Bad Behavior mod - The Web's premier link spam killer (Now with SMF 2 httpBL)

butchs:
Just because they are in your log it does not make them errors.

The first IP "131.253.41.246" clearly does not belong to MSN.

For the google webpreview bots try leaving "Engine DNS" unchecked.

djkimmel:
I think I've always had Search Engine DNS unchecked. It was unchecked when I upgraded from 1.5.9 to 1.5.11. Looking through my records to see if I made a note of that or not. I'm still going through the ~800 pages of Bad Behavior rejected requests and the ~800 pages of forum errors that go with them to figure out what could have happened. Almost all my Google, Yahoo and Bing search engine traffic went from response 200 (including the entire 131.253.38-47 Microsoft range) to 403 on ~8/30/2012. Also those Google and Bing Preview user agents started getting rejected. I usually have ~110 pages of Bad Behavior rejections per week, not 800 pages in 1 1/2 days.

I usually have 12 to 18 pages of my old "Database Error: No database selected
File: /home/djkimmel/public_html/forum/Sources/bad-behavior/BadBehavior-SMF.php
Line: 74" per day (never did get that issue figured out), not ~800 pages in one day! Something changed. Since I'm seeing a mix of good RDNS and bad RDNS, and IP addresses in the Bad Behavior search engine file and IP addresses not in the Bad Behavior search engine file all rejected along with the preview user agents starting the morning of 8/30/2012, I have not figured out any pattern yet. Especially considering the 131.253.41 (and .40) that you think don't belong to MSN were all going through Bad Behavior from 8/1/2012 until 8/29/2012 without a problem?

I'm also seeing my normal smattering of this type that Bad Behavior normally did a really good job of rejecting, starting about the same time - 202.57.0.19   2012-08-31 21:25:57   /?option=com_myblog&Itemid=12&task=../../../../../../../../../../../../..//proc/self/environ%0000   all ending up in PERMITTED #00000000 instead. I've only had 4 of them during this time but they were all permitted. I normally did not see that in the past.

Not seeing any file changes on my server I didn't make. Not seeing any unauthorized FTP or even a root connection by anyone other than me during this time (including none from my host). I added the search engine IP ranges I wanted to the Bad Behavior whitelist to get them to stop getting 403. I wish I could figure out why almost all the search engine traffic started getting rejected by Bad Behavior all of a sudden? Just can't see a pattern. Of course I barely know how Bad Behavior works.

Kindred:
Probably because it's not real search engine traffic...  You seem to have made it onto some spammer or hacker list.

butchs:

--- Quote from: djkimmel on September 01, 2012, 04:47:06 AM ---I usually have 12 to 18 pages of my old "Database Error: No database selected
File: /home/djkimmel/public_html/forum/Sources/bad-behavior/BadBehavior-SMF.php
Line: 74" per day (never did get that issue figured out) not ~800 pages in one day! Something changed.

--- End quote ---

I reviewed the mod and as far as I know there was no change there. This could be an error in your settings or a bot. The mod uses $db_prefix. I am interested in eliminating this error. Start by looking at your "Settings.php" in your root directory and ensure that $db_prefix is correctly defined. You may want to try repair settings.

butchs:

--- Quote from: Kindred on September 01, 2012, 08:43:25 AM ---Probably because it's not real search engine traffic...  You seem to have made it onto some spammer or hacker list.

--- End quote ---

I subscribe myself to that list.  ;)

Now I must admit there was an error in older versions of Bad Behavior for SMF: it performed a reverse DNS test whether or not "Search Engine DNS" was checked. This was a bug fix after the Core Author bashed me about its existence. The latest version of BB for SMF obeys the check mark.

If you wish to return to the way the last version worked check "Search Engine DNS".

I have been watching "google web preview" with "Search Engine DNS" checked. So far, I found only one way to duplicate the visit on my site. I forced it by logging in to the google web-masters site and previewing my own site. Attachment1 is the result.

Note attachment1 has only one X-Forwarded-For address.

Let's look more closely at some who failed. See attachment2.

Notice Cf-Connecting-Ip: 209.85.224.99 "far right of x-forwarded-for".  This is actually the last ip in a proxy list:  X-Forwarded-For: 68.35.128.190,209.85.224.99.

There are two IP addresses in the list. This is an IP spoof attempt where the first address is the client. The first address has a project honey-pot threat rating of 17 (http://www.projecthoneypot.org/ip_68.35.128.190). More important, it is not a google address.

Bad Behavior only tests the proxy address on the far right of the "X-Forwarded-For" list.  Anyone in this list can have access to your site.

Let's look at attachment3. Cf-Connecting-Ip: 74.125.178.86 "far right". This is actually the last IP in a proxy list: X-Forwarded-For: 108.50.185.118,74.125.178.86

This is an IP spoof attempt where the first address is the client. 108.50.185.118 is from the UNKNOWN REALM of the internet.

After some research I was able to go to google web-masters and duplicate the error. Google did not report the error in their log. I validated and tried to preview my site, and got the error in attachment4.

The first "censored" address in the X-Forwarded-For is mine.  The second is google.  The mod blocked it because, when it performed the reverse DNS it found my address/ host, NOT Google.  The preview image was blocked.

It only happens when I visit the home page of web-master tools where my domain names are listed.

Google reports no 403 errors.  I have full ability to use the tools as I wish.

I can neither confirm nor deny without a shadow of a doubt that the "google web preview" visits are bad guys.  I believe they are after reading djkimmel's posts.

The detriment I see when the "Search Engine DNS" feature works correctly on a non-Ubuntu Server run site is that you can block yourself from google web-masters preview.
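The X-Forwarded-For handling discussed in this post, as an added Python illustration that is not the Bad Behavior mod's own code: it parses the chain from attachment2, runs a forward-confirmed reverse DNS (FCrDNS) check on the rightmost hop the way the thread says the mod does, and shows that the leftmost address (the real client) passes through unchecked unless it is verified separately. The resolver tables, hostnames and trusted suffix are constructed stand-ins (assumption); only the IP addresses come from the thread.

```python
import ipaddress

# Constructed stand-ins for DNS (assumption): the IPs are the ones quoted in the
# thread, the hostnames are made-up placeholders, not real PTR or A records.
PTR = {
    "209.85.224.99": "proxy-99.search-engine.example",
    "74.125.178.86": "proxy-86.search-engine.example",
    "68.35.128.190": "host-190.residential-isp.example",
}
A = {
    "proxy-99.search-engine.example": "209.85.224.99",
    "proxy-86.search-engine.example": "74.125.178.86",
    "host-190.residential-isp.example": "68.35.128.190",
}
# Assumption: the domain a genuine search-engine crawler's PTR record lives under.
TRUSTED_SUFFIXES = (".search-engine.example",)


def parse_xff(header):
    """Split X-Forwarded-For left to right: the leftmost entry is the client's
    own (unverifiable) claim, the rightmost is the last proxy that touched it."""
    addrs = []
    for part in header.split(","):
        part = part.strip()
        if part:
            addrs.append(str(ipaddress.ip_address(part)))  # ValueError on junk
    return addrs


def fcrdns_ok(ip, ptr=PTR, fwd=A):
    """Forward-confirmed reverse DNS: the PTR name must be under a trusted suffix
    AND resolve back to the same IP; a reverse lookup alone can be set by anyone."""
    name = ptr.get(ip)
    if not name or not name.endswith(TRUSTED_SUFFIXES):
        return False
    return fwd.get(name) == ip


def classify(xff):
    """Verdict for one request: does checking only the rightmost hop (as the thread
    describes) differ from verifying the address that actually originated it?"""
    chain = parse_xff(xff)
    return {
        "client": chain[0],
        "last_proxy": chain[-1],
        "rightmost_only": fcrdns_ok(chain[-1]),   # what the mod tests
        "client_verified": fcrdns_ok(chain[0]),   # what would be needed
    }
```

For the attachment2 chain the rightmost hop verifies but the client does not, which is exactly the gap described above; a single-address chain (attachment1) verifies both ways.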
