
Blocked IP addresses due massive: POST contact.php


Today the server went down/slow for a few hours.
This was due to a massive attack on /contact.php and /*/contact.php which don't exist in Dragonfly CMS.

UPDATE: Investigation reveals an e107 bug: e107.org/e107_plugins/...php?198317

Apache went to 99.9% CPU, so the following IPs that were hitting the server are blocked.
If yours is in here, please contact your host to repair your server; after the fix, provide us your IP address.

iptables -A INPUT -s IP_HERE -j DROP
apf -d IP_HERE

Feel free to investigate them!


Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial

Last edited by DJ Maze on Tue Mar 24, 2015 2:10 pm; edited 9 times in total


Was not sure what was up. Had the logo here in our banner system and the page was not loading and hanging up on our site... the other day noticed like 25 or so visitors here.

The site listed in the link, is that the one we should add to our domain list, to keep it from happening to our sites from that site?

dfaddons.com

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
OS/Apache/Mysql/php/9.2.X/


UPDATE: Lists are updated with latest attackers

No earth, the IPs listed are blocked due to attacks.
e107 is just one cause of the problem.

For example, I looked up 1 IP (92.61.39.235) and it contains the domain rune.lt, which runs e107 and got compromised.

So, the above list of IP addresses is mostly infected servers.



UPDATE: added 10 more IPs
Lists are getting too long so I made it simple



UPDATE: added more exploited servers to the list



The list is getting longer and longer, so Nano made a script to automatically block them.
Therefore I will no longer maintain the above list of IPs.

It seems the hacker script identifies as "Casper Bot Search" (casper.php) AND "dex Bot Search" so any UA using that string will be blocked by our APF.


Last edited by DJ Maze on Tue Jun 29, 2010 5:37 pm; edited 1 time in total


just saw this one in the online box for visitors, not bots, as presume it is a bot, just not identified?


01: Forums
.....

dfaddons.com



Another UA used for the exploit is:
Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)

cheers

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
none available


Thanks Inspector.
A Google search for "casper bot search" revealed another new topic at www.webmasterworld.com...160991.htm



Casper Bot Search
Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)
dex Bot Search
kmccrew Bot Search

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
none available
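
An added example, not part of the thread and not Nano's script: one way to derive block candidates from an Apache access log using the indicators posted above (POSTs to a contact.php that does not exist, and the listed User-Agent strings). It assumes the Apache "combined" log format and a threshold of 3 POSTs per IP; the function names and sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# User-Agent strings reported in the thread for the attacking script.
BAD_UAS = ("casper bot search", "dex bot search", "kmccrew bot search",
           "mozilla/4.76 [ru] (x11; u; sunos 5.7 sun4u)")

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "UA"
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                  r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def classify(line):
    """Return (ip, reason) for a suspicious request, else None."""
    m = LINE.match(line)
    if not m:
        return None
    try:
        ip = str(ipaddress.ip_address(m["ip"]))  # never pass raw log text to a shell
    except ValueError:
        return None
    if any(bad in m["ua"].lower() for bad in BAD_UAS):
        return ip, "ua"
    path = m["path"].split("?", 1)[0]
    if m["method"] == "POST" and path.endswith("/contact.php") and m["status"] == "404":
        return ip, "post-404"
    return None

def offenders(lines, threshold=3):
    """IPs with a listed UA, or with >= threshold POSTs to a missing contact.php."""
    ua_ips, posts = set(), Counter()
    for line in lines:
        hit = classify(line)
        if hit and hit[1] == "ua":
            ua_ips.add(hit[0])
        elif hit:
            posts[hit[0]] += 1
    return sorted(ua_ips | {ip for ip, n in posts.items() if n >= threshold})

def block_commands(ips):
    """Render the rule form used in the first post; review before applying."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]

# Constructed sample log lines (documentation address ranges), not real traffic.
_T = '[29/Jun/2010:17:00:00 +0000]'
SAMPLE = [
    f'198.51.100.7 - - {_T} "POST /contact.php HTTP/1.1" 404 209 "-" "Casper Bot Search"',
    *[f'203.0.113.9 - - {_T} "POST /forum/contact.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"'] * 3,
    f'192.0.2.5 - - {_T} "POST /contact.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    f'192.0.2.4 - - {_T} "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("\n".join(block_commands(offenders(SAMPLE))))
```

The single 404 POST from 192.0.2.5 stays below the threshold, which keeps one mistyped URL from a normal visitor from producing a firewall rule.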
