  #1  
Old 07-18-2007, 05:03 PM
mihai11 mihai11 is offline
 
Join Date: Dec 2005
Location: Sibiu - Romania
Posts: 199
Look what I found on my logs today

This is the list of not found pages: (errors of type 404)


Quote:
/impex/ImpExData.php
/showthread.php%3Ft%3D270
/sumthin
/showthread.php%3Ft%3D27
/_vti_inf.html
/vbgsitemap/vbgsitemap-config.php
/_vti_bin/shtml.exe/_vti_rpc
//addpost_newpoll.php
//components/com_performs/performs.php
/clientscript/Mozilla/
//header.php
/chat3//chat/messagesL.php
/mmtixsln.html
/horde-3.0.5//README
///bb_usage_stats/include/bb_usage_stats.php
//README
/mails//README
/chat//chat/messagesL.php
/php/phpmychat//chat/messagesL.php
/mail//README
/lbtrivtj.html
/%20http:/www.360romania.eu/sendmessage.php
/phpMyChat-0.14.5//chat/messagesL.php
/_vti_bin/owssvr.dll
/chats//chat/messagesL.php
/clientscript/console.log('
/chat2//chat/messagesL.php
/clientscript/application/x-www-form-urlencoded
/chat1//chat/messagesL.php
/chatroom//chat/messagesL.php
/oghviqhjousdsta.html
/other-images/july-2007/shark-kayak.jpg
/newmail//README
/cacti/include/config.php
/horde-3.0.8//README
/forum//chat/messagesL.php3
/phpchat//chat/messagesL.php3
/horde3//README
//administrator/components/com_remository/admin.remository.php
/clientscript/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
/MSOffice/cltreq.asp
/PhpMyChat//chat/messagesL.php
/webmail//README
/kdblxtjxtpvfj.html
/phpMyChat-0.14.2//chat/messagesL.php
/forums//chat/messagesL.php
/community//chat/messagesL.php
//impex/ImpExData.php
/gyxmompskjpovmyu.html
/horde-3.0.9//README
/clientscript/misc.php
/xekizokf.html
/clientscript/help.php
/clientscript/DXImageTransform.Microsoft.alpha
/clientscript/forumdisplay.php
/mailz//README
/sumthin/
/phpMyChat//chat/messagesL.php
/other-images/calin-popa/calin-luca-1.jpg
//bb_usage_stats/include/bb_usage_stats.php
/other-images/imagini-anti-fumat/anti-fumat01.png
/horde-3.0.7//README
/email//README

Somebody worked very hard to break my box. I am thinking of banning their IP address, but I am not sure how to do that. From the .htaccess file, right?

What else can I do to stop these people from attacking my server?



Regards,
Razvan M.
  #2  
Old 07-18-2007, 05:15 PM
EnIgMa1234 EnIgMa1234 is offline
 
Join Date: Mar 2006
Location: .:: Ireland ::.
Posts: 1,306

You can ban I.P from admincp -> vbulletin settings -> banning options
  #3  
Old 07-18-2007, 05:30 PM
Attilitus Attilitus is offline
 
Join Date: Mar 2005
Posts: 393

It would be better to ban them at the root level, not merely from vbulletin. Otherwise they could continue to break through your defences through non-vbulletin scripts on your server.

Check the activity of that IP and see if it was also browsing other pages. If those were the only (or the main) pages that it was visiting, ban it.
  #4  
Old 07-18-2007, 05:35 PM
mihai11 mihai11 is offline
 
Join Date: Dec 2005
Location: Sibiu - Romania
Posts: 199

Quote:
Originally Posted by Attilitus
It would be better to ban them at the root level, not merely from vbulletin. Otherwise they could continue to break through your defences through non-vbulletin scripts on your server.

Check the activity of that IP and see if it was also browsing other pages. If those were the only (or the main) pages that it was visiting, ban it.

How can I ban them at the "root" level?

I am on a VPS with Apache + FreeBSD. I don't have cPanel or stuff like that. To my knowledge, the way to ban IPs is to modify the .htaccess file. Is there any other way?

More info: on my box there is *only* VB without any hacks. My site is about politics and, frankly, I expected this kind of behavior from people that don't agree with some topics. In that case, is it enough to ban them from the VB control panel?

Update:
There are many IPs... as many as 20. These people are professionals.



Regards,
Razvan M.
  #5  
Old 07-18-2007, 06:00 PM
cheat-master30 cheat-master30 is offline
 
Join Date: Mar 2007
Location: Information Classified
Posts: 1,715

Quote:
Originally Posted by mihai11
How can I ban them at the "root" level?

I am on a VPS with Apache + FreeBSD. I don't have cPanel or stuff like that. To my knowledge, the way to ban IPs is to modify the .htaccess file. Is there any other way?

More info: on my box there is *only* VB without any hacks. My site is about politics and, frankly, I expected this kind of behavior from people that don't agree with some topics. In that case, is it enough to ban them from the VB control panel?

Update:
There are many IPs... as many as 20. These people are professionals.



Regards,
Razvan M.

I don't think blocking them with .htaccess is that difficult. Try something like:

Code:
deny from [their ip here]
in that .htaccess file.

Secondly, yes, it is a hacking attempt, but obviously not much of a good one, and a bit strange that they never tried breaking into the install directory. Try blocking access from those directories in future (install directory and directory where you installed impex).
  #6  
Old 07-18-2007, 06:02 PM
mihai11 mihai11 is offline
 
Join Date: Dec 2005
Location: Sibiu - Romania
Posts: 199

There are 21 IP addresses from which they attacked my box. Take a look below:



What I mean by the above is this:

[IP address] = [no. of 404 errors]

To be clearer: how many requests they made from a given IP address.

I only counted requests that were looking for some known vulnerabilities - like the one in "ImpExData.php".

If you analyze the data closely, you can see that from most IPs there is only 1 request!?!?! Why? Were they anticipating a ban?

Quote:
Originally Posted by cheat-master30
I don't think blocking them with .htaccess is that difficult. Try something like:

Code:
deny from [their ip here]
in that .htaccess file.

Secondly, yes, it is a hacking attempt, but obviously not much of a good one, and a bit strange that they never tried breaking into the install directory. Try blocking access from those directories in future (install directory and directory where you installed impex).

I don't have ImpEx on my board. I did not use it because my board started with VBulletin.

You are right about this: they were not looking for the "install" folder.
  #7  
Old 07-18-2007, 06:34 PM
Attilitus Attilitus is offline
 
Join Date: Mar 2005
Posts: 393

If you only have vb installed I would just remove all unnecessary files from your server and sit tight. Make sure you keep frequent backups like all responsible webmonkeys and you'll be fine.

You want to be careful when banning IPs indiscriminately because it is possible that those IPs just happened to stumble upon those directories while doing a completely benign web-crawl.
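The check suggested in posts #3 and #7 (ban an IP only if probe paths were the only or main pages it requested), as an added example that is not part of the original thread. It assumes Apache common log format; the log lines and IPs are constructed, the marker list is taken from the 404 paths in post #1, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Apache common log format: client IP, request path, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

# Path fragments from the 404 list in post #1 (software not installed on the box).
PROBE_MARKERS = ("impex/", "messagesl.php", "_vti_", "bb_usage_stats",
                 "com_performs", "com_remository", "cacti/", "//readme")

# Constructed sample log with documentation-range IPs, not data from the thread.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Jul/2007:10:00:01 +0000] "GET /impex/ImpExData.php HTTP/1.1" 404 210
203.0.113.10 - - [18/Jul/2007:10:00:02 +0000] "GET /phpMyChat//chat/messagesL.php HTTP/1.1" 404 210
203.0.113.10 - - [18/Jul/2007:10:00:03 +0000] "GET /horde3//README HTTP/1.1" 404 210
198.51.100.20 - - [18/Jul/2007:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.20 - - [18/Jul/2007:10:05:04 +0000] "GET /showthread.php?t=27 HTTP/1.1" 200 9300
198.51.100.20 - - [18/Jul/2007:10:05:09 +0000] "GET /_vti_inf.html HTTP/1.1" 404 210
192.0.2.30 - - [18/Jul/2007:10:07:00 +0000] "GET /forumdisplay.php?f=2 HTTP/1.1" 200 7400
192.0.2.30 - - [18/Jul/2007:10:07:05 +0000] "GET /other-images/missing.jpg HTTP/1.1" 404 210
192.0.2.44 - - [18/Jul/2007:10:09:00 +0000] "GET /cacti/include/config.php HTTP/1.1" 404 210
"""

def is_probe(path, status):
    """A 404 on a path that belongs to software this site never had."""
    p = path.lower()
    return status == 404 and any(marker in p for marker in PROBE_MARKERS)

def summarize(log_text):
    """Return {ip: (total_requests, probe_404s)} for every parsable line."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:  # malformed lines are skipped
            ip, path, status = m.group(1), m.group(2), int(m.group(3))
            stats[ip][0] += 1
            stats[ip][1] += int(is_probe(path, status))
    return {ip: tuple(counts) for ip, counts in stats.items()}

def ban_candidates(stats, min_probes=1, min_ratio=0.5):
    """IPs whose requests were only or mainly probes (thresholds are assumptions)."""
    return sorted(ip for ip, (total, probes) in stats.items()
                  if probes >= min_probes and probes / total >= min_ratio)

def htaccess_lines(ips):
    """Render the directive from post #5 for each flagged IP."""
    return ["deny from " + ip for ip in ips]

if __name__ == "__main__":
    print("\n".join(htaccess_lines(ban_candidates(summarize(SAMPLE_LOG)))))
```

The crawler-like client with one stray 404 among normal page views is left alone, while the client that sent a single probe and nothing else is flagged only at the default `min_probes=1`; raising it to 2 trades away those one-request sources.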
  #8  
Old 07-18-2007, 06:39 PM
mihai11 mihai11 is offline
 
Join Date: Dec 2005
Location: Sibiu - Romania
Posts: 199

Quote:
Originally Posted by Attilitus
If you only have vb installed I would just remove all unnecessary files from your server and sit tight. Make sure you keep frequent backups like all responsible webmonkeys and you'll be fine.

You want to be careful when banning IPs indiscriminately because it is possible that those IPs just happened to stumble upon those directories while doing a completely benign web-crawl.

My VB install is already strip-naked. There is not a single hack on my box. I deleted the install folder. There are not any other unnecessary files that I know of. Like I said, my setup only contains a clean VB - nothing else. Also, the admincp and modcp folders are secret. (I did not use the defaults.)

And yes, I am trying to be a good web monkey. I do frequent backups.