The Arcive of Official vBulletin Modifications Site.

MrDJ · #1 06-15-2011, 07:47 PM

ive just noticed on my site a increased amount of unregistered users online over 200+ my site is closed to public and it shows in the who's online part over 200+ visitors/unregistered is this a fault in vb or a virus or what ive not had a problem with v4.1.3 untill this today ??

is there a way to stop this or how to fix it ? any help would be great .

thanks

Videx · #2 06-17-2011, 12:40 AM

I've seen these "guest attacks" too - sometimes 500-600 of them on a forum with rarely 35 concurrent users. AFAIK nobody has figured out what's causing it. Maybe some errant bot software.

tareqbd · #3 06-17-2011, 01:13 PM

Go to Cpanel immediately after site is back to normal. Check the Latest visitors IP ranges and bytes usage. Figure out the IP location. If you can see most of the IPs are from same country. Block that country ranges. I hope it will work fine.

Videx · #4 06-17-2011, 03:42 PM

Yes, by all means if it's that easy then do that. In our case, the guests were from all over - there was no pattern at all to their IP numbers. And they were all doing different things on the forum.

MrDJ · #5 06-18-2011, 08:51 AM

Videx thats the same as i had on mine they was logged in a different times seperate ip's and was viewing diff things on the site so it seemed ..

morgano · #6 06-18-2011, 08:30 PM

I've had this bot crawl also, every bot appears to be viewing an attachment. I guess it's a bot net trying to exploit forums via attachments. I guess it crawls the net. The largest number I had was 200, it starts high and dies off after an hour or so. It takes around 24 hours for the entire botnet to clear the server. I've had the same botnet appear back on the forum multiple times in smaller numbers. Everytime they were doing to the same activity of viewing attachments. Fortunately I haven't seen them for a few weeks and they never disrupted my server whilst they visited.

If your interested all the IPs were dynamic "dynamic.saudi.net" with alternating IP addresses once resolved. Nothing much I could do but ignore them at the time.

final kaoss · #7 06-19-2011, 02:44 PM

Put in htaccess

Code:

