Forum Subject: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/05/11 01:43pm
By: winnerdk
Mon 05 Dec 2011 05:00:29 COT - Error, invalid username: 'Heamepalgam'
Mon 05 Dec 2011 05:12:52 COT - Error, invalid username: 'cidemeDyecy'
Mon 05 Dec 2011 05:23:55 COT - Error, invalid username: 'Suisellva'
Mon 05 Dec 2011 05:42:57 COT - Error, invalid username: 'Vfqmetql'
Mon 05 Dec 2011 05:44:18 COT - Error, invalid username: 'blurezelf'
Mon 05 Dec 2011 05:47:38 COT - Error, invalid username: 'raignCreard'
Mon 05 Dec 2011 05:51:40 COT - Error, invalid username: 'Mawnrannike'
Mon 05 Dec 2011 06:13:21 COT - Error, invalid username: 'pletchervfo'
Mon 05 Dec 2011 06:23:30 COT - Error, invalid username: 'Reewclesy'
Mon 05 Dec 2011 06:39:28 COT - Error, invalid username: 'hielvebah'
Mon 05 Dec 2011 06:57:03 COT - Error, invalid username: 'raignCreard'
Mon 05 Dec 2011 07:29:10 COT - Error, invalid username: 'Cannabispayok'
Mon 05 Dec 2011 07:54:47 COT - Error, invalid username: 'billhornetty'
Mon 05 Dec 2011 08:11:37 COT - Error, invalid username: 'raignCreard'
Mon 05 Dec 2011 08:30:12 COT - Error, invalid username: 'Groultytato'
Mon 05 Dec 2011 09:14:24 COT - Error, invalid username: 'inoweseelleks'
Mon 05 Dec 2011 09:22:03 COT - Error, invalid username: 'HeermaJamma'
Mon 05 Dec 2011 10:25:34 COT - Error, invalid username: 'Wariato'
Mon 05 Dec 2011 12:00:42 COT - Error, invalid username: 'layeldemome123'
Mon 05 Dec 2011 12:11:12 COT - Error, invalid username: 'xrumerj'
Mon 05 Dec 2011 12:17:18 COT - Error, invalid username: 'Apocketofeuros'
Mon 05 Dec 2011 12:35:18 COT - Error, invalid username: 'Arequequinose'
Mon 05 Dec 2011 12:46:27 COT - Error, invalid username: 'raignCreard'
Mon 05 Dec 2011 12:52:09 COT - Error, invalid username: 'SataInpumma'
Mon 05 Dec 2011 13:07:43 COT - Error, invalid username: 'yiwbtr8'
Mon 05 Dec 2011 13:08:51 COT - Error, invalid username: 'Exterrero'
Mon 05 Dec 2011 13:23:32 COT - Error, invalid username: 'KahTraurb'
Mon 05 Dec 2011 13:27:52 COT - Error, invalid username: 'Zombigeemibre'
None of these are actual users on my website. They seem to be coming in groups, so I suspect someone is running a script to try to find an existing username (or something) as part of an effort to spam the site. It's not going to work, because every post to my website (comments or any other kind of submission) are now individually reviewed before posting.
But anyway, I would like to know - How can I figure out who is trying to hit my website with these bogus usernames? If I have the IP address of whoever was doing this I could prevent that IP from accessing the site. Is there any way to monitor the attempts? Besides the error.log (which I have) is this kind of information captured anywhere else? Is there something else I should be thinking of? Thanks.
Don Winner
www.panama-guide.com
Re: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/05/11 01:50pm
By: Dirk
bye, Dirk
Re: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/05/11 02:08pm
By: winnerdk
However - it's a different IP every time. So whoever is running this script is coming in from a different angle with every attempt, and therefore it won't do me any good to try to block all of these IP addresses. Is there anything else i can do? I mean, I'm really not all that worried - but I would like to be able to do something to put a big "CLOSED" sign up for this kind of attack.
Don
www.panama-guide.com
Re: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/05/11 02:26pm
By: Dirk
I don't think there's anything you can do about those, unless you find a pattern in them that lets you identify these types of attempts and separate them from valid login attempts (where somebody made a typo, for example). FWIW, we get those all the time here on geeklog.net and I don't think they ever really accomplished anything (other than being a mild annoyance).
bye, Dirk
Re: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/05/11 03:15pm
By: winnerdk
Don
www.panama-guide.com
Re: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/05/11 05:54pm
By: Anonymous (ironmax)
Yeah, concur. I already manually approve all of the comments posted due to spammers. I think this is just some script that's looking for a existing user and password combination in order to post a spam link or something. Whatever - I was just hoping for a way to shut it down. Thanks for taking the time, Dirk.
