Author |
Message |
magnum
Client
Joined: Jun 23, 2006
Posts: 83
|
Posted:
Wed Sep 27, 2006 11:48 pm |
|
I had a person trying to register on my page and Sentinel kept saying it was a Santy worm attack. After reading further, I found that the word "rush" in his name was setting it off. I turned Santy worm off in Sentinel and he was able to register. Now my question is: if I turn Santy worm back on in Sentinel, will he be blocked from logging on? Or should I leave it off? Is the page at risk if it's left off? Thank you |
_________________ Nukes real friend is a big cup of Java with a valium stirred in. www.islandtitanz.org |
|
|
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
Posted:
Thu Sep 28, 2006 5:55 am |
|
When those attacks were being made, people were trying to stop them with .htaccess directives. Several folks posted these to stop Santy and possibly other attacks:
Code:
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR]
RewriteCond %{REQUEST_URI} ^visualcoders [NC,OR]
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC,OR]
RewriteCond %{REQUEST_URI} ^envidiosos [NC,OR]
RewriteCond %{REQUEST_URI} ^civa [NC,OR]
#variant-6 redirect all inner http:// request
RewriteCond %{QUERY_STRING} ^(.*)http://(.*)$ [NC,OR]
#variant-7 redirect all inner http request regardless if encoded
RewriteCond %{QUERY_STRING} ^(.*)http%3A%2F%2F(.*)$ [NC,OR]
#Variant-X
RewriteCond %{REQUEST_URI} ^(.*)cgi-bin(.*) [NC,OR]
# The last condition must not carry OR: a trailing OR makes the rule fire for every request
RewriteCond %{QUERY_STRING} ^(.*)wget(.*)$ [NC]
RewriteRule ^.*$ http://127.0.0.1 [R,L]
|
This is probably overkill. It is also possible that the whole issue has been resolved already with phpBB, but not sure. You can see the "rush=" line? |
|
|
technocrat
Life Cycles Becoming CPU Cycles
Joined: Jul 07, 2005
Posts: 511
|
Posted:
Thu Sep 28, 2006 9:14 am |
|
The Santy attack is pretty much old news. There really isn't a reason to continue to block against it. Even more so if you have been keeping up on your forum patches. |
|
|
magnum
|
Posted:
Thu Sep 28, 2006 10:32 am |
|
Thanks very much :) |
|
|
|
montego
|
Posted:
Thu Sep 28, 2006 8:05 pm |
|
|
|
Doulos
Life Cycles Becoming CPU Cycles
Joined: Jun 06, 2005
Posts: 732
|
Posted:
Sat Apr 12, 2008 9:28 pm |
|
I am getting the same issue with the name Soul_Crusher.
This user keeps getting this message when he tries to log in: Quote: | Possible Santy Worm Attack! |
The weird thing is if after getting the above warning, he just types in our URL, it goes to our home page and he is logged in.
Soul_Crusher is not in my htaccess file; the only instance that is remotely similar is one of "Conecrusher".
Turned off Santy Worm protection. |
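Added example, not part of the thread and not NukeSentinel's code: it compares a bare "rush" substring check (a hypothetical model of the behaviour reported above) with the `rush=` condition from the posted .htaccess and with a tightened variant that only accepts a parameter named exactly `rush`. The request URIs are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Hypothetical model of the reported behaviour: any "rush" substring in the
# request trips the filter. This is an assumption, not NukeSentinel source.
def substring_filter(uri: str) -> bool:
    return "rush" in uri.lower()

# The rush= condition as posted in the .htaccess ([NC] -> IGNORECASE).
POSTED = re.compile(r"rush=([^&]+)", re.IGNORECASE)

# Tightened variant (an assumption, not from the thread): the parameter
# name must be exactly "rush", so "crush=" no longer matches.
ANCHORED = re.compile(r"(?:^|&)rush=([^&]+)", re.IGNORECASE)

def query_filter(pattern: re.Pattern, uri: str) -> bool:
    # RewriteCond %{QUERY_STRING} only sees the part after "?".
    return pattern.search(urlsplit(uri).query) is not None

def evaluate(uri: str) -> tuple:
    """Return (substring hit, posted-rule hit, anchored-rule hit)."""
    return (
        substring_filter(uri),
        query_filter(POSTED, uri),
        query_filter(ANCHORED, uri),
    )

# Constructed sample requests, not taken from real logs.
SAMPLES = [
    "/login.php?username=Soul_Crusher",     # legitimate user from the thread
    "/viewtopic.php?t=1&rush=PLACEHOLDER",  # request carrying a rush parameter
    "/index.php?crush=1",                   # unrelated parameter ending in "rush"
    "/index.php?name=Forums",               # ordinary request
]

if __name__ == "__main__":
    print(f"{'substring':>9} {'posted':>6} {'anchored':>8}  uri")
    for uri in SAMPLES:
        sub, posted, anchored = evaluate(uri)
        print(f"{sub!s:>9} {posted!s:>6} {anchored!s:>8}  {uri}")
```

The username Soul_Crusher only trips the substring check, which is consistent with the name not appearing in the .htaccess file; the posted `rush=` pattern is still loose enough to match a `crush=` parameter.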
|
|
|
jakec
Site Admin
Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom
|
Posted:
Sun Apr 13, 2008 4:42 am |
|
What settings did you have for the blocker? It may not have been set to permanently block.
Anyway by the sounds of it you should not be at risk anymore if you disable the blocker, if you are running the latest patches etc. |
|
|
|
Doulos
|
Posted:
Sun Apr 13, 2008 9:24 am |
|
I don't even know if there are settings I can change. I just had the Santy Worm Protection set to ON, in the NS admin main page. |
|
|
|
|