008 5:30 am |
|
slackervaara, that is an interesting list indeed. I am going to have to mull this list over some more...
Just this list alone might make for interesting discussion. Any thoughts regarding slackervaara's list? Will there be false positives with this list? I.e., some legitimate users blocked?
I am seriously considering adding these, but am interested in community input. |
|
|
|
|
|
slackervaara
Worker
Joined: Aug 26, 2007
Posts: 112
|
| Posted:
Thu Apr 03, 2008 5:55 am |
|
I have got only two complaints since I started with this in my .htaccess. One member could not access the site from her job anylonger and the another could not access the site from his health workers office. I guess those computers must be behind a proxy and thus blocked. I got the tip about this from a Norwegian PHP-Nuke site. |
|
|
|
|
|
montego
Site Admin
Joined: Aug 29, 2004
Posts: 7459
Location: Arizona
|
| Posted:
Thu Apr 03, 2008 6:24 am |
|
Yes, that sounds right to me. It was one of my concerns. I have also had folks with various levels of "anonymizers" on their PC (for example, even Norton Internet Security) which can even affect NukeSentinel(tm).
Interesting... let us see what others have to say too. Good discussion. |
|
|
|
|
|
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 4824
|
| Posted:
Thu Apr 03, 2008 6:42 am |
|
I would be interested to see how those lines affect AOL users.
Anyone here using AOL? |
|
|
|
|
|
gregexp
The Mouse Is Extension Of Arm
Joined: Feb 21, 2006
Posts: 1472
Location: In front of a screen....HELP! lol
|
| Posted:
Thu Apr 03, 2008 1:27 pm |
|
EWWWW, AOL, stay away!!!!
lol, only kidding.
The only problem I do see, is there are many proxy servers out there that dont broadcast that they are proxy servers, which this list looks like it will require they broadcast that they are proxies.
I personally wonder what would happen with custom browsers, like Linux browsers and some Windows browsers. |
|
|
|
|
|
slackervaara
Worker
Joined: Aug 26, 2007
Posts: 112
|
| Posted:
Thu Apr 03, 2008 2:33 pm |
|
I have tested in Windows XP with:
Firefox, Explorer, Opera, Safari and all works OK.
in Linux Mandriva 2006:
Firefox, Konqueror, Ephiphany works all OK
I have used this in my .htacces since Jan 25 this year and Sentinel has not caught a single hacker since that start. |
|
|
|
|
|
gregexp
The Mouse Is Extension Of Arm
Joined: Feb 21, 2006
Posts: 1472
Location: In front of a screen....HELP! lol
|
| Posted:
Thu Apr 03, 2008 3:40 pm |
|
There are a few others, but with your testing, I dont think you would have a problem with even those.
I suppose the next question would be, does it block with certain ISP's. which like to add their own headers, AOL being one of those.
Then, can you get visitors from all countries? |
|
|
|
|
|
slackervaara
Worker
Joined: Aug 26, 2007
Posts: 112
|
| Posted:
Thu Apr 03, 2008 7:30 pm |
|
I have a Scandinavian site, but there are mainly US IP:s I guess mainly from search engines like Google. There are also rather many visitors from non-Scandinavian countries too. I don't know about AOL and I also have the proxy blocker on in Sentinel, but this in .htaccess seems more effective to me. |
|
|
|
|
|
redhairz
Worker
Joined: Nov 17, 2006
Posts: 216
|
| Posted:
Fri Apr 04, 2008 3:31 am |
|
| slackervaara wrote: | I have not noticed this yet. I have this in my .htaccess that should block 97 % of all proxies. Sentinel have not stopped a single hacker since I added it:
RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule .* - [F] |
many isp is using the proxy thingy if RN add this into here i'll be block out lol i will give a try on these and see the results. |
|
|
|
|
|
redhairz
Worker
Joined: Nov 17, 2006
Posts: 216
|
| Posted:
Fri Apr 04, 2008 3:34 am |
|
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR] what does this mean? |
|
|
|
|
|
montego
Site Admin
Joined: Aug 29, 2004
Posts: 7459
Location: Arizona
|
| Posted:
Fri Apr 04, 2008 5:31 am |
|
redhairz, it means there is no User Agent being passed within the headers.
BTW, if you have that type of proxy situation, why not you two try and test out whether you get blocked from his site or not. That would be a useful test and would be nice to post the results here I think. |
|
|
|
|
|
slackervaara
Worker
Joined: Aug 26, 2007
Posts: 112
|
| Posted:
Fri Apr 04, 2008 5:59 am |
|
You can check, if you are blocked from my site if you are behind a proxy: |
Last edited by slackervaara on Mon Jun 09, 2008 8:52 pm; edited 1 time in total |
|
|
|
|
redhairz
Worker
Joined: Nov 17, 2006
Posts: 216
|
| Posted:
Sun Apr 27, 2008 9:39 am |
|
there was no blocking here in RN site. if the sn is set to lite or higher the sn will block it. |
|
|
|
|
|
|
|
|
|
![[Valid RSS]](http://ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
:: 
::
