IMPORTANT! Security risk

This is where you'll find security-related information.
Discuss Integramod/phpbb security issues here.

Moderator: Integra Moderator

PostAuthor: geoff1 » Sun Apr 08, 2007 1:50 am

Hi all,

I've been having some problems recently with hackers etc. (I'm running IM14 currently, but not for much longer!) and upon close examination of my server's logs I've discovered what I call a "hoverbot" which seems to just sit there looking at every single file in the forums, totally ignoring the htaccess, robots.txt and forums bots management panel!

This "hoverbot" acts like a standard user (although doesn't always show up on the forums!) looks at posts, calendar events, PM's etc, and then attempts to access the functions.php file and redirect to another site!

It calls itself:

crawl.66.249.72.243.googlebot.com

and comes from this ip: 216.22.3.9

It's obviously not a googlebot, so I advise you all to block this thing's access on the server CP ASAP, and I mean both the name and the IP!!!

(These are my findings, you may know differently, and I'm not intending to have a go at Google either!)
Geoff 'Lonewolf' Upton

'miracle worker extraordinaire'

Insanity is a state of mind... you're mad to think otherwise!

Re: IMPORTANT! Security risk

PostAuthor: .QUACK.Major.Pain » Sun Apr 08, 2007 7:10 am

The ACP will only allow you to ban the IP.
Can't ban the username because it doesn't exist in the userlist.

PostAuthor: ZacFields » Sun Apr 08, 2007 8:05 am

66.249.72.243 is a legitimate googlebot. Anything 66.249.X.X is pretty much a legitimate googlebot. I have found on many different occasions that googlebot has wandered out of its boundaries (such as clicking on the "find all posts by user" link in someone's profile, which would put them on search.php, which is in the disallow list).

Now 216.22.3.9 looks to be a ServInt machine.

Not sure what's going on there. When I put 216.22.3.9 into ip information it doesn't come up with googlebot. Where are you getting that it's calling itself a googlebot?

That being said, IM 1.4.0 is subject to RFI (I think that's what it's called) hacks. I was dealing with this a couple weeks ago. They are usually targeting your includes/functions_portal.php file and the RFI file they are trying to link you to is usually called "borek.txt" on another server.

Your best option is to upgrade to 1.4.1, but the only problem is that even banning their IPs at your Integramod ACP won't stop them from running requests on your server. I actually have all non-US IP ranges banned from using my server at the moment, but even after I did that last week they were still running requests on that same file from foreign IPs.

In my case they were hitting me with hundreds of different server IP's and after they realized I had fixed the problem and they could no longer get through they eventually left.

Zac

PostAuthor: geoff1 » Mon Apr 09, 2007 1:40 am

I got the name of the "googlebot" from the server control panel itself (not the forums one) in the access logs for the last two days! The actual source came from USLEC Corp USA's server (which has doubtlessly been hacked without them knowing!)

To add to the fun I've also got lots of other insanely annoying attacks from other US servers which eventually (when traced and blocked) come from 216.22.3.6 (I have about 200 traces from that IP so far!)

As to the upgrade to 141, it's now heavily on the cards! I've had enough of these morons wrecking the performance of my forums! :angry:
Geoff 'Lonewolf' Upton

'miracle worker extraordinaire'

Insanity is a state of mind... you're mad to think otherwise!
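
The question the thread turns on, whether a client whose hostname says "googlebot" really is one, can be settled with forward-confirmed reverse DNS. The sketch below is an added example, not code from any poster or from Integramod. Its function names are hypothetical, its DNS tables are constructed so it runs offline, and it assumes the name the control panel showed for 216.22.3.9 was that address's PTR record. 203.0.113.7 and 198.51.100.1 are documentation addresses.

```python
import socket

# Domains Google documents for Googlebot's reverse DNS names.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")

# Default lookups use the system resolver; both fail closed on DNS errors.
def system_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(host):
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []

def check_googlebot(ip, reverse=system_reverse, forward=system_forward):
    """Forward-confirmed reverse DNS: return (is_genuine, reason)."""
    host = (reverse(ip) or "").rstrip(".").lower()
    if not host:
        return False, "no PTR record"
    if not host.endswith(GOOGLE_SUFFIXES):
        return False, f"PTR {host} is outside Google's domains"
    # A PTR is set by whoever controls the IP block, so confirm it forwards back.
    if ip not in forward(host):
        return False, f"{host} does not resolve back to {ip}"
    return True, f"confirmed as {host}"

# Constructed DNS data for an offline run (assumption: the name the control
# panel showed for 216.22.3.9 was its PTR record; live lookups may differ).
PTR = {
    "216.22.3.9": "crawl.66.249.72.243.googlebot.com",
    "66.249.72.243": "crawl-66-249-72-243.googlebot.com",
    "203.0.113.7": "googlebot.com.example.net",
}
A = {
    "crawl.66.249.72.243.googlebot.com": ["66.249.72.243"],
    "crawl-66-249-72-243.googlebot.com": ["66.249.72.243"],
    "googlebot.com.example.net": ["203.0.113.7"],
}

def demo():
    return {ip: check_googlebot(ip, PTR.get, lambda h: A.get(h, []))
            for ip in [*PTR, "198.51.100.1"]}

if __name__ == "__main__":
    for ip, (ok, why) in demo().items():
        print(f"{ip:15} {'genuine' if ok else 'FAKE':8} {why}")
```

Calling `check_googlebot(ip)` with no resolver arguments performs live lookups through the system resolver instead of the constructed tables.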

