Geeklog Forums
Some Kind Of Spam or Hacking Attack - Hundreds of
winnerdk
Mon 05 Dec 2011 05:00:29 COT - Error, invalid username: 'Heamepalgam'
Mon 05 Dec 2011 05:12:52 COT - Error, invalid username: 'cidemeDyecy'
Mon 05 Dec 2011 05:23:55 COT - Error, invalid username: 'Suisellva'
Mon 05 Dec 2011 05:42:57 COT - Error, invalid username: 'Vfqmetql'
Mon 05 Dec 2011 05:44:18 COT - Error, invalid username: 'blurezelf'
Mon 05 Dec 2011 05:47:38 COT - Error, invalid username: 'raignCreard'
Mon 05 Dec 2011 05:51:40 COT - Error, invalid username: 'Mawnrannike'
Mon 05 Dec 2011 06:13:21 COT - Error, invalid username: 'pletchervfo'
Mon 05 Dec 2011 06:23:30 COT - Error, invalid username: 'Reewclesy'
Mon 05 Dec 2011 06:39:28 COT - Error, invalid username: 'hielvebah'
Mon 05 Dec 2011 06:57:03 COT - Error, invalid username: 'raignCreard'
Mon 05 Dec 2011 07:29:10 COT - Error, invalid username: 'Cannabispayok'
Mon 05 Dec 2011 07:54:47 COT - Error, invalid username: 'billhornetty'
Mon 05 Dec 2011 08:11:37 COT - Error, invalid username: 'raignCreard'
Mon 05 Dec 2011 08:30:12 COT - Error, invalid username: 'Groultytato'
Mon 05 Dec 2011 09:14:24 COT - Error, invalid username: 'inoweseelleks'
Mon 05 Dec 2011 09:22:03 COT - Error, invalid username: 'HeermaJamma'
Mon 05 Dec 2011 10:25:34 COT - Error, invalid username: 'Wariato'
Mon 05 Dec 2011 12:00:42 COT - Error, invalid username: 'layeldemome123'
Mon 05 Dec 2011 12:11:12 COT - Error, invalid username: 'xrumerj'
Mon 05 Dec 2011 12:17:18 COT - Error, invalid username: 'Apocketofeuros'
Mon 05 Dec 2011 12:35:18 COT - Error, invalid username: 'Arequequinose'
Mon 05 Dec 2011 12:46:27 COT - Error, invalid username: 'raignCreard'
Mon 05 Dec 2011 12:52:09 COT - Error, invalid username: 'SataInpumma'
Mon 05 Dec 2011 13:07:43 COT - Error, invalid username: 'yiwbtr8'
Mon 05 Dec 2011 13:08:51 COT - Error, invalid username: 'Exterrero'
Mon 05 Dec 2011 13:23:32 COT - Error, invalid username: 'KahTraurb'
Mon 05 Dec 2011 13:27:52 COT - Error, invalid username: 'Zombigeemibre'
None of these are actual users on my website. They seem to be coming in groups, so I suspect someone is running a script to try to find an existing username (or something) as part of an effort to spam the site. It's not going to work, because every post to my website (comments or any other kind of submission) is now individually reviewed before posting.
But anyway, I would like to know - How can I figure out who is trying to hit my website with these bogus usernames? If I have the IP address of whoever was doing this I could prevent that IP from accessing the site. Is there any way to monitor the attempts? Besides the error.log (which I have) is this kind of information captured anywhere else? Is there something else I should be thinking of? Thanks.
Don Winner
www.panama-guide.com
winnerdk
However - it's a different IP every time. So whoever is running this script is coming in from a different angle with every attempt, and therefore it won't do me any good to try to block all of these IP addresses. Is there anything else I can do? I mean, I'm really not all that worried - but I would like to be able to do something to put a big "CLOSED" sign up for this kind of attack.
Don
www.panama-guide.com
Dirk
I don't think there's anything you can do about those, unless you find a pattern in them that lets you identify these types of attempts and separate them from valid login attempts (where somebody made a typo, for example). FWIW, we get those all the time here on geeklog.net and I don't think they ever really accomplished anything (other than being a mild annoyance).
bye, Dirk
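Don's question (where, besides error.log, these attempts are recorded, and how to get at the IP) and Dirk's suggestion of finding a pattern that separates scripted attempts from a visitor's typo can both be worked on the two logs Don already has. Geeklog's error.log line carries only a timestamp and the rejected name; the web server's access log carries the client address of the users.php POST that produced it (Don quotes such an access-log line further down the thread). The script below is an added example, not code from the thread, from Geeklog or from ZB Block. It parses both logs, joins each error entry to the nearest users.php POST within a couple of seconds, flags runs of rejections that arrive close together, and lists names retried from more than one address. The log lines embedded in it are constructed for the example (the names are taken from Don's list, the addresses are documentation ranges), and it assumes the Apache combined log format and that both logs are written in the same local timezone; check that before trusting the join on a real server.

```python
"""Join Geeklog error.log 'invalid username' entries to the web server's
access log to recover source IPs, then look for scripted patterns.
Added example for this thread; not Geeklog, ZB Block or forum code.
Assumptions (not from the thread): Apache combined log format, and both
logs written in the same local timezone. All log lines below are constructed."""
import re
from datetime import datetime, timedelta

# Constructed sample of Geeklog's error.log: names borrowed from the thread,
# timestamps spaced like the real entries, plus one line of another kind.
ERROR_LOG = """\
Mon 05 Dec 2011 05:00:29 COT - Error, invalid username: 'Heamepalgam'
Mon 05 Dec 2011 05:12:52 COT - Error, invalid username: 'cidemeDyecy'
Mon 05 Dec 2011 05:23:55 COT - Error, invalid username: 'raignCreard'
Mon 05 Dec 2011 05:34:18 COT - Error, invalid username: 'raignCreard'
Mon 05 Dec 2011 09:14:24 COT - Error, invalid username: 'dwinner'
Mon 05 Dec 2011 09:14:30 COT - Some unrelated message
"""
# Constructed Apache combined-format lines; addresses are documentation ranges.
ACCESS_LOG = """\
198.51.100.7 - - [05/Dec/2011:05:00:29 -0500] "POST /users.php HTTP/1.0" 200 54687 "http://www.panama-guide.com/users.php?mode=new" "-"
203.0.113.9 - - [05/Dec/2011:05:12:52 -0500] "POST /users.php HTTP/1.0" 200 54687 "http://www.panama-guide.com/users.php?mode=new" "-"
203.0.113.21 - - [05/Dec/2011:05:23:56 -0500] "POST /users.php HTTP/1.0" 200 54687 "http://www.panama-guide.com/users.php?mode=new" "-"
192.0.2.44 - - [05/Dec/2011:05:34:18 -0500] "POST /users.php HTTP/1.0" 200 54687 "http://www.panama-guide.com/users.php?mode=new" "-"
192.0.2.44 - - [05/Dec/2011:05:34:19 -0500] "GET /index.php HTTP/1.0" 200 12345 "-" "-"
198.51.100.200 - - [05/Dec/2011:09:14:24 -0500] "POST /users.php HTTP/1.0" 200 54687 "http://www.panama-guide.com/index.php" "-"
"""

ERR_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) \w+ - "
                    r"Error, invalid username: '(?P<user>[^']*)'$")
ACC_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_error_log(text):
    """[(datetime, username)] for the 'invalid username' lines only."""
    out = []
    for line in text.splitlines():
        m = ERR_RE.match(line)
        if m:
            out.append((datetime.strptime(m["ts"], "%a %d %b %Y %H:%M:%S"), m["user"]))
    return out

def parse_access_log(text):
    """[(datetime, ip, method, path)] for every request line."""
    out = []
    for line in text.splitlines():
        m = ACC_RE.match(line)
        if m:
            # The UTC offset is dropped: both logs are assumed to share a zone.
            ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
            out.append((ts, m["ip"], m["method"], m["path"]))
    return out

def correlate(errors, requests, tolerance=timedelta(seconds=2)):
    """Attach to each error entry the IP of the nearest POST to users.php.
    error.log has no client address, so the timestamp is the only join key."""
    posts = [(ts, ip) for ts, ip, method, path in requests
             if method == "POST" and path.split("?")[0] == "/users.php"]
    joined = []
    for ets, user in errors:
        best = None
        for rts, ip in posts:
            delta = abs(rts - ets)
            if delta <= tolerance and (best is None or delta < best[0]):
                best = (delta, ip)
        joined.append((ets, user, best[1] if best else None))
    return joined

def find_bursts(events, gap=timedelta(minutes=20), min_size=3):
    """Split the time-sorted events wherever two are more than `gap` apart and
    keep runs of at least `min_size`: a lone typo is not a run, a name list is."""
    bursts, run = [], []
    for ev in sorted(events, key=lambda e: e[0]):
        if run and ev[0] - run[-1][0] > gap:
            if len(run) >= min_size:
                bursts.append(run)
            run = []
        run.append(ev)
    if len(run) >= min_size:
        bursts.append(run)
    return bursts

def retried_names(joined):
    """Usernames tried from more than one address: the 'different IP every
    time' behaviour that per-IP blocking cannot catch but a name list can."""
    seen = {}
    for _, user, ip in joined:
        if ip:
            seen.setdefault(user, set()).add(ip)
    return {u: ips for u, ips in seen.items() if len(ips) > 1}

def scripted_attempts(error_text, access_text):
    """End to end: entries that sit in a burst, and the sorted IPs behind them."""
    joined = correlate(parse_error_log(error_text), parse_access_log(access_text))
    flagged = [ev for burst in find_bursts(joined) for ev in burst]
    return flagged, sorted({ip for _, _, ip in flagged if ip})

if __name__ == "__main__":
    flagged, ips = scripted_attempts(ERROR_LOG, ACCESS_LOG)
    for ts, user, ip in flagged:
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {user:<16} {ip}")
    print("burst IPs:", ips)
```

Run it against the real files by reading them into the two strings; the `tolerance` and `gap` arguments are the knobs to tune to the server's traffic. Because the join is on timestamps alone, two users.php submissions in the same second are ambiguous and the script simply keeps the first; what survives Don's later observation that every attempt comes from a different IP is the burst timing and the repeated names, not the addresses.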
ironmax
Yeah, concur. I already manually approve all of the comments posted due to spammers. I think this is just some script that's looking for an existing user and password combination in order to post a spam link or something. Whatever - I was just hoping for a way to shut it down. Thanks for taking the time, Dirk.
Don
www.panama-guide.com
Don,
You can try using ZBBLOCK from http://www.spambotsecurity.com and watch the log file that it creates, so you can make adjustments as needed to the security. I have used it on the demo.geeklog.net site and many of my other sites for a few months and it cut out an incredible amount of spam and hacking attempts. Give it a try and make sure you set up the logs and email so that users can contact you when they have a problem connecting to your site.
Michael
winnerdk
"POST /users.php HTTP/1.0" 200 54687 "http://www.panama-guide.com/users.php?mode=new"
And the instructions for the ZB Block install says: "Now you must add:
<?php require('/home/panamax/public_html/zbblock/zbblock.php'); ?>
to all the pages you wish to protect, as near to the top as you can, and definitely before any MySQL access occurs."
So, in this case, where should I put the ZB Block Script. And I realize this isn't the ZB Block Help Forum, but I'm asking because you're using this on a Geeklog site, so I'm hoping you can steer me a little here. Should I add the ZB Block script to the top of the users.php file?
Don
www.panama-guide.com
ironmax
Yeah, I just looked at the users.php file, and that's the kind of stuff I normally stay way far away from on Geeklog. Where did you put the ZB Block scripts on the demo site?
Don
www.panama-guide.com
Don,
If you're running Geeklog version 1.8.1, then open up your lib-common.php file and copy that line that had a "GOOD" statement to it to the same location in the lib-common file, example below. Should be a starting point of line 127 or so.
exit;
}
include('/www/gd/demo_geeklog/public_html/zbblock/zbblock.php');
// this file can't be used on its own - redirect to index.php
if (strpos(strtolower($_SERVER['PHP_SELF']), 'lib-common.php') !== false) {
echo COM_refresh($_CONF['site_url'] . '/index.php');
exit;
}
// +---------------------------------------------------------------------------+
// | Library Includes: You shouldn't have to touch anything below here |
// +---------------------------------------------------------------------------+
/**
* If needed, add our PEAR path to the list of include paths
*
Any questions, let me know.
Michael
Laugh
I was looking through the error.log for an unrelated issue, and I noticed there are dozens of "invalid username" entries, about eight or ten at a time;
Mon 05 Dec 2011 05:00:29 COT - Error, invalid username: 'Heamepalgam'
Mon 05 Dec 2011 05:12:52 COT - Error, invalid username: 'cidemeDyecy'
...
Mon 05 Dec 2011 13:27:52 COT - Error, invalid username: 'Zombigeemibre'
I noticed this a while ago as well. I did create a feature request (http://project.geeklog.net/tracking/view.php?id=1382) which would add additional information to the log.
One of the Geeklog Core Developers.
winnerdk
Also, I asked the folks over at ZB Block the same question. They said: "Re: Using ZB Block to protect a Geeklog site - The manual is old and outdated. It would be best to put it at the top of the file that contains your SQL username and password, since the rest of the script must go through that. Remember, don't add any newlines or spaces. If the file starts with a <?php , then put in the ZB Block hook right in front of it. Like: Code: <?php require('/home/panamax/public_html/zbblock/zbblock.php'); ?><?php
Please get back to us, and tell us how it went. Zap"
So, is their suggestion to "put it at the top of the file that contains your username and password" the same basic suggestion as putting the line of script in the lib-common.php file? What do you think Dirk?
Thanks.
Don
www.panama-guide.com
ironmax
@Michael: I'm currently running Geeklog 1.7.1sr1 - would there be any change to your suggestion regarding the placement of the script ZB Block script in the lib-common.php file?
Don,
Okay. That line 127 was only a suggestion on where to look in the lib-common file. But yes, it has to be placed in that file in that location so it can protect your entire site.
If you insert that code at the top of the page as they suggest, your site may not even work because it won't allow for any type of interaction on your site from what I can tell.
When they mention that the docs are old, that's the only thing they are saying. Everything else is constantly being updated.
Place the code in the proper place, just above this area in the lib-common file and you'll be just fine.
require('/home/panamax/public_html/zbblock/zbblock.php');
// this file can't be used on its own - redirect to index.php
if (strpos(strtolower($_SERVER['PHP_SELF']), 'lib-common.php') !== false) {
echo COM_refresh($_CONF['site_url'] . '/index.php');
exit;
}
// +---------------------------------------------------------------------------+
// | Library Includes: You shouldn't have to touch anything below here |
// +---------------------------------------------------------------------------+
Michael
winnerdk
Thanks for helping me get this done.
Don
www.panama-guide.com
winnerdk
Is there any way I can temporarily disable the CSRF token protection to test and experiment?
Don