Odd IP issue

New Member Joined: Mar 18, 2004 Posts: 10

Running Nuke 7.6 - 7.8 on various sites and have Sentinel on all of them updated to pl9.

This morning someone attempted to hack one of the sites, below is the info.

Quote:

Date & Time: 2006-06-23 05:48:15 PDT GMT -0700
Blocked IP: 1.0 servidor.primatec:3128 (squid/2.5
User ID: Anonymous (1)
Reason: Abuse-Union
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Query String: XXX.XXXXXX.com/modules.php?name=Downloads&ampd_op=viewsdownload&a mpsid=-1/**/UNION/**/SELECT/**/0,0,aid,pwd,0,0,0,0,0,0,0,0/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/*
Get String: XXX.XXXXXX.com/modules.php?name=Downloads&ampd_op=viewsdownload&a_mpsid=-1/**/UNION/**/SELECT/**/0,0,aid,pwd,0,0,0,0,0,0,0,0/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/*
Post String: XXX.XXXXXX.com/modules.php
Forwarded For: XXX.XXX.X.XX
Client IP: 1.0 servidor.primatec:3128 (squid/2.5.STABLE11)
Remote Address: 201.21.216.142
Remote Port: 53704
Request Method: GET
--------------------
Unable to query WhoIs information for 1.0 servidor.primatec:3128 (squid/2.5.STABLE11).

Which everything looks as if the user was blocked like normal, when the block was written to the .httaccess it caused an internal server error, causeing the site not to load.

Quote:

deny from 1.0 servidor.primatec:3128 (squid/2.5

My question is, Is there any way to keep this from happening?

Sells PC To Pay For Divorce Joined: Posts: 5661

well what i could find as extra info is that its a server,probably from brazilian developers,i could be wrong but thats what i could find...
http://ftp.tiscali.nl/conectiva/servidor-1.0/

Posted: Fri Jun 23, 2006 5:37 pm

Quote:

--------------------
User Agent: Combine/3 http://combine.it.lth.se/
Query String: xxx.xxxxxx.com/index.php?none
Get String: xxx.xxxxxx.com/index.php
Post String: xxx.xxxxxx.com/index.php
Forwarded For: xxx.x.xxx.xx
Client IP: 1.1 u1-gw-v1.k-net.ro:6665 (squid/2.5.STABLE10)
Remote Address: 86.55.12.98
Remote Port: 48199
Request Method: GET
--------------------
Unable to query WhoIs information for 1.1 u1-gw-v1.k-net.ro:6665 (squid/2.5.STABLE10).

Well the second one today, same result, once it writes to the .htaccess file the site is down for internal server errors. I remove the line it added and all is fine.

Posted: Fri Jun 23, 2006 5:44 pm

ok i did some digging and im positive that these are proxy servers...
but why it puts the name init instead of the ip i dont know...
for now set your proxy settings in sentinel on....as in not allowed...
see if that helps..

registered · Posted: Sat Jun 24, 2006 2:36 pm

Looks like I need to add some code to make sure the ip is numberic and not alphanumberic. These are anonymizing proxies that are passing the string in place of the ip.

Posted: Sat Jun 24, 2006 3:32 pm

very good idea bob....

Posted: Sat Jun 24, 2006 3:43 pm

Depending on your version of NukeSentinel(tm) add the following:

Code:

if(!ereg("([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})", $nsnst_const['client_ip'])) {$nsnst_const['client_ip'] = "none"; }


if(!ereg("([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})", $nsnst_const['forward_ip'])) {$nsnst_const['forward_ip'] = "none"; }


if(!ereg("([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})", $nsnst_const['remote_ip'])) {$nsnst_const['remote_ip'] = "none"; }


if(!ereg("([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})", $nsnst_const['remote_addr'])) {$nsnst_const['remote_addr'] = "none"; }

just after:

Code:

// Load constant vars


$nsnst_const['server_ip'] = get_server_ip();


$nsnst_const['client_ip'] = get_client_ip();


$nsnst_const['forward_ip'] = get_x_forwarded();


$nsnst_const['remote_addr'] = get_remote_addr();


$nsnst_const['remote_ip'] = get_ip();


$nsnst_const['remote_long'] = sprintf("%u", ip2long($nsnst_const['remote_ip']));


$nsnst_const['remote_port'] = get_remote_port();


$nsnst_const['request_method'] = get_request_method();


$nsnst_const['script_name'] = get_script_name();


$nsnst_const['http_host'] = get_http_host();


$nsnst_const['query_string'] = st_clean_string(get_query_string());


$nsnst_const['get_string'] = st_clean_string(get_get_string());


$nsnst_const['post_string'] = st_clean_string(get_post_string());


$nsnst_const['query_string_base64'] = st_clean_string(base64_decode($nsnst_const['query_string']));


$nsnst_const['get_string_base64'] = st_clean_string(base64_decode($nsnst_const['get_string']));


$nsnst_const['post_string_base64'] = st_clean_string(base64_decode($nsnst_const['post_string']));


$nsnst_const['user_agent'] = get_user_agent();


$nsnst_const['referer'] = get_referer();


$nsnst_const['ban_time'] = time();


$nsnst_const['ban_ip'] = "";

This should casue NS to display the "Invalid IP" message.

Posted: Sat Jun 24, 2006 3:50 pm

this is going to be in the next update?

Posted: Sat Jun 24, 2006 5:30 pm

In the 2.5.00 version that is nearing completion. Currently being tested by the devs.

Posted: Sat Jun 24, 2006 6:09 pm

Thanks Bob,

I got it on two of my sites at the moment. Will let you know the outcome.

Posted: Mon Jul 31, 2006 8:21 am

Hey guys and gals.

I have this same exact problem. Every day for the last 4 days this has been blocked and added to my htaccess.
deny from 1.1 sfc-cache.ai3.net:3128 (squid/2

I am running Nuke 7.5 with Sentinel 2.5.00

Has the above fix by Bob been added to the 2.5.00 version? If so, then my problem must be something different. And what files is that code change in..It is never specified.

Posted: Mon Jul 31, 2006 11:04 am

Hi myrtletrees, I think that would be in inlcudes/nukesentinel.php

Posted: Mon Jul 31, 2006 11:43 am

Thanks, found it. I had the most recent version but just for giggles I uploaded all nuke sentinel files again, overwriting my exisiting ones. We'll see if this little issue pops up for me again or not.

Posted: Mon Jul 31, 2006 1:12 pm

Yes, please let me know Smile