Hacker attack...log file within...

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • Jade
    Confirmed User
    • Jun 2001
    • 329

    #1

    Hacker attack...log file within...

    Hi,

    Is there anyway I can stop this attack....my log files are filled with thousands of these entries:

    [Tue Feb 12 18:45:55 2002] [error] [client 212.216.172.65] user fuvex123 not found: /members/
    [Tue Feb 12 18:45:55 2002] [error] [client 193.193.193.97] user 072998 not found: /members//
    [Tue Feb 12 18:45:56 2002] [error] [client 200.245.82.66] user graham not found: /members/
    [Tue Feb 12 18:45:56 2002] [error] [client 195.58.191.18] user maxiner not found: /members/
    [Tue Feb 12 18:45:56 2002] [error] [client 210.201.31.226] user domrot not found: /members/
    [Tue Feb 12 18:45:56 2002] [error] [client 217.59.184.182] user tatara not found: /members/
    [Tue Feb 12 18:45:57 2002] [error] [client 210.160.73.210] user mchawk not found: /members/
    [Tue Feb 12 18:45:57 2002] [error] [client 210.160.240.22] user jmprxxx not found: /members/ /
    [Tue Feb 12 18:45:58 2002] [error] [client 57.68.137.6] user vdoggg not found: /members/
    [Tue Feb 12 18:45:58 2002] [error] [client 194.78.102.155] user humans not found: /members/
    [Tue Feb 12 18:45:58 2002] [error] [client 217.58.162.210] user jmprxxx not found: /members/
    [Tue Feb 12 18:45:58 2002] [error] [client 61.136.187.66] user lofficer not found: /members/
    [Tue Feb 12 18:45:58 2002] [error] [client 194.79.109.46] user darkone not found: /members/
    [Tue Feb 12 18:45:58 2002] [error] [client 200.27.182.30] user samalex not found: /members/
    [Tue Feb 12 18:45:58 2002] [error] [client 200.245.82.66] user zxcv not found: /members/

    Any help will be much appreciated!

    Jade

    Cum see me at http://BlowjobJade.com
  • SR
    Confirmed User
    • Jul 2001
    • 2239

    #2
    Not really an attack I think
    Looks more like someone using a program and trying to find the right password
    The program use a list of proxies and a file with tons of passwords and it will start scanning and hope it'll find something.

    If they would attack you they would knock your server down.

    Comment

    • SR
      Confirmed User
      • Jul 2001
      • 2239

      #3
      I'm not sure but I heard creating a bunch of fake passwords would work well

      Just create users with login: user password: user
      or login: free password: free
      just a bunch of easy ones and direct them to a fake area or better sent them to your joinpage

      Comment

      • Dualcpu
        Confirmed User
        • Nov 2001
        • 488

        #4
        Might be a brute force attack - trying endless combinations of usernames/passwords.

        Scripts like pennywize.com usually stop brute force attacks.

        P.

        Comment

        • Jade
          Confirmed User
          • Jun 2001
          • 329

          #5
          It does keep killing my server! Can software stop it even though it shows a different IP address for each attempt?

          Cum see me at http://BlowjobJade.com

          Comment

          • AdultWire
            Confirmed User
            • Feb 2002
            • 962

            #6
            I would start by seeing if you can find any uniquely identifiable information about the attacker. Chances are, he reports the same user agent every time he hits -- If the user agent is an unusual (or unique) agent, just set up a mod_rewrite rule that forbids him. He won't even notice (cause he already gets forbid errors when he sends the wrong password), but he will never hit a correct password. You could also send a shorter forbidden document to save bandwidth, and if it persists for more than a few days, contact the proxy owners to let them know their open proxy's are being used for hacking attempts.
            SIG TOO BIG! Maximum 120x60 button and no more than 3 text lines of DEFAULT SIZE and COLOR. Unless your sig is for a GFY top banner sponsor, then you may use a 624x80 instead of a 120x60.

            Comment

            • Jade
              Confirmed User
              • Jun 2001
              • 329

              #7
              I joined pennywize.com. It's catching some but because there are thousands of attempts all with different ip addresses pennywize isn't catching them. Any other alternatives to put a stop to this? It is ruining my site...server keeps crashing and members are cancelling!

              Kisses,

              Jade

              Cum see me at http://BlowjobJade.com

              Comment

              • Shoplifter
                Richest man in Babylon
                • Jan 2002
                • 5848

                #8
                Go to the Cavecreek password theft site at www.passwordforum.com and politely ask them to stop.

                I Like Blondes

                Comment

                • drunkmonkey
                  Confirmed User
                  • Feb 2002
                  • 799

                  #9
                  From what I can tell from the limited info here is that this is a coordinated attack of trojaned computers. It is becoming a quite frequent method of attack on servers and is extremely difficult to thwart.

                  The way it works is trojans are placed on individuals computers giving the attacker root access and total control of said computers. When a computer (i.e. your server) is targeted, all of the trojaned computers send predefined commands to the target. It is a very hard attack to stop. Here is an example of a Denial of Service attack recorded in detail using this attack method.

                  http://grc.com/dos/grcdos.htm

                  The information that the attacker is looking for (password) must be relayed back to the attacker. Since each i.p address is different, the attacks are coming from different computers. The i.p. addresses cannot be faked because a packet must be sent back if the password is to be found. Spoofed attacks are good for Denial of Service attacks but nothing else. Your attacker CAN be traced.

