
Question

PostPosted: Tue Sep 25, 2007 4:29 pm
Author: .QUACK.Major.Pain
What is a clike attempt?

I had one on Sept. 23/07

1 62.149.196.204
Unban This IP /forum/links.php?t=search&s..... Clike Attempt 23 Sep 2007 01:05 am Yes

Thought I'd share it with you and maybe you can give me an explanation of what was being done to cause the ban.
For my own education.


Searched IP and got the following:

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 62.0.0.0 - 62.255.255.255
CIDR: 62.0.0.0/8
NetName: RIPE-C3
NetHandle: NET-62-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: NS-EXT.ISC.ORG
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 1997-04-25
Updated: 2005-08-03

PostPosted: Tue Sep 25, 2007 7:08 pm
Author: sanji
It is when someone sends a URL to your site with an SQL function which obviously should not be there... Usually, if you check the URL that was blocked, it will include a "UNION", for example.

The goal is typically to get the admin password.

This is an old vulnerability, and usually all phpbb boards are relatively well protected against it.

Where did you find the attack report?

sanji

Re: Question

PostPosted: Tue Sep 25, 2007 7:58 pm
Author: .QUACK.Major.Pain
I found the IP in ban control in ACP. (banlist)
I went to ACP>Security and did Quick Search of that IP and it gave the reason for the ban and other info.

1 62.149.196.204
Unban This IP /forum/links.php?t=search&s..... Clike Attempt 23 Sep 2007 01:05 am Yes

PostPosted: Tue Sep 25, 2007 10:53 pm
Author: sanji
OK, so it confirms what I thought: there is no way to have directly all the information on the same page, you need first to copy the IP and then search for it in another menu... Little inconvenient...

sanji


CORRECTION: It is possible, just select Search by IP addresses, select partial match and search without entering any IPs... You will get all attempts...

Re: Question

PostPosted: Wed Sep 26, 2007 3:27 am
Author: CaNNon
You should also check acp > crackertracker > logmanager > Worm & Exploit Protection

And the info from security panel should be found in, Board Navigation > exploit attempts. All bans from that should be logged there.

Re: Question

PostPosted: Wed Sep 26, 2007 3:31 am
Author: .QUACK.Major.Pain
With the new CT update, I get 10-20 Worm/Exploits a day.

Re: Question

PostPosted: Wed Sep 26, 2007 3:33 am
Author: .QUACK.Major.Pain
"CaNNon" wrote: You should also check acp > crackertracker > logmanager > Worm & Exploit Protection

And the info from security panel should be found in, Board Navigation > exploit attempts. All bans from that should be logged there.


The first part I see, but the second I don't see where you are talking about.

Re: Question

PostPosted: Wed Sep 26, 2007 3:48 am
Author: CaNNon
On the security mod you log in to the forum and you should see a button in the Board Navigation panel (you have to log in as admin I think); at the bottom you should see

------------------
admin
exploit attempts <---- shows the attempts page
sync user posts
-----------------

".QUACK.Major.Pain" wrote: With the new CT update, I get 10-20 Worm/Exploits a day.


If they all use linked scripts from the libwww-perl software you can cut it more by adding this to your .htaccess file

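Code:
RewriteEngine On
# testing user agent blocking
# ([OR] removed: it only chains to a following RewriteCond, and none is shown here)
RewriteCond %{HTTP_USER_AGENT} libwww-perl
# answer matching requests with 403 Forbidden
RewriteRule ^ - [F]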

If your rewrite engine is on, don't add the first line, but make sure it's placed after the engine on statement.

Another place to check is your root folder, some hosts will see you have copies/logs placed there and they can help a lot.
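
Added example, not part of any post in this thread and not CrackerTracker's own logic: a small log check for the two signals discussed above, a SQL "UNION ... SELECT" in the request URL and a libwww-perl user agent. The log lines, the addresses in them and the reason labels are constructed for illustration, and the Apache combined log format is an assumption.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample lines in Apache combined log format (not from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [23/Sep/2007:01:05:12 +0000] "GET /forum/links.php?t=search&s=1%20UNION%20SELECT%201 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [23/Sep/2007:01:06:40 +0000] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.12 - - [23/Sep/2007:01:07:03 +0000] "GET /forum/index.php HTTP/1.0" 200 300 "-" "libwww-perl/5.805"
192.0.2.13 - - [23/Sep/2007:01:08:55 +0000] "GET /forum/search.php?keywords=student+union HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d+ \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
# Assumed signatures: UNION [ALL] SELECT in the query string, libwww-perl as client.
SQL_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE)
AGENT_RE = re.compile(r"libwww-perl", re.IGNORECASE)


def reasons_for(line):
    """Return (ip, [reasons]) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    reasons = []
    # Decode %XX and '+' so an encoded keyword is matched like a plain one.
    query = unquote_plus(urlsplit(m.group("target")).query)
    if SQL_RE.search(query):
        reasons.append("sql-keyword-in-url")
    if AGENT_RE.search(m.group("agent")):
        reasons.append("libwww-perl-agent")
    return m.group("ip"), reasons


def scan(log_text):
    """Map each flagged client IP to the sorted list of reasons seen for it."""
    flagged = {}
    for line in log_text.splitlines():
        parsed = reasons_for(line)
        if parsed and parsed[1]:
            flagged.setdefault(parsed[0], set()).update(parsed[1])
    return {ip: sorted(r) for ip, r in flagged.items()}


if __name__ == "__main__":
    for ip, why in scan(SAMPLE_LOG).items():
        print(ip, ", ".join(why))
```

The fourth sample line contains the word "union" in an ordinary search and is not flagged, because the pattern requires UNION followed by SELECT.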

Re: Question

PostPosted: Wed Sep 26, 2007 11:42 am
Author: .QUACK.Major.Pain
ok got it - shows exactly the same thing when doing ip search.

Re: Question

PostPosted: Wed Sep 26, 2007 4:56 pm
Author: CaNNon
Yea, just easier