Curious error msg on banned user, mind taking a look at this?

Started by BigMike, March 12, 2015, 06:38:39 PM

BigMike

Hello SMF,

SMF 2.0.9

Decided I would clear out some old error logs when I found this rather interesting one:


http://board.marlincrawler.com/index.php?topic=34551.0+++++++++++++++++++++++++++Result:+this+IP+is+banned+-+changing+proxy+1+times;+using+proxy+119.6.144.73:81;+chosen+nickname+%22LattymatDar%22;+registered;+logged+in;+no+post+sending+forms+are+found;+probably,+registration+failed+%28activation+code+was+sent+/+there+are+additional+protection+used+on+forum+/+forum+SQL-error+/+...%29;+Result:+this+IP+is+banned+-+changing+proxy+1+times;+error:+%22an+error+has+occurred%21%22;+chosen+nickname+%22LattymatDar%22;+logged+in;+no+post+sending+forms+are+found;
Sorry LattymatDar, you are banned from using this forum!
SPAM
This ban is not set to expire.


I've been a forum operator for a bit over a decade and while I don't watch the error logs as often as I should I'd have to say this is a first. The person's IP is 202.171.253.74 and they are the #4 most activated ban trigger we have (5229 hits).

So I can see they are trying to use a proxy server but why then are they on the original ban IP address? Also, it appears they are leaving messages for themselves, such as they are trying different things and then adding comments to the URL so they can know what all they've tried.

Just wondering if there is anything that can be used here? Just being (rightfully) paranoid is all. Is this some sort of known bot or automated script format that hackers use to poke around for holes in websites?

Here it is broken down:
Quote
Result:+this+IP+is+banned+-+changing+proxy+1+times;
+using+proxy+119.6.144.73:81;
+chosen+nickname+%22LattymatDar%22;
+registered;
+logged+in;
+no+post+sending+forms+are+found;
+probably,+registration+failed+%28activation+code+was+sent+/+there+are+additional+protection+used+on+forum+/+forum+SQL-error+/+...%29;
+Result:+this+IP+is+banned+-+changing+proxy+1+times;
+error:+%22an+error+has+occurred%21%22;
+chosen+nickname+%22LattymatDar%22;
+logged+in;
+no+post+sending+forms+are+found;

Thanks
Mike
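
An added example, not part of the original posts: a Python sketch that URL-decodes a logged request like the one above and splits the appended status report into its steps, proxies and nicknames, so such requests can be flagged when reviewing the error log. The function name and the returned field names are assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# Request URL exactly as it appears in the error-log entry quoted in the post.
LOGGED_URL = (
    "http://board.marlincrawler.com/index.php?topic=34551.0"
    "+++++++++++++++++++++++++++Result:+this+IP+is+banned+-+changing+proxy+1+times;"
    "+using+proxy+119.6.144.73:81;+chosen+nickname+%22LattymatDar%22;+registered;"
    "+logged+in;+no+post+sending+forms+are+found;+probably,+registration+failed+"
    "%28activation+code+was+sent+/+there+are+additional+protection+used+on+forum+/"
    "+forum+SQL-error+/+...%29;+Result:+this+IP+is+banned+-+changing+proxy+1+times;"
    "+error:+%22an+error+has+occurred%21%22;+chosen+nickname+%22LattymatDar%22;"
    "+logged+in;+no+post+sending+forms+are+found;"
)

MARKER = re.compile(r"\bResult:")
PROXY = re.compile(r"using proxy ((?:\d{1,3}\.){3}\d{1,3}:\d{1,5})")
NICK = re.compile(r'chosen nickname "([^"]+)"')


def parse_bot_report(url):
    """Return None for an ordinary URL, else a summary of the appended report."""
    text = unquote_plus(url.partition("?")[2])  # '+' -> space, %22 -> '"', ...
    marker = MARKER.search(text)
    if marker is None:
        return None
    # The report is a ';'-separated list of steps; the URL ends with ';',
    # so empty fragments are dropped.
    steps = [s.strip() for s in text[marker.start():].split(";") if s.strip()]
    return {
        "target": text[:marker.start()].strip(),  # the query actually requested
        "attempts": sum(s.startswith("Result:") for s in steps),
        "proxies": sorted(set(PROXY.findall(text))),
        "nicknames": sorted(set(NICK.findall(text))),
        "steps": steps,
    }


if __name__ == "__main__":
    report = parse_bot_report(LOGGED_URL)
    print(report["target"], report["attempts"], report["proxies"], report["nicknames"])
    for step in report["steps"]:
        print("  -", step)
```
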

margarett

Yes, it has to be a bot. If you search Stop Forum Spam, the IP is heavily listed there.

IP ban --> htaccess ;)
It will not even reach SMF
If you're going to drive, don't drink. If you're going to drink... CALL ME!!!! :D

Quote: Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair

BigMike

Ha! I didn't even think about htaccess level. There are only 5 specific IPs that are throwing waaaaaaaay more ban triggers than the rest so this will be easy to do.

Marked as solved, just felt like posting in case any of the info can be used for future security/protection.

Have a nice day!
BigMike


EDIT: Annnnnnnnnd it's done :D :D

For reference, in .htaccess:

<Limit GET POST>
  order allow,deny
  allow from all
  # View top ban hits: http://<YOUR.SITE>/index.php?action=admin;area=ban;sa=browse;entity=ip;sort=hits
  # Add Spammers here, one line each:
  deny from 202.171.253.
</Limit>


By only listing the first three blocks and including an ending decimal you are banning the remaining effective range.

You can test this yourself by adding your own IP address and then try to load your website. Click here to get your IP, https://www.google.com/search?q=what+is+my+ip. When I add myself I get a "Forbidden ... You don't have permission to access / on this server." error on any forum link I try. (don't worry this won't block your FTP access in order to un-block yourself ;) )

One thing to note is to be careful you're not banning something useful such as a search engine bot (if you enjoy your site being indexed for others to find). I've only done some searching on this but a good site to start from is http://www.iplists.com.
