Author |
Message |
killing-hours
RavenNuke(tm) Development Team
Joined: Oct 01, 2010
Posts: 438
Location: Houston, Tx
|
Posted:
Mon Nov 01, 2010 9:30 am |
|
Hey all-
Got on my site this morning and noticed someone messing around, so I started to look around and noticed this line...
in my tracked refer page. Is this normal or something I should be concerned about? Just curious, as the IP address doesn't belong to me but it's pointing back to my admin.php. Thanks. |
_________________ Money is the measurement of time - Me
"You can all go to hell…I’m going to Texas" -Davy Crockett |
|
|
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
|
Posted:
Mon Nov 01, 2010 3:51 pm |
|
I could be wrong but this looks like a cross site scripting attack - the initial IP even has a port number so it looks like that site is hosting 'tools' for the purpose or has been compromised. |
|
|
|
spasticdonkey
RavenNuke(tm) Development Team
Joined: Dec 02, 2006
Posts: 1693
Location: Texas, USA
|
Posted:
Mon Nov 01, 2010 4:27 pm |
|
Not sure how you noticed someone was messing around, but if you got some sort of message from Sentinel you're probably OK. If you want extra security, I added these to my htaccess some time ago; it seems to block a lot of attacks before they even get to Sentinel.
Code:
```
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^libwww [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond % _CONF [OR]
RewriteCond % tool25 [OR]
RewriteCond % cmd.txt [OR]
RewriteCond % r57shell [OR]
RewriteCond % c99 [OR]
RewriteCond % THEME_DIR
RewriteRule ^.* - [F,L]
RewriteCond %{QUERY_STRING} .*http:\/\/.*
RewriteRule ^.* - [F]
```
|
This last part will cause issues with some legit admin functions, like verify weblinks, downloads, and maybe others... but it blocks a lot of XSS attacks as well.
Code:
```
RewriteCond %{QUERY_STRING} .*http:\/\/.*
RewriteRule ^.* - [F]
```
|
I also use a large list of user agent blocks in .htaccess, but it's kinda old; maybe someone else has an updated one? |
|
|
|
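A dry run of the complete conditions from the post above over an access log, to see which requests would get a 403 before the rules go into .htaccess. This is an added example, not code from the thread: the log lines, the `verify_links` parameter and the function names are constructed, and the six conditions whose test variable is missing on the page are left out.

```python
import re

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Only the conditions that are complete in the post, with the same flags.
UA_RULES = [
    ("ua:libwww", re.compile(r"^libwww", re.I)),     # ^libwww [NC]
    ("ua:indy", re.compile(r"Indy Library", re.I)),  # Indy\ Library [NC]
]
QS_RULE = ("qs:http", re.compile(r"http://"))        # .*http:\/\/.* (no [NC])


def classify(line):
    """Return (rule, target) if the rules would answer 403, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None  # not a combined-format line
    for label, rx in UA_RULES:
        if rx.search(m["agent"]):
            return label, m["target"]
    # %{QUERY_STRING} is the text after the first "?", as sent by the client.
    query = m["target"].partition("?")[2]
    if QS_RULE[1].search(query):
        return QS_RULE[0], m["target"]
    return None


def dry_run(lines):
    """Group request targets by the rule that would forbid them."""
    hits = {}
    for line in lines:
        result = classify(line)
        if result:
            hits.setdefault(result[0], []).append(result[1])
    return hits


# Constructed sample lines (documentation addresses, hypothetical parameters).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Nov/2010:09:12:44 -0500] "GET /index.php?page=http://203.0.113.9/a.txt HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '198.51.100.8 - - [01/Nov/2010:09:13:02 -0500] "GET /modules.php?name=News&theme=http://203.0.113.9/a.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - admin [01/Nov/2010:09:20:10 -0500] "GET /admin.php?op=verify_links&url=http://example.com/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Nov/2010:09:21:00 -0500] "GET /modules.php?name=Forums HTTP/1.1" 200 4096 "http://example.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for rule, targets in dry_run(SAMPLE_LOG).items():
        for target in targets:
            print(f"403 by {rule}: {target}")
```

The third sample line is the kind of legitimate admin request the post warns about, and the fourth shows that a URL in the Referer header alone does not trigger the query-string rule.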
Guardian2003
|
Posted:
Mon Nov 01, 2010 5:04 pm |
|
I have some BIG user-agent and referrer lists but they are in a custom delimited file for use with Spam Stopper, which I'm hoping to revive again now I have developed a fully functioning remote update service (including for the module itself). |
|
|
|
spasticdonkey
|
Posted:
Mon Nov 01, 2010 5:28 pm |
|
Well, that sounds very cool :) |
|
|
|
killing-hours
|
Posted:
Tue Nov 02, 2010 7:30 am |
|
well... I noticed it because I keep a very close eye on the ip's on the site. "Generally" speaking... I don't have many people on at one time... but when I do (I drink dos XX's) ... usually the IP address is either directly allocated to their company (so the ip lookup works most of the time) or it's to an individual.
I also try to keep a close eye on the tracked ip page as I like to see what my clients are using the most and usually I can spot errors with my site pretty quick if they are hitting error pages for w/e reason.
@Spastic... thanks for providing that! Does it need to be above/below anything in particular? (Sent. is writing the ip's to the .htaccess)
@Guardian... Man... that thing sounds great... any time frame? |
|
|
|
spasticdonkey
|
Posted:
Tue Nov 02, 2010 8:51 am |
|
I would just place it after the shortlinks (if you are using them), before the </IfModule> tag. If you are not using shortlinks, make sure to have RewriteEngine on at the top.
The bot list I'm using is 3 years old, but you can see it here:
http://www.ravenphpscripts.com/postt12777.html
I think 64bitguy and others have posted some more added security via htaccess examples, but I can't seem to find them atm.
Also, if you have set up your Admin HTTPAuth / Admin CGIAuth correctly I wouldn't worry too much about that tracked referrer. |
|
|
|
Guardian2003
|
Posted:
Tue Nov 02, 2010 9:32 am |
|
@killing-hours - sorry, no time frame, as I already have enough to keep me busy till 2011 with some projects that are overdue.
Good point regarding the HTTP Auth set up!! |
|
|
|
killing-hours
|
Posted:
Tue Nov 02, 2010 11:26 am |
|
Ah ha... I knew at some point I would make it back to this question.
What is the "HTTPAuth / Admin CGIAuth" and how should I set it up "correctly"? At this point I don't have that set up, precisely because I don't know how to set it up right, but I would LOVE to get it going if it will make my site that much more secure. I think I played with it at one point but it blocked me from my own site, so I've never really played with it since. Thanks guys!! Learn something new every day.
----------
Edit**** Tried setting it up but I got an attack of the 500. Brought my site down right in the middle of the biz day...whoops... had to get the original .htaccess that came with RN to get my site back online. I'll wait for a more detailed answer before playing with this again. ;) |
|
|
|
killing-hours
|
Posted:
Tue Nov 02, 2010 12:18 pm |
|
BTW... HTTPAuth is not available. |
|
|
|
spasticdonkey
|
Posted:
Tue Nov 02, 2010 5:27 pm |
|
|
|
killing-hours
|
Posted:
Tue Nov 02, 2010 5:34 pm |
|
Right.... I found a folder with all the pre-wiki .htmls. Got one problem though... the "HTTPAuth" link in the admin panel is not clickable. Wouldn't happen to know why would you? Thanks for the help.
-------
Edit*** NVM... "when all else fails... ". Forgot which admin account I was on. |
|
|
|
killing-hours
|
Posted:
Tue Nov 02, 2010 6:13 pm |
|
Got it setup correctly... thanks for the advice and guidance. Much appreciated!! |
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Tue Nov 02, 2010 8:00 pm |
|
|
|
killing-hours
|
Posted:
Tue Nov 02, 2010 8:14 pm |
|
yessir... you guys rock!! |
|
|
|
|