#1
14 Oct 2020, 22:13
Scalemotorcars
Join Date: Mar 2006
Real name: Daniel
Weird IP behavior for the last few weeks.

So I keep getting DB errors and it looks like someone is trying to hack the site.

Of the last 100 or so most recent registrations, all have IP addresses that look almost exactly the same. They start with 10.30.94. And all the DB errors are coming from 2 IPs. Also, this IP range seems to be private so I can't get a fix on where it's coming from. Maybe everyone is using VPNs???

So, of course, I blocked the IP and did a wildcard on the end, but then I myself, the admin, got locked out of the site. Not the backend, but I definitely got locked out of the front end. My IP is nothing like this so now I'm curious. Maybe it's some kind of glitch in the system that keeps recording the same or almost the same IP when someone new registers.

Now, to be clear, a few of these members with the same exact IP actually posted legit messages, but I have like 100 members with the same IP. ???

It looks very fishy to me but I figured I would run it by you guys here before I start deleting accounts.

Last edited by Scalemotorcars; 15 Oct 2020 at 14:45.

#2
15 Oct 2020, 15:01
In Omnibus
Join Date: Apr 2010
Real name: Kris
Do you use Cloudflare or something similar?

#3
15 Oct 2020, 16:18
Scalemotorcars
Join Date: Mar 2006
Real name: Daniel
Hosted on Register.com

I thought it had something to do with the forum spam plugin I'm using. They switched from http to https but I changed the links in the plugin. I then did some digging in the DB and noticed the same User ID keeps popping up in the DB errors. With this, the weird thing is it appears to be coming from the integrated Photopost plugins. Also, when I blocked the IP above the DB errors increased.

#4
15 Oct 2020, 16:59
Hostboard
Join Date: May 2002
Real name: Steven
Have you tried to use .htaccess instead of vBulletin?


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

__________________
Custom Solutions for your vBulletin

#5
15 Oct 2020, 20:37
Scalemotorcars
Join Date: Mar 2006
Real name: Daniel
Yes, I actually have a bunch of countries blocked by .htaccess along with a blacklist. The weird part is that all new registrations are coming from the same IP range 10.30.94 (100-201). I can't seem to find out why. The IP recorded on the site for new members isn't their actual IP. I had a friend register and his IP came up in the same range listed above where I know it's completely different.

#6
16 Oct 2020, 05:53
z3r0
Join Date: Apr 2005
Location: Lancashire, UK
It looks like your host may have put something in front of your site.

You could try adding the following to your config.php file and see if the IPs sort themselves out.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

__________________
Better VB.org search

#7
16 Oct 2020, 17:27
Scalemotorcars
Join Date: Mar 2006
Real name: Daniel
Thanks for the code, I'll give this a try. Could you tell me a safe area of the config file to put this?

Edit: I added it to the end. Let's see if this fixes it. I'll post back just in case someone else runs into this.

Last edited by Scalemotorcars; 16 Oct 2020 at 17:38.

#8
17 Oct 2020, 21:22
Scalemotorcars
Join Date: Mar 2006
Real name: Daniel
Well nuts, that didn't work. All that happened is the entire site DNS IP was blocked. It looks like my host is using something like Cloudflare or changed something with the Apache server. I'll give them a call and see if I can get it sorted.

#9
18 Oct 2020, 06:47
z3r0
Join Date: Apr 2005
Location: Lancashire, UK
Actually, I've just looked at your site and I don't think that would have worked anyway, as it looks like you are on 4.2.2 and I don't think the proxy header stuff went in until 4.2.4.

Looking at your page response headers, if you say you are on an Apache server then there has definitely been something placed in front of the site.
__________________
Better VB.org search

#10
22 Oct 2020, 14:33
Hostboard
Join Date: May 2002
Real name: Steven
I use the pro version of this:
https://www.vbulletin.org/forum/showthread.php?t=282525

This allows me to easily identify multiple registrations per IP.

I believe if you ask Joe he will send it or make it available, as he is no longer selling and has released the Pro versions here in the past.
__________________
Custom Solutions for your vBulletin
