Blocked IP addresses due massive: POST contact.php
DJ Maze
Developer


Joined: Apr 19, 2004
Posts: 5668
Location: http://tinyurl.com/5z8dmv

Post subject: Blocked IP addresses due massive: POST contact.php
Posted: Mon Jun 28, 2010 6:44 pm

Today the server went down/slow for a few hours.
This was due to a massive attack on /contact.php and /*/contact.php which don't exist in Dragonfly CMS.

UPDATE: Investigation reveals an e107 bug: e107.org/e107_plugins/...php?198317

Apache went to 99.9% CPU so the following IP's that were hitting the server are blocked.
If yours is in here, please contact your host to repair your server, after the fix provide us your IP address.

Code:
iptables -A INPUT -s IP_HERE -j DROP
Code:
apf -d IP_HERE

Feel free to investigate them!


DJ Maze's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Fedora 12 / 2.2.15 / 5.1.47 / 5.3.3 / CVS


Last edited by DJ Maze on Tue Jun 29, 2010 6:55 am; edited 8 times in total

earth
Heavy poster

Joined: Mar 01, 2006
Posts: 271

Post subject: Re: Blocked IP addresses due massive: POST contact.php
Posted: Mon Jun 28, 2010 7:36 pm

Was not sure what was up, had the logo here in our banner system and page was not loading and hanging up on our site... the other day noticed like 25 or so visitors, here.

The site listed in the link, is that the one we should add to our domain list, to keep it from happening to our sites from that site?

_________________
dfaddons.com

earth's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
OS/Apache/Mysql/php/9.2.X/

DJ Maze
Developer

Joined: Apr 19, 2004
Posts: 5668
Location: http://tinyurl.com/5z8dmv

Post subject: Re: Blocked IP addresses due massive: POST contact.php
Posted: Mon Jun 28, 2010 7:56 pm

UPDATE: Lists are updated with latest attackers

No earth, the IP's listed are blocked due to attacks.
e107 is just one cause of the problem.

For example I looked up 1 IP (92.61.39.235) and it contains the domain rune.lt which runs e107 and got compromised.

So, the above list of IP addresses are mostly infected servers.


DJ Maze
Developer

Joined: Apr 19, 2004
Posts: 5668
Location: http://tinyurl.com/5z8dmv

Post subject: Re: Blocked IP addresses due massive: POST contact.php
Posted: Mon Jun 28, 2010 8:50 pm

UPDATE: added 10 more IP's
Lists are getting too long so I made it simple


DJ Maze
Developer

Joined: Apr 19, 2004
Posts: 5668
Location: http://tinyurl.com/5z8dmv

Post subject: Re: Blocked IP addresses due massive: POST contact.php
Posted: Mon Jun 28, 2010 10:10 pm

UPDATE: added more exploited servers to the list

DJ Maze
Developer

Joined: Apr 19, 2004
Posts: 5668
Location: http://tinyurl.com/5z8dmv

Post subject: Re: Blocked IP addresses due massive: POST contact.php
Posted: Tue Jun 29, 2010 4:43 pm

The list is getting longer and longer so Nano made a script to automatically block them.
Therefore I will no longer maintain the above list of IP's.

It seems the hacker script identifies as "Casper Bot Search" (casper.php) AND "dex Bot Search" so any UA using that string will be blocked by our APF.


Last edited by DJ Maze on Tue Jun 29, 2010 5:37 pm; edited 1 time in total

earth
Heavy poster

Joined: Mar 01, 2006
Posts: 271

Post subject: Re: Blocked IP addresses due massive: POST contact.php
Posted: Tue Jun 29, 2010 5:00 pm

just saw this one in the online box for visitors, not bots, as presume it is a bot, just not identified?


01: Forums
.....

InspectorClueNo
Heavy poster

Joined: Mar 26, 2008
Posts: 215

Post subject: Re: Blocked IP addresses due massive: POST contact.php
Posted: Wed Jun 30, 2010 3:48 am

Another UA used for the exploit is:
Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)

cheers


InspectorClueNo's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
none available

DJ Maze
Developer

Joined: Apr 19, 2004
Posts: 5668
Location: http://tinyurl.com/5z8dmv

Post subject: Re: Blocked IP addresses due massive: POST contact.php
Posted: Wed Jun 30, 2010 8:17 am

Thanks Inspector.
A google search for "casper bot search" revealed another new topic at www.webmasterworld.com...160991.htm


InspectorClueNo
Heavy poster

Joined: Mar 26, 2008
Posts: 215

Post subject: Re: Blocked IP addresses due massive: POST contact.php
Posted: Fri Jul 02, 2010 12:42 am

Casper Bot Search
Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)
dex Bot Search
kmccrew Bot Search


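An added example, not part of the thread and not the script Nano wrote: one way to derive block rules from an Apache access log using the two signals the posts describe, the reported user agents and repeated POSTs to contact.php paths. The threshold, the function names and the sample log lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: pick blockable source IPs out of Apache combined-format log lines.
# THRESHOLD, flag_ips and block_commands are assumptions, not from the thread.
THRESHOLD=3   # POSTs to */contact.php from one IP before it is flagged

# Constructed sample log; addresses are from the documentation ranges.
SAMPLE_LOG='192.0.2.10 - - [28/Jun/2010:18:01:02 +0000] "POST /contact.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.10 - - [28/Jun/2010:18:01:03 +0000] "POST /forum/contact.php HTTP/1.1" 404 215 "-" "Mozilla/5.0"
192.0.2.10 - - [28/Jun/2010:18:01:04 +0000] "POST /cms/contact.php?x=1 HTTP/1.1" 404 213 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Jun/2010:18:01:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Casper Bot Search"
203.0.113.5 - - [28/Jun/2010:18:01:06 +0000] "POST /contact.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows)"
198.51.100.23 - - [28/Jun/2010:18:01:07 +0000] "POST /blog/contact.php HTTP/1.1" 404 214 "-" "Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)"'

# Print the IPs that sent a user agent named in the thread, or that made at
# least THRESHOLD POSTs to a path ending in /contact.php.
flag_ips() {
    awk -F'"' -v limit="$THRESHOLD" '
    BEGIN {   # user agents reported in the thread, matched as literal substrings
        ua[1] = "Casper Bot Search"
        ua[2] = "dex Bot Search"
        ua[3] = "kmccrew Bot Search"
        ua[4] = "Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)"
    }
    {
        split($1, head, " "); ip = head[1]      # client address
        split($2, req, " ")                     # req[1] = method, req[2] = URL
        path = req[2]; sub(/\?.*/, "", path)    # drop any query string
        for (i = 1; i <= 4; i++)
            if (index($6, ua[i]) > 0) bad[ip] = 1
        if (req[1] == "POST" && path ~ /\/contact\.php$/ && ++hits[ip] >= limit + 0)
            bad[ip] = 1
    }
    END { for (ip in bad) print ip }' | LC_ALL=C sort -u
}

# Turn flagged IPs into the iptables rule form used in the first post. The rules
# are printed for review, not executed; only dotted-quad values get through.
block_commands() {
    flag_ips | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' |
    while read -r ip; do
        printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

printf '%s\n' "$SAMPLE_LOG" | block_commands
```

The single POST from 203.0.113.5 stays below the threshold and is not flagged, which keeps an ordinary visitor who hits a missing contact form once out of the block list.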
All content of this website is copyrighted by the Creative Commons NC-SA
The logos and trademarks used on this site are the property of their respective owners
We are not responsible for comments posted by our users, as they are the property of the poster.
Our server runs on a P3 1.2GHz with 512MB RAM with no accelerators