Question

This is where you'll find security-related information.
Discuss Integramod/phpbb security issues here.

Moderator: Integra Moderator

PostAuthor: .QUACK.Major.Pain » Tue Sep 25, 2007 4:29 pm

What is a clike attempt?

I had one on Sept. 23/07

1 62.149.196.204
Unban This IP /forum/links.php?t=search&s..... Clike Attempt 23 Sep 2007 01:05 am Yes

Thought I'd share it with you and maybe you can give me an explanation of what was being done to cause the ban.
For my own education.


Searched IP and got the following:

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 62.0.0.0 - 62.255.255.255
CIDR: 62.0.0.0/8
NetName: RIPE-C3
NetHandle: NET-62-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: NS-EXT.ISC.ORG
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 1997-04-25
Updated: 2005-08-03

PostAuthor: sanji » Tue Sep 25, 2007 7:08 pm

It is when someone sends a URL to your site with an SQL function which obviously should not be there... Usually, if you check the URL that was blocked, it will include a "UNION", for example.

The goal is typically to get the admin password.

This is an old vulnerability, and usually all phpbb boards are relatively well protected against it.

Where did you find the attack report?

sanji

Re: Question

PostAuthor: .QUACK.Major.Pain » Tue Sep 25, 2007 7:58 pm

I found the IP in ban control in ACP. (banlist)
I went to ACP>Security and did Quick Search of that IP and it gave the reason for the ban and other info.

1 62.149.196.204
Unban This IP /forum/links.php?t=search&s..... Clike Attempt 23 Sep 2007 01:05 am Yes

PostAuthor: sanji » Tue Sep 25, 2007 10:53 pm

OK, so it confirms what I thought: there is no way to have directly all the information on the same page, you need first to copy the IP and then search for it in another menu... Little inconvenient...

sanji


CORRECTION : It is possible, just select Search by IP addresses, select partial match and search without entering any IPs... You will get all tentatives...

Re: Question

PostAuthor: CaNNon » Wed Sep 26, 2007 3:27 am

You should also check acp > crackertracker > logmanager > Worm & Exploit Protection

And the info from security panel should be found in, Board Navigation > exploit attempts. All bans from that should be logged there.

Re: Question

PostAuthor: .QUACK.Major.Pain » Wed Sep 26, 2007 3:31 am

With the new CT update, I get 10-20 Worm/Exploits a day.

Re: Question

PostAuthor: .QUACK.Major.Pain » Wed Sep 26, 2007 3:33 am

CaNNon wrote: You should also check acp > crackertracker > logmanager > Worm & Exploit Protection

And the info from security panel should be found in, Board Navigation > exploit attempts. All bans from that should be logged there.


The first part I see, but the second I don't see where you are talking about.

Re: Question

PostAuthor: CaNNon » Wed Sep 26, 2007 3:48 am

On the security mod you login to the forum and you should see a button in the Board Navigation panel ( you have to log in as admin I think) in the bottom you should see

------------------
admin
exploit attempts <---- shows the attempts page
sync user posts
-----------------

.QUACK.Major.Pain wrote: With the new CT update, I get 10-20 Worm/Exploits a day.


If they all use linked scripts from the libwww-perl software you can cut it more by adding this to your .htaccess file

Code:
RewriteEngine On
# testing user agent blocking
# single condition, so no [OR] flag is needed
RewriteCond %{HTTP_USER_AGENT} libwww-perl
# refuse matching requests with 403 Forbidden
RewriteRule .* - [F]

If your rewrite engine is already on, don't add the first line, but make sure it's placed after the engine on statement.

Another place to check is your root folder, some hosts will see you have copies/logs placed there and they can help a lot.
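An added example, not part of the thread and not CrackerTracker's or IntegraMOD's own code: the two checks discussed above (an SQL "UNION" in the request URL, and the libwww-perl user agent) run over access-log lines. It assumes Apache combined log format; the log lines, the 192.0.2.x addresses and the names `classify` and `normalise` are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Combined Log Format: ip - - [time] "METHOD url PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
# SQL keywords that have no business in a forum query string.
SQL_RE = re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S)
SQL_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)  # UNION/**/SELECT spacing trick
BAD_AGENT_RE = re.compile(r"libwww-perl", re.I)


def normalise(query, max_rounds=3):
    """URL-decode repeatedly (handles double encoding), then strip SQL comments."""
    for _ in range(max_rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return SQL_COMMENT_RE.sub(" ", query)


def classify(line):
    """Return the reasons a log line looks hostile; an empty list means clean."""
    m = LOG_RE.match(line)
    if m is None:
        return ["unparsed"]
    reasons = []
    if SQL_RE.search(normalise(urlsplit(m["url"]).query)):
        reasons.append("sql-keyword-in-url")
    if BAD_AGENT_RE.search(m["agent"]):
        reasons.append("libwww-perl-agent")
    return reasons


# Constructed sample lines (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Sep/2007:01:05:00 +0000] "GET /forum/links.php?t=search&s=1+UNION+SELECT+1,2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [23/Sep/2007:01:06:00 +0000] "GET /forum/links.php?t=search&s=1%2520union%2F**%2Fselect%25201 HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '192.0.2.12 - - [23/Sep/2007:01:07:00 +0000] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 9000 "-" "libwww-perl/5.805"',
    '192.0.2.13 - - [23/Sep/2007:01:08:00 +0000] "GET /forum/search.php?keywords=european+union+selection HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry), entry.split('"')[1])
```

The last sample line shows why the pattern needs word boundaries: an ordinary search for "european union selection" is not flagged.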

Re: Question

PostAuthor: .QUACK.Major.Pain » Wed Sep 26, 2007 11:42 am

ok got it - shows exactly the same thing when doing ip search.

Re: Question

PostAuthor: CaNNon » Wed Sep 26, 2007 4:56 pm

Yea, just easier