Author Topic: Huge amount of activity from China  (Read 2619 times)

Offline bosswhite

  • Jr. Member
  • **
  • Posts: 215
  • Gender: Male
Huge amount of activity from China
« on: November 18, 2019, 08:38:49 AM »
First I apologise if this post is made in the wrong area. Please feel free to move it if that is the case.

My site has been up and running successfully for 14 years. Over the last two weeks I have been getting in excess of 300 guests at any time, all with IP addresses from China.
Because I noticed that a lot of these were showing activity as Unknown Action I banned their IP ranges for suspicious activity so that I could also record the number of hits (over 30,000 and growing).
Each time I ban an IP range a new IP address gets used, always from China.

It seems strange that I should be targeted in this way as my site is a forum for users of a specific software that is not sold or used in China to the extent that would generate that much interest.

Should I be worrying, should I remove the bans, is there anything I can do.
I have Stop Forum Spam mod enabled and it seems to do a good job. New registrations have to be approved before they become active.
Currently on 2.0.11 with several mods (but none installed recently).
I've been down so long now it's beginning to look like up..

Offline a10

  • Charter Member
  • Sr. Member
  • *
  • Posts: 931
Re: Huge amount of activity from China
« Reply #1 on: November 18, 2019, 10:10:27 AM »
Had this last week for a few days, totally crazy amount of ip's and pageviews.

Not a fan of extensive htaccess \ ban lists (too easy to end up blocking legitimate IPs), but something needed to be done. Used the China part of this list https://www.wizcrafts.net/chinese-blocklist_2_4.html

Worked perfectly & instant peace, kept the blocking active for a few days, until the 'attack' apparently stopped.

Edit: and today's check, the rats are back  >:(
In ftp, .htaccessnorm and .htaccesschina, fast swap in ftp by renaming to .htaccess as needed.
And yes, it's the "unknown action" gang.
« Last Edit: November 18, 2019, 10:52:43 AM by a10 »
2.0.17, ssl, php 7.3.13, 10.3.21-MariaDB
Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,980
    • StoryBB/StoryBB on GitHub
Re: Huge amount of activity from China
« Reply #2 on: November 18, 2019, 11:04:14 AM »
I’d be intrigued to know what action they’re trying to hit as it is clearly action=something they’re trying to hit.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 58,767
  • Gender: Male
    • Kindred-999 on GitHub
Re: Huge amount of activity from China
« Reply #3 on: November 18, 2019, 12:33:21 PM »
add my tweak which displays the action that is being attempted.... :D
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline Antechinus

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 24,864
  • Master of BBC Abuse
Re: Huge amount of activity from China
« Reply #4 on: November 18, 2019, 12:35:47 PM »
Because I noticed that a lot of these were showing activity as Unknown Action I banned their IP ranges for suspicious activity...

That's not necessarily suspicious. Legitimate members can give that message too, depending on what they are doing. Portal pages are an obvious example, since those are often not listed internally as a known action.

At a guess I'd say the Chinese IP's are Baidu or one of the other Chinese spiders. They tend to go nuts every so often, and will absolutely hammer a site with no regard for decorum. Mass banning the sods is the way to go if they are causing trouble.

Quote
Currently on 2.0.11 with several mods (but none installed recently).

I have to say it's a bit odd for you to be worrying about security if you can't even be bothered installing the last four security patches. The team don't make them just for fun, y'know.

Offline bosswhite

  • Jr. Member
  • **
  • Posts: 215
  • Gender: Male
Re: Huge amount of activity from China
« Reply #5 on: November 18, 2019, 12:48:11 PM »
Quote
Currently on 2.0.11 with several mods (but none installed recently).

I have to say it's a bit odd for you to be worrying about security if you can't even be bothered installing the last four security patches. The team don't make them just for fun, y'know.

I accept what you say without reservation and appreciate all that the team do.
Unfortunately, to best accommodate my users I have installed several mods and certain upgrades can make me lose functions.
I've been down so long now it's beginning to look like up..

Offline Illori

  • Project Manager
  • SMF Legend
  • *
  • Posts: 51,983
Re: Huge amount of activity from China
« Reply #6 on: November 18, 2019, 12:56:53 PM »
no features are removed in the upgrades we create. if you have something not functioning correctly you should make a post about it so we can assist you. you are at risk of being hacked if you don't upgrade to 2.0.15 as well as missing support for current php versions, your forum can break and stop functioning fully if you don't upgrade.

Offline bosswhite

  • Jr. Member
  • **
  • Posts: 215
  • Gender: Male
Re: Huge amount of activity from China
« Reply #7 on: November 18, 2019, 01:07:00 PM »
no features are removed in the upgrades we create.

From your downloads page:
Upgrading from an earlier branch (SMF 2.0.14 or below)? No problem, this is what you need. This archive will upgrade/reset your forum to a clean install of the latest version and will remove all modifications.
I've been down so long now it's beginning to look like up..

Offline Antechinus

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 24,864
  • Master of BBC Abuse
Re: Huge amount of activity from China
« Reply #8 on: November 18, 2019, 01:10:21 PM »
From your downloads page:
Upgrading from an earlier branch (SMF 2.0.14 or below)? No problem, this is what you need. This archive will upgrade/reset your forum to a clean install of the latest version and will remove all modifications.

That's for a large upgrade pack, which is only needed if you want to jump several versions in one go. You don't need that. You can just use the patches that are linked from the home page of your admin centre. It's usually only a couple of clicks per patch, just like installing a mod.

So you'd start by installing the 2.0.12 patch, then 2.0.13, etc, until you are up to date.

Offline bosswhite

  • Jr. Member
  • **
  • Posts: 215
  • Gender: Male
Re: Huge amount of activity from China
« Reply #9 on: November 18, 2019, 02:34:15 PM »
So you'd start by installing the 2.0.12 patch, then 2.0.13, etc, until you are up to date.

Just tried first patch. Works fine as long as any text string being searched for has not been changed by the implementation of a mod.
If it has it fails because it cannot find that exact text string. Probably why I haven't updated for so long.
I've been down so long now it's beginning to look like up..

Offline a10

  • Charter Member
  • Sr. Member
  • *
  • Posts: 931
Re: Huge amount of activity from China
« Reply #10 on: November 18, 2019, 02:48:01 PM »
At a guess I'd say the Chinese IP's are Baidu or one of the other Chinese spiders. They tend to go nuts every so often, and will absolutely hammer a site with no regard for decorum. Mass banning the sods is the way to go if they are causing trouble.

Started with nearly all unknown, then over some time drifted over to 'reading' posts and very few unknown, so yes, looks like some (mini-ddos) spider that was adjusting its aims. 99,9% chinanet and china unicom, number of different IPs used mind staggering, made me think of some state organisation behind it.

Anyway, they are not putting the site offline or other trouble, but am hating such invasions from foreign elements, so using the above mentioned china list. Does a great job, cannot sense any slowdown.
2.0.17, ssl, php 7.3.13, 10.3.21-MariaDB
Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

Offline Antechinus

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 24,864
  • Master of BBC Abuse
Re: Huge amount of activity from China
« Reply #11 on: November 18, 2019, 03:21:45 PM »
So you'd start by installing the 2.0.12 patch, then 2.0.13, etc, until you are up to date.

Just tried first patch. Works fine as long as any text string being searched for has not been changed by the implementation of a mod.
If it has it fails because it cannot find that exact text string. Probably why I haven't updated for so long.

We have these things called "support boards". They're good places to ask about glitches like that.

Offline njtweb

  • Sophist Member
  • *****
  • Posts: 1,000
Re: Huge amount of activity from China
« Reply #12 on: November 18, 2019, 09:16:08 PM »
Is it possible they're targeting SMF installations? I've got 400 of the same on my site right now. All China. 159.138.xxx.xxx

Offline Antechinus

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 24,864
  • Master of BBC Abuse
Re: Huge amount of activity from China
« Reply #13 on: November 18, 2019, 09:59:21 PM »
A lot of phpBB forums have been hit recently. It's likely the Chinese spiders have just decided to do the rounds again.

Offline njtweb

  • Sophist Member
  • *****
  • Posts: 1,000
Re: Huge amount of activity from China
« Reply #14 on: November 19, 2019, 06:34:41 AM »
A lot of phpBB forums have been hit recently. It's likely the Chinese spiders have just decided to do the rounds again.

So, if these are Baidu, would that be equivalent to China's version of google's spiders? I honestly don't know. If it is them what can it do? Would it be a detriment, can it cause negative impact on your, (my) site? I have 150 this morning all in the 159.138 range today.

Offline Rock Lee

  • Native Language Support Specialist
  • SMF Hero
  • *
  • Posts: 3,136
  • Gender: Male
  • I also speak english :D
    • BomberCode.Oficial on Facebook
    • RockLee-BC on GitHub
    • @Bomber_Code on Twitter
    • Bomber Code ~ The new era of knowledge
Re: Huge amount of activity from China
« Reply #15 on: November 19, 2019, 08:54:37 AM »
I always analyze the IP to see that it jumps; for example, I also received this wave of visits and as a result I had:

Code: [Select]
WHOIS Information for 159.138.153.110
==============

% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '159.138.144.0 - 159.138.159.255'

% Abuse contact for '159.138.144.0 - 159.138.159.255' is 'hws_security@huawei.com'

inetnum: 159.138.144.0 - 159.138.159.255
netname: Huawei-HK-CLOUDS
descr: Huawei HongKong Clouds
country: HK
admin-c: HIPL7-AP
tech-c: HIPL7-AP
status: ALLOCATED NON-PORTABLE
mnt-by: MAINT-HIPL-SG
mnt-irt: IRT-HIPL-SG
last-modified: 2019-06-04T07:08:33Z
source: APNIC

irt: IRT-HIPL-SG
address: 15A Changi Business Park Central 1 Eightrium # 03-03/04, Singapore 486035
e-mail: hws_security@huawei.com
abuse-mailbox: hws_security@huawei.com
admin-c: HIPL4-AP
tech-c: HIPL4-AP
auth: # Filtered
remarks: hws_security@huawei.com
remarks: hws_security@huawei.com is invalid
mnt-by: MAINT-HIPL-SG
last-modified: 2019-11-09T09:59:52Z
source: APNIC

role: HUAWEI INTERNATIONAL PTE LTD administrator
address: 15A Changi Business Park Central 1 Eightrium #03-03/04, Singapore 486035
country: SG
phone: +8618476637035
e-mail: heting3@huawei.com
admin-c: HIPL7-AP
tech-c: HIPL7-AP
nic-hdl: HIPL7-AP
notify: heting3@huawei.com
mnt-by: MAINT-HIPL-SG
last-modified: 2018-08-25T08:20:25Z
source: APNIC

% Information related to '159.138.0.0/16AS136907'

route: 159.138.0.0/16
country: HK
descr: Huawei-HK-CLOUDS
origin: AS136907
mnt-by: MAINT-HIPL-SG
last-modified: 2017-11-17T02:15:11Z
source: APNIC

% This query was served by the APNIC Whois Service version 1.88.15-46 (WHOIS-US3)

https://viewdns.info/whois/?domain=159.138.153.110

It seems they are looking for forums of certain specific themes or I don't know what they are really looking for. Or they just prepare everything for the 3rd war *drinking mate while laughing*.


Regards!
Returning like a Phoenix! ~ Bomber Code © 2018
Help - Contributions - Tutorials - And much more!!!


Help me via PayPal

Offline njtweb

  • Sophist Member
  • *****
  • Posts: 1,000
Re: Huge amount of activity from China
« Reply #16 on: November 19, 2019, 09:26:41 AM »




Exactly what I have. So.... same question. Do these spiders cause any kind of negative impact? I don't see any difference in site load or paging.

Offline Illori

  • Project Manager
  • SMF Legend
  • *
  • Posts: 51,983
Re: Huge amount of activity from China
« Reply #17 on: November 19, 2019, 09:35:37 AM »
if you don't see any difference in time it takes to load a page, I would not worry.

Offline njtweb

  • Sophist Member
  • *****
  • Posts: 1,000
Re: Huge amount of activity from China
« Reply #18 on: November 19, 2019, 09:41:20 AM »
if you don't see any difference in time it takes to load a page, I would not worry.

Ok, thank you Illori.

Offline Antechinus

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 24,864
  • Master of BBC Abuse
Re: Huge amount of activity from China
« Reply #19 on: November 19, 2019, 03:07:32 PM »
The only problem you might get is that if they go overboard they can tie up connections to the server, and act like a mini DDOS. Not that they do this deliberately. It's more that they don't care. Their approach seems to be "We'll index the world when we feel like it, and stuff you".

So sometimes they can cause problems, but they're noticeable problems, and you can just break out .htaccess if that happens.

Offline SomeoneElse

  • Semi-Newbie
  • *
  • Posts: 22
Re: Huge amount of activity from China
« Reply #20 on: November 19, 2019, 03:23:12 PM »
If you have full server access, fail2ban is invaluable - this Chinese activity produces loads of Apache 403 errors and banning IP addresses based on this makes life much easier.
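The ban-on-403 approach described in the post above, modelled as an added example (this is not fail2ban's own code, and not code from any poster): an IP is flagged once it collects `max_retry` 403 responses inside a sliding `find_time` window, which mirrors fail2ban's `maxretry` and `findtime` settings. The log lines, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined"/"common" log prefix: client, ident, user, [time], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    # Burst of 403s from one client inside two minutes: should be flagged.
    '198.51.100.7 - - [19/Nov/2019:15:00:01 +0000] "GET /forum/index.php?topic=1.0 HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.7 - - [19/Nov/2019:15:00:40 +0000] "GET /forum/index.php?topic=2.0 HTTP/1.1" 403 199 "-" "-"',
    # Normal visitor, 200 responses only: ignored.
    '203.0.113.20 - - [19/Nov/2019:15:01:00 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [19/Nov/2019:15:01:30 +0000] "GET /forum/index.php?topic=3.0 HTTP/1.1" 403 199 "-" "-"',
    # Three 403s, but spread over 24 minutes: never three inside one window.
    '192.0.2.99 - - [19/Nov/2019:15:00:00 +0000] "GET /forum/a.png HTTP/1.1" 403 199 "-" "-"',
    '192.0.2.99 - - [19/Nov/2019:15:12:00 +0000] "GET /forum/b.png HTTP/1.1" 403 199 "-" "-"',
    '192.0.2.99 - - [19/Nov/2019:15:24:00 +0000] "GET /forum/c.png HTTP/1.1" 403 199 "-" "-"',
    # Unparseable line: skipped rather than crashing the scan.
    'garbage line without the expected fields',
]


def find_offenders(lines, max_retry=3, find_time=timedelta(minutes=10)):
    """Return {ip: time of the request that crossed the threshold}.

    Lines are assumed to be in chronological order per client, as they are
    in a single access log file.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent 403s
    flagged = {}
    for line in lines:
        match = LOG_RE.match(line)
        if not match or match.group("status") != "403":
            continue
        ip = match.group("ip")
        if ip in flagged:
            continue              # already over the threshold
        ts = datetime.strptime(match.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        window = recent[ip]
        window.append(ts)
        # Drop 403s that have aged out of the sliding window.
        while ts - window[0] > find_time:
            window.popleft()
        if len(window) >= max_retry:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} crossed the 403 threshold at {when.isoformat()}")
```

A tighter window or lower threshold catches slow crawlers sooner but also catches members who hit a run of hotlink-protected images, so the values are worth tuning against a day of real logs before banning on them.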

Offline a10

  • Charter Member
  • Sr. Member
  • *
  • Posts: 931
Re: Huge amount of activity from China
« Reply #21 on: November 21, 2019, 05:27:27 AM »
Just a remark, lifting the htaccess CN ban now and then to watch activity, in addition to 'normal' chinanet \ unicom, many small ip ranges from universities \ official offices etc regularly active in the vacuuming.
Make your own deductions.

example
inetnum:        222.192.180.0 - 222.192.183.255
descr:          SuZhou Health College of Technology
descr:          SuZhou, Jiangsu 215000, China
2.0.17, ssl, php 7.3.13, 10.3.21-MariaDB
Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

Offline delta5

  • Jr. Member
  • **
  • Posts: 300
    • @@kd8hmo on Twitter
    • FedUpWithLiberals.com
Re: Huge amount of activity from China
« Reply #22 on: November 21, 2019, 10:47:45 PM »
If you have a firewall package like Sucuri installed, just go to geoblocking and one checkmark for China and problem solved if you don't want any traffic from there.

Offline bosswhite

  • Jr. Member
  • **
  • Posts: 215
  • Gender: Male
Re: Huge amount of activity from China
« Reply #23 on: November 24, 2019, 07:35:44 AM »
With reference to my original post the traffic from China has reduced (although still in excess of 100 hits per day) but over the last couple of days there has been a lot of traffic from the UK.

What is strange about this is if I look at Who's Online they are all looking at the same post each day. It's always the same post. I've attached a small screenshot as an example.

When I do an IP Lookup on the addresses they all come back as Broadband Providers from various Providers.
EE High Speed Internet
Three
BT
Virgin Media
Sky Broadband, etc.

Any ideas what may be causing this? Any help/advice greatly appreciated.
I've been down so long now it's beginning to look like up..

Offline bosswhite

  • Jr. Member
  • **
  • Posts: 215
  • Gender: Male
Re: Huge amount of activity from China
« Reply #24 on: November 25, 2019, 08:26:55 AM »
What I am now seeing is a specific number of guests being shown as online but when I view Who's Online and select Guests Only it shows less than half of the number being reported.
It's as if some guests are viewing (or whatever) the site anonymously.

This is in addition to the issues previously mentioned in this topic which still remain.

I am seriously worried that my site is being compromised.
I've been down so long now it's beginning to look like up..

Offline njtweb

  • Sophist Member
  • *****
  • Posts: 1,000
Re: Huge amount of activity from China
« Reply #25 on: November 25, 2019, 03:38:19 PM »
What I am now seeing is a specific number of guests being shown as online but when I view Who's Online and select Guests Only it shows less than half of the number being reported.
It's as if some guests are viewing (or whatever) the site anonymously.

This is in addition to the issues previously mentioned in this topic which still remain.

I am seriously worried that my site is being compromised.

Have you noticed anything on your site change?

Offline bosswhite

  • Jr. Member
  • **
  • Posts: 215
  • Gender: Male
Re: Huge amount of activity from China
« Reply #26 on: November 26, 2019, 08:59:20 AM »
Have you noticed anything on your site change?

It's looking like the number shown for guests is including the number of spiders online, e.g.
Guests: 45
Spiders: 15

When you look at Who's Online/Spiders Only you will see the correct amount (15) displayed
When you look at Who's Online/Guests Only you will only see 30 displayed

So the spiders are being counted twice (as Guests and Spiders).
I've been down so long now it's beginning to look like up..

Online chrishicks

  • Full Member
  • ***
  • Posts: 515
  • Gender: Male
    • RejectsRestStop
Re: Huge amount of activity from China
« Reply #27 on: November 26, 2019, 09:33:48 PM »
With reference to my original post the traffic from China has reduced (although still in excess of 100 hits per day) but over the last couple of days there has been a lot of traffic from the UK.

What is strange about this is if I look at Who's Online they are all looking at the same post each day. It's always the same post. I've attached a small screenshot as an example.

When I do an IP Lookup on the addresses they all come back as Broadband Providers from various Providers.
EE High Speed Internet
Three
BT
Virgin Media
Sky Broadband, etc.

Any ideas what may be causing this? Any help/advice greatly appreciated.

I'm getting hit with this along with the mass hits from China. I have a single topic that has been viewed over 750 times (and counting) in 2 days and my Who's Online looks exactly like your screenshot. It's almost my entire list when it's not the ones from China. I ran the topic title through Google search and it's not in the first 20 pages of their results so I doubt the traffic is from them. I also did 17 pages worth on Bing and nothing. Obviously I can't check them all but I was curious so I picked the big two and went with it. It's just weird that this one random topic is being hit the way it is. Here is just one page of my online list:



In regards to the China hits, I'm seeing a minimum of 400 a day, every day. They seem to be indexing every topic on my forum and the hits last for about 2 hours nonstop. Sometimes it's a new page every other second while others there may be a 30-40 second gap between hits.

EDIT: the topic hits have gone up over 50 since I posted this. I'm actually wondering if I should move the topic just to see what happens.

« Last Edit: November 26, 2019, 09:54:48 PM by chrishicks »

Offline Antechinus

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 24,864
  • Master of BBC Abuse
Re: Huge amount of activity from China
« Reply #28 on: November 27, 2019, 06:55:24 AM »
That's normal behaviour for Chinese bots. They just go nuts. If they're causing problems with forum performance, wallop them with .htaccess. If they aren't, just ignore them until they bugger off again.

Offline bosswhite

  • Jr. Member
  • **
  • Posts: 215
  • Gender: Male
Re: Huge amount of activity from China
« Reply #29 on: November 29, 2019, 12:02:10 PM »
I am still suffering from huge amounts of traffic from China.

I have singled out a couple of IP ranges in particular that are causing problems and would like to add these to my .htaccess file and see if it helps.

The IP ranges are:
111.225.*.*
110.249.*.*

I am unsure how/where to add them to my existing file which was done for me by a colleague. The existing file is as follows:
Code: [Select]
RewriteEngine On
#
RewriteCond %{QUERY_STRING} ^id=([0-9]+).*$
RewriteRule ^viewtopic.php$ /forum/index.php?topic=%1.0 [R=301,L]
#
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?xtracad.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
#
SetEnvIfNoCase User-Agent "^wget" bad_bot
<Limit GET POST>
   Order Allow,Deny
   Allow from all
   Deny from env=bad_bot
</Limit>
#
Options -Indexes

I'm not sure what each of the entries do so am reluctant to delete/change any of it myself.

If anyone could guide me as to how to enter these IP ranges I would be very grateful. Thank you in advance.
« Last Edit: November 29, 2019, 12:17:41 PM by bosswhite »
I've been down so long now it's beginning to look like up..

Offline a10

  • Charter Member
  • Sr. Member
  • *
  • Posts: 931
Re: Huge amount of activity from China
« Reply #30 on: November 29, 2019, 12:34:23 PM »
^^^ Am still using the CN list mentioned in earlier post, very peaceful here.
Simply added after my normal .htaccess content (some lines forcing www\https).
You could add it after your .htaccess stuff and test how it works.
2.0.17, ssl, php 7.3.13, 10.3.21-MariaDB
Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

Offline Shambles

  • SMF Hero
  • ******
  • Posts: 5,293
  • Gender: Male
    • i30 Owners Club
Re: Huge amount of activity from China
« Reply #31 on: November 29, 2019, 12:51:10 PM »
Code: [Select]
deny from 111.225.0.0/16
deny from 110.249.0.0/16

Offline aegersz

  • SMF Hero
  • ******
  • Posts: 1,543
  • Gender: Male
  • the "mods and tweaks" junkie
    • dopetalk
Re: Huge amount of activity from China
« Reply #32 on: November 29, 2019, 01:20:00 PM »
yes, over the past week (I don't think mine were from China but) I had about 900 guests.

A different IP was accessing what looked like a different thread so I thought it was massive search engine web crawling.

The site didn't get overloaded and I forgot to check the IP.
The configuration of my Linux VPS (SMF 2.0 with 145 mods & some assorted manual tweaks) can be found here and notes on my mods can be found here (warning: those links will take you to a drug related forum). My (House) music DJ dedication page is here

Offline bosswhite

  • Jr. Member
  • **
  • Posts: 215
  • Gender: Male
Re: Huge amount of activity from China
« Reply #33 on: November 29, 2019, 02:22:19 PM »
I added a couple of lines to the end of my .htaccess file, example:
deny from 111.225.*.*

Now I can't access my site and get the following error message:
Fatal error: Uncaught Error: Call to undefined function mysql_connect() in /home/xtracad/Z6OW6C36/htdocs/forum/Sources/Subs-Db-mysql.php:58 Stack trace: #0 /home/xtracad/Z6OW6C36/htdocs/forum/Sources/Load.php(2650): smf_db_initiate('ftp3.dns-system...', 'xxxxxx', 'xxxxxx', 'xxxxxxxx', 'smf_', Array) #1 /home/xtracad/Z6OW6C36/htdocs/forum/SSI.php(77): loadDatabase() #2 /home/xtracad/Z6OW6C36/htdocs/index.php(58): require_once('/home/xtracad/Z...') #3 {main} thrown in /home/xtracad/Z6OW6C36/htdocs/forum/Sources/Subs-Db-mysql.php on line 58

I've replaced some text with xxxxx as it was showing my database name and password which was viewable by anyone accessing the site. As a temporary measure I've renamed the forum directory in the hope viewers won't get that error.

Could the problem have been caused by the way I specified the IP range with wildcards?

I don't know what to do now to regain access and make the site safe. Please help if you are able.
I've been down so long now it's beginning to look like up..

Offline Shambles

  • SMF Hero
  • ******
  • Posts: 5,293
  • Gender: Male
    • i30 Owners Club
Re: Huge amount of activity from China
« Reply #34 on: November 29, 2019, 02:36:20 PM »
Well if you cared to ignore my post, good luck.

Though the error you reported is a PHP versioning issue.

Offline bosswhite

  • Jr. Member
  • **
  • Posts: 215
  • Gender: Male
Re: Huge amount of activity from China
« Reply #35 on: November 29, 2019, 03:15:02 PM »
Well if you cared to ignore my post, good luck.

My apologies. I assumed that you were giving examples of what you had used when I noticed 0/16 as my range was intended to be 0/255 to cover the IP addresses being used against me.
As I explained I have no knowledge as to how or where to modify the .htaccess file to give the required results. The file has since been reverted to that shown in Reply #29 of mine.

Though the error you reported is a PHP versioning issue.

I don't understand how that could have happened. I was logged in to my site and everything was fine. I updated the .htaccess file through FileZilla whilst I was logged in. Could that have caused the issue?
I've been down so long now it's beginning to look like up..

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,980
    • StoryBB/StoryBB on GitHub
Re: Huge amount of activity from China
« Reply #36 on: November 29, 2019, 03:23:09 PM »
Quote
when I noticed 0/16 as my range was intended to be 0/255 to cover the IP addresses being used against me.

If only that's what it meant; it doesn't.

The 0/16 means 'start from 32, deduct the 16, and preserve the first 16 bits of the IP address'. Which in this case means 'keep the first 2 blocks of the IP address and ignore the last 2', as in *exactly what you wanted*.

Quote
Could that have caused the issue?

Doubtful. Ask your host if they upgraded you to PHP 7.0 or higher without telling you. And maybe upgrade to 2.0.15.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.
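The prefix-length arithmetic explained in the reply above, as an added example that is not part of any post: it turns the wildcard form `111.225.*.*` into the `/16` form used in the `deny from` lines, reduces the WHOIS `inetnum` ranges quoted in this thread to CIDR blocks, and finds the smallest single block covering a pair of observed addresses. The function names are hypothetical; only Python's standard `ipaddress` module is used.

```python
import ipaddress


def wildcard_to_cidr(pattern):
    """Convert a trailing-wildcard pattern such as '111.225.*.*' to a network.

    Each fixed leading octet contributes 8 bits to the prefix, so two fixed
    octets give /16. A wildcard followed by a fixed octet ('111.*.5.*') cannot
    be written as one CIDR block and is rejected.
    """
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {pattern!r}")
    fixed = []
    seen_wildcard = False
    for octet in octets:
        if octet == "*":
            seen_wildcard = True
        elif seen_wildcard:
            raise ValueError(f"wildcards must be trailing: {pattern!r}")
        else:
            fixed.append(octet)
    prefix_len = 8 * len(fixed)
    address = ".".join(fixed + ["0"] * (4 - len(fixed)))
    # ip_network() validates the octets and raises ValueError on e.g. '300'.
    return ipaddress.ip_network(f"{address}/{prefix_len}")


def range_to_cidrs(first, last):
    """Exact cover of an inclusive range (e.g. a WHOIS inetnum) by CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def covering_network(first, last):
    """Smallest single CIDR block containing both addresses.

    Useful for two observed addresses, but it over-blocks: everything else
    in the block is denied too, including legitimate visitors.
    """
    net = ipaddress.ip_network(f"{first}/32")
    last_ip = ipaddress.ip_address(last)
    while last_ip not in net:
        net = net.supernet()      # shorten the prefix by one bit
    return net


def deny_lines(networks):
    """Merge overlapping/adjacent blocks and format them for .htaccess."""
    return [f"deny from {net}" for net in ipaddress.collapse_addresses(networks)]


if __name__ == "__main__":
    # The two ranges the original poster wanted blocked.
    wanted = [wildcard_to_cidr("111.225.*.*"), wildcard_to_cidr("110.249.*.*")]
    print("\n".join(deny_lines(wanted)))

    # inetnum ranges quoted from WHOIS output in this thread.
    print(range_to_cidrs("159.138.144.0", "159.138.159.255"))
    print(range_to_cidrs("222.192.180.0", "222.192.183.255"))

    # Two observed addresses: one block covers both, at the cost of
    # denying every other address in that block.
    block = covering_network("114.119.128.107", "114.119.167.95")
    print(block, "covers", block.num_addresses, "addresses")
```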

Offline bosswhite

  • Jr. Member
  • **
  • Posts: 215
  • Gender: Male
Re: Huge amount of activity from China
« Reply #37 on: November 30, 2019, 05:53:43 AM »
The 0/16 means 'start from 32, deduct the 16, and preserve the first 16 bits of the IP address'. Which in this case means 'keep the first 2 blocks of the IP address and ignore the last 2', as in *exactly what you wanted*.

Thank you so much. A simple explanation goes a long way in helping to understand the terminology. My apologies again to Shambles for the misunderstanding. I have now implemented these terms into my .htaccess file. Fingers crossed.

Perhaps, if you have the time, you could advise me what the correct format would be to deny from a specific host name?

Doubtful. Ask your host if they upgraded you to PHP 7.0 or higher without telling you.

Thank you, that was the cause. They advised me to include some text at the start of my .htaccess file which switches the site back to PHP 5.6, as my site isn't compatible with the new version, and this appears to have solved the problem. Now up and running again.




I've been down so long now it's beginning to look like up..

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,980
    • StoryBB/StoryBB on GitHub
Re: Huge amount of activity from China
« Reply #38 on: November 30, 2019, 06:25:05 AM »
Maybe you should upgrade to SMF 2.0.15 already.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline njtweb

  • Sophist Member
  • *****
  • Posts: 1,000
Re: Huge amount of activity from China
« Reply #39 on: December 06, 2019, 12:19:16 PM »
Does anybody know if these hits could affect adsense? While it's not affecting the speed or functionality of my site, there has been a noticeable drop-off in adsense revenue. I'm still getting the same daily activity from legitimate traffic but this 159 and 158 IP traffic is non-stop.

Offline memiller

  • Semi-Newbie
  • *
  • Posts: 22
Re: Huge amount of activity from China
« Reply #40 on: December 06, 2019, 06:27:23 PM »
Anecdotally, we just got a significant burst of traffic from IPs in Huawei Clouds prefixes that seemed to be indexing our whole site.  We use Cloudflare, so I added a firewall rule there to captcha challenge everything from AS136907 just for giggles. We got 18K hits in less than 6 hours from hundreds of IPs in the 159.138.144.0/20 (Hong Kong) range.  That's a hullava indexing run, if that's what it is. Honestly, I don't mind SEO and spider runs to help keep us discoverable, but it would be nice if it didn't include getting mugged.  :)

Offline Antechinus

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 24,864
  • Master of BBC Abuse
Re: Huge amount of activity from China
« Reply #41 on: December 06, 2019, 06:31:35 PM »
That's normal Chinese bot behaviour. When they decide to index a site, they just throw stacks of bots at it and attempt to index everything as fast as they can. They don't care about the effects on your site. If they crash your server, they don't care. They're just after all your information, and will grab it if it's available.

Offline aegersz

  • SMF Hero
  • ******
  • Posts: 1,543
  • Gender: Male
  • the "mods and tweaks" junkie
    • dopetalk
Re: Huge amount of activity from China
« Reply #42 on: January 16, 2020, 11:38:38 AM »
I am also experiencing this for the IP range: 114.119.128.107 ~ 114.119.167.95.

IP lookup says:

Country:China
Region:Guangdong
City:Shenzhen

Why do they do this indexing and how does it help anybody ?
The configuration of my Linux VPS (SMF 2.0 with 145 mods & some assorted manual tweaks) can be found here and notes on my mods can be found here (warning: those links will take you to a drug related forum). My (House) music DJ dedication page is here

Offline drewactual

  • Sr. Member
  • ****
  • Posts: 715
    • College Football Fan Site CFB51
Re: Huge amount of activity from China
« Reply #43 on: January 16, 2020, 01:17:48 PM »
the best i can tell it's nothing more than the same type of indexing google, bing, yahoo, etc. perform... it's just a lot more aggressive and they could care less what you've 'limited' with robots.txt.... they'll hit your server's resources with all of their resources and drill until it's done- if your server crashes they'll be sitting there waiting until it recovers and it starts all over again.

this next bit is somewhat unrelated but something i discovered and shared in another thread that may help someone?

I run a dedicated server with centos and apache- and with an MPM Worker configuration and FPM over top of it.  the httpd.conf is NOT configured to dynamic (i can't recall the command it is set to) but it maintains x number of workers in reserve, and expands and withdraws the available pool depending on load.  I had mine set to 125 workers with a possible 225 iirc workers, the ability to spawn children, and a 5 second TTL window.... problem i had to find out about and while under stress from these chinese bots: a recent cPanel update reset the worker function to default- and default is slight... 10 workers i think it was, and unlimited TTL... so.. resources were clogged with real members 'getting in line' for actions..... the 'bug' is documented on the cPanel forums... once i discovered this and altered the settings to where they were, no more issues... on Monday night i had over 30k 'visitors' on the site and it had zero impact on function or load time. 

i share this for folks who may be running MPM Worker and are getting hit with this traffic, and who are experiencing pages that crawl... to simply look into it or to ask their hosts to do so...

Offline shawnb61

  • Developer
  • SMF Hero
  • *
  • Posts: 1,736
    • sbulen on GitHub
Re: Huge amount of activity from China
« Reply #44 on: January 21, 2020, 04:39:02 PM »
I am seeing this on my forum as well.  It's not just China, it's mainly Russia.  With some Denmark & Italy thrown in for good measure.

Buried amidst a bunch of basic topic crawling, there is some awfully suspicious looking activity in the web logs.

They're knocking on a lot of doors... 
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Online chrishicks

  • Full Member
  • ***
  • Posts: 515
  • Gender: Male
    • RejectsRestStop
Re: Huge amount of activity from China
« Reply #45 on: January 21, 2020, 10:36:54 PM »
I use Cloudflare and recently noticed their bot fight mode so I decided to give it a try against these bots and sadly it did nothing. I was still seeing these IPs hit my site 1000's of times a day. I ended up setting up a challenge/block to see if they would get through it on one of the IP ranges that was hitting my site and it stopped them cold.

https://i.imgur.com/gDMHPtz.png

I have noticed they are slowing down on trying to hit my site as this was what it looked like a few days ago:

https://i.imgur.com/SgNlbrC.png

Next up is the 114.119.xxx.xxx range.

Offline efk

  • Jr. Member
  • **
  • Posts: 193
  • Gender: Male
Re: Huge amount of activity from China
« Reply #46 on: January 22, 2020, 01:38:52 AM »
Yep 114.119.1
Also I noticed this one for some time, probably unrelated with IP above 159.138.1

Offline efk

  • Jr. Member
  • **
  • Posts: 193
  • Gender: Male
Re: Huge amount of activity from China
« Reply #47 on: January 26, 2020, 01:35:05 AM »
I found strange forum behavior related to changing security questions. What is interesting: a few times in the past, when there happened to be an increased number of visitors/spambots, the number decreased drastically once the security questions were changed. Maybe this is just a coincidence, but I'm wondering if someone noticed the same thing. It's not normal to see, for a few days, over 1000 visitors as the max number for a checked day, and after this change to be up to max 100 visitors online at a time in the next days.

Offline a10

  • Charter Member
  • Sr. Member
  • *
  • Posts: 931
Re: Huge amount of activity from China
« Reply #48 on: January 26, 2020, 09:52:42 AM »
The 1000's of daily cn ip's have disappeared, now just a few 159.138., so could remove the anti-cn .htaccess ftm.
None of the 1000000000000 :O) visits were about registering, just vacuuming posts.

Only registering attempts of any volume is some stupid botrat using tor, has been hammering my forum for months, never managed a single reg (questions), am seeing most of these > https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1
2.0.17, ssl, php 7.3.13, 10.3.21-MariaDB
Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

Offline shawnb61

  • Developer
  • SMF Hero
  • *
  • Posts: 1,736
    • sbulen on GitHub
Re: Huge amount of activity from China
« Reply #49 on: January 26, 2020, 10:04:20 AM »
None of the 1000000000000 :O) visits were about registering, just vacuuming posts.

Look again.  Buried in mine (the Russian ones) were what appear to be sql injection attempts.

This is not normal, benign, crawling.

Code:
GET /smf/index.php?topic=22187.40;wap21111111111111%27%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45),CHAR(45,120,49,53,45,81,45),CHAR(45,120,49,54,45,81,45)%20--%20/*%20order%20by%20%27as HTTP/1.1
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp
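A log check for the kind of request quoted in the post above, added here as an example and not code from the thread: it URL-decodes each request line (repeatedly, to catch double encoding), flags UNION SELECT probes per source IP, and decodes the CHAR() lists into the marker strings they spell. The log lines and IP addresses are constructed samples modelled on that request, and the function names are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines (Common Log Format); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jan/2020:09:58:01 +0000] "GET /smf/index.php?topic=22187.40 HTTP/1.1" 200 51234
203.0.113.7 - - [26/Jan/2020:09:58:02 +0000] "GET /smf/index.php?topic=22187.40;wap2%27%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45)%20--%20/*%20order%20by%20%27as HTTP/1.1" 200 4312
198.51.100.23 - - [26/Jan/2020:09:58:03 +0000] "GET /smf/index.php?board=3.0 HTTP/1.1" 200 20111
198.51.100.23 - - [26/Jan/2020:09:58:04 +0000] "GET /smf/index.php?topic=100.0;wap2%2527%2520union%2520select%2520CHAR(45,120,49,45,81,45) HTTP/1.1" 200 4312
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (.*?) HTTP/[\d.]+" (\d{3})')
# UNION [ALL] SELECT, allowing whitespace or inline comments between the keywords.
SQLI = re.compile(r"\bunion\b(?:\s|/\*.*?\*/)+(?:all\s+)?select\b", re.I)
CHAR_CALL = re.compile(r"char\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.I)

def fully_decode(target, max_rounds=3):
    """Percent-decode until stable so %2527-style double encoding is seen too."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def decode_char_markers(text):
    """Turn each CHAR(n,n,...) list into the ASCII string it spells."""
    markers = []
    for args in CHAR_CALL.findall(text):
        codes = [int(n) for n in args.split(",")]
        if all(c < 256 for c in codes):
            markers.append("".join(chr(c) for c in codes))
    return markers

def scan(log_text):
    """Return {source_ip: [finding, ...]} for request lines that look like SQLi probes."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        decoded = fully_decode(target)
        if SQLI.search(decoded):
            hits[ip].append({"status": int(status), "request": decoded,
                             "markers": decode_char_markers(decoded)})
    return dict(hits)

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG).items():
        print(ip, [(f["status"], f["markers"]) for f in findings])
```

A 200 status on a flagged line shows only that a page was served, not that the query was altered; the decoded markers (`-x1-Q-`, `-x2-Q-`, ...) are what to search for in response bodies if those are logged.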

Offline a10

  • Charter Member
  • Sr. Member
  • *
  • Posts: 931
Re: Huge amount of activity from China
« Reply #50 on: January 26, 2020, 03:55:36 PM »
None of the 1000000000000 :O) visits were about registering, just vacuuming posts.

Look again.  Buried in mine (the Russian ones) were what appear to be sql injection attempts.
Russians, but anyone seen any hack attempts from those CN bots?
Seemed inoffensive, apart from the total overkill of traffic \ ip's.
2.0.17, ssl, php 7.3.13, 10.3.21-MariaDB
Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.