Author |
Message |
esttecb
Hangin' Around
Joined: Mar 14, 2007
Posts: 37
|
Posted:
Tue Oct 16, 2007 12:26 pm |
|
Hi, I'm getting a lot of abuse-filter attempts. Is it really a hacking attempt? Or can I disable this filter? And what is it exactly?
Thanks |
|
|
|
jakec
Site Admin
Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom
|
Posted:
Tue Oct 16, 2007 1:02 pm |
|
It sounds like Sentinel may be doing its job, but we need a bit more information.
Can you post some of the information that NS is giving you when this occurs? |
|
|
|
esttecb
|
Posted:
Tue Oct 16, 2007 2:59 pm |
|
I'm using NukeSentinel(tm) 2.5.13 and this is happening when... I don't know.. The NS is sending E-mails to my account like this:
or this:
Thanks |
|
|
|
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
|
Posted:
Tue Oct 16, 2007 3:11 pm |
|
Yes those are just more hack attempts. You should leave the filtering options in Sentinel on. Although all these vulnerabilities are already patched, Sentinel will protect you from many more. |
|
|
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
Posted:
Wed Oct 17, 2007 5:37 am |
|
And another way of looking at this too is that if these guys are trying these older exploits (so sounds like "script kiddies" to me), then you don't really want them anywhere near your site anyways. So ban away... |
|
|
esttecb
|
Posted:
Thu Oct 18, 2007 10:51 am |
|
Yes, but I'm getting a lot of IPs banned (four or five per day) and all with "http://mywebsite.com/modules.php?name=FAQ&myfaq=yes&id_cat=1&categories=http://www.somwebesite.com" (the FAQ module) so I think this isn't a real hack attempt. But if you say "Yeah! It's a hack attempt" I'll think this too.
OK, thanks
Cyas |
|
|
|
Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA
|
Posted:
Thu Oct 18, 2007 11:32 am |
|
It is a hack attempt. They are trying to get your PHP-Nuke software to execute a script located on another remote server. That remote script undoubtedly does very bad things to the right PHP-Nuke version. |
|
|
evaders99
|
Posted:
Thu Oct 18, 2007 3:37 pm |
|
It's called "automated bots" ![Smile](modules/Forums/images/smiles/icon_smile.gif) |
|
|
|
safierdrgn
Hangin' Around
Joined: Oct 23, 2006
Posts: 26
|
Posted:
Thu Nov 22, 2007 9:35 pm |
|
|
|
montego
|
Posted:
Sun Nov 25, 2007 10:54 am |
|
To Bob, Raven and many others who have had their hands in NukeSentinel:
![worship](modules/Forums/images/smiles/icon_worship.gif) |
|
|
|
bobbyg
Worker
Joined: Dec 05, 2007
Posts: 212
Location: Tampa, Florida
|
Posted:
Sun Dec 23, 2007 9:43 pm |
|
|
|
Gremmie
|
Posted:
Sun Dec 23, 2007 9:54 pm |
|
I'm confused by your question. Sentinel did not permit anything, it blocked them. |
|
|
|
bobbyg
|
Posted:
Sun Dec 23, 2007 10:17 pm |
|
You're right, it did block them, that I know. However, you can do the query and the get and not get blocked. But if you do all 3 then you will get blocked. The problem could be that information can be obtained through the query and get statements. |
|
|
|
Gremmie
|
Posted:
Sun Dec 23, 2007 11:54 pm |
|
I'm not sure I follow you. Sentinel is just providing a dump of all info it had available to it when it did the block. It isn't showing you 3 separate things that happened. |
|
|
|
bobbyg
|
Posted:
Mon Dec 24, 2007 12:24 am |
|
You are looking at it like Sentinel is looking at it. All 3 commands are issued back to back automatically. However, open up a browser and copy the query or the get command against your site and see if information can be retrieved by a single command. By the way a single command of the query or a single command of the get will not be blocked by Sentinel. |
|
|
|
warren-the-ape
Worker
Joined: Nov 19, 2007
Posts: 196
Location: Netherlands
|
Posted:
Mon Dec 24, 2007 7:46 am |
|
Hey, just the thread I was looking for
montego wrote: | And another way of looking at this too is that if these guys are trying these older exploits (so sounds like "script kiddies" to me), then you don't really want them anywhere near your site anyways. So ban away... |
Hmm, a user at our website was blocked because he used HTML tags in his post (he wasn't aware that this wasn't possible) but got blocked for Reason: Abuse-Script, but I guess this is part of the Scripting Blocker Settings?
I did notice a big difference between the number of shameful hackers on your site (Montego) and Raven's, but that's probably because you are blocking those 'hacking attempts' and Raven doesn't?
And are those sites in those queries compromised? Because some of them look pretty innocent
Edit: got 23 blocked filter abuses within 3 days ![Shocked](modules/Forums/images/smiles/icon_eek.gif) |
|
|
|
montego
|
Posted:
Mon Dec 24, 2007 7:57 am |
|
Quote: |
I did notice a big difference between the number of shameful hackers on your site (Montego) and Raven's, but that's probably because you are blocking those 'hacking attempts' and Raven doesn't?
|
No, that is not the reason. Raven is more "forgiving" than I am. Just kidding. What I really mean is that he, on occasion, will clear all his blocks. It has been a long time since I've done that because I have added a lot of manual blocks due to another script that I have which notifies me of certain "things".
Quote: |
And are those sites in those queries compromised? Because some of them look pretty innocent
|
They are absolutely NOT "innocent". Anything which attacks phpbb_root_path is far from innocent and I will not go into the explanation of why. phpBB has since plugged this particular hole (yes, RN has that "plug"), so these are old exploits. Just remember too that just because a file has .txt as an extension does not mean that is truly what the nature of the file is. It could even be PHP script or a binary etc. To answer your question, it is very possible that those sites were hacked and now being used to try and attack others. |
|
|
|
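An added example, not part of the thread and not NukeSentinel's own code: a log check for the request shape discussed above, where a query parameter such as `categories` or `phpbb_root_path` carries an absolute URL. The log lines, IP addresses, `example.invalid` host and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache combined-log style (documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [18/Oct/2007:10:41:02 +0000] "GET /modules.php?name=FAQ&myfaq=yes&id_cat=1&categories=http://www.somwebesite.com HTTP/1.1" 200 512
192.0.2.11 - - [18/Oct/2007:10:42:17 +0000] "GET /modules.php?name=FAQ&myfaq=yes&id_cat=1&categories=General HTTP/1.1" 200 4210
198.51.100.7 - - [24/Dec/2007:07:40:55 +0000] "GET /modules.php?name=Forums&phpbb_root_path=hTTp%3A%2F%2Fexample.invalid%2Fnotes.txt HTTP/1.1" 200 512
203.0.113.5 - - [24/Dec/2007:07:41:30 +0000] "GET /modules.php?name=News&file=article&sid=12 HTTP/1.1" 200 9033
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A parameter value that is itself an absolute URL, in any letter case.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)


def remote_url_params(target):
    """Return (param, remote_host) for each query parameter holding a URL."""
    query = target.partition('?')[2]
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double-encoded values.
        for candidate in (value, unquote(value)):
            if REMOTE_RE.match(candidate):
                hits.append((name, urlsplit(candidate.strip()).hostname))
                break
    return hits


def scan(log_text):
    """Return (client_ip, param, remote_host) for every flagged request."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        findings.extend((ip, name, host)
                        for name, host in remote_url_params(target))
    return findings


if __name__ == "__main__":
    for ip, param, host in scan(SAMPLE_LOG):
        print(f"{ip}: parameter '{param}' points at remote host {host}")
```

The check looks only at the value's scheme, so a target ending in `.txt` is flagged the same as any other; it covers GET query strings in the log, not POST bodies.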
warren-the-ape
|
Posted:
Mon Dec 24, 2007 8:05 am |
|
Yep, can understand that it needs a bit of caution when you entered a number of bans manually. But a lot of those abuse-filter blocks are pretty unique, in that they try once and never come back.
Thanks for the thorough explanation, montego. Didn't know that those .txt queries could be 'disguised' in some way.
But does php-nuke even have that 'phpbb_root_path'? Thought it was nuke_bb*?
montego wrote: | To answer your question, it is very possible that those sites were hacked and now being used to try and attack others. |
Aah okay, yes that's indeed what I meant to say
I got 3 blocks all from the same IP > some Chinese apple syrup company ![killing me](modules/Forums/images/smiles/killingme.gif) |
|
|
|
montego
|
Posted:
Mon Dec 24, 2007 8:19 am |
|
phpBB is integrated into PHP-Nuke, so, yes, that path is in there. |
|
|
|
Gremmie
|
Posted:
Mon Dec 24, 2007 11:25 am |
|
bobbyg wrote: | You are looking at it like Sentinel is looking at it. All 3 commands are issued back to back automatically. However, open up a browser and copy the query or the get command against your site and see if information can be retrieved by a single command. By the way a single command of the query or a single command of the get will not be blocked by Sentinel. |
No, there aren't 3 commands. Sentinel is just showing you the contents of the get query string and the post query string at the time of the block. It will block if either is bad.
Are you sure you aren't logged in as admin when you copy / paste the string? |
|
|
|
Gremmie
|
Posted:
Mon Dec 24, 2007 12:57 pm |
|
If you log completely out of admin, clearing cookies if you have to, and copy/paste that string into your browser and you don't get a block then something is wrong. (Just be prepared to clear your IP out of .htaccess, if applicable, and Sentinel's table if you attempt this). |
|
|
|
bobbyg
|
Posted:
Mon Dec 24, 2007 5:42 pm |
|
Gremmie wrote: | If you log completely out of admin, clearing cookies if you have to, and copy/paste that string into your browser and you don't get a block then something is wrong. (Just be prepared to clear your IP out of .htaccess, if applicable, and Sentinel's table if you attempt this). |
I was logged in under admin when I first tried that and I got the list of moderators (which I have none). I made sure I was completely logged out and tried again. I got a "white page" and the IP was added to the blocked IP database. It did not put it in the .htaccess though. |
|
|
|
FireATST
RavenNuke(tm) Development Team
Joined: Jun 12, 2004
Posts: 654
Location: Ohio
|
Posted:
Mon Dec 24, 2007 6:37 pm |
|
Under your blocker settings in NukeSentinel do you have it set to write to the htaccess? |
|
|
bobbyg
|
Posted:
Mon Dec 24, 2007 6:57 pm |
|
FireATST wrote: | Under your blocker settings in NukeSentinel do you have it set to write to the htaccess? |
Any time I am on the site and do something that causes an ip ban it logs the ip in both the database and the .htaccess. |
|
|
|
FireATST
|
Posted:
Tue Dec 25, 2007 9:17 am |
|
Ok, that is why I asked if you had it setup in NukeSentinel under the blocker configuration settings to automatically write the blocked ip into the htaccess file? There is a check box under the blocker settings that if you check it, it writes the ip also to the htaccess file. |
|
|
|
|