MyBB Community Forums

Suspicious Activity
One of my forums was attacked and went down until I blocked the IP, and this was in the logs:

193.224.106.234 - - [12/Mar/2012:18:51:16 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:16 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:16 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:16 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:16 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:16 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:17 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:18 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:18 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:18 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:19 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:20 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:20 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:22 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:23 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:22 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:23 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:23 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:24 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:24 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:24 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:25 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:25 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:26 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:27 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:27 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:28 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:28 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:28 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:28 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:29 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:29 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"
193.224.106.234 - - [12/Mar/2012:18:51:30 -0400] "GET /jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "-" "Mozilla/5.0"

Is that file normal? If so, where is it accessed normally? What does it do? And is that many requests normal?
It is a JavaScript library like jQuery. It is accessed on every page. I'm guessing not; the attacker was probably DDoSing that specific file.
Ok, so it wasn't a config error on my part?
No, I don't believe so.
(2012-03-12, 11:41 PM) Paul H. Wrote: It is a JavaScript library like jQuery. It is accessed on every page. I'm guessing not; the attacker was probably DDoSing that specific file.

It's not a distributed attack so it's not a DDoS.

(2012-03-12, 11:42 PM) BitzDefender Wrote: Ok, so it wasn't a config error on my part?

Nope. It seems to be coming from a college network in Hungary. If it's causing a significant amount of bandwidth usage or issuing malicious actions you should block it; otherwise I wouldn't worry too much about it.

Well, now there are multiple IPs and all of my smaller sites are down because of it (shared IP). What can I do against hundreds of IPs?
You should contact your webhost. It seems that you are being DDoS'd - they should have features to mitigate attacks. If they do not, I advise switching hosts.
That, or someone is running a MyBB site and remote-linking to your file to save on their bandwidth.
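Added example, not part of any post in this thread: a small log summary that separates the three explanations raised so far (one address flooding a file, many addresses doing so, or other sites hotlinking it) using per-source counts, peak per-second rate and the Referer field. The host name `forum.example`, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" access-log line, the format of the excerpt in the first post.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<uri>\S+) [^"]*" '
    r'\d{3} (?P<size>\d+|-) "(?P<referer>[^"]*)" "[^"]*"')

def referer_host(value):
    try:
        return urlsplit(value).hostname
    except ValueError:  # malformed Referer header
        return None

def summarize(lines, path, own_host):
    """Count hits on one path: sources, peak per-second rate, bytes, external referers."""
    per_ip, per_sec, sent, external = Counter(), Counter(), 0, 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["uri"].split("?", 1)[0] != path:
            continue
        per_ip[m["ip"]] += 1
        per_sec[(m["ip"], m["ts"])] += 1  # log timestamps have one-second resolution
        sent += 0 if m["size"] == "-" else int(m["size"])
        host = referer_host(m["referer"])
        external += 1 if host and host != own_host else 0
    hits = sum(per_ip.values())
    return {"hits": hits, "sources": len(per_ip), "bytes": sent, "external_referer": external,
            "top_share": max(per_ip.values(), default=0) / max(hits, 1),
            "peak_per_sec": max(per_sec.values(), default=0)}

def classify(s, min_hits=20, many_sources=10):
    """Thresholds are illustrative assumptions; tune them against normal traffic."""
    if s["hits"] < min_hits:
        return "normal"
    if s["external_referer"] >= s["hits"] / 2:
        return "hotlinking"           # other sites' pages embed the file
    if s["top_share"] >= 0.9:
        return "single-source flood"  # one address: a server or firewall block suffices
    if s["sources"] >= many_sources:
        return "multi-source flood"   # per-IP blocks do not scale; involve the host
    return "review"

def sample(ip, n, referer="-"):
    """Constructed log lines with documentation-range IPs, not taken from the thread."""
    return [f'{ip} - - [12/Mar/2012:18:51:{16 + i // 3:02d} -0400] "GET '
            f'/jscripts/prototype.js?ver=1603 HTTP/1.0" 200 163312 "{referer}" "Mozilla/5.0"'
            for i in range(n)]
```

Run `classify(summarize(open("access.log"), "/jscripts/prototype.js", "forum.example"))` against a real log; the `bytes` field shows how much bandwidth the requests consumed.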
(2012-03-12, 11:53 PM) Nathan Malcolm Wrote:
(2012-03-12, 11:41 PM) Paul H. Wrote: It is a JavaScript library like jQuery. It is accessed on every page. I'm guessing not; the attacker was probably DDoSing that specific file.

It's not a distributed attack so it's not a DDoS.
Let's assume it as...
...DEDICATED denial of service
I'm currently working on replacing, in headerinclude, the prototype.js file and using Google's: http://code.google.com/apis/libraries/de...#prototype

Hopefully it works.