News:

Join the Facebook Fan Page.

Main Menu

httpBL

Started by Diego Andrés, February 17, 2010, 03:55:54 PM

Previous topic - Next topic

butchs

Why?  Wireless connects are the most vulnerable on the net.  They need to be cleaned up.  ???
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

Omniverse

I installed this mod today because of a recent jump in bots doing brute force password attacks at my site.

Excellent mod, love it so far.


I have noticed only 2 entries in the error log for incorrect entries now, the rest have been caught by this mod. When I checked the IP's at honeypot, they were listed, one has a threat of around 40.

httpBL did not catch this IP however. It isn't listed in its log, just in my forum error log.
Any idea why that would be?

sheryltoo

I would like to install this mod but I'm confused on all the steps necessary in order to do it.
I did register at HoneySpot and told them to generate a script using php 4+. I hope that was right but now I don't know where I'm suppose to put it.
Does this work like a mod?
Then once I add this to my site, the instructions say to ask for my own http: BL AP1 Key and I don't know what that is or what to do with one.

EL34

I created a new folder called HoneyPot under my php folder and put the honey pot stuff is in that new folder.

www.mywebsite/php/Honeypot/yourhoneypotfile.php

now you have a path to the honeypot.php file they gave you.

you ask for a key and enter that in the httpbl setup screen and you are good to go
Forum History -> EZBoard -> YABB -> SMF 1.1.19 -> SMF 2.0.19

sheryltoo

I have a folder called phpBB. Is that where I'd make a new folder called Honeypot?

busterone

You can name your folder anything you want, and put it anywhere you choose within your hosting space. I don't suggest naming it Honeypot either.  The idea for the honeypot is to snare the bots. The spammers already know about Project Honeypot, so they probably avoid anything that has that name in it.

sheryltoo

Once I extracted the files, I realized there were instructions that helped me figure out what to do however they forgot to mention that I shouldn't use honeypot for my folder's name and I already did.
Can I just change the name or do I need to start all over?
I think I read that I can't change the name of the file but I don't remember if they said I couldn't change the name of the folder.

busterone

You can change the folder name either by ftp or by using your file manager in your host's control panel. Or simply just create another folder with a different name, copy all the contents from the previous folder to the new folder, and then delete the old one.

sheryltoo

Ok thanks.
One more question. I don't understand where I'm suppose to put links for the bots to find. That's all very confusing to me.

busterone

I hid them in index.template.php and placed a few hidden links in portal blocks on my home page. They will be seen if the page source is read by the bots, but they are not displayed on the page to be seen by a normal user with a browser.

sheryltoo

Ok, thanks. I'll look into doing that.
I see there's a button in my folder for these files but I don't see it on my site. Is it suppose to show up some place?
I don't think I quite understand how all this works. I'm just hoping I can stop all the incorrect password errors I keep getting.

busterone

If you want tit to stop the incorrect password errors issue, it is probably not going to help much. Most of the IPs that have been reported are clean. Most are not listed in the Honeypot database.  Those are probably innocent users' computers that are infected by the botnet that is carrying out this attack.

The Honeypot project is a very worthwhile cause though, so I do recommend being involved in it.

sheryltoo

Quote from: busterone on February 13, 2011, 10:08:25 PM
If you want tit to stop the incorrect password errors issue, it is probably not going to help much. Most of the IPs that have been reported are clean. Most are not listed in the Honeypot database.  Those are probably innocent users' computers that are infected by the botnet that is carrying out this attack.

The Honeypot project is a very worthwhile cause though, so I do recommend being involved in it.

Is that like a virus? Can it be detected if my members run a virus scan?

sheryltoo

I was going to try and copy some of the suggestions honeypot gave me for various links into my index.template.php file only I don't understand how they work. If I put something there that starts off <a href="   then a web address and end by closing the "a tag", won't the link show up on my site?
Is that what I want? A link to my honeypot page?

busterone

#534
If you place it right after the <body> tag as one example, it will not display. It would need an echo '  preceding it to display in php
I also placed a couple right after the smf and theme copyright in the footer.
Here is an example from my index.template.php
echo '</div>
</div>
</div>
<div id="footerframe">
', theme_copyright(), FFCopyright(),'
<div class="smalltext"><b>BlueLight</b> design by <a href="http://www.blocweb.net">Bloc</a><br>
<a href="http://www.SMF4ME.COM/">SMF Forums Directory</a></div>
<div style="display: none;"><a href="http://www.thedemonsden.com/xxx/xxxxxx.php">cheap-selfsealing</a></div>

I xxx'd out the full link to prevent it from being indexed here.

Yes, the idea is to lead them to the honeypot.
Quote from: sheryltoo on February 14, 2011, 08:24:24 AM
Is that like a virus? Can it be detected if my members run a virus scan?
I could be in some instances, but probably not any of your members.  These bots are part of a directed attack at forums, possibly SMF only. Quite a few of those IPs are coming from the TOR proxy range from what I have seen so far. Whether they are from one person, or a small few using TOR, or from a bunch of infected systems that are unknowing being used and the bots automatically attack through TOR is unknown. 
Who ever they are, it is a new tactic.

sheryltoo

Thank you for showing me how to do that. I'm not sure what echo ' does but I'll add it.

busterone

No, don't add the echo' .  :)  What I meant is that for the link to dispaly to normal users, it needs to be echo'd in php. In your case, you do not want it to display. That is why I added it right after the <body> tag.

Omniverse

Quote from: busterone on February 14, 2011, 04:36:34 PM

   echo '</div>
      </div>
   </div>   
   <div id="footerframe">
      ', theme_copyright(), FFCopyright(),'
      <div class="smalltext"><b>BlueLight</b> design by <a href="http://www.blocweb.net">Bloc</a><br>
      <a href="http://www.SMF4ME.COM/">SMF Forums Directory</a></div>
<div style="display: none;"><a href="http://www.thedemonsden.com/xxx/xxxxxx.php">cheap-selfsealing</a></div>


Actually, from what I can tell from that code snippet, is it being echoed. Echo is closed with a ;

HTML in PHP has to be echoed or you will get an error.

The reason is doesn't show, is the style of the div that link is in. The part that says style="display: none"



busterone

True, that part is. The one I was referring to is adding the link immediately after the <body> tag. It isn't echoed there.

sheryltoo

What happens if I don't put any of those links on my site cause this is sounding way too confusing and over my head?

Advertisement: