MyBB Community Forums

Full Version: Not a hack, a bandwidth issue
I had set up a quiet little forum with under 10 users. I never expected many users.

I had also done all of the good things to prevent hackers: changed the path to the admin area, used cPanel to add extra access passwords for it, strong passwords for the admin CP, htaccess with deny lists for known hackers from other WP sites I run and from the history of bogus registration attempts manually checked against CleanTalk etc. I also pass the site through Cloudflare. And so on.

In fact, the site never did get hacked. However, I still just suspended it, at least temporarily, through WHM. The reason is that all of the monthly BW that I allocated to the site has been consumed by hits against calendar.php and a few other scripts. My research suggests that there had been a SQL injection flaw in earlier versions of MyBB (I was running the latest). I had nearly 50,000 hits in a couple of weeks against calendar.php on a board with fewer than 10 registrations.

Since the attempts didn't yield any positive results for the bad guys, it seems that the hack scripting community is lagging behind. However, it still yields a negative result for me since I have to pay for the resources that these goofballs are consuming.

I also assume that my little board is not the only one seeing this sort of activity in the background. Short of shutting down the calendar system, is there any reasonable way to throttle this? Since I have a very diverse interest group, simply blocking entire countries with htaccess or firewalls isn't really in the cards for me. At least a few thousand bad guys (or maybe one bad guy with access to a few thousand IP addresses) seem to think that calendar.php is vulnerable.

Comments?
You can probably ask your host to help with that. After all, they're paying for the bandwidth too along with the server resources which are being used by every request. Without further examination it would be hard to tell what exactly is going on, and even harder to mitigate it.
It could actually just be a normal bot, just stuck crawling infinite calendar pages.
I agree with Cameron. Modify your robots.txt file to tell (well-behaved) bots to neither index nor follow links in calendar.php. As an added step, you may want to put bots in their own user group and revoke calendar permissions for the group. Repeat for other functionality which bots probably don't need (such as usercp.php).
I believe that Cameron's suggestion was accurate. I noted this when it was posted but only just now got around to hunting that down as a possible cause. I run MyBB on a VPS and the original log system that I checked with did not show the source of the BW drain.

I checked again with Webalizer and discovered that it was BLEXBot. I had been using a robots.txt file that I had adopted for WordPress sites, and BLEXBot had never given me grief on those. I updated my robots.txt file to block it and to disallow calendar.php, etc.

I can't guarantee that that was my problem since I've just put these changes in place; but my guess is that the suggestion is a good one. It'll take a day or two to run up some new log files to see what gives.

Thanks; and sorry for the MyBB newbie mistake.
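The two steps above (finding out from the access log which client is hammering calendar.php, then publishing robots.txt rules for it) can be checked without a log analyser, as in this added example. It is not code from the thread or from MyBB. It parses combined-format access log lines, ranks clients by hits on calendar.php, and then runs the candidate robots.txt through Python's standard-library `urllib.robotparser` to confirm the rules actually cover that crawler. All log lines, IP addresses and agent strings are constructed for the example; only the bot name BLEXBot comes from the thread, and the `+http://bot.example/info` URL in its agent string is a placeholder, not the crawler's real one.

```python
import re
from collections import Counter
from urllib.robotparser import RobotFileParser

# Apache/nginx "combined" log format:
# ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed agent strings (the "+http://..." URL is a placeholder, not the real one).
BOT_UA = "Mozilla/5.0 (compatible; BLEXBot/1.0; +http://bot.example/info)"
HUMAN_UA = "Mozilla/5.0 (Windows NT 10.0) Firefox/44.0"

# Constructed sample log: a crawler walking calendar month/day views, plus one human.
SAMPLE_LOG = "\n".join([
    f'203.0.113.10 - - [01/Mar/2016:10:00:01 +0000] "GET /calendar.php?month=3&year=2016 HTTP/1.1" 200 18342 "-" "{BOT_UA}"',
    f'203.0.113.10 - - [01/Mar/2016:10:00:02 +0000] "GET /calendar.php?month=4&year=2016 HTTP/1.1" 200 18291 "-" "{BOT_UA}"',
    f'203.0.113.10 - - [01/Mar/2016:10:00:03 +0000] "GET /calendar.php?action=dayview&day=2016-4-2 HTTP/1.1" 200 17990 "-" "{BOT_UA}"',
    f'198.51.100.7 - - [01/Mar/2016:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 22410 "-" "{HUMAN_UA}"',
    f'203.0.113.10 - - [01/Mar/2016:10:00:06 +0000] "GET /calendar.php?month=5&year=2016 HTTP/1.1" 200 18301 "-" "{BOT_UA}"',
    f'198.51.100.7 - - [01/Mar/2016:10:00:09 +0000] "GET /calendar.php HTTP/1.1" 200 18122 "http://forum.example/index.php" "{HUMAN_UA}"',
    'this line is deliberately malformed and must be skipped',
])

# Candidate robots.txt, as the thread suggests: ban the offending crawler outright and
# keep every other (well-behaved) bot out of calendar.php and usercp.php.
ROBOTS_TXT = """\
User-agent: BLEXBot
Disallow: /

User-agent: *
Disallow: /calendar.php
Disallow: /usercp.php
"""

def parse_log(text):
    """Yield one dict per well-formed combined-format line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
            yield rec

def hits_by_client(text, script="/calendar.php"):
    """Count requests and bytes served for one script, keyed by (user-agent, ip)."""
    hits, served = Counter(), Counter()
    for rec in parse_log(text):
        if rec["path"].split("?", 1)[0] == script:   # ignore the query string
            key = (rec["ua"], rec["ip"])
            hits[key] += 1
            served[key] += rec["bytes"]
    return hits, served

def top_offender(text, script="/calendar.php"):
    """The (user-agent, ip) pair with the most hits on `script`, with its byte total."""
    hits, served = hits_by_client(text, script)
    if not hits:
        return None
    (ua, ip), n = hits.most_common(1)[0]
    return {"ua": ua, "ip": ip, "hits": n, "bytes": served[(ua, ip)]}

def bot_token(ua):
    """Product token that robots.txt rules match on, e.g. 'BLEXBot' out of
    'Mozilla/5.0 (compatible; BLEXBot/1.0; ...)'.  RobotFileParser compares the
    part of the agent before the first '/', so passing the whole browser-style
    string would silently fall through to the '*' entry."""
    m = re.search(r"compatible;\s*([^/;\s)]+)", ua)
    return m.group(1) if m else ua.split("/")[0]

def robots_allows(robots_txt, user_agent, url):
    """True if `robots_txt` lets `user_agent` fetch `url`.  Advisory only: a bot
    that ignores robots.txt needs the user-group or server-side block instead."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(user_agent, url)

def check_rules(text, robots_txt, base="http://forum.example"):
    """Find the worst calendar.php client and report whether the rules cover it."""
    worst = top_offender(text)
    if worst is None:
        return None
    token = bot_token(worst["ua"])
    blocked = not robots_allows(robots_txt, token, f"{base}/calendar.php?month=3&year=2016")
    return {**worst, "token": token, "blocked_by_robots": blocked}

if __name__ == "__main__":
    result = check_rules(SAMPLE_LOG, ROBOTS_TXT)
    print(f"{result['token']} from {result['ip']}: {result['hits']} hits, "
          f"{result['bytes']} bytes; blocked by robots.txt: {result['blocked_by_robots']}")
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; the `script` argument lets you repeat the count for the other scripts mentioned above. The `bot_token` step matters because `can_fetch` matches the product token, not the full agent string, so a rule written for `BLEXBot` is only confirmed when you ask about `BLEXBot`, not about `Mozilla/5.0 (compatible; BLEXBot/...)`.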
Reading this thread I was wondering if it's enough to disable calendar in the admin area? I don't utilize it and figured I'd prevent this from happening to my board.

Thank you
PinkStar