I have been making posts now and again about bandwidth problems with my forum.

Now there is a SERIOUS PROBLEM

I closed the forum but yet there are 5 guests viewing it, this tells me sum1 has hacked it and leaching bandwidth, there is a security problem with the forum sumwhere.

i only have 700 members and my count is 44gb of bandwith this month.

This is now obvious abuse from a proff hacker.

The admin and tech staff need to get involved and help me, also help others who might experience this problem.

It seems that all members are hacked, i know for instance that bad's back is not on the forum but yet according to the image i have attached, he is viewing it.

and so are a heap of people! but yet the forum is closed!

also notice the IP for the guests, its the same, i banned 208.237.238 but yet they are here.

notice how they are viewing avatars, i got a feeling they are refreshing it thousends of times...

i need help now, asap, i cant afford this, i paid for the licence and now hosting is costing me like £300 a month.

Someone, admin, please help.

I have upgraded version 2.2.4 to 2.2.8

But the people are still there, and the person has changed his IP and still viewing avatars as you can see in the attachment.

also apparant bad's back is viewing a forum too, he is sat right next to me and is viewing nothing, how come all these people are viewing things when i have switched the forum off, there is a BIG problem somewhere.

I have also switched off the option in the usergroups so guests cant view the forum full stop... :(

What now?

I deleted misc.php in the meantime so avatars can't be shown

If you are absolutely sure you have closed your forum, then your forum is closed.

When a member tries to access any of the pages of the forum, Who's Online will say that they are looking at that page, but what they are really seeing is the "No Permission" page. So if I was you I wouldn't worry (unless you are certain that your site has been hacked). Even with the forum closed, vB still tells you the number of people who are trying to access each page.

If you're worried, open another window, log out, log in as a registered member on a test account and try any of the pages - see on Who's Online that vB tells you that a member is looking at a page when in reality the member is getting the "No Permission" page.

Originally posted by Rapdis
I deleted misc.php in the meantime so avatars can't be shown

misc.php doesn't deal with displaying avatars, its forum/avatar.php ;)

but if you look carefully, its diff guests with same IP but with one number changed, and they using 44gb a month, so im sure something is wrong, what can i do?

The 2 guests with different IPs could be the same user, if those IPs are proxy's then they may have hopped proxy whislt browsing your site, like AOL does for example.

The best way is to use .htaccess to block avatar.php, attachment.php, .gif, .jpg, .jpeg and .png if you have mod_rewrite enabled on your server.

It is possible to use up 44GB per month...If you don't have GZIP enabled, allow free use of avatars, sigs, attachments, etc.

The main factor would be GZIP...

Same IP means nothing. It could be a popular ISP, with many members of yours using the same proxy server used by that ISP (hence the large bandwidth), so by banning that one IP you are banning all these members.

Originally posted by NTLDR
The 2 guests with different IPs could be the same user, if those IPs are proxy's then they may have hopped proxy whislt browsing your site, like AOL does for example.

The best way is to use .htaccess to block avatar.php, attachment.php, .gif, .jpg, .jpeg and .png if you have mod_rewrite enabled on your server.

I dont have mod_rewrite enabled, what can i do now? i also think people are leaching images of the site, this might be a thing for V3.0, a inbuilt script that changes the name of the images folder and reflects that change across the forum, that would be fantastic.

Originally posted by N9ne
It is possible to use up 44GB per month...If you don't have GZIP enabled, allow free use of avatars, sigs, attachments, etc.

The main factor would be GZIP...

I do have gzip on and the avatars are for people over 1000 posts mainly, the small avatars are for the junior members.

Originally posted by Erwin
Same IP means nothing. It could be a popular ISP, with many members of yours using the same proxy server used by that ISP (hence the large bandwidth), so by banning that one IP you are banning all these members.

There were once 43 guests on the avatar page with the same IP exept one number in a row e.g

1.2.3.4.5
1.2.3.4.6
1.2.3.4.7

I some how think that wasnt just some guests viewing the forum, also all 43 members decided to view that page thouseds of times for 4 days constant, i know my avatars are nice, but not that nice, so now you guys know why im so worried, it definatly abuse by someone, what can i do now?

Originally posted by Erwin
If you are absolutely sure you have closed your forum, then your forum is closed.

When a member tries to access any of the pages of the forum, Who's Online will say that they are looking at that page, but what they are really seeing is the "No Permission" page. So if I was you I wouldn't worry (unless you are certain that your site has been hacked). Even with the forum closed, vB still tells you the number of people who are trying to access each page.

If you're worried, open another window, log out, log in as a registered member on a test account and try any of the pages - see on Who's Online that vB tells you that a member is looking at a page when in reality the member is getting the "No Permission" page.

Bare in mind, according to whos online, some members where browsing the forum, juming from thread to thread when them members were sat right next to me, according to them, they werent logged in.

What explains that?

Originally posted by Rapdis


Bare in mind, according to whos online, some members where browsing the forum, juming from thread to thread when them members were sat right next to me, according to them, they werent logged in.

What explains that?

That means that these member's accounts have been compromised. Looks like someone has gotten passwords. Have you got 2.2.8 installed, with the new global.php which prevent the cross-scripting password bug? Look in the vB.com Announcement forum for the fix. I have posted a link the Lounge forum here, on the second or third page.

I do have 2.2.8 installed.

Have you applied the global.php fix?

Satan

i did what it sed, run the four upgrade files, i dont know if i did the global thing, how do i do that?

I posted about the fix here:

https://vborg.vbsupport.ru/showthread.php?s=&threadid=44846

<a href="http://www.vbulletin.com/forum/showthread.php?s=&threadid=57203" target="_blank">http://www.vbulletin.com/forum/showt...threadid=57203</a>

Satan