New probe caught by Sentinel

registered · Posted: Sat Mar 29, 2008 5:07 pm

I'm seeing these now:

Code:




Date &amp; Time: 2008-03-29 15:44:32 CDT GMT -0500


Blocked IP: 89.149.241.126


User ID: Anonymous (1)


Reason: Abuse-Script


--------------------


User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FREE; .NET CLR 1.1.4322)


Query String: www.xxx.com/modules.php?name=Forums&file=viewtopic&t=3858&start=210+Result:+captcha+recognized;registered;logged+in;probably,+registration+failed+(activation+code+was+sent+/+there+are+additional+protection+used+on+forum+/+forum+SQL-error+/+...);+Result:+invalid;not+found;no+post+sending+forms+are+found;


Get String: www.xxx.com/modules.php?name=Forums&file=viewtopic&t=3858&start=210 Result: captcha recognized;registered;logged in;probably, registration failed (activation code was sent / there are additional protection used on forum / forum SQL-error / ...); Result: invalid;not found;no post sending forms are found;


Post String: www.xxx.com/modules.php


Forwarded For: none


Client IP: none


Remote Address: 89.149.241.126


Remote Port: 3523


Request Method: GET

Looks like they have a script that analyzes your Nuke/phpBB setup. Either that or their script is really malfunctioning. You wouldn't expect that stuff to get passed in the get string like that, would you?

Posted: Sat Mar 29, 2008 5:42 pm

I have seen similar things but not exact the same in my logs.
However, it not a surprise because there are tools and scripts available for this. Rolling Eyes

Also it doesn´t bring anything to ban the country because they usally use proxies.

Worker Joined: Aug 26, 2007 Posts: 236

I have not noticed this yet. I have this in my .htaccess that should block 97 % of all proxies. Sentinel have not stopped a single hacker since I added it:

RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule .* - [F]

registered · Posted: Sun Mar 30, 2008 1:27 am

Yep I've seen it. Looks like a robot with some errors

Posted: Mon Mar 31, 2008 2:55 pm

I've seen this alot, with my old job. I've not had time to test it, but from what I could tell, it was something that was exploitable in the version of php-nuke that was installed with fantastico.

Who would have thought it. Cpanel and fantastico releasing exploitable scripts Laughing

registered · Posted: Thu Apr 03, 2008 5:30 am

slackervaara, that is an interesting list indeed. I am going to have to mull this list over some more...

Just this list alone might make for interesting discussion. Any thoughts regarding slackervaara's list? Will there be false positives with this list? I.e., some legitimate users blocked?

I am seriously considering adding these, but am interested in community input.

Posted: Thu Apr 03, 2008 5:55 am

I have got only two complaints since I started with this in my .htaccess. One member could not access the site from her job anylonger and the another could not access the site from his health workers office. I guess those computers must be behind a proxy and thus blocked. I got the tip about this from a Norwegian PHP-Nuke site.

Posted: Thu Apr 03, 2008 6:24 am

Yes, that sounds right to me. It was one of my concerns. I have also had folks with various levels of "anonymizers" on their PC (for example, even Norton Internet Security) which can even affect NukeSentinel(tm).

Interesting... let us see what others have to say too. Good discussion.

Posted: Thu Apr 03, 2008 6:42 am

I would be interested to see how those lines affect AOL users.
Anyone here using AOL?

Posted: Thu Apr 03, 2008 1:27 pm

EWWWW, AOL, stay away!!!!

lol, only kidding.

The only problem I do see, is there are many proxy servers out there that dont broadcast that they are proxy servers, which this list looks like it will require they broadcast that they are proxies.

I personally wonder what would happen with custom browsers, like Linux browsers and some Windows browsers.

Posted: Thu Apr 03, 2008 2:33 pm

I have tested in Windows XP with:
Firefox, Explorer, Opera, Safari and all works OK.
in Linux Mandriva 2006:
Firefox, Konqueror, Ephiphany works all OK

I have used this in my .htacces since Jan 25 this year and Sentinel has not caught a single hacker since that start.

Posted: Thu Apr 03, 2008 3:40 pm

There are a few others, but with your testing, I dont think you would have a problem with even those.

I suppose the next question would be, does it block with certain ISP's. which like to add their own headers, AOL being one of those.

Then, can you get visitors from all countries?

Posted: Thu Apr 03, 2008 7:30 pm

I have a Scandinavian site, but there are mainly US IP:s I guess mainly from search engines like Google. There are also rather many visitors from non-Scandinavian countries too. I don't know about AOL and I also have the proxy blocker on in Sentinel, but this in .htaccess seems more effective to me.

Worker Joined: Nov 17, 2006 Posts: 222

slackervaara wrote:

I have not noticed this yet. I have this in my .htaccess that should block 97 % of all proxies. Sentinel have not stopped a single hacker since I added it:

RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule .* - [F]

many isp is using the proxy thingy if RN add this into here i'll be block out lol i will give a try on these and see the results.

Posted: Fri Apr 04, 2008 3:34 am

RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR] what does this mean?

Posted: Fri Apr 04, 2008 5:31 am

redhairz, it means there is no User Agent being passed within the headers.

BTW, if you have that type of proxy situation, why not you two try and test out whether you get blocked from his site or not. That would be a useful test and would be nice to post the results here I think.

Posted: Fri Apr 04, 2008 5:59 am

You can check, if you are blocked from my site if you are behind a proxy:

Posted: Sun Apr 27, 2008 9:39 am

there was no blocking here in RN site. if the sn is set to lite or higher the sn will block it.