Ravens PHP Scripts: Forums
 

 

Ravens PHP Scripts And Web Hosting Forum Index -> Hack Attempt Script
transit
Regular
Joined: Jun 01, 2010
Posts: 69

Posted: Tue Apr 05, 2011 11:54 am

So within the last little bit I have been getting hit hard by certain IPs loading thousands of my pages/jpgs/pdfs all within seconds of each other. Here's a little excerpt from my latest visitors below.

At first I thought they were bots, but when I do a whois search it's not like it's a normal IP from someone's computer. How can I block mass loadings of my files? Can it be done via Nuke Sentinel?

Code:
65.94.56.175 | /uploads/file/Tomken%20Renewal%20Busing%20Application.pdf | 4/5/11 12:46 PM | 2313139 | http://www.trott.ca/forms-cat7.html | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3)
65.94.56.175 | /forms-file-9.html | 4/5/11 12:46 PM | 26 | http://www.trott.ca/forms-cat7.html | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3)
65.94.56.175 | /modules/Downloads/images/lwin.gif | 4/5/11 12:46 PM | 80 | http://www.trott.ca/forms-cat7.html | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3)
65.94.56.175 | /modules/Downloads/images/popular.gif | 4/5/11 12:46 PM | 120 | http://www.trott.ca/forms-cat7.html | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3)
65.94.56.175 | /forms-cat7.html | 4/5/11 12:46 PM | 5036 | http://www.trott.ca/forms.html | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3)
65.94.56.175 | /modules/RavenNuke_Reflections/includes/motiongallery2.js | 4/5/11 12:46 PM | 0 | http://www.trott.ca/forms.html | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3)
65.94.56.175 | /includes/norightclick.js | 4/5/11 12:46 PM | 0 | http://www.trott.ca/forms.html | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3)
65.94.56.175 | /includes/jquery/supersubs.js | 4/5/11 12:46 PM | 0 | http://www.trott.ca/forms.html | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3)
65.94.56.175 | /TrickedOutSlider/js/jquery.flow.1.2.auto.js | 4/5/11 12:46 PM | 0 | http://www.trott.ca/forms.html | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3)
65.94.56.175 | /includes/jquery/nukeNAV.js | 4/5/11 12:46 PM | 0 | http://www.trott.ca/forms.html | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3)
65.94.56.175 | /includes/jquery/superfish.js | 4/5/11 12:46 PM | 0 | http://www.trott.ca/forms.html | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3)
65.94.56.175 | /includes/jquery/jquery.hoverIntent.minified.js | 4/5/11 12:46 PM | 0 | http://www.trott.ca/forms.html | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3)
65.94.56.175 | /includes/boxover/boxover.js | 4/5/11 12:46 PM | 0 | http://www.trott.ca/forms.html | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3)
65.94.56.175 | /includes/jquery/jquery.js | 4/5/11 12:46 PM | 0 | http://www.trott.ca/forms.html | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3)
65.94.56.175 | /includes/jquery/jquery.colorbox-min.js | 4/5/11 12:46 PM | 0 | http://www.trott.ca/forms.html | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3)
65.94.56.175 | /includes/rn.js | 4/5/11 12:46 PM | 0 | http://www.trott.ca/forms.html | Mozilla/4.0 (compatible; MSIE 8.0;
 
fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

Posted: Tue Apr 05, 2011 12:13 pm

You can block them using Nuke Sentinel's block IP function or you can add them yourself to your htaccess and block them. But you might want to discuss this with your hosting service and see if they have a way to block these attacks at an earlier stage. You or your host might want to research who owns 65.94.56.174 (is this [link hidden by the board]) and see what you can do to intervene with them to get the attacks stopped. No matter how early in the process your host blocks things like this they are still creating traffic and overhead just to deal with them. Better to go to the source if at all possible.
 
killing-hours
RavenNuke(tm) Development Team


Joined: Oct 01, 2010
Posts: 438
Location: Houston, Tx

Posted: Tue Apr 05, 2011 12:42 pm

The ip is assigned to Bell Canada (ISP).

Contact their abuse: [link hidden by the board]

Here is the domain information: [link hidden by the board]

I would also contact your hosting provider or block it in the .htaccess as mentioned by fkelly.

_________________
Money is the measurement of time - Me
"You can all go to hell…I’m going to Texas" -Davy Crockett 
transit
Posted: Tue Apr 05, 2011 1:24 pm

I can use the Block IP Address in cPanel as well? I have multiple domains hooked up so editing many .htaccess files might be a pain.

Nuke Sentinel doesn't offer any of these early spam detections?
 
killing-hours
Posted: Tue Apr 05, 2011 1:37 pm

transit wrote:
Nuke Sentinel doesn't offer any of these early spam detections?


Don't really think it's "spam" per se... I just downloaded the first .pdf in the code you gave above which tells me it's finding "legit" files on your server and grabbing them. For what purpose... I can't answer.

Web scraping/indexing maybe?
 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

Posted: Tue Apr 05, 2011 2:21 pm

It doesn't look like a hacking attempt. It really looks like a search engine. Is it affecting your response time?
 
transit
Posted: Tue Apr 05, 2011 3:17 pm

Yes very highly, I thought it was bots at first too.
 
spasticdonkey
RavenNuke(tm) Development Team


Joined: Dec 02, 2006
Posts: 1693
Location: Texas, USA

Posted: Tue Apr 05, 2011 10:31 pm

I'm not sure I'm seeing anything strange about those logs... most of those files would be requested when loading a page under normal conditions (including your customizations)

Code:
/modules/Downloads/images/lwin.gif
/modules/Downloads/images/popular.gif
/modules/RavenNuke_Reflections/includes/motiongallery2.js
/includes/norightclick.js
/includes/jquery/supersubs.js
/TrickedOutSlider/js/jquery.flow.1.2.auto.js
/includes/jquery/nukeNAV.js
/includes/jquery/superfish.js
/includes/jquery/jquery.hoverIntent.minified.js
/includes/boxover/boxover.js
/includes/jquery/jquery.js
/includes/jquery/jquery.colorbox-min.js
/includes/rn.js


Are you sure this is the cause of your issue? Most of your pages loaded pretty fast for me with the exception of your home page; that has a couple MB of images on it. That could potentially put a strain on your server... I would optimize those images with an image editor and see if that helps. For instance this 18kb instead of 226 KB.
Image
(Usually not a good idea to rescale images with the browser, better to edit to the intended size. Your images are 700px and set to max-width 455px)

It could also be many other causes... :(

Take note of when and where any performance lag is happening. If it only happens during peak hours of the day, your host may have over-sold your server.
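
Added example (not part of any post in this thread): a small Python check for the question the replies circle around, namely whether a burst of hits is one browser rendering a page with its scripts and images, or a client pulling many pages or files per minute. The pipe-separated field layout, the extension lists and the per-minute limits are assumptions, and the records and IP addresses are constructed.

```python
import os
from collections import defaultdict
from datetime import datetime

# Files a browser fetches on its own while rendering a single page.
ASSET_EXT = {".js", ".css", ".gif", ".jpg", ".jpeg", ".png", ".ico"}
PAGE_EXT = {".html", ".php", ""}

def parse(line):
    """Split one 'ip | path | time | size | referrer' record (assumed layout)."""
    ip, path, when, _size, _ref = [f.strip() for f in line.split("|")]
    minute = datetime.strptime(when, "%m/%d/%y %I:%M %p")
    ext = os.path.splitext(path.split("?")[0])[1].lower()
    return ip, minute, ext

def summarize(lines):
    """Per (ip, minute): raw hits, page views, and downloads such as PDFs."""
    stats = defaultdict(lambda: {"hits": 0, "pages": 0, "files": 0})
    for line in lines:
        ip, minute, ext = parse(line)
        bucket = stats[(ip, minute)]
        bucket["hits"] += 1
        if ext in PAGE_EXT:
            bucket["pages"] += 1
        elif ext not in ASSET_EXT:
            bucket["files"] += 1
    return stats

def flag(stats, max_pages=20, max_files=10):
    """IPs exceeding the (assumed) per-minute page or download limits."""
    return sorted({ip for (ip, _minute), s in stats.items()
                   if s["pages"] > max_pages or s["files"] > max_files})

def sample():
    """Constructed records: one browser visit and one rapid page crawler."""
    t, ref = "4/5/11 12:46 PM", "http://example.test/forms.html"
    visit = [f"192.0.2.10 | /forms.html | {t} | 5036 | -",
             f"192.0.2.10 | /forms-cat7.html | {t} | 5036 | {ref}",
             f"192.0.2.10 | /uploads/file/form.pdf | {t} | 2313139 | {ref}"]
    visit += [f"192.0.2.10 | /includes/jquery/a{i}.js | {t} | 0 | {ref}"
              for i in range(13)]
    crawl = [f"198.51.100.7 | /forms-file-{i}.html | {t} | 26 | -"
             for i in range(40)]
    return visit + crawl

if __name__ == "__main__":
    result = summarize(sample())
    for (ip, minute), s in sorted(result.items()):
        print(ip, minute, s)
    print("flagged:", flag(result))
```

Counting page views and downloads separately from raw hits keeps a single visit with many scripts and images from looking like a flood; only an address that stays over the limits is worth adding to a block list.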
All times are GMT - 6 Hours