Get your forum today!

Ecalpon · 06-08-2007, 11:54 AM

FYI:

Just by chance logged into my site to find it extremely slow, but once in I found 18 users browsing the site. "Strange I thought, so many and it's so slow." So I took a closer look.

Strange out of the 18 connections 13 were from the 66.48.69.* IP block. In my 20+ years of dealing with the net, this is unheard of. So I traced them back. and found they are all coming from the same ISP, again very strange. Only one thing looks like this and that's a DOS attack.

So using what I have in my arsenal, I did some checking and found that the first 6 IP's I looked at were running an unprotected computer. Ok I thought, I got you.....

Looking back one hop I found every one of the connections were going through 1 system. So here is the info on the trigger man.

IP 205.150.4.164
Domain: www.theglobeandmail.com
Subdomain/ User: bob.globeandmail.com
Location: North York "just east of Toronto" Canada

What you choose to do with this information is up to you, but at least now you know from where and who to look at.

I have banned the 66.48.69.* IP block and noticed a slight change in the response of the system. I would suggest that short term you other Admins do the same.

Ecalpon · 06-08-2007, 12:18 PM

UPDATE!

This guy also may be using a Yahoo server under the 74.6.*.* IP block as a chack shows several accounts at yahoo all starting with the letters "Lj" are also reporting back to the 205.150.4.164 IP

BadBoy0 · 06-08-2007, 12:33 PM

I've done that before but the slowdown issues and "too many connections" errors have been affecting all the forums on the s2 and s3 FFF IPB servers for months. There was a fix done in early March that worked and maintained good performance for almost a month - so I suggest that fix be done again and regularly as part of maintenance? In any case its a server issue, not an individual forum one.

Ecalpon · 06-08-2007, 12:42 PM

Quote:

Originally Posted by BadBoy0

I've done that before but the slowdown issues and "too many connections" errors have been affecting all the forums on the s2 and s3 FFF IPB servers for months. There was a fix done in early March that worked and maintained good performance for almost a month - so I suggest that fix be done again and regularly as part of maintenance? In any case its a server issue, not an individual forum one.

Granted, what ever the hole is that is being used, needs to be fixed. But what your overlooking is an attack on one forum is not the issue. An attack on one is an attack on every site on that server with that security hole. Once they find one they will soon find the other servers and expand the attack. So it's not an attack on me or you, it's an attack on the server and the software.

BadBoy0 · 06-08-2007, 02:19 PM

I noted a large number of "guests" yesterday and today from the 74.6.* IP block range too. I found those are a yahoo webcrawler, so probably just a search engine. I don't think they are a problem, just perhaps showing a symptom of the FFF server problem - perhaps it needs more bandwidth or something to handle a lot of users and search engine accesses? The main forumer servers don't seem to have this problem?

BadBoy0 · 06-08-2007, 07:02 PM

I added the 74.6.* IP block for a test to my forum's ban list earlier today, but right now I'm still getting the "too many connections" error message so that has little or no effect. This is the same issue that has been happening for months, so its the servers that need some work to solve it as was done early in March before.

06-08-2007, 11:54 AM	#1 (permalink)
Ecalpon Junior Forumer Join Date: Sep 2006 Posts: 63 Rep Power: 3 fTrader: (0) fBuck$: 489.0 Bank: 777.7 Total fBuck$: 1,266.7 Send fBuck$ » My Forumer My Country:	Ahhhh Caught one! FYI: Just by chance logged into my site to find it extremely slow, but once in I found 18 users browsing the site. "Strange I thought, so many and it's so slow." So I took a closer look. Strange out of the 18 connections 13 were from the 66.48.69.* IP block. In my 20+ years of dealing with the net, this is unheard of. So I traced them back. and found they are all coming from the same ISP, again very strange. Only one thing looks like this and that's a DOS attack. So using what I have in my arsenal, I did some checking and found that the first 6 IP's I looked at were running an unprotected computer. Ok I thought, I got you..... Looking back one hop I found every one of the connections were going through 1 system. So here is the info on the trigger man. IP 205.150.4.164 Domain: www.theglobeandmail.com Subdomain/ User: bob.globeandmail.com Location: North York "just east of Toronto" Canada What you choose to do with this information is up to you, but at least now you know from where and who to look at. I have banned the 66.48.69.* IP block and noticed a slight change in the response of the system. I would suggest that short term you other Admins do the same.

06-08-2007, 12:18 PM	#2 (permalink)
Ecalpon Junior Forumer Join Date: Sep 2006 Posts: 63 Rep Power: 3 fTrader: (0) fBuck$: 489.0 Bank: 777.7 Total fBuck$: 1,266.7 Send fBuck$ » My Forumer My Country:	Re: Ahhhh Caught one! UPDATE! This guy also may be using a Yahoo server under the 74.6.. IP block as a chack shows several accounts at yahoo all starting with the letters "Lj" are also reporting back to the 205.150.4.164 IP

06-08-2007, 12:33 PM	#3 (permalink)
BadBoy0 Junior Forumer Join Date: Sep 2006 Posts: 229 Rep Power: 3 fTrader: (0) fBuck$: 1,952.0 Bank: 0.0 Total fBuck$: 1,952.0 Send fBuck$ » My Forumer My Country:	Re: Ahhhh Caught one! I've done that before but the slowdown issues and "too many connections" errors have been affecting all the forums on the s2 and s3 FFF IPB servers for months. There was a fix done in early March that worked and maintained good performance for almost a month - so I suggest that fix be done again and regularly as part of maintenance? In any case its a server issue, not an individual forum one.

06-08-2007, 02:19 PM	#5 (permalink)
BadBoy0 Junior Forumer Join Date: Sep 2006 Posts: 229 Rep Power: 3 fTrader: (0) fBuck$: 1,952.0 Bank: 0.0 Total fBuck$: 1,952.0 Send fBuck$ » My Forumer My Country:	Re: Ahhhh Caught one! I noted a large number of "guests" yesterday and today from the 74.6.* IP block range too. I found those are a yahoo webcrawler, so probably just a search engine. I don't think they are a problem, just perhaps showing a symptom of the FFF server problem - perhaps it needs more bandwidth or something to handle a lot of users and search engine accesses? The main forumer servers don't seem to have this problem?

06-08-2007, 07:02 PM	#6 (permalink)
BadBoy0 Junior Forumer Join Date: Sep 2006 Posts: 229 Rep Power: 3 fTrader: (0) fBuck$: 1,952.0 Bank: 0.0 Total fBuck$: 1,952.0 Send fBuck$ » My Forumer My Country:	Re: Ahhhh Caught one! I added the 74.6.* IP block for a test to my forum's ban list earlier today, but right now I'm still getting the "too many connections" error message so that has little or no effect. This is the same issue that has been happening for months, so its the servers that need some work to solve it as was done early in March before.

Get your forum today!

Explore

Support

About

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
ahhhh! wth stupid admin panel thingy!grrr	majorchoas	phpBB2 Bug Reports	8	08-14-2005 07:19 PM
Ahhhh!	imported_MasTaFUsion	IPB General Support	1	02-22-2004 05:30 AM