Massive numbers of POST requests for /forum/register.php?do=addmember

  • Massive numbers of POST requests for /forum/register.php?do=addmember

    I'm having the following issue:
    I have a relatively small forum, 6,000+ members. I rarely have more than one or two new members a day join. I rarely have more than 10 members online (plus some number of guests, many of which are searchbots).

    However, I am getting hit with massive numbers of POST requests for /forum/register.php?do=addmember

    I'm talking about reviewing my raw access logs, and finding something like 23,000+ over a two day period!

    Recently, my ISP (shared hosting) shut down my forums for using too many resources and compromising the server. Here's a bit of what they told me:

    ===
    Your account on server [redacted] is again running multiple instances of some php scripts and causing major problems for the entire server. We have been monitoring this for the last couple of hours. After carefully watching the server hardware consumption at the time when the load increases and server performance decreases, we have identified that your account is the one causing problems on the server. See below:

    Stats for 26 Feb 2011:
    ---------------------------------
    CPU Usage - %7.82
    MEM Usage - %3.45
    Number of MySQL procs (average) - 0.33
    Top Process %CPU 26.00 /usr/bin/php /home/redacted/public_html/forum/forumdisplay.php
    Top Process %CPU 23.00 /usr/bin/php /home/redacted/public_html/forum/register.php
    Top Process %CPU 22.00 /usr/bin/php /home/redacted/public_html/forum/register.php

    Stats for 25 Feb 2011:
    ---------------------------------
    CPU Usage - %10.26
    MEM Usage - %3.76
    Number of MySQL procs (average) - 0.26
    Top Process %CPU 44.00 /usr/bin/php /home/karma14/redacted/forum/showthread.php
    Top Process %CPU 39.00 /usr/bin/php /home/karma14/redacted/forum/index.php
    Top Process %CPU 37.00 /usr/bin/php /home/karma14/redacted/forum/index.php

    etc.

    These are way above the acceptable limits given below.
    CPU - <2.0
    Mem - <3
    MySQL - <0.2
    ================

    I've tried disabling all robots with robots.txt; of course if these are "bad" robots they will not obey it.

    Any other suggestions for dealing with this? Trying to find the bad IPs and block them at the server level by examining raw logs seems like it would be massively time-consuming and ultimately futile.

  • #2
    The link to your forums?
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography


    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.




    • #3
      Originally posted by Steve Machol:
      The link to your forums?
      www.karma-lab.com/forum



      • #4
        I've been researching this today, and I blocked about 50 IP addresses that were engaging in this activity. It took like 3 hours to go through the raw logs, so of course I cannot really fight it this way. I'm sure tomorrow there will be a different list of IPs doing it. Here's an example of what I'm talking about. A robot shows up, doesn't view or GET any content or images, and just keeps bombarding the register.php script:

        Code:
        21.227.162.77 - - [27/Feb/2011:09:48:55 -0800] "GET /forum/index.php HTTP/1.0" 200 214902 "http://www.karma-lab.com/forum/index.php" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
        121.227.162.77 - - [27/Feb/2011:09:49:42 -0800] "GET /forum/register.php? HTTP/1.0" 200 14559 "http://www.karma-lab.com/register.php?" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
        121.227.162.77 - - [27/Feb/2011:09:49:45 -0800] "POST /forum/register.php?do=checkdate HTTP/1.0" 200 13847 "http://www.karma-lab.com/forum/register.php?" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
        121.227.162.77 - - [27/Feb/2011:09:49:46 -0800] "POST /forum/register.php?do=register HTTP/1.0" 200 24886 "http://www.karma-lab.com/forum/register.php?" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
        121.227.162.77 - - [27/Feb/2011:09:49:47 -0800] "GET /forum/image.php?type=hv&hash=ae235a4d5a50410641b1214c2b1f9431 HTTP/1.0" 200 21102 "http://www.karma-lab.com/forum/register.php?" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
        121.227.162.77 - - [27/Feb/2011:09:49:49 -0800] "POST /forum/register.php?do=addmember HTTP/1.0" 200 25736 "http://www.karma-lab.com/forum/register.php?" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
        121.227.162.77 - - [27/Feb/2011:09:49:50 -0800] "GET /forum/image.php?type=hv&hash=83f8e03266f4922f8dc84053f9a6362d HTTP/1.0" 200 16231 "http://www.karma-lab.com/forum/register.php?" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
        121.227.162.77 - - [27/Feb/2011:09:49:51 -0800] "POST /forum/register.php?do=addmember HTTP/1.0" 200 25736 "http://www.karma-lab.com/forum/register.php?" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
        121.227.162.77 - - [27/Feb/2011:09:50:03 -0800] "GET /forum/image.php?type=hv&hash=f11f799bce016cabc6610b705818fd18 HTTP/1.0" 200 18589 "http://www.karma-lab.com/forum/register.php?" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
        121.227.162.77 - - [27/Feb/2011:09:51:08 -0800] "POST /forum/register.php?do=addmember HTTP/1.0" 200 26060 "http://www.karma-lab.com/forum/register.php?" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
        121.227.162.77 - - [27/Feb/2011:09:56:52 -0800] "GET /forum/image.php?type=hv&hash=358e73fa580bf8f285667f18b94e58de HTTP/1.0" 200 17892 "http://www.karma-lab.com/forum/register.php?" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
        121.227.162.77 - - [27/Feb/2011:09:59:18 -0800] "POST /forum/register.php?do=addmember HTTP/1.0" 200 25473 "http://www.karma-lab.com/forum/register.php?" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
        121.227.162.77 - - [27/Feb/2011:10:03:21 -0800] "GET /forum/index.php HTTP/1.0" 200 214614 "http://www.karmalab.com/forum/index.php" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)"
        121.227.162.77 - - [27/Feb/2011:10:03:22 -0800] "GET /forum/register.php? HTTP/1.0" 200 14553 "http://www.karmalab.com/register.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)"
        121.227.162.77 - - [27/Feb/2011:10:03:23 -0800] "POST /forum/register.php?do=checkdate HTTP/1.0" 200 13841 "http://www.karmalab.com/forum/register.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)"
        121.227.162.77 - - [27/Feb/2011:10:03:24 -0800] "POST /forum/register.php?do=register HTTP/1.0" 200 24880 "http://www.karmalab.com/forum/register.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)"
        121.227.162.77 - - [27/Feb/2011:10:03:25 -0800] "GET /forum/image.php?type=hv&hash=d9e69e9dbc81c21814715a2e9a50df58 HTTP/1.0" 200 15616 "http://www.karmalab.com/forum/register.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)"
        121.227.162.77 - - [27/Feb/2011:10:03:27 -0800] "POST /forum/register.php?do=addmember HTTP/1.0" 200 25746 "http://www.karmalab.com/forum/register.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)"
        121.227.162.77 - - [27/Feb/2011:10:03:28 -0800] "GET /forum/image.php?type=hv&hash=dca1f276c3d25d643087c79151d5593e HTTP/1.0" 200 17585 "http://www.karmalab.com/forum/register.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)"
        121.227.162.77 - - [27/Feb/2011:10:03:29 -0800] "POST /forum/register.php?do=addmember HTTP/1.0" 200 25746 "http://www.karmalab.com/forum/register.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)"
        121.227.162.77 - - [27/Feb/2011:10:03:30 -0800] "GET /forum/image.php?type=hv&hash=822d0e6fa6811c92ab3ced0aa695625c HTTP/1.0" 200 15976 "http://www.karmalab.com/forum/register.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)"
        121.227.162.77 - - [27/Feb/2011:10:03:31 -0800] "POST /forum/register.php?do=addmember HTTP/1.0" 200 25746 "http://www.karmalab.com/forum/register.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)"
        121.227.162.77 - - [27/Feb/2011:10:03:33 -0800] "GET /forum/image.php?type=hv&hash=b2fa4dd90c72c5d7f1049a3f9689e19f HTTP/1.0" 200 18094 "http://www.karmalab.com/forum/register.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)"
        121.227.162.77 - - [27/Feb/2011:10:03:34 -0800] "POST /forum/register.php?do=addmember HTTP/1.0" 200 25746 "http://www.karmalab.com/forum/register.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)"
        121.227.162.77 - - [27/Feb/2011:10:03:35 -0800] "GET /forum/image.php?type=hv&hash=c70d09270032d5bbd1489faa99ce4d89 HTTP/1.0" 200 19637 "http://www.karmalab.com/forum/register.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)"
        121.227.162.77 - - [27/Feb/2011:10:03:36 -0800] "POST /forum/register.php?do=addmember HTTP/1.0" 200 25746 "http://www.karmalab.com/forum/register.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)"
        121.227.162.77 - - [27/Feb/2011:10:03:37 -0800] "GET /forum/image.php?type=hv&hash=e59c26c133d9da301da2cdf0d58bad25 HTTP/1.0" 200 19863 "http://www.karmalab.com/forum/register.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)"
        121.227.162.77 - - [27/Feb/2011:10:03:39 -0800] "GET /forum/image.php?type=hv&hash=e6a833c147abb56af5e12007a9219bc2 HTTP/1.0" 200 11725 "http://www.karmalab.com/forum/register.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)"
        121.227.162.77 - - [27/Feb/2011:10:03:39 -0800] "POST /forum/register.php?do=addmember HTTP/1.0" 200 25746 "http://www.karmalab.com/forum/register.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)"
        121.227.162.77 - - [27/Feb/2011:10:03:41 -0800] "GET /forum/image.php?type=hv&hash=2f12dc1c6aefff421bc7e274d5102b50 HTTP/1.0" 200 15471 "http://www.karma-lab.com/forum/register.php?" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
        121.227.162.77 - - [27/Feb/2011:10:03:41 -0800] "POST /forum/register.php?do=addmember HTTP/1.0" 200 25746 "http://www.karmalab.com/forum/register.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)"
        121.227.162.77 - - [27/Feb/2011:10:03:42 -0800] "GET /forum/image.php?type=hv&hash=e806c762fc808355fa52c8842a0031cc HTTP/1.0" 200 17667 "http://www.karmalab.com/forum/register.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)"
        121.227.162.77 - - [27/Feb/2011:10:03:43 -0800] "POST /forum/register.php?do=addmember HTTP/1.0" 200 25705 "http://www.karma-lab.com/forum/register.php?" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
        121.227.162.77 - - [27/Feb/2011:10:03:44 -0800] "GET /forum/image.php?type=hv&hash=1a1ef0b40741cd2ad87dff50df8c70d2 HTTP/1.0" 200 11535 "http://www.karmalab.com/forum/register.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)"
        121.227.162.77 - - [27/Feb/2011:10:03:44 -0800] "GET /forum/image.php?type=hv&hash=d8f440c75516904619a1cc67eefe73c2 HTTP/1.0" 200 15720 "http://www.karma-lab.com/forum/register.php?" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
        121.227.162.77 - - [27/Feb/2011:10:03:44 -0800] "POST /forum/register.php?do=addmember HTTP/1.0" 200 25746 "http://www.karmalab.com/forum/register.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)"
        121.227.162.77 - - [27/Feb/2011:10:03:45 -0800] "POST /forum/register.php?do=addmember HTTP/1.0" 200 25736 "http://www.karma-lab.com/forum/register.php?" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
        121.227.162.77 - - [27/Feb/2011:10:03:46 -0800] "POST /forum/register.php?do=addmember HTTP/1.0" 200 25746 "http://www.karmalab.com/forum/register.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)"
        121.227.162.77 - - [27/Feb/2011:10:03:47 -0800] "GET /forum/image.php?type=hv&hash=96d317f6847c89c8d3c7294cf78246ba HTTP/1.0" 200 18705 "http://www.karma-lab.com/forum/register.php?" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
        121.227.162.77 - - [27/Feb/2011:10:03:47 -0800] "GET /forum/image.php?type=hv&hash=a17c5e1313a1ddcba9f5e42fc41db131 HTTP/1.0" 200 14672 "http://www.karmalab.com/forum/register.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)"
        121.227.162.77 - - [27/Feb/2011:10:03:48 -0800] "POST /forum/register.php?do=addmember HTTP/1.0" 200 25736 "http://www.karma-lab.com/forum/register.php?" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
        121.227.162.77 - - [27/Feb/2011:10:03:48 -0800] "POST /forum/register.php?do=addmember HTTP/1.0" 200 25746 "http://www.karmalab.com/forum/register.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)"
        121.227.162.77 - - [27/Feb/2011:10:03:49 -0800] "GET /forum/image.php?type=hv&hash=f6c8c3802cef6f820a447ad92ad50cf0 HTTP/1.0" 200 13480 "http://www.karma-lab.com/forum/register.php?" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
        121.227.162.77 - - [27/Feb/2011:10:03:50 -0800] "GET /forum/image.php?type=hv&hash=7a0c82ea3a3a6208860878f55c6f275d HTTP/1.0" 200 14892 "http://www.karmalab.com/forum/register.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)"
        121.227.162.77 - - [27/Feb/2011:10:03:50 -0800] "POST /forum/register.php?do=addmember HTTP/1.0" 200 25736 "http://www.karma-lab.com/forum/register.php?" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
        This can go on for hundreds of repetitions. Then, a few minutes later, some other IP address doing the same thing.
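
Added example (not part of the original thread, and not vBulletin code): the manual log review described in post #4 can be automated by counting, per client IP, the POSTs to `register.php?do=addmember` and the peak number inside a short time window, along with how many distinct User-Agent strings that IP presented. The function names, the thresholds `min_posts` and `window_s`, and the sample lines (documentation-range IPs, `forum.example`) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, the layout of the excerpt quoted in the post.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TARGET = "register.php?do=addmember"

def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def flag_registration_bots(lines, min_posts=5, window_s=60):
    """Flag IPs sending >= min_posts addmember POSTs inside any window_s seconds.
    Both thresholds are assumed values for illustration; tune them per site."""
    posts, agents = defaultdict(list), defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        agents[rec["ip"]].add(rec["ua"])
        if rec["method"] == "POST" and TARGET in rec["path"]:
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        peak = start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while (ts - stamps[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_posts:
            flagged[ip] = {"addmember_posts": len(stamps), "peak_in_window": peak,
                           "user_agents": len(agents[ip])}  # rotating UAs, as in the post
    return flagged

def _line(ip, hms, method, path, ua):
    """Build a constructed sample line (not taken from the thread's logs)."""
    return (f'{ip} - - [27/Feb/2011:{hms} -0800] "{method} {path} HTTP/1.0" '
            f'200 25746 "http://forum.example/forum/register.php?" "{ua}"')

ADD = "/forum/register.php?do=addmember"
SAMPLE = (  # constructed input using documentation-range IP addresses
    [_line("203.0.113.7", f"10:03:{s:02d}", "POST", ADD, ua)       # burst, two UAs
     for s, ua in zip(range(27, 39, 2), ["UA-A", "UA-B"] * 3)]
    + [_line("198.51.100.20", "10:05:00", "GET", "/forum/index.php", "UA-C"),
       _line("198.51.100.20", "10:06:10", "POST", ADD, "UA-C")]    # one real signup
    + [_line("192.0.2.9", f"10:{m:02d}:00", "POST", ADD, "UA-D")   # slow, below rate
       for m in range(10, 60, 10)]
)

if __name__ == "__main__":
    for ip, stats in flag_registration_bots(SAMPLE).items():
        print(ip, stats)
```

On a real log, pass the open file object as `lines`; a single signup stays below the threshold, so only sustained bursts are reported.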



        • #5
          First, there is a routing problem to your server:

          traceroute to karma-lab.com (67.210.107.253), 64 hops max, 52 byte packets
          1 192.168.2.1 (192.168.2.1) 32.168 ms 0.560 ms 0.596 ms
          2 10.129.0.1 (10.129.0.1) 34.422 ms 32.250 ms 9.631 ms
          3 ip68-2-7-1.ph.ph.cox.net (68.2.7.1) 21.569 ms 11.267 ms 21.665 ms
          4 chndcorc01-te-0-15-0-0.ph.ph.cox.net (70.169.72.56) 12.203 ms 12.491 ms 12.291 ms
          5 72.214.144.69 (72.214.144.69) 13.767 ms 11.490 ms 38.412 ms
          6 langbprj01-ae0.0.rd.la.cox.net (68.1.0.232) 23.570 ms 22.684 ms 87.088 ms
          7 irv1-ar3-ge-0-0-0-0.us.twtelecom.net (66.192.255.146) 24.408 ms 27.180 ms 25.281 ms
          8 * * *
          9 * * *
          10 * * *

          etc.

          Second, 121.227.162.77 is from China. FWIW I had to block China IP addresses because of a massive influx of users.

          I suggest you contact your host about these issues. They are not related to vB per se.
          Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


          • #6
            Thanks for the reply. When you say there is a routing problem, I'm afraid I don't know how to read that. What does it illustrate?

            EDIT: also, how did you go about blocking China? Thanks...

            EDIT: I just ran traceroute here from my computer, and what I got was:

            traceroute to 67.210.107.253 (67.210.107.253), 64 hops max, 60 byte packets
            1 Wireless_Broadband_Router (192.168.1.1) 1.089 ms 0.641 ms 0.491 ms
            2 L100.NWRKNJ-VFTTP-99.verizon-gni.net (98.109.77.1) 7.858 ms 7.126 ms 6.648 ms
            3 G3-0-0-899.NWRKNJ-LCR-08.verizon-gni.net (130.81.110.96) 10.262 ms 9.557 ms 9.800 ms
            4 so-5-0-0-0.NWRK-BB-RTR2.verizon-gni.net (130.81.29.10) 10.176 ms 8.824 ms 9.397 ms
            5 xe-6-1-3-0.NY325-BB-RTR2.verizon-gni.net (130.81.23.234) 12.557 ms 14.222 ms 14.919 ms
            6 0.ae4.BR3.NYC4.ALTER.NET (152.63.16.185) 14.624 ms 13.790 ms 12.023 ms
            7 te-7-1-0.edge2.NewYork2.level3.net (4.68.127.21) 15.361 ms 14.361 ms 14.911 ms
            8 vlan52.ebr2.NewYork2.Level3.net (4.69.138.254) 14.704 ms 13.903 ms 15.525 ms
            9 ae-6-6.ebr2.NewYork1.Level3.net (4.69.141.21) 14.723 ms 13.944 ms 15.136 ms
            10 ae-2-2.ebr4.SanJose1.Level3.net (4.69.135.185) 92.635 ms 91.639 ms 90.361 ms
            11 ae-84-84.csw3.SanJose1.Level3.net (4.69.134.250) 89.539 ms 86.059 ms 87.366 ms
            12 ae-83-83.ebr3.SanJose1.Level3.net (4.69.134.233) 99.820 ms 89.614 ms 89.307 ms
            13 ae-2-2.ebr3.LosAngeles1.Level3.net (4.69.132.10) 139.864 ms 139.243 ms 142.774 ms
            14 ae-1-10.bar2.Tustin1.Level3.net (4.69.136.205) 96.885 ms 96.485 ms 97.789 ms
            15 ae-4-4.car2.Tustin1.Level3.net (4.69.132.225) 99.984 ms 169.608 ms 219.994 ms
            16 ADD2NET-INC.car2.Tustin1.Level3.net (4.53.178.6) 96.462 ms 96.222 ms 97.802 ms
            17 ina.lunarmania.com (67.210.107.253) 144.639 ms 144.811 ms 144.691 ms



            • #7
              See this: http://www.countryipblocks.net/

              You still need to contact your host about this.
              Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


              • #8
                Related to this issue, I've been blocking IPs left and right and I still have massive attacks on register.php. Some bot or hacker will just sit there and call it over and over and over for 100 POSTs every few seconds!

                I am wondering: is it possible to rename the register.php file to something completely different, as long as I go through the source code and rename every place where it is referenced?

                I'm just wondering if the hackerbots are calling that by name since they know it exists, and if I renamed it to something else, they wouldn't know where to go...



                • #9
                  Yes, that is possible but it will require a lot of custom coding which we cannot support. It will also make upgrading more difficult.
                  Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


                  • #10
                    Thanks - but I see no other solution to try - I'm getting 5,000+ POST calls to register.php every single day, IPs just hammering away on it, and my forums will be shut down by the service provider unless I use less resources, and this seems to be causing the issue.
