The Arcive of Official vBulletin Modifications Site.

Dave · #11 07-05-2014, 06:58 AM

Quote:

Originally Posted by final kaoss

All someone has to do is get a dns check or a whois check to reveal the sites ip address. Doing a simple ping via the windows command console also reveals the site's ip. At this point you need to look into ddos protection services or get a stronger server and configure a firewall addon for it.

That's not completely true when using Cloudflare, they mask your server's IP address.
Unless, of course, you have DNS records active which still resolve to your server's IP address.

Dave · #12 07-05-2014, 03:06 PM

Quote:

Originally Posted by final kaoss

Watch, let me show you an example.

Yes, but if you resolve that IP address, it resolves to Cloudflare.
http://www.ip-adress.com/ip_tracer/108.162.199.26

MentaL · #13 08-14-2014, 11:16 AM

Use a third party server, like a cheap VPS to send your mail from and then just modify the mail headers of exim to hide the sender ip, that the only IP being shared is that of the vps and not the actual source server (vbulletin) that hosts the mail sending script.

Double up with this www.vbulletin.org/forum/showthread.php?t=313353

thetechgenius · #14 08-15-2014, 12:41 AM

If they are getting your Server IP through Email (Email Headers), why not buy an Email Subscription? Will that work? Because then the attacker will get the Email Service provider IP, correct? Or am I wrong?

If you want to get an Email Subscription, Namecheap's OX Private Mail service is really good. I only have my Domain and Email hosted with Namecheap, and they have a REALLY good Email Service. I have the second package, which costs me about $29 per year, and it comes with One Mail Box, I think 10 Alias's, 10GB Mail Storage, 10GB File Storage, Full Mobile Support, and the server runs on HTTPS/SSL. I use Namecheap's OX Private Mail for my vBulletin forum too, and its great, its a really great service.

RichieBoy67 · #15 08-15-2014, 12:49 AM

How do you know they are getting your ip from your email? That does not make much sense to me really.

final kaoss · #16 08-17-2014, 04:34 AM

A bit like this. Server ip and domain it was sent from is found.

Code:

Received: by 10.64.236.40 with SMTP id ur8csp270236iec;
        Sat, 16 Aug 2014 22:01:33 -0700 (PDT)
X-Received: by 10.236.129.3 with SMTP id g3mr42503511yhi.67.1408251693456;
        Sat, 16 Aug 2014 22:01:33 -0700 (PDT)
Return-Path: <bounce-md_30152195.53f036ff.v1-4a68e3a9c92a4da1abcc77bffb4b1933@mandrillapp.com>
Received: from cloudmail.curse.com (cloudmail.curse.com. [205.201.137.179])
        by mx.google.com with ESMTPS id k26si17311804yhh.188.2014.08.16.22.01.33

CAG CheechDogg · #17 08-17-2014, 04:50 AM

Why do you even think you are getting DDoS attacked?

I have worked on a lot of peoples websites and forums who thought they were getting DDoS attacked and it was never the case. In almost every situation at least that I have dealt with, it was simply bots hitting your website and causing server overloads.

I had this happen on my forums about a year ago maybe and I used Ban Spiders by User Agent along with a few htacces goodies and some ip range blocks to stop bots from terrorizing my forums.

This is more likely what you have and not a DDoS attack. If you were actually getting DDoS attacked and if you are on a shared server, your host would quickly look into it and do something about it because it not only affects your website but a whole lot others as well.

If you want I can take a look for you if that is the case, I would of course need an admin account and access to your cPanel to monitor what is going on throughout the day. Send me a private message if you still need help.

RichieBoy67 · #18 08-17-2014, 12:43 PM

Quote:

Originally Posted by final kaoss

A bit like this. Server ip and domain it was sent from is found.

Code:

Received: by 10.64.236.40 with SMTP id ur8csp270236iec;
        Sat, 16 Aug 2014 22:01:33 -0700 (PDT)
X-Received: by 10.236.129.3 with SMTP id g3mr42503511yhi.67.1408251693456;
        Sat, 16 Aug 2014 22:01:33 -0700 (PDT)
Return-Path: <bounce-md_30152195.53f036ff.v1-4a68e3a9c92a4da1abcc77bffb4b1933@mandrillapp.com>
Received: from cloudmail.curse.com (cloudmail.curse.com. [205.201.137.179])
        by mx.google.com with ESMTPS id k26si17311804yhh.188.2014.08.16.22.01.33

I obviously know the sending server ip can be found in the mail header. My question was not how it is done but how do you know it is being done? It seems a very unlikely way for a site to be attacked.

My first question still stands as well. What does the security log show that represents a ddos attack and what ports are being targeted? My servers and most if not all others are probed hundreds if not thousands of times daily. These do not represent attacks and I am curious if that is what is happening here. And how is email being tied to this? What is the evidence of it?

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.07928 seconds Memory Usage 2,247KB Queries Executed 11 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (2)bbcode_code (3)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (1)pagenav (1)pagenav_curpage (1)pagenav_pagelink (8)post_thanks_box (4)post_thanks_box_bit (8)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (2)post_thanks_postbit (8)post_thanks_postbit_info (8)postbit (8)postbit_onlinestatus (8)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start fetch_musername post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start post_thanks_function_fetch_thanks_bit_start post_thanks_function_show_thanks_date_start post_thanks_function_show_thanks_date_end post_thanks_function_fetch_thanks_bit_end post_thanks_function_fetch_post_thanks_template_start post_thanks_function_fetch_post_thanks_template_end pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

2 благодарности(ей) от:
Max Taxable, RichieBoy67

2 благодарности(ей) от:
CAG CheechDogg, Max Taxable

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!