httpBL

Started by Diego Andrés, February 17, 2010, 03:55:54 PM

butchs

Quote from: snoopy_virtual on February 18, 2010, 10:03:09 AM
Won't be a bad idea to add that in the next version, but just now I'm leaving them to grow in all my forums, as I want to study the entries later.

There is an idea.  Create statistics?  Take all the IPs from the same host and gather them together. Then the admin can go to his cpanel and block the addresses.

For example I am getting a bunch of spammers from "Amsterdam NL" and "FDCservers.net  in Chicago IL".  It would be nice to see all the offending IP's from these two spammers then I can block all of the possible addresses from both of them.  Just an idea...  ;)
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

butchs

Quote from: lc62003 on February 18, 2010, 02:46:38 PM
No dice.  Perhaps it will give up in a few days.   :-\

If you have access to cpanel ban the IP of the bot.  Or call your host and ask them to ban the IP of the bot.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

lc62003

Quote from: butchs on February 18, 2010, 10:03:03 PM

If you have access to cpanel ban the IP of the bot.  Or call your host and ask them to ban the IP of the bot.


IP ban was the first thing I did.  But since it was sitting there with the page 'open' and trying to hit the shoutbox, there was no new action to cause the ban to work.  Picture this:  if you're viewing a page, and it changes, you won't see any of those changes until you either refresh or move to another page.  But until that action happens you're still looking at the same old thing.  Does that make sense? 

snoopy_virtual

Yes, That's why I was saying a possible solution will be if you can uninstall just the shoutbox.

That way the page will disappear and the bot will have nothing to hold on to.

But I have never used Simple Portal and I don't know if you can do that without uninstalling the full mod.

El verdadero sabio es aquel que lo ve todo, lo estudia todo, lo analiza todo y molesta poco.
A true wise man is he who sees everything, studies everything, analyses everything and hardly ever annoys.

lc62003

Quote from: snoopy_virtual on February 19, 2010, 04:16:45 AM
Yes, That's why I was saying a possible solution will be if you can uninstall just the shoutbox.

That way the page will disappear and the bot will have nothing to hold on to.




Uninstall would have no effect if the page is never refreshed.   ;)  The SP shoutbox is just a block on the page.  I uninstalled both the MOD and the shoutbox, but they still existed within his page view if that makes sense.   Let's say you put a simple html page on a server.  Someone opens that page in a browser but never navigates away from it.  You take that page off the server within 5 minutes.  The page still exists in the browser indefinitely so long as they don't close the browser, refresh, or follow a link.  Posting a shout in the shoutbox does not refresh the page, nor does it take you to a new one. 

Apparently this was one of those '24 hour' bugs as it stopped 24 hours to the minute.  It actually did attempt to enter the forum, at which time the MOD caught it and he was gone (a new action!!!).   8)

I'm probably doing a poor job explaining what was observed.  I'm not bringing this up to be confrontational at all, just thought it may be a behavior not seen without the use of this mod and it may be diagnostic in prevention.   ;)

snoopy_virtual

Quote from: lc62003 on February 19, 2010, 08:37:50 AM
...
I'm not bringing this up to be confrontational at all, just thought it may be a behavior not seen without the use of this mod and it may be diagnostic in prevention.   ;)

Yes, it's a new behaviour I had never seen before, and yes I interesting to be diagnostic, but I gather from your answer it's already gone.

A pity it was not in one of my forums to do a few more tests with it. I love when these things happen, because you can learn a lot about the way they work.  ;D

El verdadero sabio es aquel que lo ve todo, lo estudia todo, lo analiza todo y molesta poco.
A true wise man is he who sees everything, studies everything, analyses everything and hardly ever annoys.

lc62003

OK, even with a full ban on the IP, no action in 24 hrs, now it's back!   :-\

snoopy_virtual

Quote from: lc62003 on February 19, 2010, 08:24:17 PM
OK, even with a full ban on the IP, no action in 24 hrs, now it's back!   :-\

With all the answers in this post and some googling on my own and all the information I am getting via PM (thanks butchs, you are saving me lots of hours of googling) I'm doing a new version of the mod.

Hopefully this problem will be sorted with the new version.

When I release it (don't know yet when, but maybe tomorrow or even later today) try it and tell me what happens.

In the mean time why don't you try to add a link inside your shoutbox to my site? http://www.snoopyvirtualstudio.com/

Robots tend to follow all the links they see to attack as many pages as possible and I would love to study this bast*** better.

If you don't want to break the design of your shoutbox you can put it hidden, so only robots can see it.

For example like this:


<div style="display: none;"><a href="http://www.snoopyvirtualstudio.com/">anything</a></div>

El verdadero sabio es aquel que lo ve todo, lo estudia todo, lo analiza todo y molesta poco.
A true wise man is he who sees everything, studies everything, analyses everything and hardly ever annoys.

lc62003

OK, I'll try the link.  This thing (or is it things?) is/are coming from 4 IPs.  Overnight I have 22 pages in the log.   ::)


Maybe this will help in some way:

Today at 08:38:42 am     216.104.15.134     30     4     Yes         Yes     /forum/index.php?action=portal;sa=shoutbox;shoutbox_id=5;time=1266672991;xml     
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)    No error
Today at 08:37:29 am    216.104.15.134    30    4    Yes       Yes    /forum/index.php?action=portal;sa=shoutbox;shoutbox_id=5;time=1266672931;xml    
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)    No error
Today at 08:37:24 am    216.104.15.142    30    18    Yes       Yes    /forum/index.php?action=portal;sa=shoutbox;shoutbox_id=5;time=1266672901;xml    
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)    No error
Today at 08:35:53 am    216.104.15.142    30    18    Yes       Yes    /forum/index.php?action=portal;sa=shoutbox;shoutbox_id=5;time=1266672811;xml    
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)    No error
Today at 08:35:53 am    216.104.15.134    30    4    Yes       Yes    /forum/index.php?action=portal;sa=shoutbox;shoutbox_id=5;time=1266672751;xml    
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)    No error
Today at 08:35:28 am    216.104.15.130    30    4    Yes       Yes    /forum/index.php?action=portal;sa=shoutbox;shoutbox_id=5;time=1266672781;xml    
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)    No error
Today at 08:34:14 am    216.104.15.130    30    4    Yes       Yes    /forum/index.php?action=portal;sa=shoutbox;shoutbox_id=5;time=1266672721;xml    
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)    No error
Today at 08:33:54 am    216.104.15.134    30    4    Yes       Yes    /forum/index.php?action=portal;sa=shoutbox;shoutbox_id=5;time=1266672691;xml    
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)    No error
Today at 08:32:46 am    216.104.15.138    31    4    Yes       Yes    /forum/index.php?action=portal;sa=shoutbox;shoutbox_id=5;time=1266672661;xml    
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)    No error

snoopy_virtual

One thing for sure:

All those IPs are from S. Francisco California.

Maybe a botnet (a lot of computers with a trojan working from inside them) or maybe servers (with or without the owner's knowledge)

I can see they use Windows NT 5.1 (and that's not normal for PC, but servers) and Internet Explorer (MSIE) 6.0

One way or another they are taking too much of your server time. I suppose this must be making your site slower, so until I investigate it a little more I have thought about another solution for you.

Stop them completely with "htaccess"

Look inside your root folder (the folder just above /forum/ - Normally it's called /public_html/ or /www/) see if you can find there a file called ".htaccess" (note the "dot" before the word htaccess)

The file ".htaccess" affects not only every file inside the folder where it is, but every file in every folder inside that one.

That's why I told you to use the one in your root folder, but if you want to protect only the forum it's up to you.

Anyway, look if there is a ".htaccess" already there.

If there is, open it with Notepad and add at the end of it these lines:


order allow,deny
allow from all
deny from 216.104.15.134
deny from 216.104.15.142


I have put only 2 IPs. Add all the rest yourself.

You don't need to finish every line with nothing, and you don't need to put anything also at the end of the file. Just as I have written it there.

Then save the file and FTP it to your server.

If there is no ".htaccess" already there, just create one. Open with Notepad a new text document. Put inside it the above lines (no need for anything special at the beginning either. Just the lines)

Save it, rename it .htaccess (remember the dot at the beginning) and FTP it.

More info:

http://vortexmind.net/2006-02-26-apache-htaccess-tweaking-tutorial/

I will continue looking for more information on those IPs.

A pity we cannot yet send an electric shock via internet.  ;D

El verdadero sabio es aquel que lo ve todo, lo estudia todo, lo analiza todo y molesta poco.
A true wise man is he who sees everything, studies everything, analyses everything and hardly ever annoys.

butchs

Hey lc62003, why not look up the IP information and get the host name.  Call the host and complain.  Have the host force them to stop!  8)


You can call:
They are Trend Micro inc:  TRENDMICRO.COM 
OrgName:    TREND MICRO INCORPORATED
OrgID:      TREND-7
Address:    10101 N. De Anza Blvd,
City:       Cupertino
StateProv:  CA
PostalCode: 95014
Country:    US

NetRange:   216.104.0.0 - 216.104.31.255
CIDR:       216.104.0.0/19
OriginAS:   AS16880,  AS36421
NetName:    NET-TRENDMICRO-COM
NetHandle:  NET-216-104-0-0-1
Parent:     NET-216-0-0-0-0
NetType:    Direct Assignment
NameServer: TMNS5.TRENDMICRO.COM
NameServer: TMNS6.TRENDMICRO.COM
Comment:   
RegDate:    2007-03-01
Updated:    2009-05-06

RAbuseHandle: TCH55-ARIN
RAbuseName:   Chou, Tai-Li
RAbusePhone:  +1-408-863-6403
RAbuseEmail:  [email protected]

RNOCHandle: YCH21-ARIN
RNOCName:   Chang, Yulin
RNOCPhone:  +1-408-850-1012
RNOCEmail:  [email protected]

RTechHandle: YCH21-ARIN
RTechName:   Chang, Yulin
RTechPhone:  +1-408-850-1012
RTechEmail:  [email protected]

RTechHandle: WWA18-ARIN
RTechName:   Wang, Wen-Chi
RTechPhone:  +1-408-863-6408
RTechEmail:  [email protected]

OrgTechHandle: YCH21-ARIN
OrgTechName:   Chang, Yulin
OrgTechPhone:  +1-408-850-1012
OrgTechEmail:  [email protected]


Call and/or email Alex, Yulin & Terry, ask for the IT department.  If they ask why, tell them why.  I believe either they have an employee who is bothering you or they were hacked!

Report the abuse.  I have done it before and it works.   Get them back!!!    8)

I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.
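
An added example, not code from the thread or from the httpBL mod: one way to do the grouping butchs suggested earlier (gather the offending IPs by owning network) and turn the result into the `.htaccess` deny lines snoopy_virtual posted. The function names are hypothetical, only the IP column of the log is interpreted, and the 192.0.2.10 entry is constructed.

```python
import ipaddress
import re
from collections import Counter

# Network taken from the whois record quoted in the thread.
KNOWN_NETWORKS = [ipaddress.ip_network("216.104.0.0/19")]

# Shortened copy of the log posted in the thread; the 192.0.2.10 line is
# constructed to show an address outside every known network.
SAMPLE_LOG = """\
Today at 08:38:42 am  216.104.15.134  30  4  Yes  Yes  /forum/index.php?action=portal;sa=shoutbox;shoutbox_id=5;time=1266672991;xml
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)  No error
Today at 08:37:24 am  216.104.15.142  30  18  Yes  Yes  /forum/index.php?action=portal;sa=shoutbox;shoutbox_id=5;time=1266672901;xml
Today at 08:35:53 am  216.104.15.134  30  4  Yes  Yes  /forum/index.php?action=portal;sa=shoutbox;shoutbox_id=5;time=1266672751;xml
Today at 08:35:28 am  216.104.15.130  30  4  Yes  Yes  /forum/index.php?action=portal;sa=shoutbox;shoutbox_id=5;time=1266672781;xml
Today at 08:32:46 am  216.104.15.138  31  4  Yes  Yes  /forum/index.php?action=portal;sa=shoutbox;shoutbox_id=5;time=1266672661;xml
Today at 08:31:02 am  192.0.2.10  30  4  Yes  Yes  /forum/index.php?action=register
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def count_hits(log_text):
    """Count log entries per client IP; user-agent lines carry no IP and are skipped."""
    hits = Counter()
    for line in log_text.splitlines():
        match = IPV4.search(line)
        if match:
            try:
                hits[ipaddress.ip_address(match.group())] += 1
            except ValueError:  # dotted number that is not a valid address
                pass
    return hits

def group_by_network(hits, networks):
    """Sum hits per known network; unknown addresses stay as single hosts (/32)."""
    grouped = Counter()
    for ip, n in hits.items():
        net = next((k for k in networks if ip in k), ipaddress.ip_network(str(ip)))
        grouped[net] += n
    return grouped

def deny_rules(grouped, min_hits=1):
    """Build the deny block in the syntax used in the thread, busiest source first."""
    lines = ["order allow,deny", "allow from all"]
    for net, n in sorted(grouped.items(), key=lambda kv: (-kv[1], kv[0])):
        if n >= min_hits:
            host = net.prefixlen == 32
            lines.append("deny from " + str(net.network_address if host else net))
    return "\n".join(lines)

if __name__ == "__main__":
    print(deny_rules(group_by_network(count_hits(SAMPLE_LOG), KNOWN_NETWORKS)))
```

The `order` / `deny from` lines are Apache 2.2 syntax as posted in the thread; Apache 2.4 accepts them only with mod_access_compat loaded, and its native form is `Require not ip 216.104.0.0/19` next to `Require all granted` inside a `<RequireAll>` block. A single `/19` rule denies all 8192 addresses in that allocation, so the per-network hit count is worth checking before widening a ban from individual hosts to the whole range.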

lc62003

Now that's a heck of an idea!  Thanks!  An interesting thing regarding the IP location....everywhere I've checked resulted in a different location.  Try Honey Pot, and a couple of others.  HP says Spring, TX.   ;D


And now to (another) downside of shared servers......my server doesn't allow .files, so no .htaccess.    :-[  Or if it does I don't know how to do it.   :-\

butchs

Use this whois to search the IP's in USA:  http://www.networksolutions.com/whois/

Make sure you select the IP address button.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

snoopy_virtual

My server is shared and I can do that and a lot more.

But then again, my hosting company is the best.  ;D

El verdadero sabio es aquel que lo ve todo, lo estudia todo, lo analiza todo y molesta poco.
A true wise man is he who sees everything, studies everything, analyses everything and hardly ever annoys.

snoopy_virtual

Quote from: butchs on February 20, 2010, 12:31:20 PM
Use this whois to search the IP's in USA:  http://www.networksolutions.com/whois/

Make sure you select the IP address button.

That whois is a lot better than the one I was using.

Filed for future whois searches.

Thanks

El verdadero sabio es aquel que lo ve todo, lo estudia todo, lo analiza todo y molesta poco.
A true wise man is he who sees everything, studies everything, analyses everything and hardly ever annoys.

snoopy_virtual

BTW, to find the country and even the city an IP is coming from I normally use:

http://www.geobytes.com/IpLocator.htm?GetLocation

If it fails I try others, but usually is always right.

El verdadero sabio es aquel que lo ve todo, lo estudia todo, lo analiza todo y molesta poco.
A true wise man is he who sees everything, studies everything, analyses everything and hardly ever annoys.

butchs

I heard that some people that were really mad at this sorta stuff took further action.  They would look up his property on the real-estate databases and send him a picture of his house as a reminder that they were not messing around.  Not that I know how to do that or know anyone who has done it.   ???
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

julieo

Sorry for newbie question...I'm amazed I've gotten this far. My forum is hosted on hostmonster.

I read and followed your tutorial but still confused. Registered at Honeypot. Got Honeypot, keyword and BL access key. Installed httpBL but don't know PHP and can't figure out what to do with the BL access key. You mention index.template.php on SMF mods page but can't find it anywhere. I use 1stPage for my web editor and have looked at the source but can't tell what I am supposed to change for my honeypot and BL access key from the comments in it.

snoopy_virtual

Quote from: julieo on February 22, 2010, 03:04:28 AM
...
Registered at Honeypot. Got Honeypot, keyword and BL access key. Installed httpBL
...

If you already have the httpBL mod installed, just go to the settings page. (See pictures attached)

Fill all the fields, enable the mod and save.

Forget for now the file index.template.php The mod works better if you do the changes there, but without that it works as well and it's too long to explain.

You can do that when I finish the tutorial.

==================

BTW, I want to answer here a lot of messages I got, so I don't need to answer them one by one:

There was a mistake in my site yesterday (as I am changing the mod doing the new version and I was testing it on my site) and nobody was able to enter. Almost everybody was redirected to my warning page.

The problem was I couldn't sort it because just when I was doing it we had in Spain the worst storm I have seen in my life and I have been with no electricity, no telephone, etc for ages.

Just got power back a few minutes ago.

That's also the reason why I couldn't continue with the new version, the tutorial, etc.

Sorry.

===============

PS: If I ever hear somebody again saying the weather is not changing and it's all an invention of us anarchist hippies people I'm going to get really mad.

El verdadero sabio es aquel que lo ve todo, lo estudia todo, lo analiza todo y molesta poco.
A true wise man is he who sees everything, studies everything, analyses everything and hardly ever annoys.

snoopy_virtual

Quote from: snoopy_virtual on February 22, 2010, 04:43:28 AM
...
Forget for now the file index.template.php The mod works better if you do the changes there, but without that it works as well and it's too long to explain.

You can do that when I finish the tutorial.
...

Anybody who already knows how to do it:

Can any of you explain it to julieo?

I have too many things to do now that I have electricity again (before it goes off again).

El verdadero sabio es aquel que lo ve todo, lo estudia todo, lo analiza todo y molesta poco.
A true wise man is he who sees everything, studies everything, analyses everything and hardly ever annoys.
