Hacker attack...log file within...
Hi,
Is there any way I can stop this attack? My log files are filled with thousands of these entries:

[Tue Feb 12 18:45:55 2002] [error] [client 212.216.172.65] user fuvex123 not found: /members/
[Tue Feb 12 18:45:55 2002] [error] [client 193.193.193.97] user 072998 not found: /members//
[Tue Feb 12 18:45:56 2002] [error] [client 200.245.82.66] user graham not found: /members/
[Tue Feb 12 18:45:56 2002] [error] [client 195.58.191.18] user maxiner not found: /members/
[Tue Feb 12 18:45:56 2002] [error] [client 210.201.31.226] user domrot not found: /members/
[Tue Feb 12 18:45:56 2002] [error] [client 217.59.184.182] user tatara not found: /members/
[Tue Feb 12 18:45:57 2002] [error] [client 210.160.73.210] user mchawk not found: /members/
[Tue Feb 12 18:45:57 2002] [error] [client 210.160.240.22] user jmprxxx not found: /members/ /
[Tue Feb 12 18:45:58 2002] [error] [client 57.68.137.6] user vdoggg not found: /members/
[Tue Feb 12 18:45:58 2002] [error] [client 194.78.102.155] user humans not found: /members/
[Tue Feb 12 18:45:58 2002] [error] [client 217.58.162.210] user jmprxxx not found: /members/
[Tue Feb 12 18:45:58 2002] [error] [client 61.136.187.66] user lofficer not found: /members/
[Tue Feb 12 18:45:58 2002] [error] [client 194.79.109.46] user darkone not found: /members/
[Tue Feb 12 18:45:58 2002] [error] [client 200.27.182.30] user samalex not found: /members/
[Tue Feb 12 18:45:58 2002] [error] [client 200.245.82.66] user zxcv not found: /members/

Any help will be much appreciated!
Jade
Not really an attack, I think.
Looks more like someone using a program and trying to find the right password. The program uses a list of proxies and a file with tons of passwords, and it will start scanning and hope it'll find something. If they wanted to attack you they would knock your server down.
I'm not sure, but I heard creating a bunch of fake passwords would work well.
Just create users with login: user / password: user, or login: free / password: free, just a bunch of easy ones, and direct them to a fake area, or better, send them to your join page.
Might be a brute force attack - trying endless combinations of usernames/passwords.
Scripts like pennywize.com usually stop brute force attacks.
P.
It does keep killing my server! Can software stop it even though it shows a different IP address for each attempt?
I would start by seeing if you can find any uniquely identifiable information about the attacker. Chances are he reports the same user agent every time he hits. If the user agent is an unusual (or unique) agent, just set up a mod_rewrite rule that forbids him. He won't even notice (since he already gets forbidden errors when he sends the wrong password), but he will never hit a correct password. You could also send a shorter forbidden document to save bandwidth, and if it persists for more than a few days, contact the proxy owners to let them know their open proxies are being used for hacking attempts.
I joined pennywize.com. It's catching some, but because there are thousands of attempts all with different IP addresses, pennywize isn't catching them. Any other alternatives to put a stop to this? It is ruining my site... the server keeps crashing and members are cancelling!
Kisses, Jade
Go to the Cavecreek password theft site at www.passwordforum.com and politely ask them to stop.
Graucho
From what I can tell from the limited info here, this is a coordinated attack from trojaned computers. It is becoming a quite frequent method of attack on servers and is extremely difficult to thwart.
The way it works is that trojans are placed on individuals' computers, giving the attacker root access and total control of those computers. When a computer (i.e. your server) is targeted, all of the trojaned computers send predefined commands to the target. It is a very hard attack to stop. Here is an example of a Denial of Service attack recorded in detail using this attack method: http://grc.com/dos/grcdos.htm

The information that the attacker is looking for (the password) must be relayed back to the attacker. Since each IP address is different, the attacks are coming from different computers. The IP addresses cannot be faked, because a packet must be sent back if the password is to be found. Spoofed attacks are good for Denial of Service attacks but nothing else. Your attacker CAN be traced. I would suggest logging all of the IP numbers, tracing them and attempting to contact as many of the owners as possible. When you can contact someone who is willing to help, inform them of the fact that their computer is being used to attack your server. Locate the trojan file on their computer, decompile it or do whatever to establish where the trojan is SENDING the information. The course of action that you take depends on where the information is being funneled to. A computer security professional will most likely have to be consulted. The best place to find the best in the business is http://www.securityfocus.com/archive/1

My 2 cents.
It's just some kid with Goldeneye and a proxy list trying to hack the server.
If it becomes real trouble you can exclude routes for each of these IPs. But I can guess who is probably doing this (see my previous post). If you have not adjusted your server to handle more than 256 processes it can be a bitch and shut it right down.
Check out my log from yesterday:
Feb 14 08:13:39 pinkworld ftpd[559]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, adm
Feb 14 08:13:39 pinkworld ftpd[562]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, adm
Feb 14 08:13:39 pinkworld ftpd[570]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
Feb 14 08:13:39 pinkworld ftpd[557]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, adm
Feb 14 08:13:39 pinkworld ftpd[571]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, adm
Feb 14 08:13:39 pinkworld ftpd[565]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, adm
Feb 14 08:13:39 pinkworld ftpd[573]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
Feb 14 08:13:39 pinkworld ftpd[574]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
Feb 14 08:13:40 pinkworld ftpd[568]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, adm
Feb 14 08:13:40 pinkworld ftpd[572]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, adm
Feb 14 08:13:40 pinkworld ftpd[577]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
Feb 14 08:13:40 pinkworld ftpd[579]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
Feb 14 08:13:40 pinkworld ftpd[583]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
Feb 14 08:13:40 pinkworld ftpd[578]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
Feb 14 08:13:40 pinkworld ftpd[575]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, adm
Feb 14 08:13:40 pinkworld ftpd[580]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
Feb 14 08:13:40 pinkworld ftpd[581]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
Feb 14 08:13:40 pinkworld ftpd[582]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
Feb 14 08:13:40 pinkworld ftpd[584]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
Feb 14 08:13:40 pinkworld ftpd[585]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
Feb 14 08:13:40 pinkworld ftpd[586]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
Feb 14 08:13:40 pinkworld ftpd[587]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
Feb 14 08:13:40 pinkworld ftpd[588]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, root
Feb 14 08:13:42 pinkworld ftpd[591]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, 082263
Feb 14 08:13:44 pinkworld ftpd[591]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, 293736
Feb 14 08:13:46 pinkworld ftpd[591]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, 241827
Feb 14 08:13:50 pinkworld ftpd[591]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, 050767
Feb 14 08:13:54 pinkworld ftpd[591]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, 262074
Feb 14 08:13:59 pinkworld ftpd[591]: FTP LOGIN FAILED FROM 53.163.ts24.dn.dialup.cityline.ru, 977119
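Added example, not from this thread or from any of the products named in it: a small Python script that parses both log formats quoted in the thread (the Apache error_log "user ... not found" lines from the first post and the ftpd "FTP LOGIN FAILED" lines just above) and applies the two checks the replies describe: a per-source threshold ("ban an IP after 3 tries") and a rate check across all sources, which is what the first post actually needs when every attempt comes from a different proxy. The sample log is constructed in the same shape as the thread's lines, with RFC 5737 placeholder addresses and an example.net hostname; the thresholds, window size and function names are my own choices.

```python
import re
from collections import Counter
from datetime import datetime

# Patterns for the two formats quoted in the thread: an Apache 1.3 error_log
# auth failure and an ftpd syslog line. Any other line is ignored.
APACHE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<src>[^\]]+)\] "
    r"user (?P<user>\S+) not found: (?P<uri>\S+)"
)
FTPD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ ftpd\[\d+\]: "
    r"FTP LOGIN FAILED FROM (?P<src>\S+), (?P<user>\S+)$"
)

# Constructed sample in the shape of the thread's logs (placeholder hosts).
# Six web failures in three seconds from five different client addresses,
# plus four FTP failures from one dial-up host, plus one unrelated line.
SAMPLE_LOG = """\
[Tue Feb 12 18:45:55 2002] [error] [client 198.51.100.10] user fuvex123 not found: /members/
[Tue Feb 12 18:45:55 2002] [error] [client 198.51.100.11] user 072998 not found: /members//
[Tue Feb 12 18:45:56 2002] [error] [client 198.51.100.12] user graham not found: /members/
[Tue Feb 12 18:45:56 2002] [error] [client 198.51.100.13] user maxiner not found: /members/
[Tue Feb 12 18:45:57 2002] [error] [client 198.51.100.14] user domrot not found: /members/
[Tue Feb 12 18:45:58 2002] [error] [client 198.51.100.10] user zxcv not found: /members/
[Tue Feb 12 18:46:30 2002] [notice] caught SIGTERM, shutting down
Feb 14 08:13:39 pinkworld ftpd[559]: FTP LOGIN FAILED FROM dialup.example.net, adm
Feb 14 08:13:39 pinkworld ftpd[570]: FTP LOGIN FAILED FROM dialup.example.net, root
Feb 14 08:13:40 pinkworld ftpd[583]: FTP LOGIN FAILED FROM dialup.example.net, root
Feb 14 08:13:42 pinkworld ftpd[591]: FTP LOGIN FAILED FROM dialup.example.net, 082263
"""


def parse_line(line):
    """Return {'ts', 'src', 'user'} for a failed-login line, or None otherwise."""
    m = APACHE_RE.match(line)
    if m:
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    else:
        m = FTPD_RE.match(line)
        if not m:
            return None
        # syslog timestamps carry no year; strptime fills in 1900, which is
        # acceptable here because we only compare times within one log.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "src": m.group("src"), "user": m.group("user")}


def parse_log(text):
    """Parse every recognised failed-login line in a block of log text."""
    records = (parse_line(line) for line in text.splitlines())
    return [r for r in records if r is not None]


def per_source_counts(records):
    """Failed logins per client address or hostname."""
    return Counter(r["src"] for r in records)


def sources_over_threshold(records, threshold=3):
    """Sources with at least `threshold` failures: the per-IP ban rule the
    thread recommends. Catches one host hammering ftpd; misses a proxied run
    where each address only shows up once or twice."""
    return sorted(src for src, n in per_source_counts(records).items() if n >= threshold)


def burst_detected(records, window_seconds=10, min_failures=10):
    """True if any window of `window_seconds` holds at least `min_failures`
    failures counted across ALL sources (sliding window over sorted times).
    This is the check that fires on the first post's log even though no
    single client address reaches a per-IP threshold."""
    times = sorted(r["ts"] for r in records)
    start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        if end - start + 1 >= min_failures:
            return True
    return False


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("failures per source:", dict(per_source_counts(recs)))
    print("over per-IP threshold (3):", sources_over_threshold(recs, 3))
    print("burst across sources (5 in 5s):", burst_detected(recs, 5, 5))
```

On the sample, the per-IP rule flags only the dial-up FTP host, while the web attempts spread over five addresses pass under it; the cross-source window check is what turns "thousands of attempts, all with different IP addresses" into something a script can react to (throttling the login URL, raising an alert, or feeding the rate into whatever blocker is in use).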
Pretty simple: just block the IP. Use any number of utilities for any operating system to do this. Should take no more than 10 minutes.
What OS are you running?
Quote:
Hello : ) Anyone that has a paysite should check out this script: http://www.monster-submit.com/sentry/ It's called Password Sentry. It's only $65 to own, none of that renting crap, and it's not $600 bucks like other password scripts that won't do what this script will do. Jade, listen to me, buy this script; as long as it's installed and set up correctly you will be very happy. I used to get that all the time, tried pennywize but it takes too long to delete the password. About a year ago I found this script and have no problems. It runs on your server and will ban IPs on the fly; you can set it to ban an IP after 3 tries. Really helps with brute force attacks also. You set the amount of IPs the passwords can access, and it has a handy admin that shows you how many times each password is used each day and the IPs that used it. If you get it, set it up to use forums, not .htaccess. After about two months of getting blocked they will leave your site alone :)