Mystery...I am baffled

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • FSHD
    New Member
    • Jan 2007
    • 20

    Mystery...I am baffled

    Hello, I am experiencing the strangest thing on my vbulletin board. I just don't have a clue what to make of this, why it's happening, if it will somehow hurt my board or how to make it stop.

    The following is a detailed description of what is going on. If any of you have seen this before or if you have any idea what could be happening I would sincerely appreciate any insight that you could give to me.


    Late in the evening of October 15th 2007 I noticed what I
    can only describe as a "mystery" of web usage behavior.
    A pattern of activity showed up with almost no conceivable
    explanation. Below is a description of this web activity.

    Every 1-2 minutes somebody requests a page from our forum


    In total almost 200 different requests have come in for this
    page. This is strange enough, since that URL simply points to
    an obscure thread which has been deleted.

    They come from a variety of IP addresses located literally all
    over the world. Some of the hostnames seen include btc-net.bg,
    tpnet.pl, tttmaxnet.com, netvision.net.il, nbnet.nb.ca,
    denver.comcast.net, and so forth.

    One thought was that this URL was posted in a chatroom and
    then clicked on by a number of people from around the globe.
    But if that's true, it's inconceivable that they would all have
    EXACTLY the same browser type. The browser is always:
    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
    1.1.4322)

    They all have blank referring URLs that show up as "-"

    None of these IP addresses has made more than one request; they
    all request the thread, they do not request graphics, then no more
    requests come from that IP. A small piece of my logfile is below:

    217.132.132.2 - - [16/Oct/2007:02:30:13 -0400] "GET /freebies/
    showthread.php?t=24155 HTTP/1.1" 200 107120 "-" "Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
    61.178.77.119 - - [16/Oct/2007:02:35:36 -0400] "GET /freebies/
    showthread.php?t=24155 HTTP/1.1" 200 107120 "-" "Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
    81.181.94.182 - - [16/Oct/2007:02:41:02 -0400] "GET /freebies/
    showthread.php?t=24155 HTTP/1.1" 200 107120 "-" "Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
    84.204.100.120 - - [16/Oct/2007:02:44:46 -0400] "GET /freebies/
    showthread.php?t=24155 HTTP/1.1" 200 18320 "-" "Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
    89.102.96.158 - - [16/Oct/2007:02:47:53 -0400] "GET /freebies/
    showthread.php?t=24155 HTTP/1.1" 200 107120 "-" "Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
    156.34.60.89 - - [16/Oct/2007:02:48:12 -0400] "GET /freebies/
    showthread.php?t=24155 HTTP/1.1" 200 107120 "-" "Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

    My only conclusion is that the IP addresses which have requested
    this page represent machines which are compromised and have been
    instructed, en masse, to request this obscure page from our server.
    This sounds rather farfetched, and I would gladly entertain any
    other ideas from professionals in this field.

  • Steve Machol
    Former Customer Support Manager
    • Jul 2000
    • 154488

    #2
    Or a link has been posted to that thread somewhere and people are trying to accessing it through that link. It's impossible to know for sure what is happening.
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography


    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


    Comment

    • Adrienne
      Senior Member
      • Dec 2006
      • 190
      • 3.0.7

      #3
      I found a pattern of strange IP's all going to the same thread. The IP's turned out to be spammers or hackers, when I googled them. Somehow they are all being directed to the same thing.

      Comment

      • FSHD
        New Member
        • Jan 2007
        • 20

        #4
        Originally posted by Adrienne
        I found a pattern of strange IP's all going to the same thread. The IP's turned out to be spammers or hackers, when I googled them. Somehow they are all being directed to the same thing.
        I suspect that they are trying out some new software. what they are doing doesn't seem to be hurting my board but I have no idea how to make them stop. I contacted the hosting company where I have my server and they blocked about 100 ips BUT that really makes no sense because whoever is doing this is not recirculating the ips, they are sending new ones in every few minutes. I'll have my hosting company unblock those ips.

        I changed to a dedicated server 3 days ago and I wonder if this situation could be connected to the move?

        My husband is a programmer and he takes care of my tech issues. He's the person who wrote the description of what's happening in my original post. He is not as concerned about this as I am. I'm ready to pull my hair out and collapse. His attitude is, it's not wonderful but it's doing no harm to the site and I don't know what to do about it...

        Adrienne...could you tell me what you Googled so that I can find the information that you read?

        Comment

        • Adrienne
          Senior Member
          • Dec 2006
          • 190
          • 3.0.7

          #5
          Originally posted by FSHD
          I suspect that they are trying out some new software. what they are doing doesn't seem to be hurting my board but I have no idea how to make them stop. I contacted the hosting company where I have my server and they blocked about 100 ips BUT that really makes no sense because whoever is doing this is not recirculating the ips, they are sending new ones in every few minutes. I'll have my hosting company unblock those ips.

          I changed to a dedicated server 3 days ago and I wonder if this situation could be connected to the move?

          My husband is a programmer and he takes care of my tech issues. He's the person who wrote the description of what's happening in my original post. He is not as concerned about this as I am. I'm ready to pull my hair out and collapse. His attitude is, it's not wonderful but it's doing no harm to the site and I don't know what to do about it...

          Adrienne...could you tell me what you Googled so that I can find the information that you read?
          If you Google the IP and it's a known bad one you will get alot of results. Also check it in Groups.
          Here's where I also check the IP's:

          DNSstuff focuses on providing software reviews, troubleshooting advice, best practices for tools, and comprehensive lists of the top business software products available on the market.

          Lookup information on a specific IP address. Discover if an IP is a spam harvester, spam mail server, or dictionary attacker.

          Spam, uceprotect®, spamprotection, download global spammer list, rbl, spam-faq, prevent spam, uce, ube, email, blocking, spamtrap, spamtrapping, admins websecurity.


          You can also Google the User Agent and see if anything comes up.

          I discover this activity by checking Who's Online.

          When they go to a thread which has been deleted an error message shows up. So basically they aren't getting in, knock on wood. But here's another wierd thing- when I highlight the error symbol on the Who's Online page, right-click and paste onto text editor, more information shows up. Here's an edited example:

          Viewing Error Message /my site/showthread.php?t=http://strange URL/images/cs.txt? Viewing Thread

          I look up those URLs, and they are not good. They are attempting PHP attacks!
          We've seen many of the top listed ones shown here:

          Last edited by Adrienne; Tue 16 Oct '07, 7:07pm.

          Comment

          • FSHD
            New Member
            • Jan 2007
            • 20

            #6
            Adrienne, Thank you so much for the information. I am aware of a few of those links and I use them often while moderating my forum. I think that my situation is a little different than what you had in mind.

            You see, the ip addresses are being sent to my site without their knowledge. They are not doing anything malicious. They are simply coming to my forum, asking for a page and then leaving at a rate of one each minute.

            The hosting company that houses my server offered to block the ip addresses to prevent hacking activity. That's all well and good BUT it's not the ip addresses. The ip addresses are all different. We never see the same ip address twice.

            The problem is the machine that is sending the ip addresses to come and look at the page on my site. I can't figure out who it is or how to make it stop.

            Comment

            widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
            Working...