
1 Jun 27, 2006 18:33    

My online forums are visited by suspicious hosts quite regularly and some nasty visitors were trying to get in by the highlight exploit.

I have read about the mod_secure and .htaccess solutions in this forum and just wanted to add a new idea of "defence" to it.

Supposing the spamming host computers are hacked or hijacked in one way or another, you would not only block the spammer but also the original user.

I am currently testing the reaction to a log experiment. Whenever a host sends an unwanted request, I am simply logging it and presenting it on a separate page listing the host name, IP, IP port, date and time as well as the HTTP agent.
http://www.ng-ethernet.com/ethernet_forum/phpBB_exploit.php

The log is steadily filling up and, more importantly, is visited by people who have searched Google for (their?) IPs and host names.

What do you think about such a "means of defence" ?

Regards,
Thomas

2 Jun 27, 2006 20:07

OMG! I visited your site unwittingly this morning; I had googled some IPs I saw hitting the forums here :)

I think it's a fabulous idea as long as you are confident that the attacks are as you say they are, i.e., that IP actually made "that" request.

I would, in fact, love it if you shared the script, it would sure do me well :)

3 Jun 27, 2006 21:13

You have visited my site today, whoo ? - What a coincidence ;)

Anyhow, I am glad to hear that you find my [url=http://www.ng-ethernet.com/ethernet_forum/]NG Ethernet[/url] / [url=http://www.ng-sdh.com/ng-sdh-forum/]NG SDH[/url] and [url=http://www.transport-mpls.com/t-mpls-forum/]T-MPLS[/url] log useful and I am really considering posting the script lines.

You were concerned about whether I am catching the right IP addresses. Well, I am using the >> $_SERVER["REMOTE_ADDR"] << variable and assume that this gets the IP of the requesting host. Did I make a mistake here?

I will certainly keep you up-to-date in the [url=http://www.ng-ethernet.com/ethernet_forum/viewtopic.php?t=61]phpBB section[/url] of my forum. This is also the place where I will possibly post [url=http://www.ng-ethernet.com/ethernet_forum/viewtopic.php?t=62]my script[/url] once it is cleaned up and ready for disclosure.

4 Jun 27, 2006 21:33

No, I wasn't concerned about the IP addresses, I was "concerned" about how you are 'catching' the attacks ..

This is also the place where I will possibly post my script..

I'm not too sure why you wouldn't make the script public, if the intent is to reduce spam and exploit attempts. If, on the other hand, you're merely looking for accolades, well, that's another story :P You could always covet it.

5 Jun 27, 2006 21:51

The visitors are "caught" by the URL string. An extended POST version is in the works.
However, posting script lines always opens a new and possibly weak spot for further attacks. You see what I am concerned about.
Believe it or not, there are people around who are not happy about [url=http://www.ng-ethernet.com/ethernet_forum/phpBB_exploit.php]this page[/url]...

So, give me some days to double check the lines beforehand.

Cheers,
Thomas
P.S. The best accolade would be to [url=http://www.ng-ethernet.com/ethernet_forum/profile.php?mode=register]join my forum[/url] or to support it in some other way...
The Next Generation Ethernet is concerned with high-speed Ethernet links. So, whenever you catch some news about 10G or 100G Ethernet, please drop a line in the [url=http://www.ng-ethernet.com/ethernet_forum/index.php?c=2]forum[/url].

7 Aug 02, 2006 18:00

The forum user "whoo" requested more details about my filter code in order to extend the viewtopic.php file.
Hence, I've uploaded the complete code [url=http://www.ng-ethernet.com/ethernet_forum/viewtopic.php?t=62]there[/url].
Furthermore, I have put my PHP source online for the page that displays the logged information.
http://www.ng-ethernet.com/ethernet_forum/phpBB_exploit.src.php

Feel free to use this code as long as you keep a link back to the [url=http://www.ng-ethernet.com/ethernet_forum/index.php?c=2]100 Gigabit Ethernet Forum[/url].

Cheers,
Thomas
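
A sketch of the approach discussed in this thread (catch the request by its URL string, log IP, port, time and agent, show the log on a public page), as an added example that is not the script from the thread. The allowlist rule for `highlight`, the function names, the log location and the sample request are assumptions made for illustration.

```php
<?php
// Added example, not the script from this thread. The allowlist rule, the
// function names and the log location are assumptions for illustration.

// Unwanted = not a string, or (after undoing up to two further layers of
// URL-encoding) anything other than letters, digits, spaces and separators.
function is_unwanted_highlight($raw): bool
{
    if (!is_string($raw)) { return true; }   // e.g. highlight[]=... arrays
    $value = rawurldecode(rawurldecode($raw));
    // preg_match returns false on invalid UTF-8, which also counts as unwanted.
    return preg_match('/^[\p{L}\p{N} _+\-]*$/u', $value) !== 1;
}

// One record with the fields listed in the first post. Host name is left out:
// reverse DNS is set by whoever owns the address block, so resolve it later.
function build_record(array $server): array
{
    return [
        'time'  => gmdate('Y-m-d H:i:s'),
        'ip'    => $server['REMOTE_ADDR'] ?? '',
        'port'  => $server['REMOTE_PORT'] ?? '',
        'agent' => substr($server['HTTP_USER_AGENT'] ?? '', 0, 255),
        'query' => substr($server['QUERY_STRING'] ?? '', 0, 512),
    ];
}

// JSON encoding escapes CR/LF, so a crafted header cannot forge extra log lines.
function log_record(string $file, array $rec): void
{
    $line = json_encode($rec, JSON_INVALID_UTF8_SUBSTITUTE) . "\n";
    file_put_contents($file, $line, FILE_APPEND | LOCK_EX);
}

// Every field is client-influenced; escape it before it reaches the public page.
function render_row(array $rec): string
{
    $esc = fn($v) => htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td>' . implode('</td><td>', array_map($esc, $rec)) . '</td></tr>';
}

// Constructed sample request (documentation address range, made-up values).
$sample = ['REMOTE_ADDR' => '192.0.2.10', 'REMOTE_PORT' => '51234',
    'HTTP_USER_AGENT' => '"><i>constructed agent</i>',
    'QUERY_STRING' => 't=61&highlight=%253Cb%253E'];
parse_str($sample['QUERY_STRING'], $params);   // decodes one layer
if (is_unwanted_highlight($params['highlight'] ?? '')) {
    $rec = build_record($sample);
    log_record(sys_get_temp_dir() . '/exploit_attempts.log', $rec);
    echo render_row($rec), "\n";
}
```

`REMOTE_ADDR` is the address of the TCP peer the web server saw, so behind a proxy or load balancer it is that intermediary's address rather than the original client's.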

