The Arcive of Official vBulletin Modifications Site.

DF031 · #1 09-27-2013, 01:58 PM

Good evening all,

In the server logs of our forum we get hundreds of errors like these every hour

I edited the green text and. I especially worry about the red stuff

- - - - - - - - - - - - -
[Thu Sep 26 20:21:12 2013] [error] [client 192.187.125.187] File does not exist: /home/XXXXX/domains/XXXXXX.net/public_html/index.php+++++++++++++++++++++++++++++++Result:+te xt+captcha+decoded;+chosen+nickname+"acensebak";+registered+(registering+only+mode+is+ON);+Result:+chosen+nickname+"Woftod odrurse";+registered+(registering+only+mode+is+ON);, referer: http://www.XXXXX.net/index.php+++++++++++++++++++++++++++++++Result:+te xt+captcha+decoded;+chosen+nickname+%22acensebak%22;+registered+%28registering+only+mode+is+ON%29;+Result:+chosen+nickname+%22Wo ftododrurse%22;+registered+%28registering+only+mode+is+ON%29;
- - - - - - - - - - - - - -

The names Woftododrurse and acensebak are not unique, they are used over and over again.

What is this ? Should I worry ? Should I stop it ? How to stop it ?

Does anyone have any additional about ths ?

DF031 · #2 10-06-2013, 12:00 PM

BUMP

I get hundreds of these a day.

Anyone else getting similair server errors ?

Simon Lloyd · #3 10-07-2013, 09:01 AM

It appears to be an attempt to bypass the registration, the whole string is probably being enetered automatically if that ip address isn't your's then block it!

DF031 · #4 10-07-2013, 05:14 PM

Thanks Simon. But blocking the IP does not help. After a handful server errors the IP changes.

snakes1100 · #5 10-07-2013, 08:58 PM

nvrmind

ozzy47 · #6 10-07-2013, 09:15 PM

You would need to monitor the IP's in the logs and see if there is a pattern, then block the IP range if necessary. Here is info on the ip in your OP.

General IP Information
IP: 192.187.125.187
Decimal: 3233512891
Hostname: 192.187.125.187
ISP: DataShack, LC
Organization: DataShack, LC
Services: Recently reported forum spam source. (344)
Type: Corporate
Assignment: Static IP

nhawk · #7 10-07-2013, 09:21 PM

Personally I'd ban 192.187.125.*

That IP range is all dedicated servers. So, either it's a bot or a proxy. Either way, no big loss if it's totally banned.

If you want to ban everything from Datashack in IP tables, the CIDR is 192.187.96.0/19

--------------- Added [DATE]1381185254[/DATE] at [TIME]1381185254[/TIME] ---------------

I just noticed that the error is a 'File does not exist' error. So hard as they may try, the attempt is doing nothing other than taking up processor power from your site.

If it's a dedicated server, I'd install fail2ban and automatically ban the IP after 2 or 3 'File does not exist' errors.

DF031 · #8 10-11-2013, 10:32 PM

Thanks for ll the info guys !

Quote:

Personally I'd ban 192.187.125.*

I am not sure that is enough. Been tracking for 2 hrs now and besides many hits from China I got these from Datashack. Used http://www.infosniper.net/ to check.

192.187.108.114
192.187.108.242
192.187.110.138
192.187.110.210
192.187.114.156
192.187.122.125
192.187.125.60
192.187.125.195

Quote:

If you want to ban everything from Datashack in IP tables, the CIDR is 192.187.96.0/19

How do I read the / ? What does it mean ?

Would that range include the above mentioned IPs ?

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.04893 seconds Memory Usage 2,236KB Queries Executed 11 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (2)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (8)post_thanks_box (3)post_thanks_box_bit (8)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (2)post_thanks_postbit (8)post_thanks_postbit_info (8)postbit (8)postbit_onlinestatus (8)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start fetch_musername post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start post_thanks_function_fetch_thanks_bit_start post_thanks_function_show_thanks_date_start post_thanks_function_show_thanks_date_end post_thanks_function_fetch_thanks_bit_end post_thanks_function_fetch_post_thanks_template_start post_thanks_function_fetch_post_thanks_template_end tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

2 благодарности(ей) от:
Max Taxable, tbworld

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!