<Limit GET HEAD POST>
order allow,deny
# Country: SAUDI ARABIA
# ISO Code: SA
# Total Networks: 208
# Total Subnets:  4,215,040
deny from 2.88.0.0/14
deny from 31.24.224.0/21
deny from 31.166.0.0/15
deny from 46.18.160.0/21
deny from 46.29.80.0/21
deny from 46.38.64.0/19
deny from 46.44.64.0/18
deny from 46.52.0.0/17
deny from 46.151.208.0/21
deny from 46.152.0.0/15
deny from 46.184.0.0/17
deny from 46.230.0.0/17
deny from 46.235.88.0/21
deny from 46.240.0.0/17
deny from 46.251.128.0/19
deny from 62.3.0.0/19
deny from 62.3.32.0/19
deny from 62.120.0.0/16
deny from 62.149.64.0/18
deny from 77.30.0.0/15
deny from 77.64.0.0/17
deny from 77.73.192.0/21
deny from 77.95.216.0/21
deny from 77.221.96.0/19
deny from 77.232.96.0/19
deny from 77.240.80.0/20
deny from 77.240.128.0/20
deny from 78.93.0.0/16
deny from 78.110.0.0/20
deny from 78.138.192.0/18
deny from 79.98.184.0/21
deny from 79.170.0.0/21
deny from 79.170.48.0/21
deny from 79.172.128.0/18
deny from 80.74.80.0/20
deny from 80.240.64.0/20
deny from 81.16.208.0/20
deny from 81.21.48.0/20
deny from 82.118.160.0/19
deny from 82.147.192.0/19
deny from 82.167.0.0/16
deny from 82.205.128.0/17
deny from 83.101.128.0/17
deny from 84.22.224.0/19
deny from 84.23.96.0/19
deny from 84.235.0.0/17
deny from 85.129.128.0/17
deny from 85.194.64.0/18
deny from 85.208.0.0/15
deny from 85.237.128.0/19
deny from 86.51.0.0/16
deny from 86.60.0.0/17
deny from 86.111.192.0/21
deny from 87.101.128.0/17
deny from 87.109.0.0/16
deny from 87.230.128.0/17
deny from 88.81.0.0/19
deny from 88.84.96.0/19
deny from 88.85.224.0/19
deny from 88.213.0.0/18
deny from 88.213.64.0/18
deny from 89.4.0.0/15
deny from 89.108.0.0/18
deny from 89.144.64.0/18
deny from 89.147.0.0/18
deny from 89.188.64.0/19
deny from 89.189.224.0/19
deny from 89.237.128.0/18
deny from 90.148.0.0/16
deny from 91.102.16.0/21
deny from 91.147.128.0/18
deny from 91.151.160.0/20
deny from 91.195.88.0/23
deny from 91.197.200.0/22
deny from 91.198.62.0/24
deny from 91.198.102.0/24
deny from 91.198.251.0/24
deny from 91.199.107.0/24
deny from 91.199.187.0/24
deny from 91.206.134.0/23
deny from 91.207.12.0/23
deny from 91.208.4.0/24
deny from 91.208.128.0/24
deny from 91.208.156.0/24
deny from 91.209.215.0/24
deny from 91.209.253.0/24
deny from 91.212.67.0/24
deny from 91.213.18.0/24
deny from 91.213.205.0/24
deny from 91.213.213.0/24
deny from 91.221.22.0/23
deny from 91.221.184.0/23
deny from 91.221.202.0/23
deny from 91.222.200.0/22
deny from 91.223.210.0/24
deny from 91.227.22.0/24
deny from 91.227.24.0/23
deny from 91.229.32.0/23
deny from 92.43.168.0/21
deny from 92.48.0.0/18
deny from 93.98.0.0/16
deny from 93.178.0.0/18
deny from 93.189.96.0/21
deny from 93.189.192.0/21
deny from 94.77.192.0/18
deny from 94.96.0.0/14
deny from 94.143.224.0/21
deny from 95.129.8.0/21
deny from 109.82.0.0/15
deny from 109.171.128.0/17
deny from 176.16.0.0/14
deny from 176.44.0.0/15
deny from 178.20.144.0/21
deny from 178.73.64.0/18
deny from 178.248.112.0/21
deny from 188.48.0.0/13
deny from 188.95.160.0/21
deny from 188.117.64.0/18
deny from 188.119.64.0/18
deny from 188.132.0.0/17
deny from 188.139.0.0/17
deny from 188.248.0.0/15
deny from 192.162.72.0/22
deny from 193.8.250.0/24
deny from 193.19.90.0/23
deny from 193.22.249.0/24
deny from 193.23.180.0/24
deny from 193.27.7.0/24
deny from 193.28.9.0/24
deny from 193.28.10.0/24
deny from 193.28.94.0/24
deny from 193.29.50.0/24
deny from 193.37.143.0/24
deny from 193.42.215.0/24
deny from 193.42.220.0/24
deny from 193.47.102.0/24
deny from 193.104.204.0/24
deny from 193.105.89.0/24
deny from 193.109.218.0/24
deny from 193.142.222.0/24
deny from 193.169.190.0/23
deny from 193.200.247.0/24
deny from 193.227.127.0/24
deny from 194.0.15.0/24
deny from 194.36.164.0/24
deny from 194.50.35.0/24
deny from 194.110.72.0/24
deny from 194.126.231.0/24
deny from 195.10.197.0/24
deny from 195.14.19.0/24
deny from 195.34.68.0/23
deny from 195.43.137.0/24
deny from 195.47.234.0/24
deny from 195.66.100.0/24
deny from 195.66.128.0/23
deny from 195.85.224.0/24
deny from 195.88.244.0/23
deny from 195.114.106.0/23
deny from 195.128.131.0/24
deny from 195.130.206.0/24
deny from 195.149.65.0/24
deny from 195.149.91.0/24
deny from 195.170.180.0/24
deny from 195.177.194.0/23
deny from 195.182.31.0/24
deny from 195.189.212.0/23
deny from 195.191.6.0/23
deny from 195.242.177.0/24
deny from 195.242.188.0/24
deny from 195.242.196.0/22
deny from 195.246.104.0/23
deny from 212.11.160.0/19
deny from 212.12.160.0/19
deny from 212.24.224.0/19
deny from 212.26.0.0/19
deny from 212.26.32.0/19
deny from 212.26.64.0/18
deny from 212.33.160.0/19
deny from 212.46.32.0/19
deny from 212.57.192.0/19
deny from 212.62.96.0/19
deny from 212.70.32.0/19
deny from 212.71.32.0/19
deny from 212.76.64.0/19
deny from 212.93.160.0/19
deny from 212.93.192.0/19
deny from 212.100.192.0/19
deny from 212.102.0.0/19
deny from 212.107.96.0/19
deny from 212.116.192.0/19
deny from 212.118.96.0/19
deny from 212.118.128.0/19
deny from 212.119.64.0/19
deny from 212.138.0.0/16
deny from 212.162.128.0/19
deny from 212.215.128.0/17
deny from 213.5.168.0/21
deny from 213.136.192.0/19
deny from 213.166.128.0/19
deny from 213.181.160.0/19
deny from 213.184.160.0/19
deny from 213.210.192.0/18
deny from 213.230.0.0/19
deny from 213.236.32.0/19
deny from 217.8.64.0/20
deny from 217.12.224.0/20
deny from 217.145.240.0/20
deny from 217.173.80.0/20
#
allow from all
</Limit>

Masked Crusader · #8 06-19-2011, 03:08 PM

Yeah I have been running into this as well. It never gets over 100-150 Guests though so I have to wonder if it is the same problem exactly.

Has anyone tried the .htaccess solution from the user above?

Thanks!

final kaoss · #9 06-19-2011, 03:12 PM

Can block any country like that with this site
http://www.countryipblocks.net/

Videx · #10 06-19-2011, 03:50 PM

Global forums can't block entire countries. And nobody wants to block dynamic 'pool' IPs which could be used by legitimate people tomorrow.

Ours is a local forum, so we've got entire swaths of the planet blocked - like most of Africa and the far east. But as I said, that's not effective against this latest phenomena which seem to come from all over. Oh and no, ours weren't all looking at attachments - they were all doing different things.

But I agree it seems to have slowed down because I haven't seen any of the really huge server-killing attacks for a couple months. Recently they seem to top out at 200 or so, which is still annoying because I have to reset the "most online" counter manually.

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.07048 seconds Memory Usage 2,252KB Queries Executed 13 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (1)bbcode_code (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (10)post_thanks_box (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (10)post_thanks_postbit_info (10)postbit (10)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!