CLike attempt blocked

Posted: Fri Jan 19, 2007 11:49 pm

Twice today I got this in my email (second time had different IP address):

Quote:

Date & Time: 2007-01-19 18:26:32 CST GMT -0600
Blocked IP: 64.251.10.133
User ID: Anonymous (1)
Reason: Abuse-CLike

User Agent: libwww-perl/5.803
Query String: clanfga.com/modules.php?

name=Search&type=comments&query=not123exists&instory=/**/UNION/**/SELECT/**/0,0,pwd,0,aid/**/FROM/**/nuke_authors
Get String: clanfga.com/modules.php?name=Search&type=comments&query=not123exists&instory=/**/UNION/**/SELECT/**/0,0,pwd,0,aid/**/FROM/**/nuke_authors

Post String: clanfga.com/modules.php
Forwarded For: none
Client IP: none
Remote Address: 64.251.10.133
Remote Port: 34935
Request Method: GET

Is this something I need to worry about? Never had anyone blocked for Abuse-CLike before.

Posted: Sat Jan 20, 2007 1:15 am

The block occured because someone used a union attack in an atempt to retrieve the admins user/password. Sentinel will protect you from these types of attack.

registered · Posted: Sun Jan 21, 2007 12:51 am

Yep this is a known (old) vulnerablilty. Don't worry about it, if you are up-to-date with patches and Sentinel, you are fine.

Posted: Sat Jan 12, 2008 2:40 pm

Got this one today as well. Our 1st Clike attack Cool

This dude (IP:83.20.148.210, email; ernest@pcprogramy.pl) even registred on our website/forum..

Code:

User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/523.15 (KHTML, like Gecko) Version/3.0 Safari/523.15





Query String: website.com/modules.php?name=Search


&type=comments


&query=not123exists


&instory=/* */UNION/* */SELECT/* */0,0,pwd,0,aid/* */FROM/* */nuke_authors





Get String: website.com/modules.php?name=Search


&type=comments


&query=not123exists


&instory=/* */UNION/* */SELECT/* */0,0,pwd,0,aid/* */FROM/* */nuke_authors





Post String: website.com/modules.php

But are these attacks already blocked by a patched php-nuke version?
Cause when installing NS i remembered seeing some 'Union' code in some of the nuke files.

Posted: Sat Jan 12, 2008 11:18 pm

Oh yea this is an old one. It is patched already

Posted: Thu Jun 03, 2010 7:02 am

Is this normal...

These seem to come in clusters of 4 or 5, always happen in the middle of the night, are occurring more and more frequently, and each IP is listed twice when I check my emails every morning.

Last night I had five, and the email notices look like this:

Blocked abuse for 94.198.96*
Blocked abuse for 94.198.96*
Blocked abuse for 209.188.90.*
Blocked abuse for 209.188.90.*
Blocked abuse for 174.123.39.*
Blocked abuse for 174.123.39.*
Blocked abuse for 67.18.167.*
Blocked abuse for 67.18.167.*
Blocked abuse for 74.200.76.*
Blocked abuse for 74.200.76.*

I did a search on the IP's in NukeSintenial and they are in fact all blocked now.

Thanks

Posted: Thu Jun 03, 2010 12:31 pm

Yes it's perfectly normal

Regular Joined: Aug 12, 2008 Posts: 58

5 thats not bad wait till you are getting 100s a week i opened my emails yesterday first time for a week and received over 500 of these in the end my email program had to close the connection to the host and i had to mass delete them then sync my emails again

Posted: Thu Jun 03, 2010 1:57 pm

Thanks Guardian, thanks Snype.

"100s a week" Shocked

, I kinda freaked out when they first started showing up, I feel better now. lol

Posted: Wed Jun 09, 2010 1:12 am

I am getting this

Code:

Script Name: /modules.php


Query String: name=GCalendar&amp;file=viewday&amp;y=2010&amp;m=2&amp;d=25/*?option=com_gcalendar&controller=../../../../../../../../../../../../../../../proc/self/environ


Get String: name=GCalendar&amp;file=viewday&amp;y=2010&amp;m=2&amp;d=25/*?option=com_gcalendar&controller=../../../../../../../../../../../../../../../proc/self/environ\0

Code:

Script Name: /modules.php


Query String: name=Video_Stream&d=4/*?option=com_gcalendar&controller=../../../../../../../../../../../../../../../proc/self/environ


Get String: name=Video_Stream&d=4/*?option=com_gcalendar&controller=../../../../../../../../../../../../../../../proc/self/environ\0

it looks like they are using the same code attack for any module.

Posted: Wed Jun 09, 2010 6:29 am

yes that's some boneheads trying to attack the wrong gCalendar
http://www.ravenphpscripts.com/postt19021.html

registered · Posted: Sat Jun 12, 2010 7:14 am

School's out for many and so the Script Kiddies are back at it in force. Wink

Posted: Sun Jul 08, 2012 8:23 am

Why would this cause a CLike block?????

Quote:

Reason: Abuse-CLike
Script Name: /rnxhr.php
Query String: name=Your_Account&file=public/userAvailability&ya_username=monkeyove
Get String: &name=Your_Account&file=public/userAvailability&ya_username=monkeyove

Posted: Sun Jul 08, 2012 9:17 am

You are right. I cannot see how this string got flagged as such. Was it a one-off or can you replicate it?

Posted: Mon Jul 09, 2012 6:50 am

I only checked the YA module to make sure it was working properly. This person was blocked a couple times trying to use invalid characters in his name during registration.

I just successfully registered a user with that name. I don't get it.

Posted: Tue Jul 10, 2012 7:27 am

Doulos wrote:

invalid characters in his name

Sounds like he was stopped by that check and maybe the NukeSentinel(tm) block was a different issue? Invalid characters in the name will definitely stop registration.

Posted: Wed Jul 11, 2012 5:46 am

IP tracking doesn't even show the IP address shown in the NS block email. I will check the log to see what I can see.