Welcome to Geeklog Monday, May 16 2022 @ 11:58 pm EDT

Geeklog Forums

Some Kind Of Spam or Hacking Attack - Hundreds of


winnerdk

Forum User
Full Member
Registered: 24/04/05
Posts: 339
Location:Panama City, Republic of Panama
I was looking through the error.log for an unrelated issue, and I noticed there are dozens of "invalid username" entries, about eight or ten at a time:

Mon 05 Dec 2011 05:00:29 COT - Error, invalid username: 'Heamepalgam'
Mon 05 Dec 2011 05:12:52 COT - Error, invalid username: 'cidemeDyecy'
Mon 05 Dec 2011 05:23:55 COT - Error, invalid username: 'Suisellva'
Mon 05 Dec 2011 05:42:57 COT - Error, invalid username: 'Vfqmetql'
Mon 05 Dec 2011 05:44:18 COT - Error, invalid username: 'blurezelf'
Mon 05 Dec 2011 05:47:38 COT - Error, invalid username: 'raignCreard'
Mon 05 Dec 2011 05:51:40 COT - Error, invalid username: 'Mawnrannike'
Mon 05 Dec 2011 06:13:21 COT - Error, invalid username: 'pletchervfo'
Mon 05 Dec 2011 06:23:30 COT - Error, invalid username: 'Reewclesy'
Mon 05 Dec 2011 06:39:28 COT - Error, invalid username: 'hielvebah'
Mon 05 Dec 2011 06:57:03 COT - Error, invalid username: 'raignCreard'
Mon 05 Dec 2011 07:29:10 COT - Error, invalid username: 'Cannabispayok'
Mon 05 Dec 2011 07:54:47 COT - Error, invalid username: 'billhornetty'
Mon 05 Dec 2011 08:11:37 COT - Error, invalid username: 'raignCreard'
Mon 05 Dec 2011 08:30:12 COT - Error, invalid username: 'Groultytato'
Mon 05 Dec 2011 09:14:24 COT - Error, invalid username: 'inoweseelleks'
Mon 05 Dec 2011 09:22:03 COT - Error, invalid username: 'HeermaJamma'
Mon 05 Dec 2011 10:25:34 COT - Error, invalid username: 'Wariato'
Mon 05 Dec 2011 12:00:42 COT - Error, invalid username: 'layeldemome123'
Mon 05 Dec 2011 12:11:12 COT - Error, invalid username: 'xrumerj'
Mon 05 Dec 2011 12:17:18 COT - Error, invalid username: 'Apocketofeuros'
Mon 05 Dec 2011 12:35:18 COT - Error, invalid username: 'Arequequinose'
Mon 05 Dec 2011 12:46:27 COT - Error, invalid username: 'raignCreard'
Mon 05 Dec 2011 12:52:09 COT - Error, invalid username: 'SataInpumma'
Mon 05 Dec 2011 13:07:43 COT - Error, invalid username: 'yiwbtr8'
Mon 05 Dec 2011 13:08:51 COT - Error, invalid username: 'Exterrero'
Mon 05 Dec 2011 13:23:32 COT - Error, invalid username: 'KahTraurb'
Mon 05 Dec 2011 13:27:52 COT - Error, invalid username: 'Zombigeemibre'

None of these are actual users on my website. They seem to be coming in groups, so I suspect someone is running a script to try to find an existing username (or something) as part of an effort to spam the site. It's not going to work, because every post to my website (comments or any other kind of submission) is now individually reviewed before posting.

But anyway, I would like to know - How can I figure out who is trying to hit my website with these bogus usernames? If I have the IP address of whoever was doing this I could prevent that IP from accessing the site. Is there any way to monitor the attempts? Besides the error.log (which I have) is this kind of information captured anywhere else? Is there something else I should be thinking of? Thanks.

Don Winner
www.panama-guide.com

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
Geeklog doesn't capture the IP address of failed login attempts (maybe we should, at least optionally). You'd have to check your webserver's logfiles for that. Look for POST requests to the users.php and match them up with the timestamps in the error.log

bye, Dirk
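The matching Dirk describes (error.log timestamp against a POST to users.php in the Apache access log) can be scripted instead of done by hand. This is an added example, not code from the thread or from Geeklog; the log lines are constructed samples in the two formats quoted above, the access log is assumed to be in Apache combined format, and both logs are assumed to be written in the same local time zone (COT here).

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the formats quoted in this thread (not real log data).
ERROR_LOG = """\
Mon 05 Dec 2011 05:00:29 COT - Error, invalid username: 'Heamepalgam'
Mon 05 Dec 2011 05:12:52 COT - Error, invalid username: 'cidemeDyecy'
Mon 05 Dec 2011 05:23:55 COT - Error, invalid username: 'Suisellva'
"""
ACCESS_LOG = """\
203.0.113.7 - - [05/Dec/2011:05:00:28 -0500] "POST /users.php HTTP/1.0" 200 54687 "http://www.panama-guide.com/users.php?mode=new" "Mozilla/4.0"
198.51.100.9 - - [05/Dec/2011:05:05:10 -0500] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.22 - - [05/Dec/2011:05:12:51 -0500] "POST /users.php HTTP/1.0" 200 54687 "http://www.panama-guide.com/users.php?mode=new" "Mozilla/4.0"
203.0.113.7 - - [05/Dec/2011:05:23:50 -0500] "GET /users.php?mode=new HTTP/1.1" 200 5000 "-" "Mozilla/4.0"
"""

# Geeklog error.log line: "<Day> <dd> <Mon> <yyyy> <hh:mm:ss> <TZ> - Error, invalid username: '<name>'"
ERR_RE = re.compile(r"^(\w{3} \d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) \S+ - Error, invalid username: '([^']*)'")
# Apache combined log prefix: "<ip> <ident> <user> [<timestamp>] "<method> <path> ..."
ACC_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def parse_error_log(text):
    """Return (timestamp, username) for every invalid-username line in error.log."""
    out = []
    for line in text.splitlines():
        m = ERR_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%a %d %b %Y %H:%M:%S"), m.group(2)))
    return out

def parse_login_posts(text):
    """Return (timestamp, client ip) for each POST to /users.php in the access log."""
    out = []
    for line in text.splitlines():
        m = ACC_RE.match(line)
        if m and m.group(3) == "POST" and m.group(4).split("?")[0] == "/users.php":
            # Keep the local wall-clock time so it compares directly with error.log.
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            out.append((ts, m.group(1)))
    return out

def correlate(error_text, access_text, window=timedelta(seconds=3)):
    """Pair each invalid-username entry with the nearest users.php POST inside `window`.
    Entries with no POST close enough map to None rather than to a wrong client."""
    posts = parse_login_posts(access_text)
    result = []
    for ts, user in parse_error_log(error_text):
        near = [(abs(pts - ts), ip) for pts, ip in posts if abs(pts - ts) <= window]
        result.append((user, min(near)[1] if near else None))
    return result
```

Counting the distinct IPs in the result is what shows whether blocking by address is worthwhile; as Don found later in the thread, a different source per attempt makes an IP deny list useless.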

winnerdk

Forum User
Full Member
Registered: 24/04/05
Posts: 339
Location:Panama City, Republic of Panama
OK, that worked. The data was contained in the Raw Apache Log on the server (as you described.) And, just as you said, there were POST requests to users.php that matched up perfectly with the error.log entries. So, I started to copy the offending IP addresses and add them to the IP Deny list in CPanel.

However - it's a different IP every time. So whoever is running this script is coming in from a different angle with every attempt, and therefore it won't do me any good to try to block all of these IP addresses. Is there anything else I can do? I mean, I'm really not all that worried - but I would like to be able to do something to put a big "CLOSED" sign up for this kind of attack.

Don
www.panama-guide.com

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
Yeah, if they were all coming from the same IP address, Geeklog would have blocked them - or at least slowed them down - already, since that would have triggered the speed limit for login attempts.

I don't think there's anything you can do about those, unless you find a pattern in them that lets you identify these types of attempts and separate them from valid login attempts (where somebody made a typo, for example). FWIW, we get those all the time here on geeklog.net and I don't think they ever really accomplished anything (other than being a mild annoyance).

bye, Dirk

winnerdk

Forum User
Full Member
Registered: 24/04/05
Posts: 339
Location:Panama City, Republic of Panama
Yeah, concur. I already manually approve all of the comments posted due to spammers. I think this is just some script that's looking for an existing user and password combination in order to post a spam link or something. Whatever - I was just hoping for a way to shut it down. Thanks for taking the time, Dirk.

Don
www.panama-guide.com

ironmax

Anonymous
Quote by: winnerdk

Yeah, concur. I already manually approve all of the comments posted due to spammers. I think this is just some script that's looking for an existing user and password combination in order to post a spam link or something. Whatever - I was just hoping for a way to shut it down. Thanks for taking the time, Dirk.

Don
www.panama-guide.com



Don,

You can try using ZBBLOCK from http://www.spambotsecurity.com and watch the log file that it creates, so you can make adjustments as needed to the security. I have used it on the demo.geeklog.net site and many of my other sites for a few months and it cut out an incredible amount of spam and hacking attempts. Give it a try and make sure you set up the logs and email so that users can contact you when they have a problem connecting to your site.

Michael

winnerdk

Forum User
Full Member
Registered: 24/04/05
Posts: 339
Location:Panama City, Republic of Panama
OK, I've downloaded and installed ZB Block. When I checked the Raw Apache Log again, this is an example of the script I'm trying to block:

"POST /users.php HTTP/1.0" 200 54687 "http://www.panama-guide.com/users.php?mode=new"

And the instructions for the ZB Block install says: "Now you must add:

<?php require('/home/panamax/public_html/zbblock/zbblock.php'); ?>

to all the pages you wish to protect, as near to the top as you can, and definitely before any MySQL access occurs."

So, in this case, where should I put the ZB Block script? And I realize this isn't the ZB Block Help Forum, but I'm asking because you're using this on a Geeklog site, so I'm hoping you can steer me a little here. Should I add the ZB Block script to the top of the users.php file?

Don
www.panama-guide.com

winnerdk

Forum User
Full Member
Registered: 24/04/05
Posts: 339
Location:Panama City, Republic of Panama
Yeah, I just looked at the users.php file, and that's the kind of stuff I normally stay way far away from on Geeklog. Where did you put the ZB Block scripts on the demo site?

Don
www.panama-guide.com

ironmax

Anonymous
Quote by: winnerdk

Yeah, I just looked at the users.php file, and that's the kind of stuff I normally stay way far away from on Geeklog. Where did you put the ZB Block scripts on the demo site?

Don
www.panama-guide.com



Don,

If you're running Geeklog version 1.8.1, then open up your lib-common.php file and copy that line that had a "GOOD" statement to it to the same location in the lib-common file, example below. Should be a starting point of line 127 or so.

PHP Formatted Code

    exit;
}

// ZB Block hook: pulled in here so it runs before any database access below
include('/www/gd/demo_geeklog/public_html/zbblock/zbblock.php');

// this file can't be used on its own - redirect to index.php
if (strpos(strtolower($_SERVER['PHP_SELF']), 'lib-common.php') !== false) {
    echo COM_refresh($_CONF['site_url'] . '/index.php');
    exit;
}


// +---------------------------------------------------------------------------+
// | Library Includes: You shouldn't have to touch anything below here         |
// +---------------------------------------------------------------------------+

/**
* If needed, add our PEAR path to the list of include paths
*


Any questions, let me know.

Michael

Laugh

Site Admin
Admin
Registered: 27/09/05
Posts: 1442
Quote by: winnerdk

I was looking through the error.log for an unrelated issue, and I noticed there are dozens of "invalid username" entries, about eight or ten at a time;

Mon 05 Dec 2011 05:00:29 COT - Error, invalid username: 'Heamepalgam'
Mon 05 Dec 2011 05:12:52 COT - Error, invalid username: 'cidemeDyecy'
...
Mon 05 Dec 2011 13:27:52 COT - Error, invalid username: 'Zombigeemibre'

None of these are actual users on my website. They seem to be coming in groups, so I suspect someone is running a script to try to find an existing username (or something) as part of an effort to spam the site. It's not going to work, because every post to my website (comments or any other kind of submission) are now individually reviewed before posting.

But anyway, I would like to know - How can I figure out who is trying to hit my website with these bogus usernames? If I have the IP address of whoever was doing this I could prevent that IP from accessing the site. Is there any way to monitor the attempts? Besides the error.log (which I have) is this kind of information captured anywhere else? Is there something else I should be thinking of? Thanks.

Don Winner
www.panama-guide.com



I noticed this a while ago as well. I did create a feature request (http://project.geeklog.net/tracking/view.php?id=1382) which would add additional information to the log.
One of the Geeklog Core Developers.

winnerdk

Forum User
Full Member
Registered: 24/04/05
Posts: 339
Location:Panama City, Republic of Panama
@Michael: I'm currently running Geeklog 1.7.1sr1 - would there be any change to your suggestion regarding the placement of the ZB Block script in the lib-common.php file?

Also, I asked the folks over at ZB Block the same question. They said: "Re: Using ZB Block to protect a Geeklog site - The manual is old and outdated. It would be best to put it at the top of the file that contains your SQL username and password, since the rest of the script must go through that. Remember, don't add any newlines or spaces. If the file starts with a <?php , then put in the ZB Block hook right in front of it. Like: Code: <?php require('/home/panamax/public_html/zbblock/zbblock.php'); ?><?php

Please get back to us, and tell us how it went. Zap"

So, is their suggestion to "put it at the top of the file that contains your username and password" the same basic suggestion as putting the line of script in the lib-common.php file? What do you think Dirk?

Thanks.

Don
www.panama-guide.com

winnerdk

Forum User
Full Member
Registered: 24/04/05
Posts: 339
Location:Panama City, Republic of Panama
One more thing that I almost forgot. When the guys at ZB Block said "the manual is old and outdated" my confidence level dropped to damn near zero...

Don
www.panama-guide.com

ironmax

Anonymous
Quote by: winnerdk

@Michael: I'm currently running Geeklog 1.7.1sr1 - would there be any change to your suggestion regarding the placement of the ZB Block script in the lib-common.php file?

Also, I asked the folks over at ZB Block the same question. They said: "Re: Using ZB Block to protect a Geeklog site - The manual is old and outdated. It would be best to put it at the top of the file that contains your SQL username and password, since the rest of the script must go through that. Remember, don't add any newlines or spaces. If the file starts with a <?php , then put in the ZB Block hook right in front of it. Like: Code: <?php require('/home/panamax/public_html/zbblock/zbblock.php'); ?><?php

Please get back to us, and tell us how it went. Zap"

So, is their suggestion to "put it at the top of the file that contains your username and password" the same basic suggestion as putting the line of script in the lib-common.php file? What do you think Dirk?

Thanks.

Don
www.panama-guide.com



Don,

Okay. That line 127 was only a suggestion on where to look in the lib-common file. But yes, it has to be placed in that file in that location so it can protect your entire site.

If you insert that code at the top of the page as they suggest, your site may not even work because it won't allow for any type of interaction on your site from what I can tell.

When they mention that the docs are old, that's the only thing they are saying. Everything else is constantly being updated.

Place the code in the proper place, just above this area in the lib-common file and you'll be just fine.

PHP Formatted Code

// ZB Block hook: must run before any database access below
require('/home/panamax/public_html/zbblock/zbblock.php');

// this file can't be used on its own - redirect to index.php
if (strpos(strtolower($_SERVER['PHP_SELF']), 'lib-common.php') !== false) {
    echo COM_refresh($_CONF['site_url'] . '/index.php');
    exit;
}


// +---------------------------------------------------------------------------+
// | Library Includes: You shouldn't have to touch anything below here         |
// +---------------------------------------------------------------------------+

Michael


winnerdk

Forum User
Full Member
Registered: 24/04/05
Posts: 339
Location:Panama City, Republic of Panama
OK, thanks for getting back to me. I'll put it in there, and see how it works....

Don
www.panama-guide.com

winnerdk

Forum User
Full Member
Registered: 24/04/05
Posts: 339
Location:Panama City, Republic of Panama
Perfect. I now have ZB Block up and running on my website, and it immediately started heading off these kinds of attacks and probes. I was running for just about 15 minutes, and it's already stopped a bunch of spammers from China and Brazil who are on known banned lists. And yes, that's exactly what they are doing, probing for weakness in security to find websites where they can toss up spam. This program seems to be doing the trick, and the website seems to be running just fine, with no problems. So far, I'm a happy camper.

Thanks for helping me get this done.

Don
www.panama-guide.com

winnerdk

Forum User
Full Member
Registered: 24/04/05
Posts: 339
Location:Panama City, Republic of Panama
Ah, I just went and checked the error.log file. Remember those hundreds of attempts to gain access to the website using bogus user names that were the original reason why I started this thread? They stopped cold, the instant I activated the ZB Block program. So, it looks like it's working as advertised.

Don
www.panama-guide.com

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
Just wanted to mention that we had ZBBLOCK running on the Geeklog demo site for a while and it did seem to occasionally block legit users. Here's one who complained about it on our bugtracker.

bye, Dirk

winnerdk

Forum User
Full Member
Registered: 24/04/05
Posts: 339
Location:Panama City, Republic of Panama
Nope, I have to take it all back. ZB Block seems to be working well while I surfed the site, but when I tried to post a new article it identified ME as a spammer. Now trying to tweak the settings and figure it out.

Don
www.panama-guide.com

winnerdk

Forum User
Full Member
Registered: 24/04/05
Posts: 339
Location:Panama City, Republic of Panama
OK, it seems like the CSRF token protection is somehow screwing up ZB Blocker. Everything is working fine until I get to the "authentication required" screen, and then as soon as that call goes out the ZB Blocker kicks in and identifies me as a spammer.

Is there any way I can temporarily disable the CSRF token protection to test and experiment?

Don

winnerdk

Forum User
Full Member
Registered: 24/04/05
Posts: 339
Location:Panama City, Republic of Panama
Never mind. I chucked it. Goodbye, ZB Block experiment. It seemed to be working just fine, except for the part about making my website inaccessible, to me...

Don