
krick
Get Fuzzy
Reged: 02/09/04
Posts: 4235


I think someone is trying to hack my web site's forum
#246472 - 02/14/11 02:02 AM


In the past few days, I've gotten over 300 login attempts on random user accounts on my website forums. The hits come roughly once every 5 minutes from an array of random IP addresses. It's been going on non-stop for days.

I'm currently setting up ban triggers for the most prolific IP addresses, but I'm afraid that I'm going to go too far and ban legitimate users who forgot their password.

Anyone else been through this before? Any advice?



GroovyMAME support forum on BYOAC



twistyAdministrator
Space Lord
Reged: 09/18/03
Posts: 15570


Re: I think someone is trying to hack my web site's forum new [Re: krick]
#246473 - 02/14/11 02:09 AM


> In the past few days, I've gotten over 300 login attempts on random user accounts on
> my website forums. The hits come roughly once every 5 minutes from an array of random
> IP addresses. It's been going on non-stop for days.
>
> I'm currently setting up ban triggers for the most prolific IP addresses, but I'm
> afraid that I'm going to go too far and ban legitimate users who forgot their
> password.
>
> Anyone else been through this before? Any advice?

Could you post some access attempts from your log file?

While on the subject, this is a good idea as well...

1) Block empty user-agents

2) Block injection attempts

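RewriteEngine on
# Block requests that send an empty User-Agent header.
# No [OR] flag here: a trailing [OR] on the last condition makes the rule match every request.
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule ^.* - [F,L]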

#Prevent SQL injection attempts
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|"|%27|<|>|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC]
RewriteRule .* - [F]
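
An added example, not part of the thread: the SQL-injection RewriteCond above evaluated in Python against constructed query strings, to show which ordinary requests it would also reject before it goes into a live .htaccess. The parameter names and sample strings are assumptions made up for the test.

```python
import re

# The SQL-injection RewriteCond as posted, translated to Python; [NC] becomes
# re.IGNORECASE. Apache matches QUERY_STRING without URL-decoding it, so the
# test strings below are raw too.
SQLI_COND = re.compile(
    r"""^.*(;|<|>|'|"|\)|%0A|%0D|"|%27|<|>|%00).*"""
    r"""(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).*""",
    re.IGNORECASE,
)

# Constructed query strings (hypothetical parameter names), each labelled with
# what a site owner would want to happen to it.
SAMPLES = [
    ("hostile", "id=1%27%20union%20select%20password"),
    ("benign", "topic=42;action=reset"),
    ("benign", "board=3;sort=updated"),
    ("benign", "q=it's+in+the+closet"),
    ("benign", "page=2&sort=updated"),
]

def is_blocked(query_string):
    """True if the RewriteCond would match, i.e. the request gets a 403."""
    return SQLI_COND.search(query_string) is not None

def false_positives(samples=SAMPLES):
    """Benign query strings the rule would still reject."""
    return [qs for label, qs in samples if label == "benign" and is_blocked(qs)]

if __name__ == "__main__":
    for label, qs in SAMPLES:
        print(f"{'403' if is_blocked(qs) else 'ok ':3}  {label:7}  {qs}")
```

The keywords are matched as substrings, so "reset", "updated" and "closet" trip the rule whenever a listed character such as `;` or `'` appears earlier in the query string.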






krick
Get Fuzzy
Reged: 02/09/04
Posts: 4235


Re: I think someone is trying to hack my web site's forum new [Re: twisty]
#246474 - 02/14/11 02:29 AM


The log that I'm looking at is the one for my SMF forum. Basically, there's a ton of login attempts with "incorrect password" about once every 5 minutes going back several days. The way I am blocking them is by adding each IP to the SMF forum ban list.


I tried adding your rewrite rules, but it hosed my site. I'll have to take a more detailed look at them later to try to figure out what the problem was.

However, since my site uses Joomla, I've already got these rules in the .htaccess file, which probably accomplish a lot of the same thing...


########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
## Deny access to extension xml files (uncomment out to activate)
#<Files ~ "\.xml$">
#Order allow,deny
#Deny from all
#Satisfy all
#</Files>
## End of deny access to extension xml files
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits



GroovyMAME support forum on BYOAC



twistyAdministrator
Space Lord
Reged: 09/18/03
Posts: 15570


Re: I think someone is trying to hack my web site's forum new [Re: krick]
#246475 - 02/14/11 02:43 AM


> The log that I'm looking at is the one for my SMF forum. Basically, there's a ton of
> login attempts with "incorrect password" about once every 5 minutes going back
> several days. The way I am blocking them is by adding each IP to the SMF forum ban
> list.

There's likely not a whole lot you can do about it unfortunately, because there's no foolproof method to differentiate between a legit user and a bot in this scenario - if using unmodified scripts.

One idea however, is to add an extra form to the page whereby they need to fill in their displayed IP or something like that. Maybe even a captcha. But this will not stop the actual attempts - and it's kind of a PITA for legit users.
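
An added example, not part of the thread and not SMF code: one way to sort failed logins so that an address guessing at many accounts is separated from a member who mistyped a password and then got in. The log format, field names and threshold are assumptions; the sample lines are constructed and use documentation-range IP addresses.

```python
import re
from collections import defaultdict

# Constructed sample in a hypothetical "date time RESULT user=... ip=..." format;
# export the forum's login log into something similar before running this.
SAMPLE_LOG = """\
2011-02-13 01:00:07 FAIL user=alice ip=203.0.113.5
2011-02-13 01:05:11 FAIL user=bob ip=198.51.100.23
2011-02-13 01:10:02 FAIL user=carol ip=192.0.2.77
2011-02-13 01:12:40 FAIL user=dave ip=192.0.2.200
2011-02-13 01:12:55 FAIL user=dave ip=192.0.2.200
2011-02-13 01:13:30 OK user=dave ip=192.0.2.200
2011-02-13 01:15:09 FAIL user=erin ip=203.0.113.5
2011-02-13 01:20:13 FAIL user=frank ip=203.0.113.5
2011-02-13 01:25:01 FAIL user=grace ip=198.51.100.99
"""

LINE = re.compile(r"^\S+ \S+ (OK|FAIL) user=(\S+) ip=(\S+)$")

def triage(log_text, min_accounts=3):
    """Split failing IPs into ban candidates, probable members, and the rest."""
    failed = defaultdict(set)     # ip -> usernames it failed against
    succeeded = defaultdict(set)  # ip -> usernames it logged in as
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a login record
        result, user, ip = m.groups()
        (failed if result == "FAIL" else succeeded)[ip].add(user)
    report = {"ban": [], "spare": [], "watch": []}
    for ip, users in sorted(failed.items()):
        if len(users) >= min_accounts:
            report["ban"].append(ip)    # one source trying many accounts
        elif users & succeeded[ip]:
            report["spare"].append(ip)  # failed, then logged in to the same account
        else:
            report["watch"].append(ip)  # too little evidence for a per-IP ban
    return report

if __name__ == "__main__":
    for bucket, ips in triage(SAMPLE_LOG).items():
        print(bucket, ips)
```

Addresses seen once against a single account land in `watch`, which is where a run spread across many IPs ends up; per-IP bans add little there.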






twistyAdministrator
Space Lord
Reged: 09/18/03
Posts: 15570


Re: I think someone is trying to hack my web site's forum new [Re: twisty]
#246476 - 02/14/11 02:52 AM


FWIW, we have bots trying to register here constantly in order to spam,
but I added in some extra form fields that must be filled out correctly and that has stopped 'em cold.

They assume unmodified scripts are being used in order to function correctly.






krick
Get Fuzzy
Reged: 02/09/04
Posts: 4235


Re: I think someone is trying to hack my web site's forum new [Re: twisty]
#246477 - 02/14/11 03:16 AM


Yeah, I added a registration question to my tankadin.com forum...


"Answer this question... Tank + Paladin = ?"


Legitimate people trying to register for my forums should be able to figure out the answer.

Bots and non-English-speaking Chinese and Russian spammers... not so much.

Once I added the question, the spam registrations dropped to just a few per month.

The biggest issue I see is people registering and creating profiles that contain links to other websites in an attempt to cheat at Google. I don't mind if people have a link in their signature that points at their own personal website. However, I HATE when people register and never make a single legitimate post, but mooch off my site to get backlinks.

Once a month or so, I run a query through my forum user profiles looking for questionable links. When I find them, I delete accounts and ban them.

I get a remarkable amount of back-link spam from lawyers, jewelers, motorcycles, golf, breast implants, etc... Most of the sites appear to be legitimate sites that must have paid for search engine "optimization" from shady outfits.


In a related note, have you seen the JC Penney Google smackdown?...
http://www.google.com/search?q=jc+penney+google



GroovyMAME support forum on BYOAC



twistyAdministrator
Space Lord
Reged: 09/18/03
Posts: 15570


Re: I think someone is trying to hack my web site's forum new [Re: krick]
#246478 - 02/14/11 03:37 AM


> The biggest issue I see is people registering and creating profiles that contain
> links to other websites in an attempt to cheat at Google.

Just add a rel="nofollow" to profile and sig links. Problem solved :-)

<a href="spammed-site.html" rel="nofollow">Spammed Site</a>


Another method is to add this to your header script...


Code:



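// Default to an empty string so $header is always defined when it is output
$header="";
// On the profile page, tell crawlers not to follow any links
if(preg_match("/profile\.php/i",$_SERVER["PHP_SELF"])){
$header="<meta name=\"robots\" content=\"nofollow\" />";
}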



Then simply insert $header in your HTML section.






jumpmaniac81
Donkey Kong Maniac
Reged: 10/13/10
Posts: 696
Loc: N.J.


Re: I think someone is trying to hack my web site's forum new [Re: krick]
#246497 - 02/14/11 06:09 AM


handle it like a woman, be safe and have a strong upper hand



I’m convinced Mario is a hobo.
He wakes up everyday in the same clothes, runs around in sewers, and collects coins for a living.
At the end of the day, he uses the coins to buy mushrooms

