Geeklog Forums

I was looking through the error.log for an unrelated issue, and I noticed there are dozens of "invalid username" entries, about eight or ten at a time;

Mon 05 Dec 2011 05:00:29 COT - Error, invalid username: 'Heamepalgam'
Mon 05 Dec 2011 05:12:52 COT - Error, invalid username: 'cidemeDyecy'
Mon 05 Dec 2011 05:23:55 COT - Error, invalid username: 'Suisellva'
Mon 05 Dec 2011 05:42:57 COT - Error, invalid username: 'Vfqmetql'
Mon 05 Dec 2011 05:44:18 COT - Error, invalid username: 'blurezelf'
Mon 05 Dec 2011 05:47:38 COT - Error, invalid username: 'raignCreard'
Mon 05 Dec 2011 05:51:40 COT - Error, invalid username: 'Mawnrannike'
Mon 05 Dec 2011 06:13:21 COT - Error, invalid username: 'pletchervfo'
Mon 05 Dec 2011 06:23:30 COT - Error, invalid username: 'Reewclesy'
Mon 05 Dec 2011 06:39:28 COT - Error, invalid username: 'hielvebah'
Mon 05 Dec 2011 06:57:03 COT - Error, invalid username: 'raignCreard'
Mon 05 Dec 2011 07:29:10 COT - Error, invalid username: 'Cannabispayok'
Mon 05 Dec 2011 07:54:47 COT - Error, invalid username: 'billhornetty'
Mon 05 Dec 2011 08:11:37 COT - Error, invalid username: 'raignCreard'
Mon 05 Dec 2011 08:30:12 COT - Error, invalid username: 'Groultytato'
Mon 05 Dec 2011 09:14:24 COT - Error, invalid username: 'inoweseelleks'
Mon 05 Dec 2011 09:22:03 COT - Error, invalid username: 'HeermaJamma'
Mon 05 Dec 2011 10:25:34 COT - Error, invalid username: 'Wariato'
Mon 05 Dec 2011 12:00:42 COT - Error, invalid username: 'layeldemome123'
Mon 05 Dec 2011 12:11:12 COT - Error, invalid username: 'xrumerj'
Mon 05 Dec 2011 12:17:18 COT - Error, invalid username: 'Apocketofeuros'
Mon 05 Dec 2011 12:35:18 COT - Error, invalid username: 'Arequequinose'
Mon 05 Dec 2011 12:46:27 COT - Error, invalid username: 'raignCreard'
Mon 05 Dec 2011 12:52:09 COT - Error, invalid username: 'SataInpumma'
Mon 05 Dec 2011 13:07:43 COT - Error, invalid username: 'yiwbtr8'
Mon 05 Dec 2011 13:08:51 COT - Error, invalid username: 'Exterrero'
Mon 05 Dec 2011 13:23:32 COT - Error, invalid username: 'KahTraurb'
Mon 05 Dec 2011 13:27:52 COT - Error, invalid username: 'Zombigeemibre'

None of these are actual users on my website. They seem to be coming in groups, so I suspect someone is running a script to try to find an existing username (or something) as part of an effort to spam the site. It's not going to work, because every post to my website (comments or any other kind of submission) are now individually reviewed before posting.

But anyway, I would like to know - How can I figure out who is trying to hit my website with these bogus usernames? If I have the IP address of whoever was doing this I could prevent that IP from accessing the site. Is there any way to monitor the attempts? Besides the error.log (which I have) is this kind of information captured anywhere else? Is there something else I should be thinking of? Thanks.

Don Winner
www.panama-guide.com

Geeklog doesn't capture the IP address of failed login attempts (maybe we should, at least optionally). You'd have to check your webserver's logfiles for that. Look for POST requests to the users.php and match them up with the timestamps in the error.log

bye, Dirk

OK, that worked. The data was contained in the Raw Apache Log on the server (as you described.) And, just as you said, there were POST requests to users.php that matched up perfectly with the error.log entries. So, I started to copy the offending IP addresses and add them to the IP Deny list in CPanel.

However - it's a different IP every time. So whoever is running this script is coming in from a different angle with every attempt, and therefore it won't do me any good to try to block all of these IP addresses. Is there anything else i can do? I mean, I'm really not all that worried - but I would like to be able to do something to put a big "CLOSED" sign up for this kind of attack.

Don
www.panama-guide.com

Yeah, if they would all be coming from the same IP address, Geeklog would have blocked - or at least slowed them down - already, since that would have triggered the speed limit for login attempts.

I don't think there's anything you can do about those, unless you find a pattern in them that lets you identify these types of attempts and separate them from valid login attempts (where somebody made a typo, for example). FWIW, we get those all the time here on geeklog.net and I don't think they ever really accomplished anything (other than being a mild annoyance).

bye, Dirk

Yeah, concur. I already manually approve all of the comments posted due to spammers. I think this is just some script that's looking for a existing user and password combination in order to post a spam link or something. Whatever - I was just hoping for a way to shut it down. Thanks for taking the time, Dirk.

