Is this a hack attempt?


  • Is this a hack attempt?

    I am sitting in Who's Online watching IPs and there is this one that is just sitting in a thread for 45 minutes now.

    The IP keeps changing from www.xyz.com to www.cxz.com to www.ssdf.com to mail.ere.com to mail.wert.com (all examples)

    They seem to rotate every couple of seconds as each time I hit the refresh button there is a new one. The list seems to be 20-30 long.

    Is this an attempt to hack in, and if so, is there anything I can do to stop it?

    This is happening as I type this, so speedy replies would be appreciated!

    I am a computer dunce, so any explanations/solutions should be in baby talk please!

    *runs off to back up database while awaiting replies*

  • #2
    While you figure it out, you might wish to close your boards.
    "63,000 bugs in the code, 63,000 bugs, you get 1 whacked with a service pack, now there's 63,005 bugs in the code."
    "Before you criticize someone, walk a mile in their shoes. That way, when you criticize them, you're a mile away and you have their shoes."
    Utopia Software - Current Software: Utopia News Pro (news management system)



    • #3
      Now I know this is a hack.

      The Who's Online just went from 3 to 19, and all the new arrivals are all in the same thread and have the same IP range.

      I closed the board as recommended, but whoever this is seems to still be getting in??

      2 new users have popped into the Who's Online since I shut the forum (yes, I logged out as admin, tried to get back in and it says "forum closed, please come back later")

      Thoughts? Ideas?

      **UPDATE** Now I know that he can get around the forum being closed because to get rid of the 19 guests, I set the cookie timeout to 1 second. That cleared out all the guests. I then went back and set the cookie to 900 and BAM, 18 users, all with the same IP range, right back in the list.....
      Last edited by Cancorp; Wed 16 Apr '03, 11:44am.



      • #4
        They can still visit that specific thread, but they get that error message anyway. (That's why they still keep coming in)

        Anyway, ban that IP range?
        Utopia Software - Current Software: Utopia News Pro (news management system)



        • #5
          It's more likely to be a search engine trying to spider your site.
          Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
          Change CKEditor Colors to Match Style (for 4.1.4 and above)

          Steve Machol Photography


          Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.




          • #6
            Steve,

            Would a search engine use www addresses and mail addresses of businesses? The URLs that show up are all from established websites, primarily in Canada but some in the US.

            I also show a few gc.ca extensions which are Canadian Government.

            Also, how can they get back in once they have been kicked and the board is closed?



            • #7
              Not sure what you mean by 'using' addresses. It would help to see exactly what you are talking about.
              Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


              • #8
                Originally posted by Cancorp
                **UPDATE** Now I know that he can get around the forum being closed because to get rid of the 19 guests, I set the cookie timeout to 1 second. That cleared out all the guests. I then went back and set the cookie to 900 and BAM, 18 users, all with the same IP range, right back in the list.....
                Who's Online only shows sessions active within the cookie timeout. The sessions still exist in the table, they're just not shown. That's why they happened to be still in Who's Online....

                Mike



                • #9
                  Steve, he probably means the addresses the IP addresses resolve to.

                  They're more than likely search engine bots.



                  • #10
                    Maybe someone posted a link to a thread on your forum, and visitors to their site are just checking out that thread.....
                    vB Drupal Community Plumbing | vB Survey | vBusy | vB Spell | vBouncer



                    • #11
                      Sounds like someone's using an anon mail proxy

                      eg: mail.theweb.co.uk
                      MCSE, MVP, CCIE
                      Microsoft Beta Team



                      • #12
                        Aren't those the same domains used by that porn spammer?
                        ManagerJosh, Owner of 4 XenForo Licenses, 1 vBulletin Legacy License, 1 Internet Brands Suite License
                        Director, WorldSims.org | Gaming Hosting Administrator, SimGames.net, Urban Online Entertainment



                        • #13
                          Lo all
                          I'm getting a similar thing, e.g.
                          Guest Searching Forums 11:29 PM 63.148.99.232
                          Guest Sending Email to another forum user 11:20 PM 63.148.99.232
                          and so on.
                          About 4 guests all with that same IP above. Tried resolving the IP but no luck.
                          Thought it was a search engine at first but it was also in
                          Guest Unknown Location: /moderator.php?action=useroptions&userid=7&
                          which is kinda freaking me out. Any ideas?
                          Doom3.co.uk - The Defitive Doom 3 Source



                          • #14
                            Well, if they are website names or mail.blah.com they are unsecured proxies definitely and they are probably trying to attack your forums; it may have been the spam bot.

                            Most legitimate proxies or caching systems will have the words proxy, cache or sometimes the server software in the URL, such as NTL who use Inktomi caching servers.

                            If you have the time to do so, try contacting the IPs they are accessing through and inform them that they may have a proxy; most sysops will appreciate these security holes being pointed out.
                            Scott MacVicar

                            My Blog | Twitter
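
Added example, not from any poster in this thread: a Python sketch that applies the checks raised above (many guests in one IP range, www/mail hostnames versus proxy/cache hostnames, a guest session on moderator.php) to constructed Who's Online rows. The rows, function names and the /24 grouping are assumptions, and the hostname patterns are heuristics that do not prove what a client is.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed rows: (ip, reverse-DNS hostname or None, location).
# IPs are from documentation ranges; hostnames are made up.
SESSIONS = [
    ("192.0.2.10", "www.example.com", "/showthread.php?t=42"),
    ("192.0.2.11", "mail.example.org", "/showthread.php?t=42"),
    ("192.0.2.12", "mail.example.net", "/showthread.php?t=42"),
    ("198.51.100.7", "cache1.example.net", "/index.php"),
    ("203.0.113.5", None, "/moderator.php?action=useroptions"),
    ("203.0.113.5", None, "/search.php"),
]

SERVER_NAME = re.compile(r"^(www|mail)\d*\.", re.I)   # web/mail server names
DECLARED_PROXY = re.compile(r"proxy|cache", re.I)     # self-describing proxies
STAFF_SCRIPTS = ("/moderator.php",)                   # path seen in the thread


def classify_host(hostname):
    """Label a reverse-DNS name using the naming heuristic from the thread."""
    if not hostname:
        return "unresolved"
    if DECLARED_PROXY.search(hostname):
        return "declared-proxy"
    if SERVER_NAME.match(hostname):
        return "server-hostname"
    return "other"


def triage(sessions, min_cluster=3):
    """Group guest sessions by /24 and list the reasons each range stands out."""
    by_range = defaultdict(list)
    for ip, host, location in sessions:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_range[str(net)].append((host, location))
    report = {}
    for net, rows in by_range.items():
        reasons = set()
        labels = [classify_host(host) for host, _ in rows]
        if labels.count("server-hostname") >= min_cluster:
            reasons.add("server-hostnames")         # www/mail boxes relaying traffic
        if len(rows) >= min_cluster and len({loc for _, loc in rows}) == 1:
            reasons.add("single-location-cluster")  # everyone parked on one page
        if any(loc.startswith(STAFF_SCRIPTS) for _, loc in rows):
            reasons.add("staff-script")             # guest hitting a moderator page
        report[net] = sorted(reasons)
    return report


if __name__ == "__main__":
    for net, reasons in triage(SESSIONS).items():
        print(net, reasons or "nothing notable")
```

A range with no reasons is not cleared by this; it only means none of the three checks fired.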



                            • #15
                              Cheers for the quick reply. Had no luck finding a contact for the IP address so going to ban the IP address from my whole website now to be on the safe side as it's started all over again now and I'm sure a spider or bot for a search engine wouldn't do it for as long as this.
                              Doom3.co.uk - The Defitive Doom 3 Source
