DJ Maze


Joined: Apr 19, 2004 Posts: 5668 Location: http://tinyurl.com/5z8dmv
Post subject: Blocked IP addresses due massive: POST contact.php
Posted: Mon Jun 28, 2010 6:44 pm
Today the server went down/slow for a few hours.
This was due to a massive attack on /contact.php and /*/contact.php which don't exist in Dragonfly CMS.
UPDATE: Investigation reveals an e107 bug: e107.org/e107_plugins/...php?198317
Apache went to 99.9% CPU so the following IPs that were hitting the server are blocked.
If yours is in here, please contact your host to repair your server; after the fix, provide us your IP address.
Code:
iptables -A INPUT -s IP_HERE -j DROP
Feel free to investigate them!
DJ Maze's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Fedora 12 / 2.2.15 / 5.1.47 / 5.3.3 / CVS
Last edited by DJ Maze on Tue Jun 29, 2010 6:55 am; edited 8 times in total
earth


Joined: Mar 01, 2006 Posts: 268
Post subject: Re: Blocked IP addresses due massive: POST contact.php
Posted: Mon Jun 28, 2010 7:36 pm
Was not sure what was up; had the logo here in our banner system and the page was not loading and hanging up on our site... The other day noticed like 25 or so visitors here.
The site listed in the link, is that the one we should add to our domain list, to keep it from happening to our sites from that site?
_________________ dfaddons.com
earth's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) OS/Apache/Mysql/php/9.2.X/
DJ Maze


Joined: Apr 19, 2004 Posts: 5668 Location: http://tinyurl.com/5z8dmv
Post subject: Re: Blocked IP addresses due massive: POST contact.php
Posted: Mon Jun 28, 2010 7:56 pm
UPDATE: Lists are updated with latest attackers
No, earth, the IPs listed are blocked due to attacks.
e107 is just one cause of the problem.
For example, I looked up 1 IP (92.61.39.235) and it contains the domain rune.lt which runs e107 and got compromised.
So, the above list of IP addresses are mostly infected servers.
DJ Maze


Joined: Apr 19, 2004 Posts: 5668 Location: http://tinyurl.com/5z8dmv
Post subject: Re: Blocked IP addresses due massive: POST contact.php
Posted: Mon Jun 28, 2010 8:50 pm
UPDATE: added 10 more IPs
Lists are getting too long so I made it simple
DJ Maze


Joined: Apr 19, 2004 Posts: 5668 Location: http://tinyurl.com/5z8dmv
Post subject: Re: Blocked IP addresses due massive: POST contact.php
Posted: Mon Jun 28, 2010 10:10 pm
UPDATE: added more exploited servers to the list
DJ Maze


Joined: Apr 19, 2004 Posts: 5668 Location: http://tinyurl.com/5z8dmv
Post subject: Re: Blocked IP addresses due massive: POST contact.php
Posted: Tue Jun 29, 2010 4:43 pm
The list is getting longer and longer so Nano made a script to automatically block them.
Therefore I will no longer maintain the above list of IPs.
It seems the hacker script identifies as "Casper Bot Search" (casper.php) AND "dex Bot Search" so any UA using that string will be blocked by our APF.
Last edited by DJ Maze on Tue Jun 29, 2010 5:37 pm; edited 1 time in total
earth


Joined: Mar 01, 2006 Posts: 268
Post subject: Re: Blocked IP addresses due massive: POST contact.php
Posted: Tue Jun 29, 2010 5:00 pm
Just saw this one in the online box for visitors, not bots; I presume it is a bot, just not identified?
01: Forums
.....
InspectorClueNo


Joined: Mar 26, 2008 Posts: 215
Post subject: Re: Blocked IP addresses due massive: POST contact.php
Posted: Wed Jun 30, 2010 3:48 am
Another UA used for the exploit is:
Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)
cheers
InspectorClueNo's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) none available
DJ Maze


Joined: Apr 19, 2004 Posts: 5668 Location: http://tinyurl.com/5z8dmv
Post subject: Re: Blocked IP addresses due massive: POST contact.php
Posted: Wed Jun 30, 2010 8:17 am
Thanks Inspector.
A Google search for "casper bot search" revealed another new topic at www.webmasterworld.com...160991.htm
InspectorClueNo


Joined: Mar 26, 2008 Posts: 215
Post subject: Re: Blocked IP addresses due massive: POST contact.php
Posted: Fri Jul 02, 2010 12:42 am
Casper Bot Search
Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)
dex Bot Search
kmccrew Bot Search
InspectorClueNo's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) none available |
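
One way to automate the blocking discussed in this thread, as an added example (it is not Nano's script, the APF rules, or any code posted by the participants). It assumes Apache's "combined" log format; the function names, the `POST_LIMIT` threshold and the sample log lines are made up for illustration.

```bash
# Added example: find sources of the contact.php flood in an Apache
# "combined" access log and print iptables DROP rules for review.

# User-Agent strings reported in this thread, "|"-separated, matched as substrings.
BAD_UA='Casper Bot Search|dex Bot Search|kmccrew Bot Search|Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)'
# Assumption: this many POSTs to contact.php from one IP also counts as abuse.
POST_LIMIT=3

# Reads a combined-format log on stdin, prints one offending IPv4 per line.
flood_sources() {
  awk -F'"' -v bad="$BAD_UA" -v limit="$POST_LIMIT" '
    BEGIN { n = split(bad, pats, "|") }
    {
      split($1, pre, " "); ip = pre[1]   # client address is the first field
      split($2, req, " ")                # request line: METHOD PATH PROTO
      ua = $6                            # third quoted field is the User-Agent
      # Accept only a well-formed IPv4 so log content never reaches a command.
      if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
      for (i = 1; i <= n; i++) if (index(ua, pats[i])) hit[ip] = 1
      if (req[1] == "POST" && req[2] ~ /\/contact\.php(\?|$)/)
        if (++posts[ip] >= limit) hit[ip] = 1
    }
    END { for (ip in hit) print ip }
  ' | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

# Turns the IP list into the rule form used in the first post.
drop_rules() {
  flood_sources | while read -r ip; do
    echo "iptables -A INPUT -s $ip -j DROP"
  done
}

# Constructed sample log (documentation address ranges, not real attackers).
SAMPLE_LOG='192.0.2.10 - - [28/Jun/2010:18:01:02 +0200] "POST /contact.php HTTP/1.1" 404 209 "-" "Casper Bot Search"
198.51.100.7 - - [28/Jun/2010:18:01:03 +0200] "POST /forum/contact.php HTTP/1.1" 404 215 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Jun/2010:18:01:03 +0200] "POST /contact.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Jun/2010:18:01:04 +0200] "POST /blog/contact.php HTTP/1.1" 404 214 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Jun/2010:18:01:05 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Jun/2010:18:01:06 +0200] "GET /x.php HTTP/1.1" 404 209 "-" "dex Bot Search"'

printf '%s\n' "$SAMPLE_LOG" | drop_rules
```

The rules are only printed, so they can be reviewed before anything is loaded into the firewall; the browser-like `Mozilla/4.76` string in particular can also match legitimate old clients.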