Huge amount of activity from China

Started by bosswhite, November 18, 2019, 08:38:49 AM


SomeoneElse

If you have full server access, fail2ban is invaluable - this Chinese activity produces loads of Apache 403 errors and banning IP addresses based on this makes life much easier.

a10

Just a remark, lifting the htaccess CN ban now and then to watch activity, in addition to 'normal' chinanet \ unicom, many small ip ranges from universities \ official offices etc regularly active in the vacuuming.
Make your own deductions.

example
inetnum:        222.192.180.0 - 222.192.183.255
descr:          SuZhou Health College of Technology
descr:          SuZhou, Jiangsu 215000, China
2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

delta5

If you have a firewall package like Sucuri installed, just go to geoblocking and one checkmark for China and problem solved if you don't want any traffic from there.

bosswhite

With reference to my original post the traffic from China has reduced (although still in excess of 100 hits per day) but over the last couple of days there has been a lot of traffic from the UK.

What is strange about this is if I look at Who's Online they are all looking at the same post each day. It's always the same post. I've attached a small screenshot as an example.

When I do an IP Lookup on the addresses they all come back as Broadband Providers from various Providers.
EE High Speed Internet
Three
BT
Virgin Media
Sky Broadband, etc.

Any ideas what may be causing this? Any help/advice greatly appreciated.
I've been down so long now it's beginning to look like up..

bosswhite

What I am now seeing is a specific number of guests being shown as online but when I view Who's Online and select Guests Only it shows less than half of the number being reported.
It's as if some guests are viewing (or whatever) the site anonymously.

This is in addition to the issues previously mentioned in this topic which still remain.

I am seriously worried that my site is being compromised.

njtweb

Quote from: bosswhite on November 25, 2019, 08:26:55 AM
What I am now seeing is a specific number of guests being shown as online but when I view Who's Online and select Guests Only it shows less than half of the number being reported.
It's as if some guests are viewing (or whatever) the site anonymously.

This is in addition to the issues previously mentioned in this topic which still remain.

I am seriously worried that my site is being compromised.

Have you noticed anything on your site change?

bosswhite

Quote from: njtweb on November 25, 2019, 03:38:19 PM
Have you noticed anything on your site change?

It's looking like the number shown for guests is including the number of spiders online, e.g.
Guests: 45
Spiders: 15

When you look at Who's Online/Spiders Only you will see the correct amount (15) displayed
When you look at Who's Online/Guests Only you will only see 30 displayed

So the spiders are being counted twice (as Guests and Spiders).

chrishicks

#27
Quote from: bosswhite on November 24, 2019, 07:35:44 AM
With reference to my original post the traffic from China has reduced (although still in excess of 100 hits per day) but over the last couple of days there has been a lot of traffic from the UK.

What is strange about this is if I look at Who's Online they are all looking at the same post each day. It's always the same post. I've attached a small screenshot as an example.

When I do an IP Lookup on the addresses they all come back as Broadband Providers from various Providers.
EE High Speed Internet
Three
BT
Virgin Media
Sky Broadband, etc.

Any ideas what may be causing this? Any help/advice greatly appreciated.

I'm getting hit with this along with the mass hits from China. I have a single topic that has been viewed over 750 times (and counting) in 2 days and my Who's Online looks exactly like your screenshot. It's almost my entire list when it's not the ones from China. I ran the topic title through Google search and it's not in the first 20 pages of their results so I doubt the traffic is from them. I also did 17 pages worth on Bing and nothing. Obviously I can't check them all but I was curious so I picked the big two and went with it. It's just weird that this one random topic is being hit the way it is. Here is just one page of my online list:



In regards to the China hits, I'm seeing a minimum of 400 a day, every day. They seem to be indexing every topic on my forum and the hits last for about 2 hours nonstop. Sometimes it's a new page every other second while others there may be a 30-40 second gap between hits.

EDIT: the topic hits have gone up over 50 since I posted this. I'm actually wondering if I should move the topic just to see what happens.
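Both of the things raised so far in the thread can be checked directly in the Apache access log rather than from the Who's Online page: SomeoneElse's point that fail2ban bans on repeated 403s, and the pattern chrishicks describes where one topic is fetched once each by a long list of different addresses. The script below is an added example, not code from the thread, from SMF or from fail2ban. It parses a handful of constructed combined-format log lines, applies fail2ban's maxretry/findtime idea to 403 responses, and counts hits and distinct client addresses per SMF topic. The sample lines, the thresholds and the function names are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Apache "combined" access-log lines (not taken from the thread).
# Eight different addresses each fetch topic 123 exactly once, one reader pages through
# topic 456, 198.51.100.7 collects six 403s in under two minutes, 198.51.100.8 only two.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Nov/2019:08:01:02 +0000] "GET /forum/index.php?topic=123.0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [25/Nov/2019:08:03:15 +0000] "GET /forum/index.php?topic=123.0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.12 - - [25/Nov/2019:08:07:40 +0000] "GET /forum/index.php?topic=123.0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.13 - - [25/Nov/2019:08:12:01 +0000] "GET /forum/index.php?topic=123.0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.14 - - [25/Nov/2019:08:20:33 +0000] "GET /forum/index.php?topic=123.0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.15 - - [25/Nov/2019:08:31:09 +0000] "GET /forum/index.php?topic=123.0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.16 - - [25/Nov/2019:08:45:50 +0000] "GET /forum/index.php?topic=123.0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.17 - - [25/Nov/2019:09:02:11 +0000] "GET /forum/index.php?topic=123.0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.20 - - [25/Nov/2019:08:05:00 +0000] "GET /forum/index.php?topic=456.0 HTTP/1.1" 200 6010 "-" "Mozilla/5.0"
203.0.113.20 - - [25/Nov/2019:08:06:10 +0000] "GET /forum/index.php?topic=456.15 HTTP/1.1" 200 5900 "-" "Mozilla/5.0"
203.0.113.20 - - [25/Nov/2019:08:07:25 +0000] "GET /forum/index.php?topic=456.30 HTTP/1.1" 200 5880 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Nov/2019:08:10:00 +0000] "GET /forum/images/logo.png HTTP/1.1" 403 199 "http://other.example/" "Mozilla/5.0"
198.51.100.7 - - [25/Nov/2019:08:10:12 +0000] "GET /forum/images/logo.png HTTP/1.1" 403 199 "http://other.example/" "Mozilla/5.0"
198.51.100.7 - - [25/Nov/2019:08:10:25 +0000] "GET /forum/images/logo.png HTTP/1.1" 403 199 "http://other.example/" "Mozilla/5.0"
198.51.100.7 - - [25/Nov/2019:08:10:40 +0000] "GET /forum/images/logo.png HTTP/1.1" 403 199 "http://other.example/" "Mozilla/5.0"
198.51.100.7 - - [25/Nov/2019:08:11:03 +0000] "GET /forum/images/logo.png HTTP/1.1" 403 199 "http://other.example/" "Mozilla/5.0"
198.51.100.7 - - [25/Nov/2019:08:11:30 +0000] "GET /forum/images/logo.png HTTP/1.1" 403 199 "http://other.example/" "Mozilla/5.0"
198.51.100.8 - - [25/Nov/2019:08:15:00 +0000] "GET /forum/images/logo.png HTTP/1.1" 403 199 "http://other.example/" "Mozilla/5.0"
198.51.100.8 - - [25/Nov/2019:08:15:20 +0000] "GET /forum/images/logo.png HTTP/1.1" 403 199 "http://other.example/" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "request", status, bytes, "referer", "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TOPIC_RE = re.compile(r"[?&]topic=(\d+)")  # SMF topic id from index.php?topic=123.0


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def find_403_offenders(records, maxretry=5, findtime=600):
    """IPs that produced at least maxretry 403 responses inside any findtime-second window.
    This is the same maxretry/findtime rule a fail2ban jail applies to its filter matches."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> timestamps of recent 403s, oldest first
    offenders = set()
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["status"] != 403:
            continue
        q = recent[r["ip"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= maxretry:
            offenders.add(r["ip"])
    return offenders


def topic_concentration(records, min_ips=5):
    """Per topic id: (total hits, distinct client IPs, suspicious?). A topic read once each
    by many unrelated addresses looks like the pattern described in the thread, whereas one
    reader paging through a topic gives many hits from a single address."""
    hits = defaultdict(int)
    clients = defaultdict(set)
    for r in records:
        m = TOPIC_RE.search(r["path"])
        if not m:
            continue
        hits[m.group(1)] += 1
        clients[m.group(1)].add(r["ip"])
    return {t: (hits[t], len(clients[t]), len(clients[t]) >= min_ips) for t in hits}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("403 offenders:", sorted(find_403_offenders(recs)))
    for topic, (n_hits, n_ips, flag) in topic_concentration(recs).items():
        print(f"topic {topic}: {n_hits} hits from {n_ips} IPs" + ("  <- suspicious" if flag else ""))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the 403 check only flags addresses that cross the threshold within the window, so a visitor who trips the hotlink rule once is left alone, and the topic check separates "many addresses, one hit each" from "one address, many hits", which Who's Online does not distinguish.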


Antechinus

That's normal behaviour for Chinese bots. They just go nuts. If they're causing problems with forum performance, wallop them with .htaccess. If they aren't, just ignore them until they bugger off again.

bosswhite

#29
I am still suffering from huge amounts of traffic from China.

I have singled out a couple of IP ranges in particular that are causing problems and would like to add these to my .htaccess file and see if it helps.

The IP ranges are:
111.225.*.*
110.249.*.*

I am unsure how/where to add them to my existing file which was done for me by a colleague. The existing file is as follows:
RewriteEngine On
#
RewriteCond %{QUERY_STRING} ^id=([0-9]+).*$
RewriteRule ^viewtopic.php$ /forum/index.php?topic=%1.0 [R=301,L]
#
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?xtracad.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
#
SetEnvIfNoCase User-Agent "^wget" bad_bot
<Limit GET POST>
   Order Allow,Deny
   Allow from all
   Deny from env=bad_bot
</Limit>
#
Options -Indexes


I'm not sure what each of the entries do so am reluctant to delete/change any of it myself.

If anyone could guide me as to how to enter these IP ranges I would be very grateful. Thank you in advance.

a10

^^^ Am still using the CN list mentioned in earlier post, very peaceful here.
Simply added after my normal .htaccess content (some lines forcing www/https).
You could add it after your .htaccess stuff and test how it works.

Shambles


deny from 111.225.0.0/16
deny from 110.249.0.0/16

aegersz

yes, over the past week (I don't think mine were from China but) I had about 900 guests.

A different IP was accessing what looked like a different thread so I thought it was massive search engine web crawling.

The site didn't get overloaded and I forgot to check the IP.
The configuration of my Linux VPS (SMF 2.0 with 160+ mods & some assorted manual tweaks) can be found here and notes on my mods can be found here (warning: those links will take you to a drug related forum). My (House) music DJ dedication page is here

bosswhite

I added a couple of lines to the end of my .htaccess file, example:
deny from 111.225.*.*

Now I can't access my site and get the following error message:
Fatal error: Uncaught Error: Call to undefined function mysql_connect() in /home/xtracad/Z6OW6C36/htdocs/forum/Sources/Subs-Db-mysql.php:58 Stack trace: #0 /home/xtracad/Z6OW6C36/htdocs/forum/Sources/Load.php(2650): smf_db_initiate('ftp3.dns-system...', 'xxxxxx', 'xxxxxx', 'xxxxxxxx', 'smf_', Array) #1 /home/xtracad/Z6OW6C36/htdocs/forum/SSI.php(77): loadDatabase() #2 /home/xtracad/Z6OW6C36/htdocs/index.php(58): require_once('/home/xtracad/Z...') #3 {main} thrown in /home/xtracad/Z6OW6C36/htdocs/forum/Sources/Subs-Db-mysql.php on line 58

I've replaced some text with xxxxx as it was showing my database name and password which was viewable by anyone accessing the site. As a temporary measure I've renamed the forum directory in the hope viewers won't get that error.

Could the problem have been caused by the way I specified the IP range with wildcards?

I don't know what to do now to regain access and make the site safe. Please help if you are able.

Shambles

Well if you cared to ignore my post, good luck.

Though the error you reported is a PHP versioning issue.

bosswhite

Quote from: Shambles on November 29, 2019, 02:36:20 PM
Well if you cared to ignore my post, good luck.

My apologies. I assumed that you were giving examples of what you had used when I noticed 0/16 as my range was intended to be 0/255 to cover the IP addresses being used against me.
As I explained I have no knowledge as to how or where to modify the .htaccess file to give the required results. The file has since been reverted to that shown in Reply #29 of mine.

Quote from: Shambles on November 29, 2019, 02:36:20 PM
Though the error you reported is a PHP versioning issue.

I don't understand how that could have happened. I was logged in to my site and everything was fine. I updated the .htaccess file through FileZilla whilst I was logged in. Could that have caused the issue?

Arantor

Quote from: bosswhite
when I noticed 0/16 as my range was intended to be 0/255 to cover the IP addresses being used against me.

If only that's what it meant; it doesn't.

The 0/16 means 'start from 32, deduct the 16, and preserve the first 16 bits of the IP address'. Which in this case means 'keep the first 2 blocks of the IP address and ignore the last 2', as in *exactly what you wanted*.

Quote from: bosswhite
Could that have caused the issue?

Doubtful. Ask your host if they upgraded you to PHP 7.0 or higher without telling you. And maybe upgrade to 2.0.15.
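The two confusions in the last few posts, `111.225.*.*` wildcards that Apache does not accept and what `/16` actually means, can be checked before touching the live `.htaccess`. The script below is an added example and is not code from the thread or from Apache: it converts a dotted wildcard into the CIDR block Shambles posted, spells out the prefix in the terms Arantor used (32 bits minus the prefix length equals the ignored bits), emits the `Deny from` line in the same Allow/Deny style as the rest of the poster's file, and lets you test sample client addresses against the ranges. Function names and the sample addresses are assumptions made for the example.

```python
import ipaddress


def wildcard_to_network(pattern):
    """Turn a dotted wildcard such as '111.225.*.*' into the CIDR block Apache expects.

    Each fixed leading octet pins 8 bits of the prefix, so 111.225.*.* keeps the first
    16 bits and becomes 111.225.0.0/16. Wildcards must be trailing: '111.*.225.*' is not
    one contiguous range and is rejected rather than silently widened.
    """
    octets = pattern.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four dotted fields, got {pattern!r}")
    fixed = []
    for i, field in enumerate(octets):
        if field == "*":
            if any(rest != "*" for rest in octets[i:]):
                raise ValueError(f"wildcards must be trailing: {pattern!r}")
            break
        value = int(field)
        if not 0 <= value <= 255:
            raise ValueError(f"octet out of range: {field}")
        fixed.append(value)
    prefix_len = 8 * len(fixed)
    base = ".".join(str(v) for v in fixed + [0] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{prefix_len}")


def explain_prefix(net):
    """Spell out what '/N' means: N bits must match, 32 - N bits are ignored."""
    host_bits = net.max_prefixlen - net.prefixlen
    return {
        "network_bits": net.prefixlen,        # bits of the address that must match
        "host_bits": host_bits,               # bits that are ignored (32 minus N)
        "fixed_octets": net.prefixlen // 8,   # dotted blocks kept, e.g. 2 for a /16
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "addresses": net.num_addresses,
    }


def htaccess_deny_line(pattern):
    """Allow/Deny (mod_access_compat) form matching the poster's existing <Limit> block."""
    return f"Deny from {wildcard_to_network(pattern)}"


def is_blocked(ip, patterns):
    """Test one client address against the ranges before deploying them, so a typo
    does not lock out the wrong network (or the admin)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in wildcard_to_network(p) for p in patterns)


if __name__ == "__main__":
    ranges = ["111.225.*.*", "110.249.*.*"]  # the two ranges named in the thread
    for r in ranges:
        print(htaccess_deny_line(r), explain_prefix(wildcard_to_network(r)))
    # constructed client addresses: one inside the first range, one unrelated
    print(is_blocked("111.225.37.200", ranges), is_blocked("203.0.113.5", ranges))
```

Apache also accepts the shorter partial-address form `Deny from 111.225` for the same /16, and on Apache 2.4 the equivalent is `Require not ip 111.225.0.0/16` inside a `<RequireAll>` block; whichever form you use, check your own address with `is_blocked` first so the deny lines cannot shut you out.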

bosswhite

Quote from: Arantor on November 29, 2019, 03:23:09 PM
The 0/16 means 'start from 32, deduct the 16, and preserve the first 16 bits of the IP address'. Which in this case means 'keep the first 2 blocks of the IP address and ignore the last 2', as in *exactly what you wanted*.

Thank you so much. A simple explanation goes a long way in helping to understand the terminology. My apologies again to Shambles for the misunderstanding. I have now implemented these terms into my .htaccess file. Fingers crossed.

Perhaps, if you have the time, you could advise me what the correct format would be to deny from a specific host name?

Quote from: Arantor on November 29, 2019, 03:23:09 PM
Doubtful. Ask your host if they upgraded you to PHP 7.0 or higher without telling you.

Thank you, that was the cause. They advised me to include some text at the start of my .htaccess file which switches the site back to PHP 5.6, as my site isn't compatible with the new version, and this appears to have solved the problem. Now up and running again.


Arantor

Maybe you should upgrade to SMF 2.0.15 already.

njtweb

Does anybody know if these hits could affect adsense? While it's not affecting the speed or functionality of my site, there has been a noticeable drop-off in adsense revenue. I'm still getting the same daily activity from legitimate traffic but this 159 and 158 IP traffic is non-stop.
