| Author |
Message |
selma
Hangin' Around
Joined: May 09, 2006
Posts: 31
|
 Posted:
Fri Jul 13, 2007 3:48 pm |
 
|
Sorry elric,
That was a new topic that should have gone in it's own thread. So I took it out of here and started a new thread.
But, regarding the large number of attackers found by sentinel; Susanne suggested looking in the logs.
When I did look in the NS tracked IP logs I found that more than half the traffic to my site was from a very tight spread of IP addresses. They were only different by a couple of numbers (74.6.23.4 then .21.3 then 22.5) Sometimes there were 50 of them on-site at the same time.
My abuse count rose by at least 5 each day.
Looking at the logs though, which also tells you what they were doing on your site, I just blocked them. Some of the really irritating ones I blocked and forwarded to the PC Killer templates.
The site in question always had 25 - 60 people on line at a time. Which did not make sense because it was a community arts program that doesn't even happen for 4 months. Should only have 50 visitors or less in a day at this point.
Noticed a dramatic decrease in activity after the changes.
Susanne mentioned the send to friend activity. Noticed that the same IP's were sending to friends 20 times a day - every day.
But those ip's were also in that range of those that spanned a limited range of addresses.
Good Luck |
|
|
|
|
Susann
Moderator
Joined: Dec 19, 2004
Posts: 3143
Location: Germany:Moderator German NukeSentinel Support
|
| Posted:
Fri Jul 13, 2007 6:21 pm |
|
But such entries from Yahoo are harmless.
74.6.29.36 - - [13/Jul/2007:23:59:28 +0200] "GET /article-friend-147.html HTTP/1.0" 302 26 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; "
74.6.23.4 is INKTOMISEARCH.COM -thats also Slurp.
Slurp is very active currently. |
|
|
|
|
selma
Hangin' Around
Joined: May 09, 2006
Posts: 31
|
| Posted:
Fri Jul 13, 2007 7:45 pm |
|
hmmm,
So I wonder if they would have been on site that much. 30 - 60 hits all at one time is a serious jump in activity for this site.
I'll go back and look and see if I can see a difference in search engine use and any others. Sure is quiet without them though.
Good information. Worth looking into. Thanks |
|
|
|
|
|
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9136
Location: Arizona
|
| Posted:
Sat Jul 14, 2007 8:29 am |
|
| selma wrote: | | So I wonder if they would have been on site that much. 30 - 60 hits all at one time is a serious jump in activity for this site. |
That, most definitely, would be the profile of a search engine revving it up so to speak. I get this from time-to-time, and, yes, Yahoo in my opinion, has been the "worse".
You might want to check out this post on Guardian's site:
|
|
|
|
|
|
elric
New Member
Joined: Jun 15, 2007
Posts: 13
|
| Posted:
Sat Jul 14, 2007 12:23 pm |
|
| selma wrote: | Sorry elric,
That was a new topic that should have gone in it's own thread. So I took it out of here and started a new thread.
|
No need for sorry's, any information is good information  and thanks Susann and montego as well.
I'm looking through my logs now.
Might be a suggestion for Sentinel, when I view what the tracked IP etc looked at for exampla /modules.php?name=Reviews&rop=write_review
It would be nice to have the option on that screen to block the Useror IP etc, the only option I see is url/admin.php?op=ABTrackedDeleteSave&tid=243301&user_id=1&ip_addr=212.87.151.18&column=date&direction=desc&min=0
I keep having to go back to the main screen whilst remembering the IP so that I can block it.
Also an option to remove them from the tracked page if I block them.
Back on track, I have noticed quite a number of hits to /modules.php?name=Reviews&rop=write_review
while I have have reviews as an inactive module. |
|
|
|
|
|
selma
Hangin' Around
Joined: May 09, 2006
Posts: 31
|
| Posted:
Sat Jul 14, 2007 5:57 pm |
|
I'd love to think that real searchers are hitting that site that often. Would actually be kind of nice.
I did check through the logs though. Most are from Yahoo, Inktomi and MSN. Can't complain about that for sure. So I unblocked them - lol
The ones that were going directly to mail and trying to send adverts, I had already sent to the pc killer, so not much more from them. Guardian's Spam Blocker is making it easy to catch a lot of trash too.
