Unusual activity

Started by bosswhite, August 20, 2015, 03:52:34 PM

bosswhite

I am unsure where to post this so please move it if I am in the wrong section.

I am running SMF 2.0.10 with Stop Forum Spam mod installed.
Recently I have been getting reports of a particular IP address attempting to access my site using the following:

http://www.mysite.com/forum/index.php?action=register+[PLM=0][R]+GET+http://www.mysite.com/forum/index.php?action=register+[0,13634,14259]+-%3E+[R]+POST+http://www.mysite.com/forum/index.php?action=register+[0,17745,2898]+-%3E+[R]+POST+http://www.mysite.com/forum/index.php?action=register2+[18818,0,10343]+-%3E+[L]+GET+http://www.mysite.com/forum/index.php?action=login+[0,6475,11179]+-%3E+[L]+POST+http://www.mysite.com/forum/index.php?action=login2+[18818,0,11277]

Note, I have replaced the name of my site in the text above with mysite.com for obvious reasons.

I don't know enough to understand what is trying to be achieved by this, whether it is a security issue, or if I am able to identify the source (other than the IP address it is coming from) from the content.

Any help or advice would be greatly appreciated. Thank you.
I've been down so long now it's beginning to look like up..

Deaks

I am not an expert at what it all means but I can see why you may have suspicions. First question: are you using the latest version of SMF 2.0? If so then from memory of this you should be fine. The other option is to Google the IP and see if it's been listed on sites such as Stop Forum Spam, etc.
~~~~
Former SMF Project Manager
Former SMF Customizer

"For as lang as hunner o us is in life, in nae wey
will we thole the Soothron tae owergang us. In truth it isna for glory, or wealth, or
honours that we fecht, but for freedom alane, that nae honest cheil gies up but wi life
itsel."

JBlaze

Looks like a bot that is trying to register to your site.
Jason Clemons
Former Team Member 2009 - 2012

bosswhite

Quote from: Poύνικ on August 20, 2015, 04:35:35 PM
I am not an expert at what it all means but I can see why you may have suspicions. First question: are you using the latest version of SMF 2.0? If so then from memory of this you should be fine. The other option is to Google the IP and see if it's been listed on sites such as Stop Forum Spam, etc.

As mentioned in original post I am using 2.0.10

The IP address is 107.150.36.50 assigned to DataShack, LC in Kansas City, Missouri.
A Google search brings up lots of activity including attempting to access administration back end on various sites.

I have banned the IP address but still see several attempts being blocked.

Deaks

Chill, I overlooked it. The issue is that banning from your forum doesn't ban them from the site itself; for that you need to research other banning. If you have cPanel installed on your site then there is an addon in it where you can ban an IP; that is the closest you can get. Also notify your host about hack attempts, and secure all your accounts with strong passwords. That is all you can really do and hope the user will move on :)

Kindred

meh...  it's a scriptkiddie trying out a hack which won't actually work on SMF....


we've seen a couple of reports from folks who caught this...  doesn't matter - it won't ever do anything because it's not a valid attack on SMF code.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

a10

Am also seeing quite a number of these in the server log here. From 107.150.36.50 & earlier 119.131.136.228
No harm, in practice just a ridiculous url :O)
2.0.19, php 8.0.30, MariaDB 10.6.18. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.
Stand with 🇺🇦
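
An added example (not part of any post in this thread, and not SMF code): a small Python scan of a combined-format access log that flags requests like the one in the first post, where the `action` value is not a plain token, and lists the verb/URL fragments embedded in it. The log lines, the 203.0.113.7 and 198.51.100.23 addresses and the names `scan`, `SAMPLE_LOG`, `ODD` and `BASE` are constructed for illustration; the plain-token rule for `action` is an assumption based on the values visible in the post.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Combined-log-format prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
# Assumption: a normal "action" value is a short token such as register,
# register2, login or login2 (the values visible in the reported URL).
VALID_ACTION = re.compile(r'^[A-Za-z0-9_]+$')
# A bracketed one-letter tag followed by an HTTP verb and a URL,
# e.g. "[R] POST http://...", as seen inside the reported URL.
STEP_RE = re.compile(r'\[[A-Z]\]\s+(GET|POST)\s+(\S+)')

def scan(lines):
    """Return (hits, per_ip) for requests whose action is not a plain token."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, _method, target, status = m.groups()
        query = target.partition('?')[2]
        action = dict(parse_qsl(query, keep_blank_values=True)).get('action')
        if action is None or VALID_ACTION.match(action):
            continue  # no action parameter, or an ordinary one
        hits.append({'ip': ip, 'status': int(status),
                     'steps': STEP_RE.findall(action)})
        per_ip[ip] += 1
    return hits, per_ip

# Constructed sample data, shortened from the URL quoted in the first post.
BASE = "http://www.mysite.com/forum/index.php?action="
ODD = ("/forum/index.php?action=register+[PLM=0][R]+GET+" + BASE
       + "register+[0,13634,14259]+-%3E+[R]+POST+" + BASE
       + "register2+[18818,0,10343]+-%3E+[L]+POST+" + BASE
       + "login2+[18818,0,11277]")
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Aug/2015:15:40:01 +0000] "GET ' + ODD + ' HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [20/Aug/2015:15:40:09 +0000] "GET ' + ODD + ' HTTP/1.1" 403 310 "-" "-"',
    '198.51.100.23 - - [20/Aug/2015:15:41:00 +0000] "GET /forum/index.php?action=register HTTP/1.1" 200 7300 "-" "-"',
    '198.51.100.23 - - [20/Aug/2015:15:41:30 +0000] "GET /forum/index.php?topic=12.0 HTTP/1.1" 200 9100 "-" "-"',
]

if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for ip, count in per_ip.most_common():
        print(ip, count, "malformed action request(s)")
    for verb, url in hits[0]['steps']:
        print("  embedded:", verb, url)
```

The per-IP counts give the addresses to pass to a server-level or host-level block, which, as noted in the thread, a forum ban alone does not provide.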
