bavarian
Hangin' Around
Joined: Nov 11, 2004
Posts: 25
Posted: Sat Feb 19, 2005 12:27 pm
My problem with phpnuke7.6 and Sentinel_760_2.1.3 is still unresolved.
Things start to get weird whenever any of my friends tests my site with an attack like
http://www.mysite.xxx/modules.php?name=Downloads&d_op=viewdownloads&sid=-1/*%20*/UNION/*%20*/
WHAT HAPPENS IS THIS:
1) The internal IP number of my server (192.168.1.5 on my LAN) is written to the database table of Sentinel (banned_ips).
2) The same internal IP (192.168.1.5) is also written to the .htaccess file.
3) The computer(s) of my buddies get banned (cannot connect to my site).
4) I receive an e-mail message with the following content:
Quote:
> Date & Time: 2005-02-17 23:44:25
> Blocked IP: 192.168.1.5
> User ID: Anonymous (1)
> Reason: Abuse-Union
> --------------------
> User Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2
> Query String: www.mysite.xxx/modules.php?name=Downloads&d_op=viewdownloads&sid=-1/*%20*/UNION/*%20*/
> Forwarded For: none
> Client IP: none
> Remote Address: 192.168.1.5
> Remote Port: 52087
> Request Method: GET
> --------------------
> Who-Is for IP
> 192.168.1.5
5) All computers on my LAN are blocked. None of them can connect to my site any longer.
6) When I remove the blocked IP 192.168.1.5 from the "banned_ip" table in my database, the block is still there, but it is done at server level by the .htaccess file.
7) When I remove the blocked IP 192.168.1.5 from the .htaccess file, everything works fine again for me and for other users.
BACKGROUND INFORMATION: When installing Sentinel I had a problem with the following message, "invalid IP used", as described in this topic: http://www.ravenphpscripts.com/postt4171.html. I removed that very same IP range from the reserved_iprange table, as the user in that topic did, and that error message disappeared. Otherwise everything on my Sentinel is set up as described in how to install and run it.
ADDITIONAL INFORMATION: I had a similar problem a while ago when testing different modules on another, older phpnuke distro.
I installed something called MSA (MS Analysis, I think it was called). The scripts in this module would allow the admin of a phpnuke site to monitor visitors.
What I already noticed at that time, when testing this MSA, was that it would add visitors with MY IP number into the database tables. That hated, unlucky 195.162.1.5, this internal IP on my LAN where my webserver resides. I could not find out either why visitors were not added with their correct IP addresses to the database.
Questions that I simply cannot resolve now and where I really need some help are ....
1 - Why is my internal server address regarded as the "offending" one? It is my buddies on completely different IP numbers that are faking the attack with the above named URL and the Union in it. It's their IP numbers that are supposed to be banned. So why does Sentinel consider my server's IP to be the harmful one?
2 - How does Sentinel "grab" the IP? I don't know much about PHP so I cannot check there.
3 - Could it be some configuration on my server that's not functioning to grab the correct IP address of the offender? Something like not having an IP that can be "reversed to" (my domain name points to the IP address of my server, but my IP address does not point back to my domain but to my ISP)?
4 - Could it have something to do with how the logging is done in the server software? There are several choices from what I can see, like "combined", "common", "referer, agent"?
ALL INPUT APPRECIATED!
Please help!
BobMarion
Former Admin in Good Standing
Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)
Posted: Sun Feb 20, 2005 1:08 am
NukeSentinel gets the IP by going through a system of checks:
Code:
```php
// get_client_ip(), get_x_forwarded(), get_remote_addr() and in_range() are
// NukeSentinel's own helpers (not shown here); in_range() rejects addresses
// that fall inside its reserved IP ranges.
function get_ip() {
    // Candidate 1: the HTTP_CLIENT_IP request header.
    $client_ip = get_client_ip(); // HTTP_CLIENT_IP
    // A comma-separated value means several hops: keep the first entry unless
    // it is empty, a placeholder, or in a reserved range; otherwise the second.
    if (strpos($client_ip, ', ') AND isset($client_ip)) {
        $client_ips = explode(', ', $client_ip);
        if($client_ips[0] != 'unknown' AND $client_ips[0] != 'none' AND $client_ips[0] != '' AND !in_range($client_ips[0])) {
            $client_ip = $client_ips[0];
        } else {
            $client_ip = $client_ips[1];
        }
    }
    // Candidate 2: the HTTP_X_FORWARDED_FOR request header, same treatment.
    $x_forwarded = get_x_forwarded(); // HTTP_X_FORWARDED_FOR
    if (strpos($x_forwarded, ', ') AND isset($x_forwarded)) {
        $x_forwardeds = explode(', ', $x_forwarded);
        if($x_forwardeds[0] != 'unknown' AND $x_forwardeds[0] != 'none' AND $x_forwardeds[0] != '' AND !in_range($x_forwardeds[0])) {
            $x_forwarded = $x_forwardeds[0];
        } else {
            $x_forwarded = $x_forwardeds[1];
        }
    }
    // Candidate 3: REMOTE_ADDR, the address of the TCP peer Apache talked to.
    $remote_addr = get_remote_addr(); // REMOTE_ADDR
    if (strpos($remote_addr, ', ') AND isset($remote_addr)) {
        $remote_addrs = explode(', ', $remote_addr);
        if($remote_addrs[0] != 'unknown' AND $remote_addrs[0] != 'none' AND $remote_addrs[0] != '' AND !in_range($remote_addrs[0])) {
            $remote_addr = $remote_addrs[0];
        } else {
            $remote_addr = $remote_addrs[1];
        }
    }
    // Pick the first candidate that is set, not a placeholder, and not in a
    // reserved range; headers win over REMOTE_ADDR.
    if (isset($client_ip) && !stristr($client_ip, "none") && !stristr($client_ip, "unknown") AND !in_range($client_ip)) {
        return $client_ip;
    } elseif (isset($x_forwarded) && !stristr($x_forwarded, "none") && !stristr($x_forwarded, "unknown") AND !in_range($x_forwarded)) {
        return $x_forwarded;
    } elseif (isset($remote_addr) && !stristr($remote_addr, "none") && !stristr($remote_addr, "unknown") AND !in_range($remote_addr)) {
        return $remote_addr;
    } else {
        return "none";
    }
}
```
Now somewhere along the way your LAN is setting your internal IP as one of the above instead of grabbing the user's IP. I'm not a server guru so I can't tell you much beyond that.
_________________ Bob Marion
Codito Ergo Sum
bavarian
Posted: Sun Feb 20, 2005 2:19 am
Thank you Bob. I have been looking at this part of your code already.
There are calls to 3 other functions in that part:
1) get_client_ip
2) get_x_forwarded
3) get_remote_addr
Isn't it in that part of the code where IPs are retrieved?
Maybe I should sort things out, to reassure myself that I understand correctly:
1) HTTP_CLIENT_IP (if everything works fine, should bring up the IP address of my server, right?)
3) REMOTE_ADDR (if everything works fine, should bring up the IP address of the visitor/hacker, right?)
Are HTTP_CLIENT_IP and REMOTE_ADDR variables that Apache supplies or variables that are supplied by the PHP environment? I could check on my system if I knew this, right?
bavarian
Posted: Sun Feb 20, 2005 6:36 am
phpMyAdmin shows the following when I check for PHP Variables:
Code:
```text
_SERVER["HTTP_PC_REMOTE_ADDR"] XX.182.XX.253 (this is my real ip-number)
_SERVER["PATH"] /bin:/sbin:/usr/bin:/usr/sbin:/usr/libexec:/System/Library/CoreServices
_SERVER["REMOTE_ADDR"] 192.168.1.5
_SERVER["REMOTE_PORT"] 63077
_SERVER["SERVER_ADDR"] 192.168.1.5
```
I am by no means an expert able to tell what these lines from phpMyAdmin exactly mean, but maybe they could be helpful for the experts around here.
bavarian
Posted: Sun Feb 20, 2005 4:07 pm
I might have come a bit of the way toward resolving this "topic".
If you people care to read http://www.entropy.ch/phpbb2/viewtopic.php?t=1221&view=previous&sid=c9cce27c9e5530daaafebc692f45bb1c
I have not corrected things yet. But yes, I am running a Mac OS X Server with Apache, and this seems to be the problem here. Before I start correcting I would like to hear if the gurus here agree that this could be the problem in my case? And what would they advise me?
Change all instances of REMOTE_ADDR into HTTP_PC_REMOTE_ADDR in all phpnuke and nukesentinel files? Anything else I should consider before doing this? Any changes in the database to make? Anything important to keep in mind with respect to the writing of IPs to the .htaccess?
(' ')
Sorry for buggering you with Mac-related problems .... but well, I hope this is the solution and will help other Mac users here NOT to end up in total desperation like I nearly did.
PHrEEkie
Subject Matter Expert
Joined: Feb 23, 2004
Posts: 358
Posted: Sun Feb 20, 2005 4:29 pm
This is more than likely the exact problem. I was going to post on this thread a day or 2 ago and got sidetracked. My apologies.
This is definitely a function of Apache in conjunction with other things like PHP or whatever, and the true remote address is not being properly forwarded along the chain. Somewhere, your internal IP is being bound to everything, which of course is not correct, and would in fact be a fairly large security hole/concern.
You can try the HTTP_PC_REMOTE_ADDR in just one or two places, and if it works, then do a global replacement. But make sure you get together with the Mac/Apache gurus and ensure your server config, port forwarding and addressing are all sound. No use fixing the problem with a fingertip bandage if it is bleeding profusely. I don't run a Mac, so I can't advise you any better than advising you to seek advice from Mac experts! heh
PHrEEk
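As an added example (not NukeSentinel's code, nor anything from Apple or the entropy.ch thread), here is how the get_ip() selection above can be made proxy-aware instead of swapping REMOTE_ADDR for HTTP_PC_REMOTE_ADDR everywhere: the forwarded headers are trusted only when the request really came from the known proxy. It assumes the proxy sits at 192.168.1.5 (the LAN address from the thread) and sets HTTP_PC_REMOTE_ADDR; the function names, header order and sample addresses are constructed for this example.

```php
<?php
// Added example, not NukeSentinel's code. HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR
// and HTTP_PC_REMOTE_ADDR are ordinary request headers any client can send, so
// they are honoured only when REMOTE_ADDR is the trusted proxy itself.

// Assumption: the proxy's LAN address (192.168.1.5 is the one from the thread).
const TRUSTED_PROXIES = ['192.168.1.5'];
// Assumption: headers the proxy may set, checked in this order.
const FORWARD_HEADERS = ['HTTP_PC_REMOTE_ADDR', 'HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP'];

// True for RFC 1918, loopback and other non-routable addresses.
function is_private_ip(string $ip): bool {
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

// Returns the visitor's address, or null when nothing trustworthy is available.
function resolve_client_ip(array $server): ?string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // Direct connection: the TCP peer address is the only value we can trust,
    // whatever the client put in its headers.
    if (!in_array($remote, TRUSTED_PROXIES, true)) {
        return $remote;
    }
    // Request arrived via our proxy: take the first public address it forwarded.
    foreach (FORWARD_HEADERS as $header) {
        if (empty($server[$header])) {
            continue;
        }
        // X-Forwarded-For can carry a chain "client, proxy1, proxy2"; the
        // left-most entry is the original client.
        foreach (array_map('trim', explode(',', $server[$header])) as $candidate) {
            if (filter_var($candidate, FILTER_VALIDATE_IP) !== false && !is_private_ip($candidate)) {
                return $candidate;
            }
        }
    }
    // The proxy forwarded nothing usable: never fall back to the proxy's own
    // LAN address, which is what got banned in the thread.
    return null;
}

// Constructed request mirroring the phpMyAdmin variables shown in the thread.
$behind_proxy = ['REMOTE_ADDR' => '192.168.1.5', 'HTTP_PC_REMOTE_ADDR' => '203.0.113.7'];
var_dump(resolve_client_ip($behind_proxy));
// Constructed direct client whose HTTP_CLIENT_IP header is ignored, not trusted.
$direct = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_CLIENT_IP' => '192.168.1.5'];
var_dump(resolve_client_ip($direct));
```

Whatever the ban logic stores in banned_ips and .htaccess should come from this kind of check, so a forwarded header can neither hide the visitor nor get the server's own LAN address blocked.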
bavarian
Posted: Mon Feb 21, 2005 4:58 am
Things are proceeding slowly here. I started by turning off that "performance cache" on that virtual host and suddenly some things started to work. I had a friend try this Union attack again and it worked, at least from what I can see:
Quote:
> Date & Time: 2005-02-21 08:32:27
> Blocked IP: 2XX.1XX.1XX.2XX
> User ID: Anonymous (1)
> Reason: Abuse-Union
> --------------------
> User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
> Query String: www.mysite.xxx/modules.php?name=Downloads&d_op=viewdownloads&sid=-1/*%20*/UNION/*%20*/
> Forwarded For: none
> Client IP: none
> Remote Address: 2XX.1XX.1XX.2XX
> Remote Port: 1517
> Request Method: GET
But what is still confusing me is this:
Quote:
> Forwarded For: none
> Client IP: none
What is meant by Forwarded For and Client IP?