
If You Have A Forum Read This!

Midnight_Caller
Rising Star
Posts: 4,143
Thanks: 7
Fixes: 1
Registered: 15-04-2007

Hi All
My Forum is under attack by malicious hackers, they are going after the Admin Account, I spotted this in my Forum Error Logs.
The IP addresses are:        Attempts to get in:
84.23.49.196                     - 54
170.51.254.202                 - 6
207.249.174.245               - 6
124.42.10.119                   - 6
205.213.195.70                 - 6
So if you do have a Forum keep an eye on your Forum Error Logs.
I have banned the above IP addresses from my Forum.
19 REPLIES
Community Veteran
Posts: 1,850
Registered: 11-08-2007

Re: If You Have A Forum Read This!

Change your admin password several times to foil them.
Midnight_Caller
Rising Star
Posts: 4,143
Thanks: 7
Fixes: 1
Registered: 15-04-2007

Re: If You Have A Forum Read This!

My admin password is 12 characters long, and that is letters and numbers.
So they are not getting in.
[Edit]
Spelling
Community Veteran
Posts: 18,544
Thanks: 190
Registered: 12-08-2007

Re: If You Have A Forum Read This!

Well spotted Gary.  Still may be worth changing your password though ;)
Community Veteran
Posts: 14,469
Registered: 30-07-2007

Re: If You Have A Forum Read This!

Especially now you have told everyone on this public forum how long your password is.
Community Veteran
Posts: 2,282
Thanks: 218
Fixes: 1
Registered: 04-08-2009

Re: If You Have A Forum Read This!

84.23.49.196 - Whois Information


David_W
Rising Star
Posts: 2,293
Thanks: 29
Registered: 19-07-2007

Re: If You Have A Forum Read This!

There are several simple ways around unwanted people logging in as admin.
Admin is usually in a folder called /admin so you can use a .htaccess to add a server-side password to that directory, before you even get to the admin.php file; this protects the entire directory.
Look through the scripts and change references to admin.php to my_new_admin_page.php so people can't log in by going to admin.php, the way around that is for them to go to another admin page which will bounce them to the new login page.
Add a redirect script to admin.php, if the script matches your assigned IPs (with wildcards) then it shows the login page, if it doesn't match, it redirects you to the login page for, I dunno, the FBI (if it's a bot, it'll try to log in!)
/edit - quick Google found this:
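<?php
// Address of the visitor as seen by the web server
$visitor = $_SERVER['REMOTE_ADDR'];
// Dots escaped and pattern anchored so only this exact address matches
if (preg_match('/^192\.168\.0\.1$/', $visitor)) {
    // Listed address: send it somewhere else
    header('Location: http://www.thefbi.com');
} else {
    // Everyone else goes on to the real admin login
    header('Location: http://www.yoursite.com/admin/admin.php');
}
exit; // stop here so nothing after the redirect header runs
?>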

Changing 192.168.0.1 to the hacker's address, I'm sure a PHP guru would tell you how to add multiples or wildcards!
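
Added example (not part of the original post and not the forum software's own code): one way to handle the "multiples or wildcards" case mentioned above, written as an allowlist of addresses and CIDR ranges that fails closed with a 403 instead of redirecting. The function names and the listed ranges are hypothetical placeholders, and a 64-bit PHP 7+ build is assumed.

```php
<?php
// Added example: gate admin.php on an allowlist of IPv4 addresses and CIDR ranges.
// Anything that cannot be parsed (IPv6, garbage, bad prefix) is treated as "no match".

/** True if $ip (dotted IPv4) is inside $cidr, written "a.b.c.d" or "a.b.c.d/n". */
function ip_in_cidr(string $ip, string $cidr): bool
{
    $parts = explode('/', $cidr, 2);
    $bits  = 32; // a bare address is treated as a /32
    if (isset($parts[1])) {
        // Reject "/abc", "/33", "/-1": a bad prefix must never widen the match
        $bits = filter_var($parts[1], FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 0, 'max_range' => 32]]);
        if ($bits === false) {
            return false;
        }
    }
    $addr = ip2long($ip);
    $net  = ip2long($parts[0]);
    if ($addr === false || $net === false) {
        return false;
    }
    // Netmask with the top $bits bits set, e.g. /24 gives 0xFFFFFF00
    $mask = (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($addr & $mask) === ($net & $mask);
}

/** True if $ip matches at least one entry of $allowlist. */
function is_allowed(string $ip, array $allowlist): bool
{
    foreach ($allowlist as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Constructed placeholders (documentation ranges); replace with your own addresses.
$adminAllowlist = ['192.0.2.10', '198.51.100.0/24'];

// REMOTE_ADDR is the TCP peer; behind a reverse proxy it is the proxy's address.
$visitor = $_SERVER['REMOTE_ADDR'] ?? '';
if (!is_allowed($visitor, $adminAllowlist)) {
    error_log("admin access denied for {$visitor}"); // leaves a trail in the error log
    http_response_code(403);
    exit('Forbidden');
}
// Allowed visitors fall through to the normal admin login code below.
```

Placed at the top of admin.php, this runs before any login logic, so password guessing from addresses outside the list never reaches the login form.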
Midnight_Caller
Rising Star
Posts: 4,143
Thanks: 7
Fixes: 1
Registered: 15-04-2007

Re: If You Have A Forum Read This!

Update From Forum Error Log & Ban List:
The IP addresses are:      Attempts to get in:
84.23.49.196                    - 71 - Update
170.51.254.202                - 6
207.249.174.245              - 6
124.42.10.119                  - 6
205.213.195.70                - 6
213.42.178.199                - 2  - New
Community Veteran
Posts: 3,789
Registered: 08-06-2007

Re: If You Have A Forum Read This!

This is not new news.  Any server "in the wild" on the internet will have attempts to gain access.
B.
Midnight_Caller
Rising Star
Posts: 4,143
Thanks: 7
Fixes: 1
Registered: 15-04-2007

Re: If You Have A Forum Read This!

@Baz, Well it has never happened before, and I have had a forum before 30-30-2008, which was my first backup of the forum.
How do I go about blocking the whole of the Union of Soviet Socialist Republics (USSR)?
Community Veteran
Posts: 26,372
Thanks: 629
Fixes: 8
Registered: 10-04-2007

Re: If You Have A Forum Read This!

http://www.countryipblocks.net/country-blocks/
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£13/month)
Mobile: iD mobile (£4/month)
Midnight_Caller
Rising Star
Posts: 4,143
Thanks: 7
Fixes: 1
Registered: 15-04-2007

Re: If You Have A Forum Read This!

Thanks for the link, but when I clicked on htaccess deny I got:
Quote
Not Found
The requested URL /country-blocks/htaccess-deny-format/ was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Damn, damn.
Community Veteran
Posts: 26,372
Thanks: 629
Fixes: 8
Registered: 10-04-2007

Re: If You Have A Forum Read This!

Try from the box at the top right:
# Total Networks: 3,829
# Total Subnets:  32,048,136
deny from 2.92.0.0/14
deny from 62.5.128.0/17
deny from 62.16.32.0/19
deny from 62.16.64.0/19
deny from 62.16.96.0/19
deny from 62.32.64.0/19
deny from 62.33.0.0/16
deny from 62.61.0.0/19
deny from 62.63.64.0/18
deny from 62.64.0.0/19
deny from 62.68.128.0/19
deny from 62.69.0.0/19
deny from 62.76.0.0/16
deny from 62.78.32.0/19
deny from 62.84.96.0/19
deny from 62.89.192.0/18
deny from 62.102.128.0/17
deny from 62.105.0.0/19
deny from 62.105.32.0/19
deny from 62.105.128.0/19
deny from 62.106.96.0/19
deny from 62.109.160.0/19
deny from 62.112.96.0/19
deny from 62.113.32.0/19
deny from 62.113.64.0/18
deny from 62.117.64.0/18
...
<snipped as it's too long to post>
David_W
Rising Star
Posts: 2,293
Thanks: 29
Registered: 19-07-2007

Re: If You Have A Forum Read This!

Wouldn't it be easier to add an allow from PlusNet IP range, deny from everyone else rule and stick that in a .htaccess in /admin folder?
Midnight_Caller
Rising Star
Posts: 4,143
Thanks: 7
Fixes: 1
Registered: 15-04-2007

Re: If You Have A Forum Read This!

Short answer is no.