
SpamBot or what

Started by Ron G4GWC, March 12, 2013, 08:59:11 AM


Ron G4GWC

Hi, my SMF is under attack. The forum has only been in use for about a month but has been under constant attack by bots for about 10 days.
I am concerned: the attacks use up to 29 I.P.s, up to seven at a time. They call every file in the SMF directory and lots of PHPSESSID=XXXXXX
Any ideas how to stop this attack? What is going on, why is it so relentless? About 3 tries per minute currently.


Deaks

phpsessid is default SMF, this could simply be bots indexing your site. If you go to your who is online list and click on one of the IPs, in most cases a search site is highlighted; click that, if not click any (may have to go through them 1 by 1), and that will tell you if it's a bot or not, but this sounds like normal behaviour for them.  Not all bots are bad and so far nothing worries me (but I'm not an expert on bots)
~~~~
Former SMF Project Manager
Former SMF Customizer

"For as lang as hunner o us is in life, in nae wey
will we thole the Soothron tae owergang us. In truth it isna for glory, or wealth, or
honours that we fecht, but for freedom alane, that nae honest cheil gies up but wi life
itsel."

Ron G4GWC

Hi, thanks for the response. Is it normal for them to persist for 10 days or more? I get little info from I.P. lookup, no site URLs. I closed down the directory for 2 days; they are still there trying. They are 99.9% of the traffic to my forum. Before I tightened up registration they posted 3000+
Medics ad posts on the site, Mad

Deaks

Ah you never mentioned they were posting :P this is not normal then

A few questions then (sorry but need to set a baseline of what you have or don't have)

Do you have any registration option enabled such as security questions, captcha etc?
Do you have your forum as automatic registration and not activated by email or admin?
Have you looked at any of these mods?
http://custom.simplemachines.org/mods/index.php?action=search;type=13;approved=1

Ron G4GWC

Thanks again, I have included Captcha and activation by admin or email registration.
This has stopped the spurious registrations and posts after about 2 days, but has not stopped the attacks.
I am worried about the impact on the server and database of these relentless attempts. Is there a security risk from injecting session info in the forum URL?
Regards

MrPhil

So they're not able to register, but they're still pounding on your server, apparently trying to find some security hole to exploit (or just a plain DDoS attack)? If you can see a reasonably small set of IP addresses being used, you can deny (block) them in your /.htaccess file. That will relieve some of the load on your server. You might also want to alert your host so they can do some blocking further upstream. With luck, when these script kiddies find they can't do anything to you, they'll wander off to mess with someone else and leave you alone. Then you/your host might be able to open up those IP addresses again (especially if you had to block off huge chunks of the Internet).

If it's an unwieldy number of IP addresses to try blocking (even by range), consult with your host. With hosting comes the responsibility to try to protect your systems from mass DoS attacks.

Deaks

Captcha isn't the best; try looking at using the questions and keep them specific to the topic of your site (captcha is easily broken). Unfortunately I'm not an expert at this and never faced this issue myself. I will try and pester someone who knows more on this to help you further.

NanoSector

I believe there's also settings in cPanel which may help you with DDOS attacks and similar.
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

Ron G4GWC

Thank you all,
Can't understand a DOS attack on a small club forum, trouble is I'm not on an Apache  Server, will have to do more
research and boning up,  Not as easy as it used to be, (getting old). Only once mentioned the forum URL on Yahoo Groups
think that may have started it.  thanks again.
Ron

waris

Reinforce your forum with Bad Behaviour MOD and Forum Firewall.

http://custom.simplemachines.org/mods/index.php?action=search;type=19

So far I have had 100% success with the above combination.

Others may have a different opinion.

Kindred

neither BB nor ForumFirewall will protect from a DOS attack
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Ron G4GWC

On the error log the requests and responses are listed with the first 3 lines with a magnifying glass icon.
Can anyone specify exactly what each one means?
Also, what do the lines below these 3 mean,
especially the last line that starts with
File: then a long path
Regards

kat

Can you give us more detail about those messages? Copy/paste, perhaps?

Ron G4GWC

Yes, I will do that, but at this time I just need to know what they are and where they come from on a line by line basis. The SMF produces these elements from requests etc., especially on the ban log:
lines produced by banned I.P.s, lines produced by unsuccessful attempts to login etc.
Best Regards

kat

Without actually seeing them, we can't even guess, really.

Ron G4GWC

ok I will send some examples as soon as I can.
My SMF is disabling the copy facility on the presented error logs. I will sort that and get back.

Regards

Kindred

to answer your first question:


http://www.yoursite.com//index.php?action=affiliates;sa=editLink;affid=1
8: Undefined variable: txt
File: /home/sitename/www/Sources/Affiliates.php
Line: 376


Line 1 = the action which triggered the error
Line 2 = the type of error (undefined are usually the most common, with mods)
Line 3 = The file which triggered the error.
              (note: If there is an (eval?) listed anywhere in the error, then this file is NOT the actual problem. You will need to turn OFF Eval in the smf admin > server settings)
Line 4 = The line number of code in the file listed in Line 3 which caused the error

the magnifying glasses allow you to filter all other errors and only show errors which match the filter you have selected.

Ron G4GWC

Guest
66.249.76.172   
    Today at 03:56:31 AM
d9046810a829f70453a1edd5b8163f1a
Type of error: Undefined
http://g4bp.co.uk/smf2/index.php?topic=925.new
8: Undefined index: login_with_forum
File: /content/sites/g/4/g4bp.co.uk/web/smf2/Themes/default/Login.template.php (kick_guest sub template - eval?)
Line: 103

Hi, the above is part of an error log resulting from an attempt to login or damage my site or forum service.
Could you explain what this enquiry is trying to do?
I get a great deal of these invasive "attacks" from what seems to be an unlimited I.P. list

Regards  Ron

Ron G4GWC

Just to add a few of the problems these attacks seem to be causing
1 Error bar along top of page with link "theme address wrong click here to correct"
2 Little changes in my theme, colour changes on menu items
3 Horizontal menus changed to vertical on main menu and admin menu.

Are these attacks corrupting my CSS?

Ron G4GWC

Quote from: Kindred on March 14, 2013, 08:55:37 AM
to answer your first question:


http://www.yoursite.com//index.php?action=affiliates;sa=editLink;affid=1
8: Undefined variable: txt
File: /home/sitename/www/Sources/Affiliates.php
Line: 376


Line 1 = the action which triggered the error
Line 2 = the type of error (undefined are usually the most common, with mods)
Line 3 = The file which triggered the error.
              (note: If there is an (eval?) listed anywhere in the error, then this file is NOT the actual problem. You will need to turn OFF Eval in the smf admin > server settings)
Line 4 = The line number of code in the file listed in Line 3 which caused the error

the magnifying glasses allow you to filter all other errors and only show errors which match the filter you have selected.
Many thanks for the response I will turn EVAL off regards Ron

MrPhil

It's necessary to turn off EVAL only if you get "Eval" or "Eval (?)" in the message. Otherwise you pay a performance penalty and might forget to reenable EVAL.

Kindred

1- the people hitting your site have no effect on the directories. If you have an error indicating an incorrect directory, then you have configured something incorrectly yourself.
2- if your theme is installed incorrectly, you may get strange effects. correct the directories (see #1)
3- See #2 and #1

in other words... your display problems have nothing to do with people hitting your site.

Also, your error would appear to be related to a mod
it is not related to any "attack"...  as a matter of fact, I would bet that the errors you are seeing are from a) users trying to log in or b) search engine spiders.
You have your forum set to be visible to members only... which means that ***ANYONE*** who tries to visit your site will hit the login screen.
Since your errors are caused in the login functions, this explains why you have so many errors showing up...
If you posted your link ANYWHERE in the public domain, it means that search engines AND users may be trying to get to your site, but can not...   because you have your site locked down and guests can not view it.

In other words, everything is based on your configuration and no one is attacking your site.


So, I will ask what you should have provided back at the beginning.

SMF Version?
Mods installed?
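
Kindred's line-by-line reading of an error log entry can be applied to a whole pasted log to check whether many different IPs are simply tripping the same notice in the same file. The following Python is an added example, not part of the original thread or of SMF; the sample entries, IP addresses (documentation ranges), host and paths are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed entries in the layout described above (URL, "level: message",
# File:, Line:). IPs are documentation ranges; hosts and paths are made up.
SAMPLE = """\
Guest
192.0.2.10
http://forum.example/index.php?topic=925.new
8: Undefined index: login_with_forum
File: /srv/forum/Themes/default/Login.template.php (kick_guest sub template - eval?)
Line: 103

Guest
198.51.100.7
http://forum.example/index.php?board=3.0
8: Undefined index: login_with_forum
File: /srv/forum/Themes/default/Login.template.php (kick_guest sub template - eval?)
Line: 103

Guest
203.0.113.5
http://forum.example/index.php?action=affiliates;sa=editLink;affid=1
8: Undefined variable: txt
File: /srv/forum/Sources/Affiliates.php
Line: 376
"""

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
ERR_RE = re.compile(r"^(\d+): (.+)$")  # e.g. "8: Undefined index: ..." (8 is PHP's E_NOTICE)

def parse_entries(text):
    """Split a pasted error log into entries; unrecognised lines are ignored."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        e = {"ip": None, "url": None, "message": None, "file": None, "line": None, "eval": False}
        for s in (raw.strip() for raw in block.splitlines()):
            if IP_RE.match(s):
                e["ip"] = s
            elif s.startswith(("http://", "https://")):
                e["url"] = s
            elif s.startswith("File:"):
                path = s[5:].strip()
                e["eval"] = "eval?" in path  # reported file is not the real source
                e["file"] = path.split(" (")[0]
            elif s.startswith("Line:"):
                e["line"] = int(s[5:].strip())
            elif (m := ERR_RE.match(s)):
                e["message"] = m.group(2)
        if e["message"] and e["file"]:
            entries.append(e)
    return entries

def summarise(entries):
    """Group by (message, file, line); count hits and distinct client IPs."""
    groups = defaultdict(lambda: {"count": 0, "ips": set(), "eval": False})
    for e in entries:
        g = groups[(e["message"], e["file"], e["line"])]
        g["count"] += 1
        g["ips"].add(e["ip"])
        g["eval"] = g["eval"] or e["eval"]
    return dict(groups)

if __name__ == "__main__":
    for (msg, path, line), g in summarise(parse_entries(SAMPLE)).items():
        print(f"{g['count']}x from {len(g['ips'])} IPs: {msg} @ {path}:{line} eval={g['eval']}")
```

A single group reached from many unrelated IPs at the same template line points to a code path every guest hits, which matches the login-screen explanation given above; the `eval` flag marks groups where the listed file is not the real source.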

Ron G4GWC

Sure, you're correct.
My attempts to correct matters have now locked out access to the forum altogether.
Visiting the SMF directory gives: " Unable to load Theme/default/Index.template.php "
I have created this problem by trying to correct CSS problems but just working as administrator.
How do I reset Themes to a default to get back in? I have not changed anything via FTP so far,
all the damage has been done via the admin account.
Hope you can advise

Regards

Ron

Quote from: Kindred on March 15, 2013, 09:26:39 AM
1- the people hitting your site have no effect on the directories. If you have an error indicating an incorrect directory, then you have configured something incorrectly yourself.
2- if your theme is installed incorrectly, you may get strange effects. correct the directories (see #1)
3- See #2 and #1

in other words... your display problems have nothing to do with people hitting your site.

Also, your error would appear to be related to a mod
it is not related to any "attack"...  as a matter of fact, I would bet that the errors you are seeing are from a) users trying to log in or b) search engine spiders.
You have your forum set to be visible to members only... which means that ***ANYONE*** who tries to visit your site will hit the login screen.
Since your errors are caused in the login functions, this explains why you have so many errors showing up...
If you posted your link ANYWHERE in the public domain, it means that search engines AND users may be trying to get to your site, but can not...   because you have your site locked down and guests can not view it.

In other words, everything is based on your configuration and no one is attacking your site.


So, I will ask what you should have provided back at the beginning.

SMF Version?
Mods installed?
Quote from: g4gwc on March 12, 2013, 09:21:48 AM
Hi, thanks for the response. Is it normal for them to persist for 10 days or more? I get little info from I.P. lookup, no site URLs. I closed down the directory for 2 days; they are still there trying. They are 99.9% of the traffic to my forum. Before I tightened up registration they posted 3000+
Medics ad posts on the site, Mad

Ron G4GWC

So far no mods installed, using latest version updated a few days ago.
Regards

Kindred

ok...   a few things.
1- "latest" is never a version... :P    Always give the version number.

2- download and run repair_settings.php that should fix your default theme paths.

3- I do not quite believe that this is a base install with no mods.   SMF runs without any errors with the basic installation. The fact that you have an undefined error indicates that something was changed from the base installation, either manually or by mod.

Ron G4GWC

Thanks again. Sure, I have caused the problem myself, part of the learning process, and working to block suspect attacks.
I was working with site CSS problems, not formatting the menu items horizontal as should be.
May well have hit a few wrong changes. Thanks for the responses, I will follow your advice.

Regards

Ron G4GWC

Thanks again, I have downloaded the tool and run it.
I can now get the forum up but without login boxes and no option menus.
It shows Admin as current user, it fails to show options but the topics look intact.
" Unable to load Themes/default/errors.template.php"

Previously it responded with similar but "index.template.php "
I did not see errors template path/address noted in repair_settings.php screen?

Regards
Ron

Ron G4GWC

Hi just to confirm, using 2.0.4
regards  Ron

Kindred

it sounds like you are missing files

Ron G4GWC

Is there a way to reinstall just files without losing the d/b content?
regards
Ron

Kindred

yes. files are separate from the database

take the large upgrade archive
upload the contents, with the exception of the upgrade.php and .sql files
your forum is now reset to default files.

Ron G4GWC

OK will do that, but I have just checked and both the reported files are on the server,
will download the archive. regards 
Regards
Ron

Kindred

if all the files are present, then your directories are wrong....   plain and simple.

either the files are missing or the directories are wrong and the system can't find the files.

Ron G4GWC

OK I am replacing files and directory structure, but all looks fine and the forum has been active for 3 weeks
I will try anything
Best Regards

Ron

Ron G4GWC

Copied all files, replaced originals. The symptoms are exactly the same, must be information in the Dbase that is stopping correct
operation,
Any further Ideas
Regards
Ron

Ron G4GWC

Quote from: g4gwc on March 15, 2013, 04:15:34 PM
Copied all files, replaced originals. The symptoms are exactly the same, must be information in the Dbase that is stopping correct
operation,
Any further Ideas
Regards
Ron

Wonder what my next step can be, looks like may have to start again.
Regards    Ron

Kindred

well...   at this point, I have reached the end of what I can do for you second hand....    something is obviously very wrongly configured on your site.

Ron G4GWC

My plan is to reinstall SMF then restore my last backup of the MySQL before failure occurred. I will lose some members and topics I am sure,
but I have tried everything, as this topic's replies cover. I'm convinced the DOS / Spam attacks caused corruption on the default CSS.
I tried to remedy this by changing themes, that's when everything went ape******??
I have installed other forums before but they have never been targeted like the SMF. I wonder if the Community
has a lot of Hackers getting feedback from the inputs to the forum.
Regards
Ron

MrPhil

I can't imagine how a (D)DoS attack or spam could damage your files or database, unless your hosting service is monumentally incompetent (or it's an inside job). More likely you messed up something trying to stem the attacks. Why don't you first try replacing all the files (except Settings.php, Settings_bak.php, and user attachments). If that doesn't work, then you can go to a database backup restore (wiping out recent activity). If you do that, take a backup (via phpMyAdmin) of your current database, so you still have that available.

Before you do anything else, have you emptied out both the SMF cache and your browser cache? The SMF cache has a button in Admin to clear it, or you can go to the "cache" directory and erase all files except .htaccess and index.php.

Bring your host on board for dealing with (D)DoS attacks, and at least try to block those IP addresses in your .htaccess (if on an Apache server). Spam attacks you'll have to handle yourself, via SMF's anti-bot-registration features and mods (CAPTCHA, Questions, BB/honeypot, etc.).

Kindred

Mr Phil,

Thank you... I've told him that several times (that "attackers" are not responsible for any CSS or file trouble)
He had tried replacing the files alone...

also, I am fairly certain that there was no DOS attack.
His ASSUMPTION of an attack was due to a filling error log...
He claims that he had no mods, which I don't believe, since SMF, base install runs without any errors.

However, at this point, he is right...  a full backup restore is probably the only way he's going to fix things.
