#1
03-03-2008, 01:30 PM
NeuroLancer
Join Date: Feb 2008
Location: Australia
Posts: 143
We were 'Probed'

I don't know what else to call it, someone or something in Hong Kong just visited many many times as 100 guests on my site all in the space of 2 minutes, kinda like they were sniffing around looking for a way in (where they should not be)......

Database has just been backed up.

It sticks out because I know when a spider comes along, it has a specific behaviour... it doesn't just hit everything all at once, it moves around page to page one at a time... This thing, whatever it was, was very different.

My site is in development and does not quite get this many non-spider hits in a day, let alone 2 minutes. Can anyone tell me if this is expected or unexpected behaviour for a very small forum to have in the usual day to day operations?
Attached Images
File Type: jpg what the.jpg (41.0 KB, 0 views)

#2
03-03-2008, 01:32 PM
snakes1100
Join Date: Dec 2001
Location: Michigan
Posts: 3,733

It's hard to say exactly what they were doing or if it was even a spider, you need to dig up info on the IP for that hostname in the pic.

I would start by banning them in the admincp and using a host deny in a htaccess file as well in your public_html dir.

#3
03-03-2008, 01:42 PM
NeuroLancer
Join Date: Feb 2008
Location: Australia
Posts: 143

Quote:
Originally Posted by snakes1100
It's hard to say exactly what they were doing or if it was even a spider, you need to dig up info on the IP for that hostname in the pic.

I would start by banning them in the admincp and using a host deny in a htaccess file as well in your public_html dir.

Thanks for the advice.

I had banned them in admincp but didn't think of htaccess, I've now added the range to htaccess as well whilst I look into it further.

#4
03-03-2008, 01:52 PM
illithid
Join Date: Sep 2007
Posts: 22

I have to agree with Snakes in regards to banning all the IP addresses used during that "Probe". The reason I say that is because, at first glance, it looks to me like a "brute force attack". A method of hacking to crack passwords, etc. Generally this only occurs at the login script, but can occur at other areas of the page. Perhaps they are trying to exploit a weakness somewhere. Hard to say though.

Definitely ban those IPs.

#5
03-03-2008, 01:58 PM
NeuroLancer
Join Date: Feb 2008
Location: Australia
Posts: 143

Quote:
Originally Posted by illithid
Definitely ban those IPs.

Done

As far as I can tell, it's just a miscellaneous range, not a spider. It was weird because the IP was slightly different each time, thus becoming 100 guests.

And also, I just discovered the following:

Quote:
Called with DO = 'a Russian URL I've removed (because when I went there Kaspersky found malware)'

The site was a Chinese site written in English and hosted in Russia... it was weird.

They will stay banned for good.
Reply With Quote
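
A way to check an access log for the pattern described in this thread (many slightly different guest IPs from one range inside two minutes, unlike a crawler working from one address), as an added example that is not part of any post. The log lines are constructed, and the /24 grouping, the threshold of 20 addresses and all function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Client address and timestamp from an Apache common/combined log line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')

def parse(lines):
    """Yield (timestamp, ip) for each usable line; skip everything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            ip_address(m.group(1))
        except ValueError:
            continue  # a hostname was logged instead of an address
        yield datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"), m.group(1)

def find_bursts(lines, window_seconds=120, min_ips=20, prefix=24):
    """Map subnet -> peak count of distinct client IPs inside one sliding
    window, for subnets whose peak reaches min_ips (assumed threshold)."""
    by_net = defaultdict(list)
    for ts, ip in parse(lines):
        by_net[str(ip_network(f"{ip}/{prefix}", strict=False))].append((ts, ip))
    window, flagged = timedelta(seconds=window_seconds), {}
    for net, hits in by_net.items():
        hits.sort()
        start = peak = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # drop hits that fell out of the window
            peak = max(peak, len({ip for _, ip in hits[start:end + 1]}))
        if peak >= min_ips:
            flagged[net] = peak
    return flagged

def sample_log():
    """Constructed log: 100 neighbouring guest IPs in 100 s, plus one crawler."""
    base = datetime(2008, 3, 3, 13, 28, tzinfo=timezone.utc)
    rows = [(base + timedelta(seconds=i), f"203.0.113.{i + 1}", f"/showthread.php?t={i}")
            for i in range(100)]
    rows += [(base + timedelta(seconds=30 * i), "198.51.100.7", f"/forumdisplay.php?f={i}")
             for i in range(10)]
    line = '{} - - [{}] "GET {} HTTP/1.1" 200 512 "-" "Mozilla/4.0"'
    return [line.format(ip, ts.strftime("%d/%b/%Y:%H:%M:%S %z"), path)
            for ts, ip, path in sorted(rows)]

if __name__ == "__main__":
    for net, peak in find_bursts(sample_log()).items():
        print(f"{net}: {peak} distinct guest IPs within 2 minutes")
```

A flagged subnet is a candidate for a closer look (whois, reverse DNS, user agents) before it goes into a ban list or an htaccess deny rule.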

#6
03-03-2008, 02:53 PM
Boofo
Join Date: Mar 2002
Location: Des Moines, IA (USA)
Posts: 15,776

Quote:
Originally Posted by NeuroLancer
I don't know what else to call it, someone or something in Hong Kong just visited many many times as 100 guests on my site all in the space of 2 minutes, kinda like they were sniffing around looking for a way in (where they should not be)......

Database has just been backed up.

It sticks out because I know when a spider comes along, it has a specific behaviour... it doesn't just hit everything all at once, it moves around page to page one at a time... This thing, whatever it was, was very different.

My site is in development and does not quite get this many non-spider hits in a day, let alone 2 minutes. Can anyone tell me if this is expected or unexpected behaviour for a very small forum to have in the usual day to day operations?

Next time you notice something like that, go to the Who's Online page and do an IDENT display. (User Agent in the drop down box). Set it to yes, and display. The IDENTs will tell you if they are Spiders.

What happened to you could very well have been Spiders. I have that happen quite often. Not 100, but quite a few from the same place hitting all at the same time.

#7
03-03-2008, 09:31 PM
DivisionByZero
Join Date: Dec 2002
Location: South Bend, Indiana
Posts: 485

If you really wanna filter the bulls**t, the best thing you can do is block ENTIRE Chinese and Australian IP space. You can find the latest IP blocks for any given country here:

http://www.apnic.net/apnic-bin/ipv4-....pl?country=cn
http://www.apnic.net/apnic-bin/ipv4-....pl?country=au

Simply add these blocks to your iptables rules and I GUARANTEE this will eliminate 99.9999% of the spam and foreign attacks. I do this as a rule. I have NO REASON to do business with anyone in China or Australia.

A more interactive way to achieve this is to install the GeoIP module for Apache. It looks up every hostname/IP in the GeoIP table and determines the country. You can then set rules based on visitor country.

#8
03-03-2008, 10:52 PM
NeuroLancer
Join Date: Feb 2008
Location: Australia
Posts: 143

Quote:
Originally Posted by Boofo
Next time you notice something like that, go to the Who's Online page and do an IDENT display. (User Agent in the drop down box). Set it to yes, and display. The IDENTs will tell you if they are Spiders.

Thanks Boofo, I did do that, they resolved as what appears to be a standard internet user.

Quote:
Originally Posted by MisterPopularity
If you really wanna filter the bulls**t, the best thing you can do is block ENTIRE Chinese and Australian IP space.

LOL, pineapples will grow in space before I filter my own country (Australia) but I appreciate the advice.

#9
03-03-2008, 10:57 PM
Boofo
Join Date: Mar 2002
Location: Des Moines, IA (USA)
Posts: 15,776

The IDENT string can be tricky to read on some spiders. One spider that will always show as a guest is the Accoona spider. Its IDENT string shows as a normal user yet when you resolve the IP it shows up as a spider clear as day. So don't always go by that, just as a general rule.