Don
www.panama-guide.com
Don,
You can try using ZBBLOCK from http://www.spambotsecurity.com and watch your log file that it creates, so you can make adjustments as needed to the security. I have used it on the demo.geeklog.net site and many of my other sites for a few months and it cut out an incredible amount of spam and hacking attempts. Give it a try and make sure you setup the logs and email so that users can contact you when they have a problem connecting to your site.
Michael
Re: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/05/11 07:17pm
By: winnerdk
"POST /users.php HTTP/1.0" 200 54687 "http://www.panama-guide.com/users.php?mode=new"
And the instructions for the ZB Block install says: "Now you must add:
<?php require('/home/panamax/public_html/zbblock/zbblock.php'
; ?>to all the pages you wish to protect, as near as you can to the top as you can, and deffinitely before any MySQL access occurs."
So, in this case, where should I put the ZB Block Script. And I realize this isn't the ZB Block Help Forum, but I'm asking because you're using this on a Geeklog site, so I'm hoping you can steer me a little here. Should I add the ZB Block script to the top of the users.php file?
Don
www.panama-guide.com
Re: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/05/11 07:28pm
By: winnerdk
Don
www.panama-guide.com
Re: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/05/11 08:09pm
By: Anonymous (ironmax)
Yeah, I just looked at the users.php file, and that's the kind of stuff I normally stay way far away from on Geeklog. Where did you put the ZB Block scripts on the demo site?
Don
www.panama-guide.com
Don,
If your running geeklog version 1.8.1, then in your lib-common.php file open it up and copy that line that had a "GOOD" statement to it to the same location in the lib-common file example below. Should be a starting point line of 127 or so.
exit;
}
include('/www/gd/demo_geeklog/public_html/zbblock/zbblock.php');
// this file can't be used on its own - redirect to index.php
if (strpos(strtolower($_SERVER['PHP_SELF']), 'lib-common.php') !== false) {
echo COM_refresh($_CONF['site_url'] . '/index.php');
exit;
}
// +---------------------------------------------------------------------------+
// | Library Includes: You shouldn't have to touch anything below here |
// +---------------------------------------------------------------------------+
/**
* If needed, add our PEAR path to the list of include paths
*
Any questions, let me know.
Michael
Re: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/05/11 08:15pm
By: Laugh
I was looking through the error.log for an unrelated issue, and I noticed there are dozens of "invalid username" entries, about eight or ten at a time;
Mon 05 Dec 2011 05:00:29 COT - Error, invalid username: 'Heamepalgam'
Mon 05 Dec 2011 05:12:52 COT - Error, invalid username: 'cidemeDyecy'
...
Mon 05 Dec 2011 13:27:52 COT - Error, invalid username: 'Zombigeemibre'
None of these are actual users on my website. They seem to be coming in groups, so I suspect someone is running a script to try to find an existing username (or something) as part of an effort to spam the site. It's not going to work, because every post to my website (comments or any other kind of submission) are now individually reviewed before posting.
But anyway, I would like to know - How can I figure out who is trying to hit my website with these bogus usernames? If I have the IP address of whoever was doing this I could prevent that IP from accessing the site. Is there any way to monitor the attempts? Besides the error.log (which I have) is this kind of information captured anywhere else? Is there something else I should be thinking of? Thanks.
Don Winner
www.panama-guide.com
I notice this a while ago as well. I did create a feature request (http://project.geeklog.net/tracking/view.php?id=1382[*1] ) which would add additional information to the log.
Re: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/06/11 08:59am
By: winnerdk
Also, I asked the folks over at ZB Block the same question. They said: "Re: Using ZB Block to protect a Geeklog site - The manual is old and outdated. It would be best to put it at the top of the file that contains your SQL username and password, since the rest of the script must go through that. Remember, don't add any newlines or spaces. If the file starts with a <?php , then put in the ZB Block hook right in front of it. Like: Code: <?php require('/home/panamax/public_html/zbblock/zbblock.php'; ?><?php
Please get back to us, and tell us how it went. Zap"
So, is their suggestion to "put it at the top of the file that contains your username and password" the same basic suggestion as putting the line of script in the lib-common.php file? What do you think Dirk?
