Old 02-25-2002, 05:31 PM   #1
Plat
Being attacked by a hitbotter. It's killing all my trades through UCJ

I've been sittin here babysittin my trades all day, and not more than 30 minutes ago someone started running a hitbot on my c.cgi file, causing my "trades OUT" number to increase by 500%,
thus making all the trade cookies go to -0.10, killing every large trade I have.

Is there something I can do to prevent this bastard from hitting me again?

Rename my c.cgi file?
Make a PHP file and encase the c.cgi file into it?

Please help, I'm desperate
__________________
Im fuckin retired
Old 02-25-2002, 05:35 PM   #2
4Pics
in your hosts.allow file put

deny from 100.100.100.100

replace 100.100 with his ip

renaming c.cgi won't help

Also you can sign up for proxyguard.com's service and get a week free (I read that in another thread)
Old 02-25-2002, 05:44 PM   #3
Plat
K I looked in my "nocookie" thing on UCJ and I got this back...



"nocookie" under HOUR

36
0
12251


that's 36 in 12251 clicks. gawd damn
so now I'm opening Show Details


Incoming Repetitive IP's

Outgoing Repetitive IP's

Are those big outgoing ip's the hitbotter?
Old 02-25-2002, 05:47 PM   #4
boneprone
I'm lost. What happened?
What exactly did they do and what did it show on your admin page?
__________________

Industry Hall Of Fame Legend Mike Jones
Bow to the Power - Still BP4L
http://gfyawards.com/hall-of-fame
Learn about it kids.
Old 02-25-2002, 05:56 PM   #5
boneprone
look at that outgoing repeat ip list!
Wow!

Where did you access your ip list?
Old 02-25-2002, 06:11 PM   #6
Plat
that's from the "nocookie"

u know those 4 things that are in along with each member

error
gallery
no ref
nocookie

then i clicked Show Details
Old 02-25-2002, 06:15 PM   #7
boneprone
What version of UCJ do you have?
I'm still lost?
I don't have that shit in my ucj?
I have no cookie and no referrer
Old 02-25-2002, 06:17 PM   #8
Plat
nocookie is the one I'm talking about

4.1.5 I think
Old 02-25-2002, 06:48 PM   #9
s9ann0
dude go into your webserver config file and above the virtualhost entries add something like this:


<Directory />
order deny,allow
deny from hitbotters_ip
</Directory>

and restart apache -
Old 02-25-2002, 06:48 PM   #10
s9ann0
you need to add that in a

directory /

entry the board removed the code
Old 02-25-2002, 06:58 PM   #11
TheFLY
Nobody is safe from a dos attack... I'm pretty sure there's no way to block such attacks... best to have more than one site in this case -- and don't make enemies...
Old 02-25-2002, 10:37 PM   #12
Plat
check out this craziness after a couple hours



Compare that list and the one above.
Old 02-25-2002, 10:43 PM   #13
Plat
Here's the main culprits this round....


151.29.193.109 aka ppp-109-193.29-151.libero.it

151.202.107.101 aka pool-151-202-107-101.ny5030.east.verizon.net

212.160.98.116 aka promien.prz.rzeszow.pl
211.96.110.3 aka unknown


If anyone else wants to help me out here.

Are these proxies?
Can you probe some ports?
Get some computer names?
nbtstat get some shared folders?

eh? :c)
Old 02-25-2002, 11:05 PM   #14
TheFLY
This one is in Poland and not anonymous...

212.160.98.116

you could find out what IP is using this proxy -- depending on what kind of logs/script you have...
Old 02-26-2002, 10:39 AM   #15
Plat
Just been attacked again by

11244 - 149.156.102.212

This .. sucks!
Old 02-26-2002, 10:40 AM   #16
Plat
BTW I asked Tim what to do about it.

He advised me to change all my trades to Capped 1.7 ratios.
So far it seems to be working out but I haven't seen another attack since then to test it out.
Old 02-26-2002, 05:22 PM   #17
Burtman
Plat it started with me a few weeks ago. I know what script it is and I imagine Tim does as well.
I have the site bookmarked. It is an image harvesting software that surfers are installing. So far all I have been doing is watching my nocookie stats and blocking the ip's via htaccess.
They still sneak in though and in a matter of minutes completely fuck up productivity on all trades.

Burtman
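
A way to automate the triage described in the post above, as an added example that is not part of the original post or of UCJ: it parses a constructed listing in the "count - address" layout quoted in this thread, skips label rows and RFC 1918 addresses, flags addresses far above the median, and renders them as Deny lines in the style of post #9. The thresholds, function names and sample addresses (documentation ranges) are assumptions.

```python
import ipaddress
import re
import statistics

# Constructed sample rows in the "count - address" layout (documentation-range addresses).
SAMPLE = """\
7562 - 203.0.113.20
5607 - 198.51.100.7
398 - 192.0.2.15
362 - 192.0.2.16
100601 - none
398 - 192.0.2.15
232 - unknown
213 - 198.51.100.44, 198.51.100.45
84 - 192.168.28.170
"""
ROW = re.compile(r"^[ \t]*(\d+)[ \t]+-[ \t]+(.+?)[ \t]*$", re.M)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_counts(text):
    """Return {address: highest count seen}, skipping labels and RFC 1918 addresses."""
    totals = {}
    for count, rest in ROW.findall(text):
        for token in rest.split(","):  # a row may list several addresses
            try:
                ip = ipaddress.ip_address(token.strip())
            except ValueError:
                continue  # "none", "unknown" and similar labels
            if any(ip in net for net in RFC1918):
                continue  # private address: not a routable client address to deny
            totals[str(ip)] = max(totals.get(str(ip), 0), int(count))
    return totals

def flag_outliers(totals, factor=5, floor=1000):
    """Addresses above both `floor` and factor x the median count, busiest first."""
    if not totals:
        return []
    limit = max(floor, factor * statistics.median(totals.values()))
    return sorted((ip for ip, n in totals.items() if n > limit),
                  key=lambda ip: -totals[ip])

def deny_block(addresses):
    """Render Deny lines inside the <Directory /> block shown in post #9."""
    body = [f"Deny from {ip}" for ip in addresses]
    return "\n".join(["<Directory />", "Order Deny,Allow", *body, "</Directory>"])

if __name__ == "__main__":
    print(deny_block(flag_outliers(parse_counts(SAMPLE))))
```

As the post above notes, blocked clients still return from other addresses, so a block list like this only speeds up the manual step; the ratio cap from post #16 limits the damage independently of it.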
Old 02-26-2002, 05:25 PM   #18
Theo
I'm hitbotting you!!

Last edited by Theo; 02-26-2002 at 05:33 PM..