Dissecting server error log - text+captcha+decoded


DF031
09-27-2013, 01:58 PM
Good evening all,

In the server logs of our forum we get hundreds of errors like these every hour

I edited the green text. I especially worry about the red stuff.

- - - - - - - - - - - - -
[Thu Sep 26 20:21:12 2013] [error] [client 192.187.125.187] File does not exist: /home/XXXXX/domains/XXXXXX.net/public_html/index.php+++++++++++++++++++++++++++++++Result:+text+captcha+decoded;+chosen+nickname+"acensebak";+registered+(registering+only+mode+is+ON);+Result:+chosen+nickname+"Woftododrurse";+registered+(registering+only+mode+is+ON);, referer: http://www.XXXXX.net/index.php+++++++++++++++++++++++++++++++Result:+text+captcha+decoded;+chosen+nickname+%22acensebak%22;+registered+%28registering+only+mode+is+ON%29;+Result:+chosen+nickname+%22Woftododrurse%22;+registered+%28registering+only+mode+is+ON%29;
- - - - - - - - - - - - - -

The names Woftododrurse and acensebak are not unique, they are used over and over again.

What is this? Should I worry? Should I stop it? How to stop it?

Does anyone have any additional info about this?

DF031
10-06-2013, 12:00 PM
BUMP

I get hundreds of these a day.

Anyone else getting similar server errors?

Simon Lloyd
10-07-2013, 09:01 AM
It appears to be an attempt to bypass the registration; the whole string is probably being entered automatically. If that IP address isn't yours, then block it!

DF031
10-07-2013, 05:14 PM
Thanks Simon. But blocking the IP does not help. After a handful of server errors the IP changes.

snakes1100
10-07-2013, 08:58 PM
nvrmind

ozzy47
10-07-2013, 09:15 PM
You would need to monitor the IPs in the logs and see if there is a pattern, then block the IP range if necessary. Here is info on the IP in your OP.

General IP Information
IP: 192.187.125.187
Decimal: 3233512891
Hostname: 192.187.125.187
ISP: DataShack, LC
Organization: DataShack, LC
Services: Recently reported forum spam source. (344)
Type: Corporate
Assignment: Static IP

nhawk
10-07-2013, 09:21 PM
Personally I'd ban 192.187.125.*

That IP range is all dedicated servers. So, either it's a bot or a proxy. Either way, no big loss if it's totally banned.

If you want to ban everything from Datashack in IP tables, the CIDR is 192.187.96.0/19

--------------- Added 1381185254 at 1381185254 ---------------

I just noticed that the error is a 'File does not exist' error. So hard as they may try, the attempt is doing nothing other than taking up processor power from your site.

If it's a dedicated server, I'd install fail2ban and automatically ban the IP after 2 or 3 'File does not exist' errors.

DF031
10-11-2013, 10:32 PM
Thanks for all the info, guys!

"Personally I'd ban 192.187.125.*"

I am not sure that is enough. Been tracking for 2 hrs now and besides many hits from China I got these from Datashack. Used http://www.infosniper.net/ to check.

192.187.108.114
192.187.108.242
192.187.110.138
192.187.110.210
192.187.114.156
192.187.122.125
192.187.125.60
192.187.125.195

"If you want to ban everything from Datashack in IP tables, the CIDR is 192.187.96.0/19"

How do I read the "/"? What does it mean?

Would that range include the above mentioned IPs?
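
An added example, not part of the original thread: it works out what a CIDR suffix such as /19 covers and checks which clients producing the "Result:+" log lines fall inside a given block. The sample log lines are constructed in the format quoted in the first post, and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the error-log format from the first post (paths shortened).
# The 203.0.113.x clients are documentation addresses made up for this example.
SAMPLE_LOG = """\
[Thu Sep 26 20:21:12 2013] [error] [client 192.187.125.187] File does not exist: /home/XXXXX/public_html/index.php+++Result:+text+captcha+decoded;
[Thu Sep 26 20:21:15 2013] [error] [client 192.187.125.187] File does not exist: /home/XXXXX/public_html/index.php+++Result:+text+captcha+decoded;
[Thu Sep 26 20:22:40 2013] [error] [client 192.187.108.114] File does not exist: /home/XXXXX/public_html/index.php+++Result:+text+captcha+decoded;
[Thu Sep 26 20:23:02 2013] [error] [client 203.0.113.7] File does not exist: /home/XXXXX/public_html/index.php+++Result:+text+captcha+decoded;
[Thu Sep 26 20:23:30 2013] [error] [client 203.0.113.9] File does not exist: /home/XXXXX/public_html/favicon.ico
"""

# Only "File does not exist" lines whose path carries the "Result:+" spam marker.
SPAM_RE = re.compile(r"\[client (\d+(?:\.\d+){3})\] File does not exist: \S*Result:\+")

def ip_to_int(ip):
    """Dotted quad -> 32-bit integer (the 'Decimal' value IP lookup tools show)."""
    a, b, c, d = (int(part) for part in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def netmask(bits):
    """/19 means the first 19 bits are fixed and the remaining 13 are free."""
    return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF

def cidr_bounds(cidr):
    """First and last address covered by a CIDR block."""
    base, bits = cidr.split("/")
    mask = netmask(int(bits))
    first = ip_to_int(base) & mask
    return int_to_ip(first), int_to_ip(first | (~mask & 0xFFFFFFFF))

def in_cidr(ip, cidr):
    base, bits = cidr.split("/")
    mask = netmask(int(bits))
    return (ip_to_int(ip) & mask) == (ip_to_int(base) & mask)

def triage(log_text, cidr):
    """Count spam-marker hits per client, split by whether the CIDR ban covers them."""
    hits = Counter(m.group(1) for m in SPAM_RE.finditer(log_text))
    covered = {ip: n for ip, n in hits.items() if in_cidr(ip, cidr)}
    uncovered = {ip: n for ip, n in hits.items() if not in_cidr(ip, cidr)}
    return covered, uncovered

if __name__ == "__main__":
    print(cidr_bounds("192.187.96.0/19"))
    print(triage(SAMPLE_LOG, "192.187.96.0/19"))
```

A wildcard like 192.187.125.* is the same as 192.187.125.0/24, so the same functions can compare the narrow ban with the /19 one.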