suspicious forum activity

Started by dsanchez, September 12, 2023, 05:27:27 PM

dsanchez

Seeing a lot of these in my forum in the last hour in the http://myforum/index.php?action=who

Quote: Viewing the likes;sa=view;ltype=msg;like=772448;a6808ca456=a855c9d7908c4398da9bf97900a71458

all coming from similar IPs:

Guest (114.119.*.*)

thoughts?   

AristocraticAura

First, perform a port scan on your server using nmap to identify any open ports. Once identified, create iptables rules to block access from any suspicious IP addresses.

sudo iptables -A INPUT -s 114.119.0.0/16 -j DROP

Aleksi "Lex" Kilpinen

That is a link to show the likes for a specific message, nothing to worry about as far as I can tell.
Anything in action=who is basically just someone or something following a link or blindly trying to follow a link that could be available with different settings, usually nothing to worry about even if some actions might seem strange. Blocking individual IP addresses in any fashion is usually just a waste of time too. In case someone really does something malicious, yeah it can be a good temporary measure, but usually offers no long term benefits and once you have enough addresses blocked it can actually cause more harm than it's worth.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

Illori

Quote from: AristocraticAura on September 12, 2023, 10:06:06 PM
First, perform a port scan on your server using nmap to identify any open ports. Once identified, create iptables rules to block access from any suspicious IP addresses.

sudo iptables -A INPUT -s 114.119.0.0/16 -j DROP

Most of our users don't even have full access to their server to do this or understand enough to follow this. Most of our users have shared hosting where this would not work as they don't have the access to do this. We don't want to jump too far when someone asks a pretty basic question.

Kindred

It's nothing to worry about regarding the URL itself...
However, the IP Range is known to be used by Chinese hackers - blocking the whole IP range using
Deny from 114.119
in your htaccess is not a bad idea.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
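The following is an added example, not part of any post in this thread: one way to check what a whole address range is actually requesting before deciding whether a range-wide deny is worth it. It assumes you can read the web server's access log in Apache combined format; the function names `summarize` and `single_purpose_ranges` are hypothetical and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in Apache combined log format; addresses are
# documentation ranges and the user agents are made up.
SAMPLE_LOG = '''\
198.51.100.7 - - [12/Sep/2023:17:01:02 +0000] "GET /index.php?action=likes;sa=view;ltype=msg;like=101 HTTP/1.1" 200 5120 "-" "ExampleBot/1.0"
198.51.100.9 - - [12/Sep/2023:17:01:05 +0000] "GET /index.php?action=likes;sa=view;ltype=msg;like=102 HTTP/1.1" 200 5120 "-" "ExampleBot/1.0"
198.51.100.200 - - [12/Sep/2023:17:01:09 +0000] "GET /index.php?action=likes;sa=view;ltype=msg;like=103 HTTP/1.1" 200 5120 "-" "ExampleBot/1.0"
203.0.113.5 - - [12/Sep/2023:17:02:11 +0000] "GET /index.php?topic=42.0 HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Sep/2023:17:02:30 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
not a log line
'''

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
ACTION = re.compile(r'[?;&]action=([^;&#]+)')  # SMF separates parameters with ';'

def summarize(log_text, prefix_len=16):
    """Group IPv4 requests by network and record hosts, SMF actions and user agents."""
    nets = defaultdict(lambda: {"hits": 0, "hosts": set(),
                                "actions": Counter(), "agents": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue  # IPv6 address or hostname: out of scope for this sketch
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        action = ACTION.search(m.group(2))
        entry = nets[str(net)]
        entry["hits"] += 1
        entry["hosts"].add(str(ip))
        entry["actions"][action.group(1) if action else "(none)"] += 1
        entry["agents"].add(m.group(3))
    return dict(nets)

def single_purpose_ranges(summary, min_hits=3):
    """Ranges with at least min_hits requests, all for one action and one user agent."""
    return sorted(net for net, e in summary.items()
                  if e["hits"] >= min_hits
                  and len(e["actions"]) == 1 and len(e["agents"]) == 1)

if __name__ == "__main__":
    for net, e in summarize(SAMPLE_LOG).items():
        print(net, e["hits"], len(e["hosts"]), dict(e["actions"]), sorted(e["agents"]))
    print(single_purpose_ranges(summarize(SAMPLE_LOG)))
```

A range that shows up here with many hosts, one action and one user agent is behaving like an automated client following links, and the user agent column is the first thing to look at when deciding how to treat it.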
