SpamBot or what

Started by Ron G4GWC, March 12, 2013, 08:59:11 AM

Ron G4GWC

Hi, my SMF is under attack. The forum has only been in use for about a month but has been under constant attack by bots for about 10 days.
I am concerned: the attacks use up to 29 IPs, up to seven at a time. They call every file in the SMF directory and lots of PHPSESSID=XXXXXX.
Any ideas how to stop this attack? What is going on, and why is it so relentless? About 3 tries per minute currently.


Deaks

PHPSESSID is default SMF. This could simply be bots indexing your site. If you go to your who is online list and click on one of the IPs, in most cases a search site is highlighted; click that, if not click any (you may have to go through them 1 by 1), and that will tell you if it's a bot or not. But this sounds like normal behaviour for them. Not all bots are bad, and so far nothing worries me (but I'm not an expert on bots).
~~~~
Former SMF Project Manager
Former SMF Customizer

"For as lang as hunner o us is in life, in nae wey
will we thole the Soothron tae owergang us. In truth it isna for glory, or wealth, or
honours that we fecht, but for freedom alane, that nae honest cheil gies up but wi life
itsel."

Ron G4GWC

Hi, thanks for the response. Is it normal for them to persist for 10 days or more? I get little info from IP lookup, no site URLs. I closed down the directory for 2 days; they are still there trying. They are 99.9% of the traffic to my forum. Before I tightened up registration they posted 3000+ Medics ad posts on the site. Mad.

Deaks

Ah, you never mentioned they were posting :P This is not normal then.

A few questions then (sorry, but I need to set a baseline of what you have or don't have):

Do you have any registration option enabled such as security questions, captcha etc?
Do you have your forum as automatic registration and not activated by email or admin?
Have you looked at any of these mods?
http://custom.simplemachines.org/mods/index.php?action=search;type=13;approved=1

Ron G4GWC

Thanks again. I have included Captcha and activation by admin or email registration.
This has stopped the spurious registrations and posts after about 2 days, but has not stopped the attacks.
I am worried about the impact on the server and database of these relentless attempts. Is there a security risk from injecting session info in the forum URL?
Regards

MrPhil

So they're not able to register, but they're still pounding on your server, apparently trying to find some security hole to exploit (or just a plain DDoS attack)? If you can see a reasonably small set of IP addresses being used, you can deny (block) them in your /.htaccess file. That will relieve some of the load on your server. You might also want to alert your host so they can do some blocking further upstream. With luck, when these script kiddies find they can't do anything to you, they'll wander off to mess with someone else and leave you alone. Then you/your host might be able to open up those IP addresses again (especially if you had to block off huge chunks of the Internet).

If it's an unwieldy number of IP addresses to try blocking (even by range), consult with your host. With hosting comes the responsibility to try to protect your systems from mass DoS attacks.
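
Added example (not part of MrPhil's post or of SMF): one way to turn the "reasonably small set of IP addresses" into deny rules, by counting requests per address in an access log and merging neighbouring addresses into ranges. The log lines, the threshold, the `never_block` allowlist and the Apache 2.4 `Require not ip` output are assumptions of this sketch; Apache 2.2 uses `Deny from` instead.

```python
import ipaddress
from collections import Counter

def _lines(ip, n):
    # Constructed common-log-format lines; addresses are documentation ranges.
    return [f'{ip} - - [12/Mar/2013:08:50:{i % 60:02d} +0000] '
            f'"GET /smf2/index.php?PHPSESSID=x{i} HTTP/1.1" 200 512'
            for i in range(n)]

SAMPLE_LOG = (_lines("198.51.100.4", 30) + _lines("198.51.100.5", 25) +
              _lines("203.0.113.9", 40) + _lines("192.0.2.77", 3) +
              _lines("192.0.2.200", 60) + ["garbage line without an address"])

def offenders(lines, threshold, never_block=()):
    """Addresses with >= threshold requests, skipping allowlisted networks."""
    keep = [ipaddress.ip_network(n) for n in never_block]
    hits = Counter()
    for line in lines:
        try:
            hits[ipaddress.ip_address(line.split(" ", 1)[0])] += 1
        except ValueError:
            continue  # first field is not an IP address
    return sorted((ip for ip, n in hits.items()
                   if n >= threshold and not any(ip in net for net in keep)),
                  key=lambda ip: (ip.version, int(ip)))

def deny_rules(ips):
    """Apache 2.4 .htaccess block denying the given addresses, merged to CIDR."""
    nets = []
    for version in (4, 6):  # collapse_addresses cannot mix IP versions
        nets += ipaddress.collapse_addresses(
            ipaddress.ip_network(str(ip)) for ip in ips if ip.version == version)
    rules = "".join(f"    Require not ip {net}\n" for net in nets)
    return f"<RequireAll>\n    Require all granted\n{rules}</RequireAll>\n"

if __name__ == "__main__":
    # 192.0.2.192/26 stands in for a crawler range you have verified yourself.
    bad = offenders(SAMPLE_LOG, threshold=20, never_block=["192.0.2.192/26"])
    print(deny_rules(bad))
```

Only exact neighbours are merged, so the rules never cover an address that did not itself cross the threshold.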

Deaks

Captcha isn't the best; try looking at using the questions, and keep them specific to the topic of your site (captcha is easily broken). Unfortunately I'm not an expert at this, never faced this issue myself. I will try and pester someone who knows more on this to help you further.

NanoSector

I believe there are also settings in cPanel which may help you with DDOS attacks and similar.
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

Ron G4GWC

Thank you all,
Can't understand a DOS attack on a small club forum. Trouble is I'm not on an Apache server, will have to do more research and boning up. Not as easy as it used to be (getting old). Only once mentioned the forum URL on Yahoo Groups, think that may have started it. Thanks again.
Ron

waris

Reinforce your forum with Bad Behaviour MOD and Forum Firewall.

http://custom.simplemachines.org/mods/index.php?action=search;type=19

So far I have had 100% success with the above combination.

Others may have a different opinion.

Kindred

Neither BB nor ForumFirewall will protect from a DOS attack.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Ron G4GWC

On the error log the requests and responses are listed, with the first 3 lines having a magnifying glass icon.
Can anyone specify exactly what each one means?
Also, what do the lines below these 3 mean,
especially the last line that starts with
"File:" then a long path?
Regards

kat

Can you give us more detail about those messages? Copy/paste, perhaps?

Ron G4GWC

Yes, I will do that, but at this time I just need to know what they are and where they come from on a line-by-line basis. The SMF produces these elements from requests etc., specially on the ban log:
lines produced by banned IPs, lines produced by unsuccessful attempts to login, etc.
Best Regards

kat

Without actually seeing them, we can't even guess, really.

Ron G4GWC

OK, I will send some examples as soon as I can.
My SMF is disabling the copy facility on the presented error logs. I will sort that and get back.

Regards

Kindred

To answer your first question:


http://www.yoursite.com//index.php?action=affiliates;sa=editLink;affid=1
8: Undefined variable: txt
File: /home/sitename/www/Sources/Affiliates.php
Line: 376


Line 1 = the action which triggered the error
Line 2 = the type of error (undefined are usually the most common, with mods)
Line 3 = the file which triggered the error.
              (Note: if there is an (eval?) listed anywhere in the error, then this file is NOT the actual problem. You will need to turn OFF Eval in the SMF admin > server settings.)
Line 4 = the line number of code in the file listed in Line 3 which caused the error

The magnifying glasses allow you to filter all other errors and only show errors which match the filter you have selected.

Ron G4GWC

Guest
66.249.76.172   
    Today at 03:56:31 AM
d9046810a829f70453a1edd5b8163f1a
Type of error: Undefined
http://g4bp.co.uk/smf2/index.php?topic=925.new8: Undefined index: login_with_forumFile: /content/sites/g/4/g4bp.co.uk/web/smf2/Themes/default/Login.template.php (kick_guest sub template - eval?)
Line: 103

Hi, the above is part of an error log resulting from an attempt to login or damage my site or forum service.
Could you explain what this enquiry is trying to do?
I get a great deal of these invasive "attacks" from what seems to be an unlimited IP list.

Regards  Ron
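
Added example (not from any poster or from SMF itself): a small parser that applies Kindred's line-by-line breakdown to pasted error-log text, including entries whose fields have run together on one line, and groups them so it is visible when many entries are one repeated fault. The sample entries are constructed in the shape shown in this thread; reading the leading number as the PHP error level (8 = E_NOTICE) is an assumption.

```python
import re
from collections import Counter

# PHP error-level constants. Assumption: the number before the message is this
# level, as in "8: Undefined variable: txt".
PHP_LEVELS = {1: "E_ERROR", 2: "E_WARNING", 4: "E_PARSE", 8: "E_NOTICE",
              2048: "E_STRICT", 8192: "E_DEPRECATED"}
_CODES = "|".join(str(c) for c in sorted(PHP_LEVELS, reverse=True))

# Lazy URL + a fixed set of codes lets "…topic=925.new8: Undefined…" split
# correctly even when the newline between URL and error has been lost.
ENTRY = re.compile(
    r"(?P<url>https?://\S*?)\s*(?P<code>" + _CODES + r"): (?P<message>.*?)\s*"
    r"File: (?P<file>\S+)(?:\s*\((?P<note>[^)]*)\))?\s*Line: (?P<line>\d+)",
    re.DOTALL)

# Constructed sample: one well-formed entry, two run-together ones.
SAMPLE = """\
http://forum.example/index.php?action=affiliates;sa=editLink;affid=1
8: Undefined variable: txt
File: /home/sitename/www/Sources/Affiliates.php
Line: 376

http://forum.example/smf2/index.php?topic=925.new8: Undefined index: login_with_forumFile: /srv/web/smf2/Themes/default/Login.template.php (kick_guest sub template - eval?)
Line: 103
http://forum.example/smf2/index.php?topic=12.08: Undefined index: login_with_forumFile: /srv/web/smf2/Themes/default/Login.template.php (kick_guest sub template - eval?)
Line: 103
"""

def parse_entries(text):
    """Return one dict per error-log entry found in pasted log text."""
    entries = []
    for m in ENTRY.finditer(text):
        e = m.groupdict()
        e["code"], e["line"] = int(e["code"]), int(e["line"])
        e["level"] = PHP_LEVELS[e["code"]]
        # "(eval?)" in the entry: the listed file is not the real source.
        e["eval_wrapped"] = "eval?" in (e["note"] or "")
        entries.append(e)
    return entries

def summarize(entries):
    """Count entries per (level, message, file): distinct faults, not requests."""
    return Counter((e["level"], e["message"], e["file"]) for e in entries)

if __name__ == "__main__":
    for fault, count in summarize(parse_entries(SAMPLE)).most_common():
        print(count, *fault)
```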

Ron G4GWC

Just to add a few of the problems these attacks seem to be causing:
1. Error bar along top of page with link "theme address wrong click here to correct"
2. Little changes in my theme, colour changes on menu items
3. Horizontal menus changed to vertical on main menu and admin menu.

Are these attacks corrupting my CSS?

Ron G4GWC

Quote from: Kindred on March 14, 2013, 08:55:37 AM
to answer your first question:


http://www.yoursite.com//index.php?action=affiliates;sa=editLink;affid=1
8: Undefined variable: txt
File: /home/sitename/www/Sources/Affiliates.php
Line: 376


Line 1 = the action which triggered the error
Line 2 = the type of error (undefined are usually the most common, with mods)
Line 3 = the file which triggered the error.
              (Note: if there is an (eval?) listed anywhere in the error, then this file is NOT the actual problem. You will need to turn OFF Eval in the SMF admin > server settings.)
Line 4 = the line number of code in the file listed in Line 3 which caused the error

The magnifying glasses allow you to filter all other errors and only show errors which match the filter you have selected.
Many thanks for the response. I will turn EVAL off. Regards, Ron
