Huge amount of activity from China

Started by bosswhite, November 18, 2019, 08:38:49 AM


bosswhite

First I apologise if this post is made in the wrong area. Please feel free to move it if that is the case.

My site has been up and running successfully for 14 years. Over the last two weeks I have been getting in excess of 300 guests at any time, all with IP addresses from China.
Because I noticed that a lot of these were showing activity as Unknown Action I banned their IP ranges for suspicious activity so that I could also record the number of hits (over 30,000 and growing).
Each time I ban an IP range a new IP address gets used, always from China.

It seems strange that I should be targeted in this way as my site is a forum for users of a specific software that is not sold or used in China to the extent that would generate that much interest.

Should I be worrying, should I remove the bans, is there anything I can do.
I have Stop Forum Spam mod enabled and it seems to do a good job. New registrations have to be approved before they become active.
Currently on 2.0.11 with several mods (but none installed recently).
I've been down so long now it's beginning to look like up..

a10

#1
Had this last week for a few days, totally crazy amount of ip's and pageviews.

Not a fan of extensive htaccess \ ban lists (too easy to end up blocking legitimate IPs), but something needed to be done. Used the china part of this list https://www.wizcrafts.net/chinese-blocklist_2_4.html

Worked perfect & instant peace, kept the blocking active for a few days, until the 'attack' apparently stopped.

Edit: and today's check, the rats are back  >:(
In ftp, .htaccessnorm and .htaccesschina, fast swap in ftp by renaming to .htaccess as needed.
And yes, it's the "unknown action" gang.
2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

Arantor

I'd be intrigued to know what action they're trying to hit as it is clearly action=something they're trying to hit.
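The question above (which action= the guests are actually hitting) can be answered from the web server's access log rather than from the Who's Online page, since the log records the full request URL. The following is an added example, not code from this thread or from SMF itself: it parses Apache "combined" format lines, pulls out the SMF action parameter (SMF separates parameters with ; as well as &, which trips up a plain parse_qs), and counts requests per action and per source prefix. The log lines are constructed for the demo and the /24 grouping is an assumption.

```python
"""Which SMF ``action=`` values is the guest flood hitting, and from which prefixes?

Added example: not code from the thread or from SMF. It parses web server
access log lines in Apache "combined" format, which is where the requested URL
(and so the ``action`` parameter) is recorded. The log lines are constructed
for the demo; the /24 grouping is an assumption.
"""
import re
from collections import Counter
from ipaddress import ip_network
from urllib.parse import urlsplit

# Constructed sample lines; only the client address and request path matter here.
SAMPLE_LOG = """\
159.138.153.110 - - [18/Nov/2019:08:40:01 +0000] "GET /index.php?action=profile;u=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
159.138.153.111 - - [18/Nov/2019:08:40:02 +0000] "GET /index.php?action=profile;u=13 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
159.138.150.7 - - [18/Nov/2019:08:40:03 +0000] "GET /index.php?topic=42.0 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
159.138.158.200 - - [18/Nov/2019:08:40:04 +0000] "GET /index.php?action=search2;search=foo HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Nov/2019:08:40:05 +0000] "GET /index.php?board=3.0 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Client address, bracketed timestamp, then the quoted request line and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def smf_action(path: str) -> str:
    """Return the ``action`` value from an SMF request path, or '(none)'.

    SMF separates query parameters with ';' as well as '&', so a plain
    parse_qs() would treat ``profile;u=12`` as one value; split on both.
    """
    query = urlsplit(path).query
    for part in re.split(r'[;&]', query):
        key, _, value = part.partition('=')
        if key == 'action':
            return value or '(empty)'
    return '(none)'


def summarise(log_text: str, prefix_len: int = 24):
    """Count requests by action and by (source prefix, action).

    Returns (by_action, by_prefix_action); both are Counters.
    """
    by_action = Counter()
    by_prefix_action = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        act = smf_action(m['path'])
        net = ip_network(f"{m['ip']}/{prefix_len}", strict=False)
        by_action[act] += 1
        by_prefix_action[(str(net), act)] += 1
    return by_action, by_prefix_action


def noisy_prefixes(by_prefix_action: Counter, threshold: int):
    """Prefixes whose total request count reaches ``threshold``, with their action mix."""
    totals = Counter()
    mix = {}
    for (prefix, act), n in by_prefix_action.items():
        totals[prefix] += n
        mix.setdefault(prefix, Counter())[act] += n
    return {p: dict(mix[p]) for p, n in totals.items() if n >= threshold}


if __name__ == '__main__':
    by_action, by_prefix_action = summarise(SAMPLE_LOG, prefix_len=16)
    for act, n in by_action.most_common():
        print(f'{n:6d}  action={act}')
    for prefix, actions in noisy_prefixes(by_prefix_action, threshold=3).items():
        print(f'{prefix}: {actions}')
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a prefix that shows up with thousands of hits against one or two actions is the thing to look at before deciding whether a range ban is warranted. Requests with no action at all ('(none)') are ordinary topic and board views, which matches the point made later in the thread that "Unknown Action" is not by itself suspicious.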

Kindred

add my tweak which displays the action that is being attempted.... :D
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Antechinus

Quote from: bosswhite on November 18, 2019, 08:38:49 AM
Because I noticed that a lot of these were showing activity as Unknown Action I banned their IP ranges for suspicious activity...

That's not necessarily suspicious. Legitimate members can give that message too, depending on what they are doing. Portal pages are an obvious example, since those are often not listed internally as a known action.

At a guess I'd say the Chinese IPs are Baidu or one of the other Chinese spiders. They tend to go nuts every so often, and will absolutely hammer a site with no regard for decorum. Mass banning the sods is the way to go if they are causing trouble.

Quote
Currently on 2.0.11 with several mods (but none installed recently).

I have to say it's a bit odd for you to be worrying about security if you can't even be bothered installing the last four security patches. The team don't make them just for fun, y'know.

bosswhite

Quote from: Antechinus on November 18, 2019, 12:35:47 PM
Quote
Currently on 2.0.11 with several mods (but none installed recently).

I have to say it's a bit odd for you to be worrying about security if you can't even be bothered installing the last four security patches. The team don't make them just for fun, y'know.

I accept what you say without reservation and appreciate all that the team do.
Unfortunately, to best accommodate my users I have installed several mods and certain upgrades can make me lose functions.
I've been down so long now it's beginning to look like up..

Illori

No features are removed in the upgrades we create. If you have something not functioning correctly, you should make a post about it so we can assist you. You are at risk of being hacked if you don't upgrade to 2.0.15, as well as missing support for current PHP versions; your forum can break and stop functioning fully if you don't upgrade.

bosswhite

Quote from: Illori on November 18, 2019, 12:56:53 PM
no features are removed in the upgrades we create.

From your downloads page:
Upgrading from an earlier branch (SMF 2.0.14 or below)? No problem, this is what you need. This archive will upgrade/reset your forum to a clean install of the latest version and will remove all modifications.
I've been down so long now it's beginning to look like up..

Antechinus

Quote from: bosswhite on November 18, 2019, 01:07:00 PM
From your downloads page:
Upgrading from an earlier branch (SMF 2.0.14 or below)? No problem, this is what you need. This archive will upgrade/reset your forum to a clean install of the latest version and will remove all modifications.

That's for a large upgrade pack, which is only needed if you want to jump several versions in one go. You don't need that. You can just use the patches that are linked from the home page of your admin centre. It's usually only a couple of clicks per patch, just like installing a mod.

So you'd start by installing the 2.0.12 patch, then 2.0.13, etc, until you are up to date.

bosswhite

Quote from: Antechinus on November 18, 2019, 01:10:21 PM
So you'd start by installing the 2.0.12 patch, then 2.0.13, etc, until you are up to date.

Just tried first patch. Works fine as long as any text string being searched for has not been changed by the implementation of a mod.
If it has it fails because it cannot find that exact text string. Probably why I haven't updated for so long.
I've been down so long now it's beginning to look like up..

a10

Quote from: Antechinus on November 18, 2019, 12:35:47 PM
At a guess I'd say the Chinese IP's are Baidu or one of the other Chinese spiders. They tend to go nuts every so often, and will absolutely hammer a site with no regard for decorum. Mass banning the sods is the way to go if they are causing trouble.

Started with nearly all unknown, then over some time drifted over to 'reading' posts and very few unknown, so yes, looks like some (mini-ddos) spider that was adjusting its aims. 99.9% chinanet and china unicom, number of different IPs used mind staggering, made me think of some state organisation behind it.

Anyway, they are not putting the site offline or other trouble, but am hating such invasions from foreign elements, so using the above mentioned china list. Does a great job, cannot sense any slowdown.
2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

Antechinus

Quote from: bosswhite on November 18, 2019, 02:34:15 PM
Quote from: Antechinus on November 18, 2019, 01:10:21 PM
So you'd start by installing the 2.0.12 patch, then 2.0.13, etc, until you are up to date.

Just tried first patch. Works fine as long as any text string being searched for has not been changed by the implementation of a mod.
If it has it fails because it cannot find that exact text string. Probably why I haven't updated for so long.

We have these things called "support boards". They're good places to ask about glitches like that.

njtweb

Is it possible they're targeting SMF installations? I've got 400 of the same on my site right now. All China. 159.138.xxx.xxx

Antechinus

A lot of phpBB forums have been hit recently. It's likely the Chinese spiders have just decided to do the rounds again.

njtweb

Quote from: Antechinus on November 18, 2019, 09:59:21 PM
A lot of phpBB forums have been hit recently. It's likely the Chinese spiders have just decided to do the rounds again.

So, if these are Baidu, would that be equivalent to China's version of Google's spiders? I honestly don't know. If it is them, what can it do? Would it be a detriment? Can it cause a negative impact on your (my) site? I have 150 this morning, all in the 159.138 range today.

-Rock Lee-

I always analyze the IP to see where it jumps to. For example, I also received this wave of visits, and as a result I had:

WHOIS Information for 159.138.153.110
==============

% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '159.138.144.0 - 159.138.159.255'

% Abuse contact for '159.138.144.0 - 159.138.159.255' is '[email protected]'

inetnum: 159.138.144.0 - 159.138.159.255
netname: Huawei-HK-CLOUDS
descr: Huawei HongKong Clouds
country: HK
admin-c: HIPL7-AP
tech-c: HIPL7-AP
status: ALLOCATED NON-PORTABLE
mnt-by: MAINT-HIPL-SG
mnt-irt: IRT-HIPL-SG
last-modified: 2019-06-04T07:08:33Z
source: APNIC

irt: IRT-HIPL-SG
address: 15A Changi Business Park Central 1 Eightrium # 03-03/04, Singapore 486035
e-mail: [email protected]
abuse-mailbox: [email protected]
admin-c: HIPL4-AP
tech-c: HIPL4-AP
auth: # Filtered
remarks: [email protected]
remarks: [email protected] is invalid
mnt-by: MAINT-HIPL-SG
last-modified: 2019-11-09T09:59:52Z
source: APNIC

role: HUAWEI INTERNATIONAL PTE LTD administrator
address: 15A Changi Business Park Central 1 Eightrium #03-03/04, Singapore 486035
country: SG
phone: +8618476637035
e-mail: [email protected]
admin-c: HIPL7-AP
tech-c: HIPL7-AP
nic-hdl: HIPL7-AP
notify: [email protected]
mnt-by: MAINT-HIPL-SG
last-modified: 2018-08-25T08:20:25Z
source: APNIC

% Information related to '159.138.0.0/16AS136907'

route: 159.138.0.0/16
country: HK
descr: Huawei-HK-CLOUDS
origin: AS136907
mnt-by: MAINT-HIPL-SG
last-modified: 2017-11-17T02:15:11Z
source: APNIC

% This query was served by the APNIC Whois Service version 1.88.15-46 (WHOIS-US3)


https://viewdns.info/whois/?domain=159.138.153.110

It seems they are looking for forums of certain specific themes or I don't know what they are really looking for. Or they just prepare everything for the 3rd war *drinking mate while laughing*.


Regards!
Returning like a Phoenix! ~ Bomber Code
Help - Contributions - Tutorials - And much more!!!
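The whois output above gives two different sizes of range for the same address: the specific inetnum assignment (159.138.144.0 - 159.138.159.255) and the much wider route (159.138.0.0/16). Which one goes into the .htaccess ban matters, because the route is the whole Huawei HK cloud allocation and will also catch anyone else hosted there. The following is an added example, not code from this thread or from SMF: it pulls both kinds of range out of a whois dump, converts the "start - end" form into CIDR blocks, collapses overlapping blocks, renders an Apache 2.4 deny block, and checks a single address against the result. The whois lines are a trimmed copy of those quoted above; the RequireAll layout is standard Apache 2.4 syntax and is an assumption about how the reader's .htaccess is arranged.

```python
"""From a whois range to an Apache 2.4 deny block, and back to a per-IP check.

Added example; not code from the thread or from SMF. The ``inetnum`` and
``route`` values are the ones quoted in the whois output above; the
``<RequireAll>`` layout is standard Apache 2.4 syntax (Apache 2.2 uses
Order/Deny instead) and is an assumption about the reader's .htaccess.
"""
import re
from ipaddress import (collapse_addresses, ip_address, ip_network,
                       summarize_address_range)

# Trimmed copy of the whois lines quoted above (only the range lines matter).
WHOIS_TEXT = """\
inetnum: 159.138.144.0 - 159.138.159.255
netname: Huawei-HK-CLOUDS
country: HK
route: 159.138.0.0/16
origin: AS136907
"""


def inetnum_to_cidrs(inetnum: str):
    """Convert a whois 'start - end' range to the minimal list of CIDR blocks."""
    start, end = (ip_address(p.strip()) for p in inetnum.split('-'))
    return [str(n) for n in summarize_address_range(start, end)]


def ranges_from_whois(text: str, field: str):
    """All values of one whois field ('inetnum' or 'route'), as CIDR strings."""
    out = []
    for m in re.finditer(rf'^{field}:\s*(.+?)\s*$', text, re.MULTILINE):
        value = m.group(1)
        # inetnum uses 'start - end'; route is already a prefix
        out.extend(inetnum_to_cidrs(value) if '-' in value else [value])
    return out


def collapse(cidrs):
    """Merge overlapping or adjacent CIDRs into the smallest equivalent set."""
    return [str(n) for n in collapse_addresses(ip_network(c) for c in cidrs)]


def apache_deny_block(cidrs):
    """Render an Apache 2.4 block that allows everyone except the given CIDRs."""
    lines = ['<RequireAll>', '    Require all granted']
    lines += [f'    Require not ip {c}' for c in cidrs]
    lines.append('</RequireAll>')
    return '\n'.join(lines)


def is_blocked(ip: str, cidrs) -> bool:
    """True if ``ip`` falls inside any of the CIDR strings."""
    addr = ip_address(ip)
    return any(addr in ip_network(c) for c in cidrs)


if __name__ == '__main__':
    narrow = ranges_from_whois(WHOIS_TEXT, 'inetnum')   # the /20 assignment
    wide = ranges_from_whois(WHOIS_TEXT, 'route')       # the /16 BGP route
    print('inetnum only:', narrow)
    print('inetnum + route collapsed:', collapse(narrow + wide))
    print(apache_deny_block(narrow))
    for probe in ('159.138.153.110', '159.138.1.1'):
        print(probe, 'blocked by /20:', is_blocked(probe, narrow),
              '| blocked by /16:', is_blocked(probe, wide))
```

The is_blocked check is the cheap way to confirm a ban does what you think before swapping the .htaccess in: an address from the thread (159.138.153.110) falls inside the /20, while 159.138.1.1 is only caught once the /16 route is used. Starting from the inetnum and widening only if the traffic keeps moving within the route keeps the collateral blocking that a10 worried about to a minimum.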

njtweb

Quote from: Rock Lee on November 19, 2019, 08:54:37 AM


WHOIS Information for 159.138.153.110
==============

% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '159.138.144.0 - 159.138.159.255'

% Abuse contact for '159.138.144.0 - 159.138.159.255' is '[email protected]'

inetnum: 159.138.144.0 - 159.138.159.255
netname: Huawei-HK-CLOUDS
descr: Huawei HongKong Clouds
country: HK
admin-c: HIPL7-AP
tech-c: HIPL7-AP
status: ALLOCATED NON-PORTABLE
mnt-by: MAINT-HIPL-SG
mnt-irt: IRT-HIPL-SG
last-modified: 2019-06-04T07:08:33Z
source: APNIC

irt: IRT-HIPL-SG
address: 15A Changi Business Park Central 1 Eightrium # 03-03/04, Singapore 486035
e-mail: [email protected]
abuse-mailbox: [email protected]
admin-c: HIPL4-AP
tech-c: HIPL4-AP
auth: # Filtered
remarks: [email protected]
remarks: [email protected] is invalid
mnt-by: MAINT-HIPL-SG
last-modified: 2019-11-09T09:59:52Z
source: APNIC

role: HUAWEI INTERNATIONAL PTE LTD administrator
address: 15A Changi Business Park Central 1 Eightrium #03-03/04, Singapore 486035
country: SG
phone: +8618476637035
e-mail: [email protected]
admin-c: HIPL7-AP
tech-c: HIPL7-AP
nic-hdl: HIPL7-AP
notify: [email protected]
mnt-by: MAINT-HIPL-SG
last-modified: 2018-08-25T08:20:25Z
source: APNIC

% Information related to '159.138.0.0/16AS136907'

route: 159.138.0.0/16
country: HK
descr: Huawei-HK-CLOUDS
origin: AS136907
mnt-by: MAINT-HIPL-SG
last-modified: 2017-11-17T02:15:11Z
source: APNIC

% This query was served by the APNIC Whois Service version 1.88.15-46 (WHOIS-US3)


https://viewdns.info/whois/?domain=159.138.153.110



Exactly what I have. So.... same question. Do these spiders cause any kind of negative impact? I don't see any difference in site load or paging.

Illori

If you don't see any difference in the time it takes to load a page, I would not worry.

njtweb

Quote from: Illori on November 19, 2019, 09:35:37 AM
if you don't see any difference in time it takes to load a page, I would not worry.

Ok, thank you Illori.

Antechinus

The only problem you might get is that if they go overboard they can tie up connections to the server, and act like a mini DDOS. Not that they do this deliberately. It's more that they don't care. Their approach seems to be "We'll index the world when we feel like it, and stuff you".

So sometimes they can cause problems, but they're noticeable problems, and you can just break out .htaccess if that happens.
