Ravens PHP Scripts: Forums
 

 

Misha
Worker
Joined: Jul 30, 2006
Posts: 205
Location: McLean, VA

Posted: Tue Dec 21, 2010 11:29 pm

Hi guys, haven't stopped by for a long time, and now got a question. For quite some time already I am getting abuse-filter messages like this:

Quote:
Created By: NukeSentinel(tm) 2.6.01
Date & Time: 2010-12-21 22:20:50 CST GMT -0600
Blocked IP: 209.169.140.*
User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
Referer: none
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
HTTP Host: www.YYYYYYYY.com
Script Name: /modules.php
Query String: name=http://213.246.61.125:2082/index.html?
Get String: name=http://213.246.61.125:2082/index.html?
Post String: Not Available
Forwarded For: none
Client IP: none
Remote Address: 209.169.140.30
Remote Port: 39982
Request Method: GET
--------------------
Who-Is for IP
Unable to query WhoIs information for 209.169.140.30.


It is always this IP address in the url, or 217.218.225.2:2082, both having CP port and first is actually pointing to a control panel, I checked. It started slowly, but when it got to several cases per week, I changed the Sentinel settings to ban IP ranges (by default there was no action but email). It helped for a while, but then the guy prolly found a proxy service, and for the last couple of days I got several dozens of those.

I don't even understand what he is trying to do, so I came here to ask - should I worry? Thanks :)

Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

Posted: Thu Dec 23, 2010 9:53 pm

He is (more than likely) trying to perform a session hijacking hack. When it doesn't work everything after the index.html? is truncated. Port 2082 is an unprotected HTTP session. Most cPanel hosts use a setting that redirects all port 2082 queries to port 2083 SSL/HTTPS connection.
 
Misha







Posted: Fri Dec 24, 2010 9:44 am

Thanks Gaylen :) Though it is not clear how dangerous is it? What are the chances they can break through the Sentinel? I googled it, and looks like I need to stay logged out of admin account as much as possible, right? I logged out, and from now on going to log in only for the amount of time needed to perform admin tasks.

Thanks again - and Merry Christmas! :)
 
Raven







Posted: Fri Dec 24, 2010 4:23 pm

The best way to avoid the session hijacking is to just be sure to always log out :). Otherwise, the hijacker becomes - you :o !

Have Blessed and Safe Christmas!
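
A triage sketch for the Abuse-Filter reports quoted in the first post, added here as an example and not part of the thread or of NukeSentinel: it groups reports by the absolute URL found in a query parameter, so a probe that keeps the same value while the source address changes is counted as one pattern. The report text is constructed from the fields in the quoted report, and 198.51.100.7 is a documentation-range placeholder.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: two reports cut down to fields shown in the quoted
# report. 198.51.100.7 is a documentation-range placeholder address.
REPORTS = """\
Created By: NukeSentinel(tm) 2.6.01
Reason: Abuse-Filter
Script Name: /modules.php
Query String: name=http://213.246.61.125:2082/index.html?
Remote Address: 209.169.140.30
Created By: NukeSentinel(tm) 2.6.01
Reason: Abuse-Filter
Script Name: /modules.php
Query String: name=http%3A%2F%2F213.246.61.125%3A2082%2Findex.html%3F
Remote Address: 198.51.100.7
"""

def parse_report(block):
    """Turn 'Field: value' lines into a dict; separator lines are skipped."""
    fields = {}
    for line in block.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def embedded_urls(query):
    """Yield (param, host:port) for parameters whose value is an absolute URL."""
    for key, value in parse_qsl(query, keep_blank_values=True):  # also decodes %xx
        try:
            parts = urlsplit(value.strip())
        except ValueError:  # malformed authority, e.g. an unclosed '['
            continue
        if parts.scheme in ("http", "https", "ftp") and parts.netloc:
            yield key, parts.netloc

def summarize(text):
    """Map (script, param, embedded host:port) -> set of source addresses."""
    seen = defaultdict(set)
    for block in re.split(r"(?m)^(?=Created By:)", text):
        f = parse_report(block)
        if f.get("Reason") != "Abuse-Filter":
            continue
        for param, target in embedded_urls(f.get("Query String", "")):
            seen[(f.get("Script Name"), param, target)].add(f.get("Remote Address"))
    return dict(seen)

if __name__ == "__main__":
    for (script, param, target), sources in summarize(REPORTS).items():
        print(f"{script} {param}= -> {target}: {sorted(sources)}")
```

A key with many source addresses is the same request arriving through different hosts, which is why range bans on the source stopped helping in the first post.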
 
All times are GMT - 6 Hours
 