Thanks.
Don
www.panama-guide.com
Re: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/06/11 09:00am
By: winnerdk
Don
www.panama-guide.com
Re: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/06/11 11:39am
By: Anonymous (ironmax)
@Michael: I'm currently running Geeklog 1.7.1sr1 - would there be any change to your suggestion regarding the placement of the script ZB Block script in the lib-common.php file?
Also, I asked the folks over at ZB Block the same question. They said: "Re: Using ZB Block to protect a Geeklog site - The manual is old and outdated. It would be best to put it at the top of the file that contains your SQL username and password, since the rest of the script must go through that. Remember, don't add any newlines or spaces. If the file starts with a <?php , then put in the ZB Block hook right in front of it. Like: Code: <?php require('/home/panamax/public_html/zbblock/zbblock.php'; ?><?php
Please get back to us, and tell us how it went. Zap"
So, is their suggestion to "put it at the top of the file that contains your username and password" the same basic suggestion as putting the line of script in the lib-common.php file? What do you think Dirk?
Thanks.
Don
www.panama-guide.com
Don,
Okay. That line 127 was only a suggestion on where to look in the lib-common file. But yes, it has to be placed in that file in that location so it can protect your entire site.
If you insert that code at the top of the page as they suggest, your site may not even work because it wont allow for any type of interaction on your site from what I can tell.
When they mention that the docs are old, thats the only thing they are saying. Everything else is constantly being updated.
Place the code in the proper place, just above this area in the lib-common file and you'll be just fine.
require('/home/panamax/public_html/zbblock/zbblock.php';
// this file can't be used on its own - redirect to index.php
if (strpos(strtolower($_SERVER['PHP_SELF']), 'lib-common.php') !== false) {
echo COM_refresh($_CONF['site_url'] . '/index.php');
exit;
}
// +---------------------------------------------------------------------------+
// | Library Includes: You shouldn't have to touch anything below here |
// +---------------------------------------------------------------------------+
Michael
Re: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/06/11 12:06pm
By: winnerdk
Don
www.panama-guide.com
Re: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/06/11 04:31pm
By: winnerdk
Thanks for helping me get this done.
Don
www.panama-guide.com
Re: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/06/11 04:39pm
By: winnerdk
Don
www.panama-guide.com
Re: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/06/11 04:40pm
By: Dirk
bye, Dirk
Re: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/06/11 05:06pm
By: winnerdk
Don
www.panama-guide.com
Re: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/06/11 05:30pm
By: winnerdk
Is there anyway I can temporarily disable the CSRF token protection to test and experiment?
Don
Re: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/06/11 05:49pm
By: winnerdk
Don
Re: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/06/11 10:01pm
By: Anonymous (ironmax)
Never mind. I chucked it. Goodbye, ZB Block experiment. It seemed to be working just fine, except for the part about making my website inaccessible, to me...
Don
Interesting...did you include yourself in the whitelist in the zbblock.ini file in the vault directory?
; *** ZB Block Password ***
;
; Password to control functions of ZB Block
; ?wlpw=<password> to add yourself to the whitelist
; and allow yourself back in.
;
; values:
; "" to neutralize password and turn of control
; functions globally.
;
; "<password>" Password to control functions.
;
; default: zbb_pw = ""
zbb_pw = "password"
Michael
Re: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/07/11 09:55am
By: winnerdk
Don
Re: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/17/12 04:13pm
By: Laugh
How is zb block working on the demo sites?
I am thinking of trying it out on one of my Geeklog sites.
Did you use any special settings?
Thanks
Re: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/17/12 06:33pm
By: Anonymous (ironmax)
Ironmax,
How is zb block working on the demo sites?
I am thinking of trying it out on one of my Geeklog sites.
Did you use any special settings?
Thanks
Tom,
It works great! However you have to keep an eye on the logs and fine tune it for anyone that is not getting thru to your site, provided they notify you in the first place that they are having issues not connecting. So its a mixed bag of issues, some will notify and others wont bother and go someplace else.
Michael
Re: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/17/12 06:39pm
By: Laugh
Re: Some Kind Of Spam or Hacking Attack - Hundreds of
Posted on: 12/17/12 06:52pm
By: Anonymous (ironmax)
Michael