
DF031 09-27-2013 01:58 PM

Dissecting server error log - text+captcha+decoded
 
Good evening all,

In the server logs of our forum we get hundreds of errors like these every hour

I edited the green text. I especially worry about the red stuff.

- - - - - - - - - - - - -
[Thu Sep 26 20:21:12 2013] [error] [client 192.187.125.187] File does not exist: /home/XXXXX/domains/XXXXXX.net/public_html/index.php+++++++++++++++++++++++++++++++Result:+text+captcha+decoded;+chosen+nickname+"acensebak";+registered+(registering+only+mode+is+ON);+Result:+chosen+nickname+"Woftododrurse";+registered+(registering+only+mode+is+ON);, referer: http://www.XXXXX.net/index.php+++++++++++++++++++++++++++++++Result:+text+captcha+decoded;+chosen+nickname+%22acensebak%22;+registered+%28registering+only+mode+is+ON%29;+Result:+chosen+nickname+%22Woftododrurse%22;+registered+%28registering+only+mode+is+ON%29;
- - - - - - - - - - - - - -

The names Woftododrurse and acensebak are not unique, they are used over and over again.

What is this? Should I worry? Should I stop it? How to stop it?

Does anyone have any additional info about this?

DF031 10-06-2013 12:00 PM

BUMP

I get hundreds of these a day.

Anyone else getting similar server errors?

Simon Lloyd 10-07-2013 09:01 AM

It appears to be an attempt to bypass the registration. The whole string is probably being entered automatically. If that IP address isn't yours, then block it!

DF031 10-07-2013 05:14 PM

Thanks Simon. But blocking the IP does not help. After a handful of server errors the IP changes.

snakes1100 10-07-2013 08:58 PM

nvrmind

ozzy47 10-07-2013 09:15 PM

You would need to monitor the IPs in the logs and see if there is a pattern, then block the IP range if necessary. Here is info on the IP in your OP.

General IP Information
IP: 192.187.125.187
Decimal: 3233512891
Hostname: 192.187.125.187
ISP: DataShack, LC
Organization: DataShack, LC
Services: Recently reported forum spam source. (344)
Type: Corporate
Assignment: Static IP

nhawk 10-07-2013 09:21 PM

Personally I'd ban 192.187.125.*

That IP range is all dedicated servers. So, either it's a bot or a proxy. Either way, no big loss if it's totally banned.

If you want to ban everything from Datashack in IP tables, the CIDR is 192.187.96.0/19

--------------- Added 10-07-2013 at 10:34 PM ---------------

I just noticed that the error is a 'File does not exist' error. So hard as they may try, the attempt is doing nothing other than taking up processor power from your site.

If it's a dedicated server, I'd install fail2ban and automatically ban the IP after 2 or 3 'File does not exist' errors.
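
The counting behind that suggestion, as an added example that is not part of the original thread and is not fail2ban's own code: it parses error-log lines in the format quoted in the first post and returns the client IPs that reach a threshold inside a time window. The function names, the thresholds (3 hits in 600 seconds) and the narrowing to paths that carry the `+Result:+` text are assumptions; the sample lines are constructed and use documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache 2.2 error_log line in the shape quoted in the first post.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>.*?)(?:, referer: (?P<referer>.*))?$")
MARKER = "+Result:+"  # text appended to index.php in the logged requests

def parse(line):
    """Return (timestamp, client_ip, path), or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("ip"), m.group("path")

def ips_to_ban(lines, maxretry=3, findtime=600, marker=MARKER):
    """IPs with at least maxretry marker hits inside findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> hit times still inside the window
    banned = []
    for line in lines:
        hit = parse(line)
        if hit is None or marker not in hit[2]:
            continue  # ordinary missing files (favicon.ico, ...) are not counted
        ts, ip, _ = hit
        recent[ip].append(ts)
        while ts - recent[ip][0] > window:
            recent[ip].popleft()
        if len(recent[ip]) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned

def _line(clock, ip, path):  # builds one constructed log line (assumed docroot)
    return (f"[Thu Sep 26 {clock} 2013] [error] [client {ip}] "
            f"File does not exist: /home/site/public_html/{path}")

BOT = 'index.php+++Result:+text+captcha+decoded;+chosen+nickname+"acensebak";'
# Constructed sample: documentation addresses, shortened request paths.
SAMPLE = (
    [_line(t, "192.0.2.10", BOT) for t in ("20:21:12", "20:21:20", "20:21:31")]
    + [_line(t, "192.0.2.20", BOT + ", referer: http://www.example.net/" + BOT)
       for t in ("20:22:00", "20:22:05")]
    + [_line(t, "198.51.100.7", "favicon.ico")
       for t in ("20:23:00", "20:23:01", "20:23:02")]
    + [_line(t, "192.0.2.30", BOT) for t in ("21:00:00", "21:20:00", "21:40:00")]
)
```

Passing `marker=""` counts every 'File does not exist' line, which on this sample also bans the visitor whose only errors are a missing favicon.ico.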

DF031 10-11-2013 10:32 PM

Thanks for all the info guys!

Quote:

Personally I'd ban 192.187.125.*

I am not sure that is enough. Been tracking for 2 hrs now and besides many hits from China I got these from Datashack. Used http://www.infosniper.net/ to check.

192.187.108.114
192.187.108.242
192.187.110.138
192.187.110.210
192.187.114.156
192.187.122.125
192.187.125.60
192.187.125.195

Quote:

If you want to ban everything from Datashack in IP tables, the CIDR is 192.187.96.0/19

How do I read the /? What does it mean?

Would that range include the above mentioned IPs ?
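
The two questions in the post above, what the "/" means and whether the /19 includes the listed addresses, worked through as an added example that is not part of the original thread. The function names are illustrative, and `192.187.125.0/24` is used as the CIDR form of the `192.187.125.*` wildcard.

```python
import ipaddress

def to_int(ip):
    """Dotted quad -> 32-bit integer (the 'Decimal' value in the IP lookup)."""
    return int.from_bytes(bytes(int(part) for part in ip.split(".")), "big")

def in_cidr(ip, cidr):
    """Membership test written out by hand to show what the /N means."""
    base, bits = cidr.split("/")
    # /N fixes the first N of the 32 address bits; the other 32-N bits vary.
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return (to_int(ip) & mask) == (to_int(base) & mask)

def describe(cidr):
    """(first address, last address, number of addresses) for a block."""
    net = ipaddress.ip_network(cidr)
    return str(net[0]), str(net[-1]), net.num_addresses

# Addresses quoted in the thread: the one from the first post, then the
# eight that DF031 listed.
SEEN = [
    "192.187.125.187",
    "192.187.108.114", "192.187.108.242", "192.187.110.138", "192.187.110.210",
    "192.187.114.156", "192.187.122.125", "192.187.125.60", "192.187.125.195",
]

def coverage(cidr, ips=SEEN):
    """Which of the observed addresses a ban on `cidr` would catch."""
    return [ip for ip in ips if in_cidr(ip, cidr)]

if __name__ == "__main__":
    for cidr in ("192.187.125.0/24", "192.187.96.0/19"):
        first, last, size = describe(cidr)
        hits = coverage(cidr)
        print(f"{cidr}: {first} - {last} ({size} addresses), "
              f"covers {len(hits)} of {len(SEEN)} observed")
```

The /19 spans 192.187.96.0 through 192.187.127.255 and contains every address listed in the thread, while the 192.187.125.* ban catches only the three addresses in 192.187.125.x.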


All times are GMT.