Don
www.panama-guide.com

Don,

You can try using ZBBLOCK from http://www.spambotsecurity.com and watch your log file that it creates, so you can make adjustments as needed to the security. I have used it on the demo.geeklog.net site and many of my other sites for a few months and it cut out an incredible amount of spam and hacking attempts. Give it a try and make sure you setup the logs and email so that users can contact you when they have a problem connecting to your site.

Michael

OK, I've downloaded and installed ZB Block. When I checked the Raw Apache Log again, this is an example of the script I'm trying to block;

"POST /users.php HTTP/1.0" 200 54687 "http://www.panama-guide.com/users.php?mode=new"

And the instructions for the ZB Block install says: "Now you must add:

<?php require('/home/panamax/public_html/zbblock/zbblock.php'; ?>

to all the pages you wish to protect, as near as you can to the top as you can, and deffinitely before any MySQL access occurs."

So, in this case, where should I put the ZB Block Script. And I realize this isn't the ZB Block Help Forum, but I'm asking because you're using this on a Geeklog site, so I'm hoping you can steer me a little here. Should I add the ZB Block script to the top of the users.php file?

Don
www.panama-guide.com

Yeah, I just looked at the users.php file, and that's the kind of stuff I normally stay way far away from on Geeklog. Where did you put the ZB Block scripts on the demo site?

Don
www.panama-guide.com

Don,

If your running geeklog version 1.8.1, then in your lib-common.php file open it up and copy that line that had a "GOOD" statement to it to the same location in the lib-common file example below. Should be a starting point line of 127 or so.



Any questions, let me know.

Michael

I notice this a while ago as well. I did create a feature request (http://project.geeklog.net/tracking/view.php?id=1382) which would add additional information to the log.

---

One of the Geeklog Core Developers.

@Michael: I'm currently running Geeklog 1.7.1sr1 - would there be any change to your suggestion regarding the placement of the script ZB Block script in the lib-common.php file?

Also, I asked the folks over at ZB Block the same question. They said: "Re: Using ZB Block to protect a Geeklog site - The manual is old and outdated. It would be best to put it at the top of the file that contains your SQL username and password, since the rest of the script must go through that. Remember, don't add any newlines or spaces. If the file starts with a <?php , then put in the ZB Block hook right in front of it. Like: Code: <?php require('/home/panamax/public_html/zbblock/zbblock.php'; ?><?php

Please get back to us, and tell us how it went. Zap"

So, is their suggestion to "put it at the top of the file that contains your username and password" the same basic suggestion as putting the line of script in the lib-common.php file? What do you think Dirk?

Thanks.

Don
www.panama-guide.com

One more thing that I almost forgot. When the guys as ZB Block said "the manual is old and outdated" my confidence level dropped to damn near zero...

Don
www.panama-guide.com

Don,

Okay. That line 127 was only a suggestion on where to look in the lib-common file. But yes, it has to be placed in that file in that location so it can protect your entire site.

If you insert that code at the top of the page as they suggest, your site may not even work because it wont allow for any type of interaction on your site from what I can tell.

When they mention that the docs are old, thats the only thing they are saying. Everything else is constantly being updated.

Place the code in the proper place, just above this area in the lib-common file and you'll be just fine.



Michael

OK, thanks for getting back to me. I'll put it in there, and see how it works....

Don
www.panama-guide.com

Perfect. I now have ZB Block up and running on my website, and it immediately started heading off these kinds of attacks and probes. I was running for just about 15 minutes, and it's already stopped a bunch of spammers from China and Brazil who are on known banned lists. And yes, that's exactly what they are doing, probing for weakness in security to find websites where they can toss up spam. This program seems to be doing the trick, and the website seems to be running just fine, with no problems. So far, I'm a happy camper.

Thanks for helping me get this done.

Don
www.panama-guide.com

Ah, I just went and checked the error.log file. Remember those hundreds of attempts to gain access to the website using bogus user names that were the original reason why I started this thread? They stopped cold, the instant I activated the ZB Block program. So, it looks like it's working as advertised.

Don
www.panama-guide.com

Just wanted to mention that we had ZBBLOCK running on the Geeklog demo site for a while and it did seem to occasionally block legit users. Here's one who complained about it on our bugtracker.

bye, Dirk

Nope, I have to take it all back. ZB Block seems to be working well while I surfed the site, but when I tried to post a new article it identified ME as a spammer. Now trying to tweak the settings and figure it out.

Don
www.panama-guide.com

OK, it seems like the CSRF token protection is somehow screwing up ZB Blocker. Everything is working fine until I get to the "authentication required" screen, and them as soon as that call goes out the ZB Blocker kicks in and identifies me as a spammer.

Is there anyway I can temporarily disable the CSRF token protection to test and experiment?

Don

Never mind. I chucked it. Goodbye, ZB Block experiment. It seemed to be working just fine, except for the part about making my website inaccessible, to me...

Don