HauntedWebby
Involved


Joined: May 19, 2004
Posts: 363
Location: Ogden, UT
Posted: Sat Sep 25, 2004 4:35 pm
Stuff like this makes me nervous!!!!
Date & Time: 2004-09-25 13:57:54
Blocked IP: 81.213.190.99
User ID: Anonymous (1)
Reason: Abuse-Author
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Query String: www.hauntedwebby.com/admin.php?
Forwarded For: 81.213.190.99
Client IP: none
Remote Address: 194.20.144.162
Remote Port: 48661
Request Method: GET
Date & Time: 2004-09-23 17:27:44
Blocked IP: 200.179.100.203
User ID: Anonymous (1)
Reason: Abuse-Author
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 9
Query String: www.hauntedwebby.com/admin.php?
Forwarded For: none
Client IP: none
Remote Address: 200.179.100.203
Remote Port: 1304
Request Method: GET
[Edited by Admin]
_________________ --Webby--
Nukeum66
Life Cycles Becoming CPU Cycles

Joined: Jul 30, 2003
Posts: 551
Location: Neurotic, State, USA
Posted: Sat Sep 25, 2004 4:51 pm
Please remove that Query String: URL or you might get even more hack attempts than you want.
_________________ Scott Johnson MIS Ubuntu/Linux 11.10
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 17088
Posted: Sat Sep 25, 2004 5:05 pm
That's the very hack attempt that caused me to write the HTTP Auth script. Script kiddies - idiots. Report them to their ISP. Every once in a while it helps.
GeekyGuy
Client

Joined: Jun 03, 2004
Posts: 302
Location: Huber Heights Ohio
Posted: Sat Sep 25, 2004 5:17 pm
And unfortunately, the Script twits are still at it. Fortunately for us, we have NukeSentinel™ to protect our sites. And NukeSentinel™ just keeps getting better.
_________________ "The Daytona 500 is ours! We won it, we won it, we won it!", Dale Earnhardt, February 15th, 1998, Daytona 500
HauntedWebby

Posted: Sun Sep 26, 2004 10:59 am
Nukeum66 wrote:
> Please remove that Query String: URL or you might get even more hack attempts than you want..
Sorry, my mouse was acting up... and then my PC went nuts. Wasn't even sure if the message went through. I wonder if this board thought I was hacking it... LOL
But I've been getting about one a day of these admin blocks.
blarneystone
Client

Joined: Sep 18, 2004
Posts: 62
Posted: Sun Sep 26, 2004 7:03 pm
I am new to Nuke Sentinel myself and I had NO idea how often people were trying to hack my site. I got one of those just now where someone tried to create a godmode account.
So Raven, you do really recommend reporting them? I'd be happy to.
What might be a cool enhancement to Nuke Sentinel is an email script that lets you email from the Sentinel control panel to the ISP in question.
But normal email is good enough if they don't just chuck it in the trash.
blarneystone

Posted: Sun Sep 26, 2004 7:21 pm
BTW, what do you say to the ISP when you are reporting these hacks? Can you post an example note that I can use to send, too?
Thanks
Raven

Posted: Sun Sep 26, 2004 7:39 pm
Unfortunately, you can't really automate it because some IP ranges are further allocated to other domain controllers and require further investigation. Here is basically a boilerplate that I use. I have removed most of the Query String.
Code:
On May 15, 2004 at approximately 7:33am CST an attempt to break into my web site and obtain user/admin id and passwords was made by IP 172.185.102.16 . The following is information from my logs that should identify the person and the type of hack that was attempted. Can I assume that you will take immediate action to avoid AOL IP's from being blocked altogether from my site and all community sites? Thank you.
REMOTE_ADDR : 172.185.102.16
REMOTE_HOST : acb96610.ipt.aol.com
REMOTE_PORT : 3273
SERVER_ADDR : 65.254.38.234
SERVER_ADMIN : webmaster@yourdomain.com
SERVER_NAME : www.yourdomain.com
SERVER_PORT : 80
SERVER_PROTOCOL : HTTP/1.1
REQUEST_METHOD : GET
QUERY_STRING : op=AddAuthor
Your Name,
5/15/2004
It is very important that you supply the date, time, and time zone when you report these incidents.
blarneystone

Posted: Sun Sep 26, 2004 7:41 pm
Thanks! I'm on the report team now.
blarneystone

Posted: Tue Sep 28, 2004 8:44 am
Hey, I noticed this morning that there are quite a few blocks on my downloads section.
For instance, see below (I am editing out the actual software link so I am not getting false positives):
Code:
Date & Time: 2004-09-27 23:18:47
Blocked IP: 24.98.114.102
User ID: Anonymous (1)
Reason: Abuse-Script
--------------------
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10
Query String: www.mysite.com/modules.php?name=Downloads&d_op=viewdownloaddetails&lid=54&ttitle=Achieve-IT!_1.4_(ARM_Devices)_.cab_installer
Forwarded For: none
Client IP: none
Remote Address: 24.98.114.102
Remote Port: 4129
Request Method: GET
How can I tell this is really an Abuse script and not a false positive? It looks like the person just went to look at some download details and got blocked/banned...
Raven

Posted: Tue Sep 28, 2004 9:03 am
The () are forbidden by both Nuke and NukeSentinel. There are several posts about this in the forums.
blarneystone

Posted: Tue Sep 28, 2004 9:43 am
Are you referring to the (ARM devices) reference or the Anonymous (1)?
Hey, wait a minute! My downloads section is password protected. How could Anonymous (1) get there... hmmmm
Raven

Posted: Tue Sep 28, 2004 11:08 am
If () is in the QueryString, then it gets banned.
blarneystone

Posted: Tue Oct 05, 2004 8:58 am
Could I ask what String Match: da is?
Also, what exactly is a Union abuse? I am getting lots of those...
Thanks!
Raven

Posted: Tue Oct 05, 2004 10:34 am
Union abuse is how they try to discover your admin userids and passwords and also how they can add themselves as an admin. Make sure that you have the HTTP Auth set to on and that won't happen.
'da' is unknown to me and is not added automatically. If there is a 'da' in there then you had to have added it. What the StringMatch does is to allow you to designate a string within the QueryString to check for and take appropriate action.
blarneystone

Posted: Tue Oct 05, 2004 11:32 am
Raven wrote:
> Union abuse is how they try to discover you admin userid's and passwords and also how they can add themselves as an admin. Make sure that you have the HTTP Auth set to on and that won't happen.
Oh, I meant to say Sentinel is catching a lot of those people.
Here are the details of the da thingie...
Date & Time: 2004-10-04 23:26:25
Blocked IP: 208.54.15.1
User ID: Anonymous (1)
Reason: Abuse-Harvest
String Match: da
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; O2 Xda II;PPC;240x320)
Query String: www.mysite.com/modules.php?name=Forums&file=viewtopic&t=2894
Forwarded For: none
Client IP: none
Remote Address: 208.54.15.1
Remote Port: 1042
Request Method: GET
Thanks!
Raven

Posted: Tue Oct 05, 2004 12:08 pm
That is an entry in your harvester list and it's to protect against spiders/bots that use DA (Download Accelerator) for raping your downloads.
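As an added defender-side example (not code from this thread or from NukeSentinel itself), here is a small Python triage that parses block entries in the layout posted above and applies the two rules Raven gives: () in the query string is forbidden, and a harvester-list entry such as 'da' fires on the User Agent, which in the post above contains "Xda". The sample log is constructed from the entries in the thread, and treating the harvester list as a plain substring match on the User Agent is an assumption, so the whole-word check is only a way to surface likely false positives for review.

```python
import re

# Constructed sample in the NukeSentinel block layout quoted in this thread;
# fields not needed for triage (Remote Address etc.) are left out.
SAMPLE_LOG = """\
Date & Time: 2004-09-27 23:18:47
Blocked IP: 24.98.114.102
Reason: Abuse-Script
--------------------
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10
Query String: www.mysite.com/modules.php?name=Downloads&d_op=viewdownloaddetails&lid=54&ttitle=Achieve-IT!_1.4_(ARM_Devices)_.cab_installer
Date & Time: 2004-10-04 23:26:25
Blocked IP: 208.54.15.1
Reason: Abuse-Harvest
String Match: da
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; O2 Xda II;PPC;240x320)
Query String: www.mysite.com/modules.php?name=Forums&file=viewtopic&t=2894
"""

def parse_blocks(text):
    """One dict per block; a new block starts at each 'Date & Time:' line."""
    blocks = []
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if not sep:  # the '-----' rule or a blank line
            continue
        if key == "Date & Time":
            blocks.append({})
        if blocks:
            blocks[-1][key] = value.strip()
    return blocks

def triage(block):
    """Apply the rules from the thread; returns (verdict, note)."""
    reason = block.get("Reason", "")
    qs, ua = block.get("Query String", ""), block.get("User Agent", "")
    if reason == "Abuse-Script" and re.search(r"[()]", qs):
        return "expected", "() in the query string is forbidden by Nuke and NukeSentinel"
    if reason == "Abuse-Harvest":
        needle = block.get("String Match", "")
        # Assumed: the harvester list is a bare substring match, so a short entry
        # such as 'da' (Download Accelerator) also fires inside words like 'Xda'.
        if needle and re.search(r"\b%s\b" % re.escape(needle), ua, re.I):
            return "expected", "harvester string %r matched as a whole word" % needle
        if needle and needle.lower() in ua.lower():
            return "likely-false-positive", "%r matched only inside a longer word" % needle
    return "review", "no rule on file for reason %r" % reason
```

Running `triage` over `parse_blocks(SAMPLE_LOG)` marks the Downloads block as expected and the 'da' block as a likely false positive.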