The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
We were 'Probed'
I don't know what else to call it; someone or something in Hong Kong just visited many, many times as 100 guests on my site, all in the space of 2 minutes, kinda like they were sniffing around looking for a way in (where they should not be)...
Database has just been backed up. It sticks out because I know when a spider comes along, it has a specific behaviour... it doesn't just hit everything all at once, it moves around page to page one at a time... This thing, whatever it was, was very different. My site is in development and does not quite get this many non-spider hits in a day, let alone 2 minutes. Can anyone tell me if this is expected or unexpected behaviour for a very small forum to have in the usual day-to-day operations?
#2
It's hard to say exactly what they were doing or if it was even a spider; you need to dig up info on the IP for that hostname in the pic.
I would start by banning them in the admincp and using a host deny in a htaccess file as well in your public_html dir.
#3
Quote:
I had banned them in admincp but didn't think of htaccess; I've now added the range to htaccess as well whilst I look into it further.
#4
I have to agree with Snakes in regards to banning all the IP addresses used during that "Probe". The reason I say that is because, at first glance, it looks to me like a "brute force attack". A method of hacking to crack passwords, etc. Generally this only occurs at the login script, but can occur at other areas of the page. Perhaps they are trying to exploit a weakness somewhere. Hard to say though.
Definitely ban those IPs.
#5
Done
As far as I can tell, it's just a miscellaneous range, not a spider. It was weird because the IP was slightly different each time, thus becoming 100 guests. And also, I just discovered the following: Quote:
They will stay banned for good.
#6
Quote:
Next time you notice something like that, go to the Who's Online page and do an IDENT display. (User Agent in the drop down box). Set it to yes, and display. The IDENTs will tell you if they are Spiders. What happened to you could very well have been Spiders. I have that happen quite often. Not 100, but quite a few from the same place hitting all at the same time.
#7
If you really wanna filter the bulls**t, the best thing you can do is block ENTIRE Chinese and Australian IP space. You can find the latest IP blocks for any given country here:
http://www.apnic.net/apnic-bin/ipv4-....pl?country=cn
http://www.apnic.net/apnic-bin/ipv4-....pl?country=au
Simply add these blocks to your IPtables rules and I GUARANTEE this will eliminate 99.9999% of the spam and foreign attacks. I do this as a rule. I have NO REASON to do business with anyone in China or Australia. A more interactive way to achieve this is to install the GeoIP module for Apache. It looks up every hostname/IP in the GeoIP table and determines the country. You can then set rules based on visitor country.
#8
Quote:
LOL, pineapples will grow in space before I filter my own country (Australia) but I appreciate the advice.
#9
The IDENT string can be tricky to read on some spiders. One spider that will always show as a guest is the Accoona spider. Its IDENT string shows as a normal user, yet when you resolve the IP it shows up as a spider clear as day. So don't always go by that, just as a general rule.
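
The pattern described in posts #1 and #5 (about 100 guest hits from slightly different addresses in one range within 2 minutes, unlike a spider moving page to page), sketched as a check over a web server access log. This is an added example, not part of any post in the thread; it assumes Apache combined log format with IPv4 client addresses, and the thresholds, function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network

# Apache "combined" line: client IP, timestamp, request, status, size, referer, user agent.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "[^"]*"')

def parse(line):
    """Return (timestamp, ip) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"), m.group(1)

def find_bursts(lines, window=timedelta(minutes=2), min_hits=50, min_ips=20):
    """Map each IPv4 /24 to (hits, distinct IPs) for its busiest window over both thresholds."""
    by_net = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_net[ip_network(f"{rec[1]}/24", strict=False)].append(rec)
    flagged = {}
    for net, hits in by_net.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window start forward
            span = hits[start:end + 1]
            ips = {ip for _, ip in span}
            if len(span) >= min_hits and len(ips) >= min_ips:
                if len(span) > flagged.get(net, (0, 0))[0]:
                    flagged[net] = (len(span), len(ips))
    return flagged

def sample_lines():
    """Constructed log: a 100-address burst plus one slow, single-address crawler."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    stamp = lambda s: (t0 + timedelta(seconds=s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    burst = [fmt.format(ip=f"203.0.113.{i + 1}", ts=stamp(i), path=f"/showthread.php?t={i}",
                        ua="Mozilla/5.0") for i in range(100)]
    crawler = [fmt.format(ip="198.51.100.7", ts=stamp(30 * i), path=f"/forumdisplay.php?f={i}",
                          ua="ExampleBot/1.0") for i in range(10)]
    return burst + crawler + ["malformed line"]

if __name__ == "__main__":
    for net, (hits, ips) in find_bursts(sample_lines()).items():
        print(f"{net}: {hits} hits from {ips} addresses within 2 minutes")
```

Grouping by range rather than by single address is what catches the "slightly different IP each time" case; as post #9 notes, the user agent alone is not reliable, so resolve a flagged range before deciding whether it is a spider.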