Author Topic: Huge amount of activity from China  (Read 2616 times)

Offline bosswhite

  • Jr. Member
  • **
  • Posts: 215
  • Gender: Male
Huge amount of activity from China
« on: November 18, 2019, 08:38:49 AM »
First I apologise if this post is made in the wrong area. Please feel free to move it if that is the case.

My site has been up and running successfully for 14 years. Over the last two weeks I have been getting in excess of 300 guests at any time, all with IP addresses from China.
Because I noticed that a lot of these were showing activity as Unknown Action I banned their IP ranges for suspicious activity so that I could also record the number of hits (over 30,000 and growing).
Each time I ban an IP range a new IP address gets used, always from China.

It seems strange that I should be targeted in this way as my site is a forum for users of a specific software that is not sold or used in China to the extent that would generate that much interest.

Should I be worrying, should I remove the bans, is there anything I can do.
I have Stop Forum Spam mod enabled and it seems to do a good job. New registrations have to be approved before they become active.
Currently on 2.0.11 with several mods (but none installed recently).
I've been down so long now it's beginning to look like up..

Offline a10

  • Charter Member
  • Sr. Member
  • *
  • Posts: 931
Re: Huge amount of activity from China
« Reply #1 on: November 18, 2019, 10:10:27 AM »
Had this last week for a few days, totally crazy amount of IPs and pageviews.

Not a fan of extensive .htaccess / ban lists (too easy to end up blocking legitimate IPs), but something needed to be done. Used the China part of this list https://www.wizcrafts.net/chinese-blocklist_2_4.html

Worked perfectly & instant peace, kept the blocking active for a few days, until the 'attack' apparently stopped.

Edit: and today's check, the rats are back  >:(
In FTP, .htaccessnorm and .htaccesschina, fast swap in FTP by renaming to .htaccess as needed.
And yes, it's the "unknown action" gang.
« Last Edit: November 18, 2019, 10:52:43 AM by a10 »
2.0.17, ssl, php 7.3.13, 10.3.21-MariaDB
Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,980
    • StoryBB/StoryBB on GitHub
Re: Huge amount of activity from China
« Reply #2 on: November 18, 2019, 11:04:14 AM »
I’d be intrigued to know what action they’re trying to hit as it is clearly action=something they’re trying to hit.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 58,767
  • Gender: Male
    • Kindred-999 on GitHub
Re: Huge amount of activity from China
« Reply #3 on: November 18, 2019, 12:33:21 PM »
add my tweak which displays the action that is being attempted.... :D
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline Antechinus

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 24,864
  • Master of BBC Abuse
Re: Huge amount of activity from China
« Reply #4 on: November 18, 2019, 12:35:47 PM »
Quote
Because I noticed that a lot of these were showing activity as Unknown Action I banned their IP ranges for suspicious activity...

That's not necessarily suspicious. Legitimate members can give that message too, depending on what they are doing. Portal pages are an obvious example, since those are often not listed internally as a known action.

At a guess I'd say the Chinese IPs are Baidu or one of the other Chinese spiders. They tend to go nuts every so often, and will absolutely hammer a site with no regard for decorum. Mass banning the sods is the way to go if they are causing trouble.

Quote
Currently on 2.0.11 with several mods (but none installed recently).

I have to say it's a bit odd for you to be worrying about security if you can't even be bothered installing the last four security patches. The team don't make them just for fun, y'know.

Offline bosswhite

  • Jr. Member
  • **
  • Posts: 215
  • Gender: Male
Re: Huge amount of activity from China
« Reply #5 on: November 18, 2019, 12:48:11 PM »
Quote
Currently on 2.0.11 with several mods (but none installed recently).

I have to say it's a bit odd for you to be worrying about security if you can't even be bothered installing the last four security patches. The team don't make them just for fun, y'know.

I accept what you say without reservation and appreciate all that the team do.
Unfortunately, to best accommodate my users I have installed several mods and certain upgrades can make me lose functions.

Offline Illori

  • Project Manager
  • SMF Legend
  • *
  • Posts: 51,983
Re: Huge amount of activity from China
« Reply #6 on: November 18, 2019, 12:56:53 PM »
No features are removed in the upgrades we create. If you have something not functioning correctly you should make a post about it so we can assist you. You are at risk of being hacked if you don't upgrade to 2.0.15, as well as missing support for current PHP versions; your forum can break and stop functioning fully if you don't upgrade.

Offline bosswhite

  • Jr. Member
  • **
  • Posts: 215
  • Gender: Male
Re: Huge amount of activity from China
« Reply #7 on: November 18, 2019, 01:07:00 PM »
Quote
no features are removed in the upgrades we create.

From your downloads page:
Upgrading from an earlier branch (SMF 2.0.14 or below)? No problem, this is what you need. This archive will upgrade/reset your forum to a clean install of the latest version and will remove all modifications.

Offline Antechinus

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 24,864
  • Master of BBC Abuse
Re: Huge amount of activity from China
« Reply #8 on: November 18, 2019, 01:10:21 PM »
Quote
From your downloads page:
Upgrading from an earlier branch (SMF 2.0.14 or below)? No problem, this is what you need. This archive will upgrade/reset your forum to a clean install of the latest version and will remove all modifications.

That's for a large upgrade pack, which is only needed if you want to jump several versions in one go. You don't need that. You can just use the patches that are linked from the home page of your admin centre. It's usually only a couple of clicks per patch, just like installing a mod.

So you'd start by installing the 2.0.12 patch, then 2.0.13, etc, until you are up to date.

Offline bosswhite

  • Jr. Member
  • **
  • Posts: 215
  • Gender: Male
Re: Huge amount of activity from China
« Reply #9 on: November 18, 2019, 02:34:15 PM »
Quote
So you'd start by installing the 2.0.12 patch, then 2.0.13, etc, until you are up to date.

Just tried first patch. Works fine as long as any text string being searched for has not been changed by the implementation of a mod.
If it has it fails because it cannot find that exact text string. Probably why I haven't updated for so long.

Offline a10

  • Charter Member
  • Sr. Member
  • *
  • Posts: 931
Re: Huge amount of activity from China
« Reply #10 on: November 18, 2019, 02:48:01 PM »
Quote
At a guess I'd say the Chinese IPs are Baidu or one of the other Chinese spiders. They tend to go nuts every so often, and will absolutely hammer a site with no regard for decorum. Mass banning the sods is the way to go if they are causing trouble.

Started with nearly all unknown, then over some time drifted over to 'reading' posts and very few unknown, so yes, looks like some (mini-DDoS) spider that was adjusting its aims. 99.9% Chinanet and China Unicom; the number of different IPs used is mind-staggering, made me think of some state organisation behind it.

Anyway, they are not putting the site offline or causing other trouble, but I am hating such invasions from foreign elements, so I am using the above-mentioned China list. Does a great job, cannot sense any slowdown.

Offline Antechinus

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 24,864
  • Master of BBC Abuse
Re: Huge amount of activity from China
« Reply #11 on: November 18, 2019, 03:21:45 PM »
Quote
So you'd start by installing the 2.0.12 patch, then 2.0.13, etc, until you are up to date.

Just tried first patch. Works fine as long as any text string being searched for has not been changed by the implementation of a mod.
If it has it fails because it cannot find that exact text string. Probably why I haven't updated for so long.

We have these things called "support boards". They're good places to ask about glitches like that.

Offline njtweb

  • Sophist Member
  • *****
  • Posts: 1,000
Re: Huge amount of activity from China
« Reply #12 on: November 18, 2019, 09:16:08 PM »
Is it possible they're targeting SMF installations? I've got 400 of the same on my site right now. All China. 159.138.xxx.xxx

Offline Antechinus

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 24,864
  • Master of BBC Abuse
Re: Huge amount of activity from China
« Reply #13 on: November 18, 2019, 09:59:21 PM »
A lot of phpBB forums have been hit recently. It's likely the Chinese spiders have just decided to do the rounds again.

Offline njtweb

  • Sophist Member
  • *****
  • Posts: 1,000
Re: Huge amount of activity from China
« Reply #14 on: November 19, 2019, 06:34:41 AM »
Quote
A lot of phpBB forums have been hit recently. It's likely the Chinese spiders have just decided to do the rounds again.

So, if these are Baidu, would that be equivalent to China's version of Google's spiders? I honestly don't know. If it is them, what can it do? Would it be a detriment, can it cause a negative impact on your (my) site? I have 150 this morning, all in the 159.138 range today.

Offline Rock Lee

  • Native Language Support Specialist
  • SMF Hero
  • *
  • Posts: 3,136
  • Gender: Male
  • I also speak english :D
    • BomberCode.Oficial on Facebook
    • RockLee-BC on GitHub
    • @Bomber_Code on Twitter
    • Bomber Code ~ La nueva era del conocimiento
Re: Huge amount of activity from China
« Reply #15 on: November 19, 2019, 08:54:37 AM »
I always analyze the IP to see where it jumps to. For example, I also received this wave of visits, and as a result I had:

Code:
WHOIS Information for 159.138.153.110
==============

% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '159.138.144.0 - 159.138.159.255'

% Abuse contact for '159.138.144.0 - 159.138.159.255' is 'hws_security@huawei.com'

inetnum: 159.138.144.0 - 159.138.159.255
netname: Huawei-HK-CLOUDS
descr: Huawei HongKong Clouds
country: HK
admin-c: HIPL7-AP
tech-c: HIPL7-AP
status: ALLOCATED NON-PORTABLE
mnt-by: MAINT-HIPL-SG
mnt-irt: IRT-HIPL-SG
last-modified: 2019-06-04T07:08:33Z
source: APNIC

irt: IRT-HIPL-SG
address: 15A Changi Business Park Central 1 Eightrium # 03-03/04, Singapore 486035
e-mail: hws_security@huawei.com
abuse-mailbox: hws_security@huawei.com
admin-c: HIPL4-AP
tech-c: HIPL4-AP
auth: # Filtered
remarks: hws_security@huawei.com
remarks: hws_security@huawei.com is invalid
mnt-by: MAINT-HIPL-SG
last-modified: 2019-11-09T09:59:52Z
source: APNIC

role: HUAWEI INTERNATIONAL PTE LTD administrator
address: 15A Changi Business Park Central 1 Eightrium #03-03/04, Singapore 486035
country: SG
phone: +8618476637035
e-mail: heting3@huawei.com
admin-c: HIPL7-AP
tech-c: HIPL7-AP
nic-hdl: HIPL7-AP
notify: heting3@huawei.com
mnt-by: MAINT-HIPL-SG
last-modified: 2018-08-25T08:20:25Z
source: APNIC

% Information related to '159.138.0.0/16AS136907'

route: 159.138.0.0/16
country: HK
descr: Huawei-HK-CLOUDS
origin: AS136907
mnt-by: MAINT-HIPL-SG
last-modified: 2017-11-17T02:15:11Z
source: APNIC

% This query was served by the APNIC Whois Service version 1.88.15-46 (WHOIS-US3)

https://viewdns.info/whois/?domain=159.138.153.110

It seems they are looking for forums of certain specific themes or I don't know what they are really looking for. Or they just prepare everything for the 3rd war *drinking mate while laughing*.


Regards!
Returning like a Phoenix! ~ Bomber Code © 2018
Help - Contributions - Tutorials - And much more!!!


Help me via PayPal
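As an added example (not code from this thread, from SMF or from any poster), the following Python script reads an APNIC whois answer like the one quoted above, turns the inetnum range into CIDR blocks, sorts a list of observed guest IPs by whether they fall inside that allocation, and emits Apache 2.4 `Require not ip` lines of the kind a10's .htaccess list uses. The whois excerpt repeats values from the post; the observed IPs other than 159.138.153.110 are constructed.

```python
"""Group observed guest IPs by the whois allocation they fall in, so a ban
covers the block actually seen rather than a wider range."""
import ipaddress
import re

# Constructed excerpt of the APNIC whois answer quoted in the thread.
WHOIS_TEXT = """\
inetnum: 159.138.144.0 - 159.138.159.255
netname: Huawei-HK-CLOUDS
country: HK
route: 159.138.0.0/16
origin: AS136907
"""

# Constructed sample of guest IPs as a forum's "who's online" list might show.
OBSERVED_IPS = ["159.138.153.110", "159.138.160.1", "203.0.113.7"]


def parse_whois(text):
    """Extract inetnum (as a list of CIDR networks), netname, route, origin, country."""
    info = {}
    m = re.search(r"^inetnum:\s*([\d.]+)\s*-\s*([\d.]+)", text, re.M)
    if m:
        start, end = (ipaddress.ip_address(x) for x in m.groups())
        # An inetnum range need not be a single CIDR; summarize covers all cases.
        info["inetnum"] = list(ipaddress.summarize_address_range(start, end))
    for key in ("netname", "route", "origin", "country"):
        m = re.search(rf"^{key}:\s*(\S+)", text, re.M)
        if m:
            info[key] = m.group(1)
    return info


def in_block(ip, networks):
    """True if ip lies in any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def group_by_block(ips, networks):
    """Split observed IPs into (inside allocation, outside allocation)."""
    inside = [ip for ip in ips if in_block(ip, networks)]
    outside = [ip for ip in ips if not in_block(ip, networks)]
    return inside, outside


def apache24_rules(networks):
    """Apache 2.4 deny lines for the block, one per CIDR, for an .htaccess file."""
    return ["Require not ip " + str(net) for net in networks]
```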

Offline njtweb

  • Sophist Member
  • *****
  • Posts: 1,000
Re: Huge amount of activity from China
« Reply #16 on: November 19, 2019, 09:26:41 AM »
Quote
WHOIS Information for 159.138.153.110
https://viewdns.info/whois/?domain=159.138.153.110


Exactly what I have. So.... same question. Do these spiders cause any kind of negative impact? I don't see any difference in site load or paging.

Offline Illori

  • Project Manager
  • SMF Legend
  • *
  • Posts: 51,983
Re: Huge amount of activity from China
« Reply #17 on: November 19, 2019, 09:35:37 AM »
If you don't see any difference in the time it takes to load a page, I would not worry.

Offline njtweb

  • Sophist Member
  • *****
  • Posts: 1,000
Re: Huge amount of activity from China
« Reply #18 on: November 19, 2019, 09:41:20 AM »
Quote
if you don't see any difference in time it takes to load a page, I would not worry.

Ok, thank you Illori.

Offline Antechinus

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 24,864
  • Master of BBC Abuse
Re: Huge amount of activity from China
« Reply #19 on: November 19, 2019, 03:07:32 PM »
The only problem you might get is that if they go overboard they can tie up connections to the server, and act like a mini DDOS. Not that they do this deliberately. It's more that they don't care. Their approach seems to be "We'll index the world when we feel like it, and stuff you".

So sometimes they can cause problems, but they're noticeable problems, and you can just break out .htaccess if that happens.