  #1  
03 Mar 2008, 15:30
NeuroLancer
 
Join Date: Feb 2008
Real name: John
We were 'Probed'

I don't know what else to call it; someone or something in Hong Kong just visited many, many times as 100 guests on my site, all in the space of 2 minutes, kinda like they were sniffing around looking for a way in (where they should not be)......

Database has just been backed up.

It sticks out because I know when a spider comes along, it has a specific behaviour... it doesn't just hit everything all at once, it moves around page to page one at a time... This thing, whatever it was, was very different.

My site is in development and does not quite get this many non-spider hits in a day, let alone 2 minutes. Can anyone tell me if this is expected or unexpected behaviour for a very small forum to have in the usual day-to-day operations?
Attached image: what the.jpg (41.0 KB)
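The burst John describes (many distinct addresses from one range inside two minutes, as opposed to a crawler walking pages one at a time from a single address) can be picked out of the web server's access log instead of the Who's Online page. The script below is an added example, not code from the thread or from vBulletin; it assumes Apache combined-format log lines and uses a constructed sample built from documentation address ranges (198.51.100.0/24 and friends) in place of real traffic.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')  # client address and timestamp of a combined-format line

def parse_line(line):
    """Return (ip, aware datetime) for one Apache log line, or None if it does not parse."""
    try:
        ip, stamp = LOG_RE.match(line).groups()
        return ipaddress.ip_address(ip), datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    except (AttributeError, ValueError):
        return None

def find_bursts(lines, window_s=120, min_hosts=20, prefix=24):
    """[(network, peak)] for each /prefix from which at least min_hosts distinct addresses
    hit the site inside one window_s-second interval. A crawler on one address never trips it."""
    by_net = defaultdict(list)
    for ip, ts in filter(None, map(parse_line, lines)):
        by_net[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].append((ts, ip))
    bursts = []
    for net, hits in by_net.items():
        hits.sort()
        in_window = defaultdict(int)  # distinct addresses currently inside the sliding window
        start = peak = 0
        for ts, ip in hits:
            in_window[ip] += 1
            while (ts - hits[start][0]).total_seconds() > window_s:  # drop hits older than the window
                old = hits[start][1]
                in_window[old] -= 1
                if not in_window[old]:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_hosts:
            bursts.append((str(net), peak))
    return bursts

def build_sample():
    """Constructed log (not real traffic): one ordinary visitor, a crawler fetching a page
    every 5 s from a single address, and 100 guests from 198.51.100.0/24 inside two minutes."""
    base = datetime(2008, 3, 3, 15, 20, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" 200 1024 "-" "{ua}"'
    lines = [fmt.format(ip="203.0.113.5", ts=base, path="/index.php", ua="Mozilla/5.0")]
    lines += [fmt.format(ip="192.0.2.10", ts=base + timedelta(seconds=5 * i),
                         path=f"/showthread.php?t={i}", ua="ExampleBot/1.0") for i in range(40)]
    lines += [fmt.format(ip=f"198.51.100.{i + 1}", ts=base + timedelta(seconds=i),
                         path="/forumdisplay.php?f=2", ua="Mozilla/4.0") for i in range(100)]
    return lines
```

The network it reports is the range that would go into the .htaccess or iptables deny rule the later replies recommend, and the crawler in the sample is never flagged because it uses one address however many pages it fetches.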
  #2  
03 Mar 2008, 15:32
snakes1100
 
Join Date: Dec 2001
Real name: Anthony
It's hard to say exactly what they were doing or if it was even a spider; you need to dig up info on the IP for that hostname in the pic.

I would start by banning them in the AdminCP and using a host deny in an .htaccess file as well in your public_html dir.
  #3  
03 Mar 2008, 15:42
NeuroLancer
 
Join Date: Feb 2008
Real name: John
Originally Posted by snakes1100:
It's hard to say exactly what they were doing or if it was even a spider; you need to dig up info on the IP for that hostname in the pic.

I would start by banning them in the AdminCP and using a host deny in an .htaccess file as well in your public_html dir.

Thanks for the advice.

I had banned them in AdminCP but didn't think of .htaccess; I've now added the range to .htaccess as well whilst I look into it further.
  #4  
03 Mar 2008, 15:52
illithid
 
Join Date: Sep 2007
I have to agree with Snakes in regards to banning all the IP addresses used during that "Probe". The reason I say that is because, at first glance, it looks to me like a "brute force attack": a method of hacking to crack passwords, etc. Generally this only occurs at the login script, but it can occur at other areas of a page. Perhaps they are trying to exploit a weakness somewhere. Hard to say though.

Definitely ban those IPs.
  #5  
03 Mar 2008, 15:58
NeuroLancer
 
Join Date: Feb 2008
Real name: John
Originally Posted by illithid:
Definitely ban those IPs.

Done.

As far as I can tell, it's just a miscellaneous range, not a spider. It was weird because the IP was slightly different each time, thus becoming 100 guests.

And also, I just discovered the following:

Called with DO = 'a Russian URL I've removed (because when I went there Kaspersky found malware)'
The site was a Chinese site written in English and hosted in Russia... it was weird.

They will stay banned for good.
  #6  
03 Mar 2008, 16:53
Boofo
 
Join Date: Mar 2002
Real name: Rob
Originally Posted by NeuroLancer:
I don't know what else to call it; someone or something in Hong Kong just visited many, many times as 100 guests on my site, all in the space of 2 minutes, kinda like they were sniffing around looking for a way in (where they should not be)......

Database has just been backed up.

It sticks out because I know when a spider comes along, it has a specific behaviour... it doesn't just hit everything all at once, it moves around page to page one at a time... This thing, whatever it was, was very different.

My site is in development and does not quite get this many non-spider hits in a day, let alone 2 minutes. Can anyone tell me if this is expected or unexpected behaviour for a very small forum to have in the usual day-to-day operations?

Next time you notice something like that, go to the Who's Online page and do an IDENT display (User Agent in the drop-down box). Set it to yes, and display. The IDENTs will tell you if they are spiders.

What happened to you could very well have been spiders. I have that happen quite often. Not 100, but quite a few from the same place hitting all at the same time.
  #7  
03 Mar 2008, 23:31
DivisionByZero
 
Join Date: Dec 2002
Real name: Chris
If you really wanna filter the bulls**t, the best thing you can do is block the ENTIRE Chinese and Australian IP space. You can find the latest IP blocks for any given country here:

http://www.apnic.net/apnic-bin/ipv4-....pl?country=cn
http://www.apnic.net/apnic-bin/ipv4-....pl?country=au

Simply add these blocks to your iptables rules and I GUARANTEE this will eliminate 99.9999% of the spam and foreign attacks. I do this as a rule. I have NO REASON to do business with anyone in China or Australia.

A more interactive way to achieve this is to install the GeoIP module for Apache. It looks up every hostname/IP in the GeoIP table and determines the country. You can then set rules based on visitor country.
  #8  
04 Mar 2008, 00:52
NeuroLancer
 
Join Date: Feb 2008
Real name: John
Originally Posted by Boofo:
Next time you notice something like that, go to the Who's Online page and do an IDENT display (User Agent in the drop-down box). Set it to yes, and display. The IDENTs will tell you if they are spiders.

Thanks Boofo, I did do that; they resolved as what appears to be a standard internet user.

Originally Posted by MisterPopularity:
If you really wanna filter the bulls**t, the best thing you can do is block the ENTIRE Chinese and Australian IP space.

LOL, pineapples will grow in space before I filter my own country (Australia) but I appreciate the advice.
  #9  
04 Mar 2008, 00:57
Boofo
 
Join Date: Mar 2002
Real name: Rob
The IDENT string can be tricky to read on some spiders. One spider that will always show as a guest is the Accoona spider. Its IDENT string shows as a normal user, yet when you resolve the IP it shows up as a spider clear as day. So don't always go by that, just as a general rule.
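Boofo's caveat above, that the user-agent (IDENT) string can look like an ordinary browser while the resolved hostname gives the spider away, generalises to forward-confirmed reverse DNS: treat an address as a known crawler only when its PTR name lies under the crawler operator's domain and that name resolves back to the same address, since a PTR record alone is under the address owner's control. The function below is an added example, not code from the thread; the domain names, DNS records and resolver stubs are constructed for illustration, and the default arguments are the real socket lookups.

```python
import socket

# Constructed DNS data (not real records): an honest crawler address, an address whose
# PTR merely claims a crawler name, and an ordinary subscriber line.
FAKE_PTR = {
    "192.0.2.10": "crawl-10.bot.example.net",
    "198.51.100.7": "crawl-7.bot.example.net",  # forged PTR: name is not really theirs
    "203.0.113.5": "dsl-5.isp.example.org",
}
FAKE_A = {
    "crawl-10.bot.example.net": ["192.0.2.10"],
    "crawl-7.bot.example.net": ["192.0.2.77"],  # does not point back at 198.51.100.7
    "dsl-5.isp.example.org": ["203.0.113.5"],
}

def fake_reverse(ip):
    """Stand-in for socket.gethostbyaddr: (hostname, aliases, addresses)."""
    if ip not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")
    return FAKE_PTR[ip], [], [ip]

def fake_forward(name):
    """Stand-in for socket.gethostbyname_ex: (hostname, aliases, addresses)."""
    if name not in FAKE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return name, [], FAKE_A[name]

def classify_guest(ip, crawler_domains, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """Forward-confirmed reverse DNS check for one guest address.
    'crawler' only when the PTR name sits under a listed crawler domain AND that name
    resolves back to the same address; 'forged-ptr' when the name does not point back."""
    try:
        host = reverse(ip)[0].lower()
    except OSError:          # socket.herror is an OSError subclass
        return "no-ptr"
    if not any(host == d or host.endswith("." + d) for d in crawler_domains):
        return "ordinary"
    try:
        return "crawler" if ip in forward(host)[2] else "forged-ptr"
    except OSError:          # socket.gaierror is an OSError subclass
        return "forged-ptr"
```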