IPs to Ban: IPs from my attack
#1
172.56.13.46
172.56.13.84
172.56.18.98
185.34.33.2
46.28.53.146
50.28.48.78
62.210.74.186
86.1.31.135

After getting hacked by "Spook and Shade" half a dozen times before it halted, they reached me on Skype and demanded 50 Bitcoin, then compromised at 35 CDN dollars, which I refuse to pay. But above are all the IPs that were attacking my Admin CP from my compromised Administrator accounts. I lost four administrators in the process because Spook and Shade compromised their accounts.

I thought I would let you know.
#2
Thanks for sharing, but a few of those IPs look like they belong to T-Mobile, a cellular company. These IP addresses change all the time, so blocking them could potentially block future site users.

But a few other ones are good, you should run a WHOIS on them like this:
http://whois.domaintools.com/185.34.33.2

And get the IP range: 185.34.33.0 - 185.34.33.31

That page has indicated the CIDR which can be used for blocking: 185.34.32.0/22

Otherwise, you can manually enter the range here to generate the CIDR: http://ip2cidr.com/

185.34.33.0 - 185.34.33.31 would be: 185.34.33.0/27

But blocking 185.34.32.0/22 would cover more range of IPs owned by Octopuce, which is a server hosting company in France.

Most users will not need to proxy in order to access your website. They shouldn't have to, so I recommend blocking as many datacenters/hosting servers as you can.
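The range-to-CIDR arithmetic in the post above (185.34.33.0 - 185.34.33.31 is a /27, while the WHOIS-reported /22 is 32 times larger) and the T-Mobile caveat from the same post can be checked without a web tool. The following script is an added example written for this thread, not MyBB code or anything posted by the thread's participants; it only uses Python's standard `ipaddress` module and the attacker addresses listed in post #1, and it scores each candidate block by how many listed attackers it catches against how many other addresses it would also ban.

```python
import ipaddress

# Constructed sample: the attacking addresses listed in post #1 of this thread.
ATTACK_IPS = [
    "172.56.13.46", "172.56.13.84", "172.56.18.98",
    "185.34.33.2", "46.28.53.146", "50.28.48.78",
    "62.210.74.186", "86.1.31.135",
]


def range_to_cidrs(first, last):
    """Turn an inclusive address range, as WHOIS reports it, into the
    smallest list of CIDR blocks that covers exactly that range."""
    return [str(net) for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def block_size(cidr):
    """Number of addresses a CIDR block covers."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def is_within(smaller, larger):
    """True when every address of `smaller` is also inside `larger`."""
    return ipaddress.ip_network(smaller, strict=False).subnet_of(
        ipaddress.ip_network(larger, strict=False))


def attackers_in_block(cidr, ips=ATTACK_IPS):
    """The listed attacker addresses that a candidate block would catch."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [ip for ip in ips if ipaddress.ip_address(ip) in net]


def collateral(cidr, ips=ATTACK_IPS):
    """Addresses the block bans that are NOT known attackers: a rough
    measure of how many innocent visitors a blanket ban could catch."""
    return block_size(cidr) - len(attackers_in_block(cidr, ips))


def compare_candidates(candidates, ips=ATTACK_IPS):
    """Rank candidate blocks: most attackers caught first, then least
    collateral. Returns (cidr, attackers_caught, other_addresses) rows."""
    rows = [(cidr, len(attackers_in_block(cidr, ips)), collateral(cidr, ips))
            for cidr in candidates]
    return sorted(rows, key=lambda r: (-r[1], r[2]))


if __name__ == "__main__":
    print(range_to_cidrs("185.34.33.0", "185.34.33.31"))
    candidates = ["185.34.33.0/27", "185.34.32.0/22",
                  "172.56.13.0/24", "172.56.0.0/16"]
    for cidr, caught, extra in compare_candidates(candidates):
        print(f"{cidr:18} catches {caught} attacker(s), "
              f"{extra:>6} other addresses")
```

Running it shows the trade-off the post is pointing at: the /27 and the /22 both catch the single 185.34.33.2 address, but the /22 bans 1023 other addresses instead of 31, and the T-Mobile /16 bans 65,533 unrelated addresses to stop three.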
#3
They got into my Skype (the one password I didn't change - security fail on my part) and trolled Frankie on it, that's where the threats came from. His Skype is also compromised.

I've emailed him on my email to verify it's me.
#4
Would be nice if MyBB offered a way to block entire ASNs in one click.
#5
You can also look up the country IP range with:

http://www.find-ip-address.org/iplookup/country-range.php

I've gone into CPanel and blocked whole country ranges in order to reduce spam and bogus account requests from places like Romania and Russia. It's also handy to use CPanel tools (if your provider offers them) and track access to your site. Sometimes there are malicious probes that aren't apparent until something obvious occurs.
#6
(2014-11-19, 12:06 PM)sinbad Wrote: You can also look up the country IP range with:

http://www.find-ip-address.org/iplookup/country-range.php

I've gone into CPanel and blocked whole country ranges in order to reduce spam and bogus account requests from places like Romania and Russia. It's also handy to use CPanel tools (if your provider offers them) and track access to your site. Sometimes there are malicious probes that aren't apparent until something obvious occurs.

Uhm.. Most spam comes from China and/or proxies from the USA, thus what you've done is actually extremely stupid, as you've just "made" over "150m" people unable to access your site.
Plus 77.4% of scanners entering my site are from USA and France.
It's better just to give Cloudflare the upper hand and let them deal with the extreme spammers imo.
Beep Boop
~ RIP Server 2014-2014
#7
(2014-11-19, 01:24 PM)Rakes Wrote: Uhm.. Most spam comes from China and/or proxies from the USA, thus what you've done is actually extremely stupid, as you've just "made" over "150m" people unable to access your site.
Plus 77.4% of scanners entering my site are from USA and France.
It's better just to give Cloudflare the upper hand and let them deal with the extreme spammers imo.

That hasn't been my experience. I've gotten more of my spam attempts and SSH brute-force attempts from places like Romania, Ukraine, [some-unpronounceable]stan, or places in South America. China actually hasn't been too terrible for me. I have China and Ukraine blacklisted in my server firewall at this point because I don't expect legitimate traffic from there. I manually ban other IPs.

The US and France have never been my main sources of attacks, so you've definitely had a different experience than I think most of us have had.
PGP Key (Fingerprint: 23B6 F4C0 FE2D 45AA 61A0 1E86 DB87 09DC DD87 6E40)
#8
I've had China, Ukraine & Russia the most, but I've also had legitimate users from all 3. Which is why I only block server hosting ranges. A user from Russia actually sent me a message thanking my forum's system for not inconveniencing him like most forums.

It's really unfortunate that a bunch of pricks are ruining it for the legitimate users.
#9
(2014-11-19, 01:24 PM)Rakes Wrote:
(2014-11-19, 12:06 PM)sinbad Wrote: You can also look up the country IP range with:

http://www.find-ip-address.org/iplookup/country-range.php

I've gone into CPanel and blocked whole country ranges in order to reduce spam and bogus account requests from places like Romania and Russia. It's also handy to use CPanel tools (if your provider offers them) and track access to your site. Sometimes there are malicious probes that aren't apparent until something obvious occurs.

Uhm.. Most spam comes from China and/or proxies from the USA, thus what you've done is actually extremely stupid, as you've just "made" over "150m" people unable to access your site.
Plus 77.4% of scanners entering my site are from USA and France.
It's better just to give Cloudflare the upper hand and let them deal with the extreme spammers imo.

I set my forum to require a manual approval for all new account requests. Before I approve the account, I do an IP lookup. I know exactly what country range that request came from. The NFP group I webmaster for is a specific group with a specific topic and they share information and education. Someone from Russia or Romania would have little need for that information. However, I usually wait until I get at least 5 or more account requests from an area before I consider IP banning. If they all originate from a host, I ban down to the host area. If there are multiple host-level requests originating from a regional area, I ban down to the region. Finally, if there are multiple regional requests coming from a country, I ban the whole country. If someone is legit, they have an email address through which they can request reconsideration, and if verifiable, I'll modify the ban to allow them in.

By using this method, I have eliminated 99% of all the bogus account requests and spamming. Prior to using this method, I was averaging between 5-10 bogus access requests per day. After researching the request mechanisms, I determined that most of the bogus requests were bot generated.
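The escalation rule in the post above (ban a host block once it has at least 5 bogus requests, a region once several of its host blocks are banned, a country once several of its regions are banned, with email-verified exceptions) is easy to get wrong by hand once the counts grow, so here it is written out as code. This is an added example for the thread, not the poster's own tooling and not MyBB code; the request records are constructed, using documentation and benchmark address ranges, and the `host`, `region` and `country` fields stand in for the WHOIS and geo lookups the post describes doing manually. The region codes are hypothetical labels, and the "several" thresholds (`MIN_HOSTS`, `MIN_REGIONS`) are assumptions, since the post does not give a number for them.

```python
import ipaddress
from collections import Counter

THRESHOLD = 5     # the post waits for at least 5 requests from an area
MIN_HOSTS = 2     # assumed: banned host blocks in a region before the region is banned
MIN_REGIONS = 2   # assumed: banned regions in a country before the country is banned


def make_requests(spec):
    """Expand (host_cidr, region, country, count) tuples into one request
    record per address, already enriched with the lookup data."""
    requests = []
    for cidr, region, country, count in spec:
        addresses = list(ipaddress.ip_network(cidr).hosts())
        for ip in addresses[:count]:
            requests.append({"ip": str(ip), "host": cidr,
                             "region": region, "country": country})
    return requests


# Constructed sample: bogus registration attempts grouped by hosting block.
# Region codes are hypothetical labels, not real WHOIS output.
SAMPLE_SPEC = [
    ("203.0.113.0/24",  "RO-B",   "RO", 6),   # host A, trips the threshold
    ("198.51.100.0/24", "RO-B",   "RO", 5),   # host B, same region as A
    ("192.0.2.0/24",    "RO-CJ",  "RO", 5),   # host C, a second region
    ("198.18.0.0/24",   "RO-CJ",  "RO", 5),   # host D, same region as C
    ("198.19.0.0/24",   "RU-MOW", "RU", 3),   # host E, stays below threshold
]


def escalate(requests, threshold=THRESHOLD,
             min_hosts=MIN_HOSTS, min_regions=MIN_REGIONS):
    """Derive ban scopes the way the post describes: host block first,
    then region, then country. Returns the three sets of banned keys."""
    per_host = Counter(r["host"] for r in requests)
    host_region = {r["host"]: r["region"] for r in requests}
    region_country = {r["region"]: r["country"] for r in requests}

    # Step 1: any host block with enough bogus requests is banned.
    hosts = {h for h, n in per_host.items() if n >= threshold}

    # Step 2: a region with several banned host blocks is banned as a whole.
    hosts_per_region = Counter(host_region[h] for h in hosts)
    regions = {reg for reg, n in hosts_per_region.items() if n >= min_hosts}

    # Step 3: a country with several banned regions is banned as a whole.
    regions_per_country = Counter(region_country[reg] for reg in regions)
    countries = {c for c, n in regions_per_country.items() if n >= min_regions}

    return {"hosts": hosts, "regions": regions, "countries": countries}


def is_blocked(request, bans, allowlist=frozenset()):
    """Check a new registration against the ban scopes. `allowlist` holds
    addresses cleared through the email reconsideration path the post
    mentions; those pass regardless of scope."""
    if request["ip"] in allowlist:
        return False
    if request["country"] in bans["countries"]:
        return True
    if request["region"] in bans["regions"]:
        return True
    ip = ipaddress.ip_address(request["ip"])
    return any(ip in ipaddress.ip_network(h) for h in bans["hosts"])


if __name__ == "__main__":
    bans = escalate(make_requests(SAMPLE_SPEC))
    for scope in ("hosts", "regions", "countries"):
        print(f"{scope:10} {sorted(bans[scope])}")
```

With the sample data the four Romanian host blocks are banned individually, both regions follow because each has two banned blocks, and the country is banned because two of its regions are; the Russian block with only three requests is left alone. Keeping the decision in code also makes it cheap to re-run with a higher threshold when a region turns out to contain legitimate users, which is the trade-off the rest of the thread argues about.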
#10
Quote: 172.56.13.46
172.56.13.84
172.56.18.98

172.56.0.0/16; T-Mobile USA. Not a good idea to blanket block this range.

I have 88.190.0.0/15 (Free SAS "Dedibox" netblock), some China Unicom/Telecom ranges that resolve to hn.kd.ny.adsl (a LOT of scraper/bot activity) and most of Hetzner blocked outright, and with a compat line change Fassim takes care of the rest.