ring_c
Involved
Joined: Dec 28, 2003
Posts: 276
Location: Israel
Posted: Mon Jun 20, 2005 11:26 pm
I'm running phpnuke 6.7 with Sentinel 2.3, but this happened with 2.2.1 as well.
My site is using Hebrew mostly, i.e. 99% of the messages in the forums are using Hebrew. Hence, most forums' searches are based on Hebrew. The problem is that when clicking a result, the message the user gets is:
Code:
Possible Santy Worm Attack!

I know I can disable Santy warnings in Sentinel's control panel, but thought this might be fixed by you somehow in future versions or some patch.
Here's an example of a search result causing that message:
Code:
http://www.hagigim.com/modules.php?name=Forums&file=viewtopic&t=4765&highlight=%E3%E5%F1%E9%E1%E5%FA

You can click that link now safely (is it needed at all?), as I've set off that security alarm, unfortunately.

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Tue Jun 21, 2005 12:25 am
If you have access to .htaccess, then don't use the NukeSentinel code. Use this instead:
Code:
RewriteEngine on
#Check for Santy Worms and redirect them to a fake page
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR]
RewriteCond %{REQUEST_URI} ^visualcoders [NC,OR]
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC,OR]
RewriteCond %{REQUEST_URI} ^envidiosos [NC,OR]
RewriteCond %{REQUEST_URI} ^civa [NC,OR]
#variant-6 redirect all inner http:// request
RewriteCond %{QUERY_STRING} ^(.*)http://(.*) [NC,OR]
#variant-7 redirect all inner http request regardless if encoded
RewriteCond %{QUERY_STRING} ^(.*)http%3A%2F%2F(.*) [NC,OR]
#New one 2-2-2005
RewriteCond %{QUERY_STRING} q=emessenger [NC]
RewriteRule ^.*$ http://127.0.0.1 [R,L]

It's the word "highlight" that sets it off.

ring_c
Posted: Tue Jun 21, 2005 12:35 am
Raven wrote: It's the word "highlight" that sets it off.
Oh, thanks!
I have this code in my htaccess
Code:
RewriteEngine on
#Variant-1 May cause problems with CRON jobs set from cPanel.
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR]
#Variant-2 No reported problems.
RewriteCond %{REQUEST_URI} ^visualcoders [NC,OR]
#Variant-3 No reported problems.
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC,OR]
#Variant-4 May cause problems with cPanel updates, et cetera.
RewriteCond %{QUERY_STRING} ^(.*)wget(.*) [NC]
#Redirect - Send worms packing, but NOT to a real web site!
RewriteRule ^.*$ http://www.goawayanddontcomeback.com [L]

Should I replace it?

Raven
Posted: Tue Jun 21, 2005 2:09 am

ring_c
Posted: Tue Jun 21, 2005 5:09 am
Raven wrote: Combine the two.
Thanks.
What's the diff. between these 2?
Code:
RewriteRule ^.*$ http://127.0.0.1 [R,L]
RewriteRule ^.*$ http://www.goawayanddontcomeback.com [L]

Have no idea what the [R,L] or [L] represents...
Which one should I pick?
PS: My htaccess now looks like the following, any comment?
Code:
# $Author: zx $
# $Date: 2003/08/17 14:03:21 $
# PHP_FLAG output_buffering On
RewriteEngine on
#Check for Santy Worms and redirect them to a fake page
#Variant-1 May cause problems with CRON jobs set from cPanel.
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR]
#Variant-2 No reported problems.
RewriteCond %{REQUEST_URI} ^visualcoders [NC,OR]
#Variant-3 No reported problems.
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC,OR]
RewriteCond %{REQUEST_URI} ^envidiosos [NC,OR]
#Variant-4 May cause problems with cPanel updates, et cetera.
#[OR] keeps this condition in the same OR chain as the ones below
RewriteCond %{QUERY_STRING} ^(.*)wget(.*) [NC,OR]
RewriteCond %{REQUEST_URI} ^civa [NC,OR]
#variant-6 redirect all inner http:// request
RewriteCond %{QUERY_STRING} ^(.*)http://(.*) [NC,OR]
#variant-7 redirect all inner http request regardless if encoded
RewriteCond %{QUERY_STRING} ^(.*)http%3A%2F%2F(.*) [NC,OR]
RewriteCond %{QUERY_STRING} q=emessenger [NC]
#Redirect - Send worms packing, but NOT to a real web site!
RewriteRule ^.*$ http://127.0.0.1 [R,L]
# RewriteRule ^.*$ http://www.goawayanddontcomeback.com [L]
# deny most common except .php
<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module)$">
</FilesMatch>
<Limit GET PUT POST>
Order Allow,Deny
deny from 200.
Allow from all
</Limit>
<Files 403.shtml>
order allow,deny
allow from all
</Files>

Raven
Posted: Tue Jun 21, 2005 9:07 am
Quote: What's the diff. between these 2?
Code:
RewriteRule ^.*$ http://127.0.0.1 [R,L]
RewriteRule ^.*$ http://www.goawayanddontcomeback.com [L]

The first one redirects them to their own PC and the second to an html page or a dead end. Chances are they use a program anyway, rather than sitting at their PC, so it's really neither here nor there.
Quote: Have no idea what the [R,L] or [L] represents...
http://www.php-editors.com/apache_manual/mod/mod_rewrite.html#rewriterule
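
The rule set from Raven's first post, modelled in Python as an added example (not code from the thread or from NukeSentinel) to show how the [NC] and [OR] flags chain conditions and which requests the rule redirects. The evaluator, the two requests other than the thread's search link, and the user-agent string are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Conditions from the rule set posted in the thread: (variable, pattern, flags)
RULES = [
    ("HTTP_USER_AGENT", r"^LWP", "NC,OR"),
    ("REQUEST_URI", r"^visualcoders", "NC,OR"),
    ("QUERY_STRING", r"rush=([^&]+)", "NC,OR"),
    ("REQUEST_URI", r"^envidiosos", "NC,OR"),
    ("REQUEST_URI", r"^civa", "NC,OR"),
    ("QUERY_STRING", r"^(.*)http://(.*)", "NC,OR"),
    ("QUERY_STRING", r"^(.*)http%3A%2F%2F(.*)", "NC,OR"),
    ("QUERY_STRING", r"q=emessenger", "NC"),
]

def env_for(url, user_agent="Mozilla/5.0"):
    """Build the three server variables the conditions test (query string stays raw)."""
    parts = urlsplit(url)
    return {"HTTP_USER_AGENT": user_agent,
            "REQUEST_URI": parts.path,
            "QUERY_STRING": parts.query}

def rule_fires(conds, env):
    """Conditions linked by [OR] form a group; consecutive groups are ANDed."""
    group_hit = False
    for var, pattern, flags in conds:
        flagset = set(flags.split(","))
        regex_flags = re.IGNORECASE if "NC" in flagset else 0
        group_hit = group_hit or re.search(pattern, env[var], regex_flags) is not None
        if "OR" not in flagset:          # this condition closes the group
            if not group_hit:
                return False
            group_hit = False
    return True

# The search link from the first post, plus two constructed requests.
HEBREW_SEARCH = env_for("http://www.hagigim.com/modules.php?name=Forums"
                        "&file=viewtopic&t=4765&highlight=%E3%E5%F1%E9%E1%E5%FA")
INNER_URL = env_for("http://www.hagigim.com/modules.php?name=Web_Links"
                    "&url=http%3A%2F%2Fexample.org%2F")
LWP_CLIENT = env_for("http://www.hagigim.com/index.php", "LWP::Simple/5.0")

# Same rules with [OR] dropped from the third condition: the chain now
# splits into two groups that must both match.
SPLIT = [(v, p, "NC" if p.startswith("rush=") else f) for v, p, f in RULES]

if __name__ == "__main__":
    for name, env in [("hebrew search", HEBREW_SEARCH), ("inner url", INNER_URL),
                      ("LWP client", LWP_CLIENT)]:
        print(name, rule_fires(RULES, env), rule_fires(SPLIT, env))
```

None of these conditions test for `highlight`, so the Hebrew search link passes, while any link that carries a URL in its query string is redirected. With one [OR] missing in the middle of the chain, the LWP client is no longer redirected at all.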