vb.org Archive


mihai11 07-18-2007 05:03 PM

Look what I found on my logs today
 
This is the list of not found pages: (errors of type 404)


Quote:

/impex/ImpExData.php
/showthread.php%3Ft%3D270
/sumthin
/showthread.php%3Ft%3D27
/_vti_inf.html
/vbgsitemap/vbgsitemap-config.php
/_vti_bin/shtml.exe/_vti_rpc
//addpost_newpoll.php
//components/com_performs/performs.php
/clientscript/Mozilla/
//header.php
/chat3//chat/messagesL.php
/mmtixsln.html
/horde-3.0.5//README
///bb_usage_stats/include/bb_usage_stats.php
//README
/mails//README
/chat//chat/messagesL.php
/php/phpmychat//chat/messagesL.php
/mail//README
/lbtrivtj.html
/%20http:/www.360romania.eu/sendmessage.php
/phpMyChat-0.14.5//chat/messagesL.php
/_vti_bin/owssvr.dll
/chats//chat/messagesL.php
/clientscript/console.log('
/chat2//chat/messagesL.php
/clientscript/application/x-www-form-urlencoded
/chat1//chat/messagesL.php
/chatroom//chat/messagesL.php
/oghviqhjousdsta.html
/other-images/july-2007/shark-kayak.jpg
/newmail//README
/cacti/include/config.php
/horde-3.0.8//README
/forum//chat/messagesL.php3
/phpchat//chat/messagesL.php3
/horde3//README
//administrator/components/com_remository/admin.remository.php
/clientscript/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
/MSOffice/cltreq.asp
/PhpMyChat//chat/messagesL.php
/webmail//README
/kdblxtjxtpvfj.html
/phpMyChat-0.14.2//chat/messagesL.php
/forums//chat/messagesL.php
/community//chat/messagesL.php
//impex/ImpExData.php
/gyxmompskjpovmyu.html
/horde-3.0.9//README
/clientscript/misc.php
/xekizokf.html
/clientscript/help.php
/clientscript/DXImageTransform.Microsoft.alpha
/clientscript/forumdisplay.php
/mailz//README
/sumthin/
/phpMyChat//chat/messagesL.php
/other-images/calin-popa/calin-luca-1.jpg
//bb_usage_stats/include/bb_usage_stats.php
/other-images/imagini-anti-fumat/anti-fumat01.png
/horde-3.0.7//README
/email//README

Somebody worked very hard to break my box. I am thinking of banning their IP address, but I am not sure how to do that. From the .htaccess file, right?

What else can I do to stop these people from attacking my server?



Regards,
Razvan M.

EnIgMa1234 07-18-2007 05:15 PM

You can ban IPs from admincp -> vbulletin settings -> banning options

Attilitus 07-18-2007 05:30 PM

It would be better to ban them at the root level, not merely from vbulletin. Otherwise they could continue to break through your defences through non-vbulletin scripts on your server.

Check the activity of that IP and see if it was also browsing other pages. If those were the only (or the main) pages that it was visiting, ban it.

mihai11 07-18-2007 05:35 PM

Quote:

Originally Posted by Attilitus (Post 1294798)
It would be better to ban them at the root level, not merely from vbulletin. Otherwise they could continue to break through your defences through non-vbulletin scripts on your server.

Check the activity of that IP and see if it was also browsing other pages. If those were the only (or the main) pages that it was visiting, ban it.

How can I ban them at the "root" level?

I am on a VPS with Apache + FreeBSD. I don't have cPanel or stuff like that. To my knowledge, the way to ban IPs is to modify the .htaccess file. Is there any other way?

More info: on my box there is *only* VB without any hacks. My site is about politics and, frankly, I expected this kind of behavior from people that don't agree with some topics. In that case, is it enough to ban them from the VB control panel?

Update:
There are many IPs.... as many as 20. These people are professionals.



Regards,
Razvan M.

cheat-master30 07-18-2007 06:00 PM

Quote:

Originally Posted by mihai11 (Post 1294808)
How can I ban them at the "root" level?

I am on a VPS with Apache + FreeBSD. I don't have cPanel or stuff like that. To my knowledge, the way to ban IPs is to modify the .htaccess file. Is there any other way?

More info: on my box there is *only* VB without any hacks. My site is about politics and, frankly, I expected this kind of behavior from people that don't agree with some topics. In that case, is it enough to ban them from the VB control panel?

Update:
There are many IPs.... as many as 20. These people are professionals.



Regards,
Razvan M.

I don't think blocking them with .htaccess is that difficult. Try something like:

Code:

deny from [their ip here]

in that .htaccess file.

Secondly, yes, it is a hacking attempt, but obviously not much of a good one, and a bit strange that they never tried breaking into the install directory. Try blocking access from those directories in future (install directory and directory where you installed impex).

mihai11 07-18-2007 06:02 PM

There are 21 IP addresses from which they attacked my box. Take a look below:



What I mean by the above is this:

[IP address] = [no. of 404 errors]

To be more clear: how many requests they made from a given IP address.

I only counted requests that were looking for some known vulnerabilities - like the one in "ImpExData.php".

If you closely analyze the data, you can see that from most IPs there is only 1 request!?!?! Why? Were they anticipating a ban?

Quote:

Originally Posted by cheat-master30 (Post 1294831)
I don't think blocking them with .htaccess is that difficult. Try something like:

Code:

deny from [their ip here]

in that .htaccess file.

Secondly, yes, it is a hacking attempt, but obviously not much of a good one, and a bit strange that they never tried breaking into the install directory. Try blocking access from those directories in future (install directory and directory where you installed impex).

I don't have ImpEx on my board. I did not use it because my board started with vBulletin.

You are right about this: they were not looking for the "install" folder.

Attilitus 07-18-2007 06:34 PM

If you only have vb installed I would just remove all unnecessary files from your server and sit tight. Make sure you keep frequent backups like all responsible webmonkeys and you'll be fine.

You want to be careful when banning IPs indiscriminately because it is possible that those IPs just happened to stumble upon those directories while doing a completely benign web-crawl.
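
The per-IP check discussed in the posts above (count probe 404s per address, then see whether that address also browsed ordinary pages before banning it), as an added Python example that is not code from any poster in the thread. The sample requests, the documentation-range addresses, the probe pattern subset and both thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Probe paths copied from the thread's 404 list (not a complete signature set).
PROBE = re.compile(r"ImpExData\.php|messagesL\.php3?|/horde[^/]*//README|"
                   r"bb_usage_stats\.php|/cacti/include/config\.php", re.I)
# Apache common/combined log prefix: client IP, request path, status code.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" (\d{3})')

# Constructed sample requests (RFC 5737 documentation addresses), rendered as log lines.
REQUESTS = [
    ("192.0.2.10", "/impex/ImpExData.php", 404),
    ("192.0.2.10", "/chat//chat/messagesL.php", 404),
    ("192.0.2.10", "/horde3//README", 404),
    ("198.51.100.7", "/index.php", 200),
    ("198.51.100.7", "/showthread.php?t=270", 200),
    ("198.51.100.7", "/other-images/july-2007/shark-kayak.jpg", 404),
    ("203.0.113.5", "/phpchat//chat/messagesL.php3", 404),
    ("203.0.113.99", "/index.php", 200),
    ("203.0.113.99", "/forumdisplay.php?f=2", 200),
    ("203.0.113.99", "/showthread.php?t=27", 200),
    ("203.0.113.99", "/forum//chat/messagesL.php3", 404),
    ("203.0.113.99", "//bb_usage_stats/include/bb_usage_stats.php", 404),
]
SAMPLE_LOG = "\n".join(f'{ip} - - [18/Jul/2007:10:00:00 +0000] "GET {p} HTTP/1.1" {s} 208'
                       for ip, p, s in REQUESTS)

def summarize(log_text):
    """Return {ip: (probe_404s, total_requests)} for every client in the log."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of guessing
        ip, path, status = m.groups()
        stats[ip][1] += 1
        if status == "404" and PROBE.search(path):
            stats[ip][0] += 1
    return {ip: tuple(v) for ip, v in stats.items()}

def ban_candidates(stats, min_probes=2, min_ratio=0.5):
    """IPs for which probe 404s are the main activity (both thresholds are assumptions)."""
    return sorted(ip for ip, (p, t) in stats.items() if p >= min_probes and p / t >= min_ratio)

def htaccess_lines(ips):
    """Directives in the 'deny from' form used in the thread."""
    return [f"Deny from {ip}" for ip in ips]

if __name__ == "__main__":
    print("\n".join(htaccess_lines(ban_candidates(summarize(SAMPLE_LOG)))))
```

On the constructed sample only the address that sent nothing but probes is listed; the visitor with a missing image, the single-request address and the client that mostly fetched ordinary pages are left alone.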

mihai11 07-18-2007 06:39 PM

Quote:

Originally Posted by Attilitus (Post 1294872)
If you only have vb installed I would just remove all unnecessary files from your server and sit tight. Make sure you keep frequent backups like all responsible webmonkeys and you'll be fine.

You want to be careful when banning IPs indiscriminately because it is possible that those IPs just happened to stumble upon those directories while doing a completely benign web-crawl.

My VB install is already stripped naked. There is not a single hack on my box. I deleted the install folder. There are no other unnecessary files that I know of. Like I said, my setup only contains a clean VB - nothing else. Also, the admincp and modcp folders are secret. (I did not use the defaults.)

And yes, I am trying to be a good web monkey :) :) :) I do frequent backups :)