                  I would suggest logging all of the i.p. numbers, tracing them and attempt to contact as many of the owners as possible. When you can contact someone who is willing to help, inform them of the fact that their computer is being used to attack your server. Locate the trojan file on their computer, decompile it or do whatever to establish where the trojan is SENDING the information. The course of action that you take depends on where the information is being funneled to.

                  A computer security professional will most likely have to be consulted. The best place to find the best in the business is

                  http://www.securityfocus.com/archive/1

                  my

                  Comment

                  • Shoplifter
                    Richest man in Babylon
                    • Jan 2002
                    • 5848

                    #10
                    It's just some kid with Goldeneye and a proxy list trying to hack the server.

                    Is it becomes real trouble you can exclude routes for each of these ip's. But I can guess who is probably doing this (see my previous post).

                    If you have not adjusted your server to handle more than 256 processes it can be a bitch and shut it right down.
                    I Like Blondes

                    Comment

                    • cosis
                      Confirmed User
                      • Aug 2001
                      • 5292

                      #11
                      Check out my log from yesterday:

                      Feb 14 08:13:39 pinkworld ftpd[559]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, adm
                      Feb 14 08:13:39 pinkworld ftpd[562]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, adm
                      Feb 14 08:13:39 pinkworld ftpd[570]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
                      Feb 14 08:13:39 pinkworld ftpd[557]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, adm
                      Feb 14 08:13:39 pinkworld ftpd[571]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, adm
                      Feb 14 08:13:39 pinkworld ftpd[565]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, adm
                      Feb 14 08:13:39 pinkworld ftpd[573]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
                      Feb 14 08:13:39 pinkworld ftpd[574]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
                      Feb 14 08:13:40 pinkworld ftpd[568]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, adm
                      Feb 14 08:13:40 pinkworld ftpd[572]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, adm
                      Feb 14 08:13:40 pinkworld ftpd[577]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
                      Feb 14 08:13:40 pinkworld ftpd[579]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
                      Feb 14 08:13:40 pinkworld ftpd[583]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
                      Feb 14 08:13:40 pinkworld ftpd[578]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
                      Feb 14 08:13:40 pinkworld ftpd[575]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, adm
                      Feb 14 08:13:40 pinkworld ftpd[580]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
                      Feb 14 08:13:40 pinkworld ftpd[581]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
                      Feb 14 08:13:40 pinkworld ftpd[582]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
                      Feb 14 08:13:40 pinkworld ftpd[584]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
                      Feb 14 08:13:40 pinkworld ftpd[585]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
                      Feb 14 08:13:40 pinkworld ftpd[586]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
                      Feb 14 08:13:40 pinkworld ftpd[587]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
                      Feb 14 08:13:40 pinkworld ftpd[588]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
                      Feb 14 08:13:42 pinkworld ftpd[591]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, 082263
                      Feb 14 08:13:44 pinkworld ftpd[591]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, 293736
                      Feb 14 08:13:46 pinkworld ftpd[591]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, 241827
                      Feb 14 08:13:50 pinkworld ftpd[591]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, 050767
                      Feb 14 08:13:54 pinkworld ftpd[591]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, 262074
                      Feb 14 08:13:59 pinkworld ftpd[591]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, 977119

                      Comment

                      • Smegma
                        Confirmed User
                        • Feb 2002
                        • 1751

                        #12
                        Pretty simple - just block the IP. Use any number of utilities for any operating system to do this. Should take no more than 10 minutes.

                        What OS are your running?
                        <a href="http://www.jupiterhosting.com"><img src="http://www.jupiterhosting.com/banners/55x55.jupiter.gif" alt="" border="0" align=""></a>

                        Comment

                        • Speedy26
                          Confirmed User
                          • Apr 2001
                          • 950

                          #13
                          Originally posted by Jade
                          I joined pennywize.com. It's catching some but because there are thousands of attempts all with different ip addresses pennywize isn't catching them. Any other alternatives to put a stop to this? It is ruining my site...server keeps crashing and members are cancelling!

                          Kisses,

                          Jade


                          Hello : )

                          anyone that has a paysite should check out this script.
                          http://www.monster-submit.com/sentry/ its called password sentry. its only $65 to own, none of that renting crap.. and its not $600 bucks like other password scripts that wont do what this script will do.

                          Jade listen to me buy this script, as long as its installed and set up correctly you will be very happy.

                          i used to get that all the time, tried pennywize but it takes to long to delete the password. about a year ago i found this script and have no problems. it runs on your server and will ban IP's on the fly you can set it to ban an IP after 3 tries. really helps with brute force attacks also. you set the amount of IP's the passwords can access, has a handy admin that shows you how many times each password is used each day and the IP's that used it.

                          if you get it, set it up to use fourms not .htaccess after about two months of getting blocked they will leave your site alone
                          http://www.amberscash.com webmaster {at} crazynakedchick [dot] com

                          Comment

                          Working...