Ravens PHP Scripts: Forums
 

 
  Forum Index  •  Forum FAQ  •  Search  •  Memberlist  •  Usergroups  •  Profile  •  Log in to check your private messages  •  Log in

I get too many of this lately...
 View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel(tm)
Author Message
ring_c
Involved
Involved



Joined: Dec 28, 2003
Posts: 276
Location: Israel
PostPosted: Sat Jul 30, 2005 2:31 pm Reply with quote
User Agent: Mozilla/4.0
Query String: xxxxxx.com/modules.php?name=Forums&file=viewtopic&t=2813&view=previous&highlight=\'.system(getenv(HTTP_PHP)).\'
Get String: xxxxxx.com/modules.php?name=Forums&file=viewtopic&t=2813&view=previous&highlight=\'.system(getenv(HTTP_PHP)).\'
Post String: xxxxxx.com/modules.php
Forwarded For: none
Client IP: none
Remote Address: 209.67.215.xxx
Remote Port: 51485
Request Method: GET

Any ides what is it all about?!
 
View user's profile Send private message Visit poster's website
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088
PostPosted: Sat Jul 30, 2005 3:48 pm Reply with quote
Do you have the Santy Worm Protection on in NukeSentinel? If so, try turning it off.
 
View user's profile Send private message
ring_c
PostPosted: Sat Jul 30, 2005 4:03 pm Reply with quote
It's already turned off, as I use Site_Messenger which from time to time is detected as abuse-script as well...

Is the above string malicious?
 
Raven
PostPosted: Sat Jul 30, 2005 4:54 pm Reply with quote
Please supply this part of the email
Code:
Blocked IP: 64.140.49.*


User ID: Anonymous (1)


Reason: Abuse-Harvest


String Match: turnitinbot
 
ring_c
PostPosted: Sat Jul 30, 2005 8:38 pm Reply with quote
Here's the whole mail:

Date & Time: 2005-07-30 16:07:20 EDT GMT -0400
Blocked IP: 209.239.47.138
User ID: Anonymous (1)
Reason: Abuse-Script
--------------------
User Agent: Mozilla/4.0
Query String: xxxxxx.com/modules.php?name=Forums&file=viewtopic&t=2813&view=previous&highlight=\'.system(getenv(HTTP_PHP)).\'
Get String: xxxxxx.com/modules.php?name=Forums&file=viewtopic&t=2813&view=previous&highlight=\'.system(getenv(HTTP_PHP)).\'
Post String: xxxxxx.com/modules.php
Forwarded For: none
Client IP: none
Remote Address: 209.239.47.138
Remote Port: 55304
Request Method: GET
 
Raven
PostPosted: Sat Jul 30, 2005 8:46 pm Reply with quote
It's being flagged because of the singe quote marks. That's how javascript and other things can be injected.
 
ring_c
PostPosted: Sun Jul 31, 2005 12:33 am Reply with quote
2 questions:
A. Is the original string I've pasted here should be treated as malicious?
B. Re. Site_Messenger - indeed, charcters like " ( ) Sentinel set the alarm abuse-script on. anyway to allow such charcters?
 
ring_c
PostPosted: Wed Aug 03, 2005 4:57 am Reply with quote
Well, no question? Raven?!
 
Raven
PostPosted: Wed Aug 03, 2005 6:31 am Reply with quote
#1 - Yes, it is malicious
#2 - Even if NukeSentinel was turned off, mainfile.php would flag the same charatcers.

See also http://www.ravenphpscripts.com/postx6264-0-0.html
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel(tm)


 Jump to:   




View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©