Would be so tempting to just relax, now that I've had two whole quiet days. But I see the post about the Italian mail worm, so I guess it isn't time for that yet.
Someday ...
Have a great weekend everyone |
|
|
|
|
|
elric
New Member
Joined: Jun 15, 2007
Posts: 13
|
| Posted:
Sun Jul 15, 2007 1:16 pm |
|
I have just had my first day off as well "yippee"
I found some porn sites were in my referers, I have blocked them using the Protector System.
Lets hope our luck continues for a little while at least. |
|
|
|
|
|
elric
New Member
Joined: Jun 15, 2007
Posts: 13
|
| Posted:
Mon Jul 16, 2007 1:08 pm |
|
Ok so it did not last long, just had another 4.
I have been checking sentinel for updates but I have a strange version
NukeSentinel(tm) 2.5.1
and it reports New version is availible! - 2.5.10 does this mean I actually have 2.5.01?
I have already uploaded the files but did not run the nsnst.php because I was unsure. |
|
|
|
|
|
Susann
Moderator
Joined: Dec 19, 2004
Posts: 3143
Location: Germany:Moderator German NukeSentinel Support
|
| Posted:
Mon Jul 16, 2007 1:34 pm |
|
In nuke_nsnst_ config is this for the current version:
version_newest 2.5.10
version_number 2.5.10
and it reports "Your version is upto date!"
2.5.01 is from August 06 and 2.5.10 from June 07. |
|
|
|
|
|
elric
New Member
Joined: Jun 15, 2007
Posts: 13
|
| Posted:
Wed Jul 18, 2007 5:36 am |
|
Thanks Susann,
Alas I'm still no wiser
nuke_nsnst_ config,
Version_check 1184648400
Version_newest 2.5.10
Version_number 2.5.1
It leaves me unsure and I don't want to do the wrong update.
Perhaps I should look through the update files to the database and compare my tables. |
|
|
|
|
|
jakec
Site Admin
Joined: Feb 06, 2006
Posts: 3038
Location: United Kingdom
|
| Posted:
Wed Jul 18, 2007 5:45 am |
|
It looks like you are using an old version of NS, but to be safe you could always uninstall NS and then reinstall 2.5.10. |
Last edited by jakec on Wed Jul 18, 2007 10:31 am; edited 1 time in total |
|
|
|
|
Susann
Moderator
Joined: Dec 19, 2004
Posts: 3143
Location: Germany:Moderator German NukeSentinel Support
|
| Posted:
Wed Jul 18, 2007 7:27 am |
|
The version 2.5.1 is an updated patch version from last year. |
|
|
|
|
|
elric
New Member
Joined: Jun 15, 2007
Posts: 13
|
| Posted:
Fri Jul 20, 2007 2:13 pm |
|
Thanks Susann, but I'm still unsure how to proceed, would my version be equivilent to 2.5.01 or do I need to do a different update first? I have searched around but can't find anything that gives direction from my version, the changes file included with thte updates only refer to 2.5.01 or 2.5.10 somewhere I seem to have lost a zero.
I have NukeSentinel_2510_7080_Up at the ready and if it's safe to assume my version is 2.5.01 then I'll proceed, with something like sentinel I want to be a lot more positive before I start messing around. |
|
|
|
|
|
Susann
Moderator
Joined: Dec 19, 2004
Posts: 3143
Location: Germany:Moderator German NukeSentinel Support
|
| Posted:
Fri Jul 20, 2007 3:14 pm |
|
I think your version is 2.5.01 some called the version 2.5.1up and others 2.5.1. However you should know about the date of your last update  but there is this nice feature in the NukeSentinel Administration wich tells you "A New version is availible!" So just update from 2501-2502 etc. until you reach 2.5.10 . Good luck !
Btw: Update also IP2Country |
|
|
|
|
|
elric
New Member
Joined: Jun 15, 2007
Posts: 13
|
| Posted:
Sat Jul 21, 2007 2:50 pm |
|
Thank you Susann, you've inspired me with confidence.
I now feel happy to proceed, would have been nice if those version aliases were added to the changelog included with the updates but nevermind it's lucky we have knowledgable people like you.
|
|
|
|
|
|
|
|
|
|
![[Valid RSS]](http://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
:: 
::
