TNG Community
Feldman

Entries in site log


Feldman

I am trying to figure out if I have something to worry about. For the last several weeks I have been seeing connects to my site from random IP addresses. As many as 500 in a day.

They all are connecting with the following link, "http://www.feldmanfamily.ws/genroot/showtree.php?tree=Pulfords" (not a valid tree on my site)

Any ideas?

Thanks

Fred

Rush

They are searching for a vulnerability. It's possible the vulnerability existed on one particular site and that is why you are seeing the search string 'Pulfords' as the hack gets passed around to different people.

I had the same hits on my site a while back, but after blocking the user-agent 'libwww-perl', I haven't had a problem.

Rush

Feldman

They are searching for a vulnerability. It's possible the vulnerability existed on one particular site and that is why you are seeing the search string 'Pulfords' as the hack gets passed around to different people.

I had the same hits on my site a while back, but after blocking the user-agent 'libwww-perl', I haven't had a problem.

Rush

How would I go about blocking that user-agent?

Thanks

Fred

Rush

If you are using an Apache server, you can use .htaccess to block it at the server level.

I use this in the .htaccess file (in my root www folder):

SetEnvIfNoCase User-Agent "libwww-perl" keep_out
<Limit GET POST>
order allow,deny
allow from all
deny from env=keep_out
</Limit>

You can also add more user agents to block with additional SetEnvIfNoCase statements, e.g.:

SetEnvIfNoCase User-Agent "Mail.Ru" keep_out

This will kick a 403 error to anything using the libwww-perl agent, which is about 70% of the junk out there.

You can check it out against my site using this page.

Type in:

User Agent Box: libwww-perl

URL Box: http://www.bythedrop.com

and hit the 'Go' button.

Rush

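An added example, not code from the thread or from TNG: a small Python checker that reads Apache combined-format access-log lines and flags the two signs discussed above, the libwww-perl user-agent and requests for the non-existent tree=Pulfords, then counts probes per client IP and how many were still answered 200 rather than the 403 the .htaccess rule produces. The sample log lines, IP addresses and version strings are constructed; only the agent name and the showtree.php path come from the thread.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not taken from any real log).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Feb/2008:19:25:20 -0500] "GET /genroot/showtree.php?tree=Pulfords HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"
198.51.100.23 - - [21/Feb/2008:19:25:58 -0500] "GET /genroot/showtree.php?tree=Pulfords HTTP/1.1" 200 5120 "-" "libwww-perl/5.79"
192.0.2.44 - - [21/Feb/2008:19:26:01 -0500] "GET /genroot/surnames.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0"
203.0.113.7 - - [21/Feb/2008:19:27:11 -0500] "GET /genroot/showtree.php?tree=Pulfords HTTP/1.1" 403 210 "-" "libwww-perl/5.805"
192.0.2.9 - - [21/Feb/2008:19:28:40 -0500] "GET /genroot/getperson.php?personID=I1&tree=tree1 HTTP/1.1" 200 7300 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
"""

# One combined-format line: ip ident user [time] "method path proto" status size "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_combined(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def flag_probes(entries, blocked_agent="libwww-perl", probe_query="tree=Pulfords"):
    """Return entries that carry the blocked agent or ask for the bogus tree (case-insensitive)."""
    return [e for e in entries
            if blocked_agent.lower() in e["agent"].lower()
            or probe_query.lower() in e["path"].lower()]

def summarize(entries, blocked_agent="libwww-perl", probe_query="tree=Pulfords"):
    """Count probes per IP and how many still got a 200 (i.e. the 403 rule did not apply)."""
    probes = flag_probes(entries, blocked_agent, probe_query)
    return {
        "total": len(entries),
        "probes": len(probes),
        "by_ip": Counter(e["ip"] for e in probes),
        "served_200": sum(1 for e in probes if e["status"] == "200"),
    }

if __name__ == "__main__":
    report = summarize(parse_combined(SAMPLE_LOG))
    print(report)
```

Point it at a real access log (`parse_combined(open(path).read())`) after deploying the .htaccess rule: a non-zero served_200 count for the blocked agent means the rule is not yet taking effect.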
Feldman

I set it on my site and it worked fine. Is there a way to modify the log on TNG so the user-agent info is added to log? Just thinking it would be handy to have the additional information.

Thanks,

Fred

Rush

It should be possible using the global:

$_SERVER['HTTP_USER_AGENT']

I'm getting ready to head out the door (Isn't that just like a husband :wink: ), but I can mess around with it later and see how it works out.

Rush

Feldman

It should be possible using the global:

$_SERVER['HTTP_USER_AGENT']

I'm getting ready to head out the door (Isn't that just like a husband :wink: ), but I can mess around with it later and see how it works out.

Rush

Thanks, understand the balancing issues. Dinner with family, help kids with homework, etc. 8-)

I tried adding a little code to log.php and got it working. Don't like the formatting, but at least I have more info now. My knowledge of PHP is improving, still need to learn more though.

Fred

birdman

I have also been visited by libwww-perl searching for Pulfords, which don't exist on my site. I'm not sure what these folks are up to, but I don't like it and am frustrated to the point of taking the site down.

I don't understand how to put a .htaccess file on my site. Can someone explain it, please, and be fairly detailed as I am a dummy when it comes to this kind of stuff.

Thanks to all who help out.

Tom Sparrow

arnold

birdman,

As a start, do you use cPanelX? It may be provided by your ISP/host.

Arnold

birdman

Hi, Arnold ...

I'm afraid I don't know what a cPanelX is.

Tom

arnold

birdman,

cPanelX looks like this. cPanelX allows you to control your website in many, many different ways.

What is the name of your ISP/host? Once we know that, we will have a better way to help you with your .htaccess file.

Arnold

P.S. Anyone else feel free to jump in. I will be going off-line soon for the evening.

birdman

Hi, Arnold ...

I don't have anything that looks like that. My host is Cedant net. They've been the host since 2003 when I first put TNG on-line. The hackers are a fairly recent problem. But I have the libwww-perl dude plus a bunch of visits from just about all over the world if I can believe their addresses. Many of them search for Pulfords and try to use the history template which is not on my site. I have no idea what they're up to, but I don't like them there. I have the site password protected at the moment.

arnold

I went to Cedant.net and do not see anything like an ISP/host.

Help.

birdman

Hi, Arnold ...

First of all, thanks for being willing to help.

I call my host CedantNet. You can find it at www.cedant.com

Thanks.

Tom

arnold

Hi birdman (like this better than Mr. Sparrow)

We are getting there, slowly but surely.

Your ISP/host does have a control panel. You can read about it at www.cedant.com/web-hosting/unix/ced...sting-plan.html. Unfortunately, your ISP/host does not show what the control panel looks like. It gives a description of it if you hover your mouse over the small orange icon. However, the description only appears in M$IE. Not a user-friendly ISP/host, IMHO.

It will be in the control panel that you can easily get to and edit the .htaccess file. Not all ISPs/hosts use cPanelX as their control panel. I had assumed, hoped, that yours did. If any of us knew what your control panel looked like, we could help.

Arnold

birdman

Hi, Arnold ...

I do like birdman better than Mr. Sparrow. But, I like Tom better than birdman. :)

I have a control panel at Cedant net, but don't find anything related to cPanelX. My control panel has a bunch of stuff in it, but I can't see anything related to blocking certain isps.

Tom

arnold

Hi Tom,

In cPanelX, you go to File Manager/public_html and click on .htaccess. In the upper right-hand corner, click on Edit File. Yours may be blank. Here is what I see/have entered in the past:

<Files 403.shtml>
order allow,deny
allow from all
</Files>

deny from archive.org
deny from 4u.com.gh
deny from tactics.be
deny from popl.cable.ntl.com
deny from 64.124.85.76
deny from csupomona.edu
deny from 205.209.170.*
deny from tamu.edu
deny from 75.71.71.225
deny from 70.42.51.10
deny from goo.ne.jp
deny from 61.247.217.36
deny from 61.247.217.
deny from 82.99.30.
deny from 208.96.54.88
deny from 71.136.41.81
deny from 76.22.38.216

After you make any changes, click on Save.

That should do it.

Piece of cake. :grin:

birdman

Hi, Arnold ...

OK. I found some kind of file manager and I found an .htaccess file. Here is what's already in it.

How should I modify it?

# -FrontPage-
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>

<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>

AuthName tomsparrow.net
AuthUserFile /usr/local/www/virtual3/66/175/28/152/html/_vti_pvt/service.pwd
AuthGroupFile /usr/local/www/virtual3/66/175/28/152/html/_vti_pvt/service.grp

arnold

In an earlier post, you noted this visitor libwww-perl searching for Pulfords .

How did this visitor actually appear in your showlog.php file? Here is what our website's showlog file looks like.

Yes, someday you will get an answer from us. But, for now, lots of preliminary questions.

birdman

Mine is very similar. However, it is when I look at the server's log that I find libwww-perl.

In your log, I think you are also being visited/probed/whatever by some of the same people coming to mine.

These two lines from your log in particular are ones I would question ...

Thu 21 Feb 2008 07:25:20 PM Surname List: All Surnames accessed by vanadium.onspeed.com.
Thu 21 Feb 2008 07:24:58 PM Surname List: All Surnames accessed by host86-154-157-123.range86-154.btcentralplus.com.

Here are some similar entries from my TNG log ...

Mon 18 Feb 2008 07:38:31 AM Dates and Anniversaries accessed by 58.90.32.216.static.reverse.ltdomains.com.
Mon 18 Feb 2008 07:38:30 AM Dates and Anniversaries accessed by 201-41-225-237.jvece701.dsl.brasiltelecom.net.br.
Mon 18 Feb 2008 07:36:54 AM Dates and Anniversaries accessed by 201-43-44-99.dsl.telesp.net.br.
Mon 18 Feb 2008 07:36:35 AM Dates and Anniversaries accessed by ppp-20021652220.censanet.com.br.
Mon 18 Feb 2008 07:35:05 AM Dates and Anniversaries accessed by c-98-224-153-16.hsd1.mi.comcast.net.
Mon 18 Feb 2008 07:33:09 AM Dates and Anniversaries accessed by ad3-1-pip1.bluedome.net.

TNGUSER

They are searching for a vulnerability. It's possible the vulnerability existed on one particular site and that is why you are seeing the search string 'Pulfords' as the hack gets passed around to different people.

I had the same hits on my site a while back, but after blocking the user-agent 'libwww-perl', I haven't had a problem.

Rush

I checked my log file, which is set to 500 entries, and found that the entire page was filled with two IP addresses, ALyon-754-1-9-91.w90-53.abo.wanadoo.fr and vps.artikaweb.it. What caught my eye was that multiple entries were preceded by parentheses so they look like this: () accessed by vps.artikaweb.it and () accessed by ALyon-754-1-9-91.w90-53.abo.wanadoo.fr. When I click on the "()" I get a 404 Error Page.

Is the () entry an attempt to find a vulnerability?

Carol

wombmate

In an earlier post, you noted this visitor libwww-perl searching for Pulfords .

How did this visitor actually appear in your showlog.php file? Here is what our website's showlog file looks like.

Arnold,

I viewed your log file and many of the same entries appear in mine as well. Notably, access by 92.66.66.131. According to Project Honey Pot, behavior from the IP address is consistent with that of a comment spammer. I am seeing more and more of these types of entries on a daily basis and while they worry me due to my lack of knowledge about these types of attacks, it doesn't appear that my site has experienced any damage from them. While I have been busy banning the IP addresses, new ones appear daily so I am giving up on banning them as it is wasted energy.

It is, however, very aggravating to sort through the entries to see what normal people are searching for in the way of common ancestors. At times, I take these entries as clues as to who I need to do more research on. I often get excited over finding information for another individual by accident that I get off on tangents and never complete one individual or family. Seeing an entry will bring me back on task.

I implemented Roger's reCAPTCHA on the new user registration, suggest and contact form and it has helped eliminate these scripts from being hammered as the entries from the logfile have all but disappeared. I tried implementing it on the photos, documents, cemeteries and a couple other scripts and it appears to work except that the scripts results are not correct. The mediatypeID passed through the browser after successfully passing the captcha mod is being truncated and everything considered as a document is being displayed.

Like my genealogy, my post is wandering but just wanted to mention that implementing a captcha might eliminate a few of the hits that you (and others) are experiencing.

Darlene

www.sorenson-robey.org

I got to thinking about the logfile during an errand and wanted to clarify about what I stated above. I took a look at my raw access logs and did see where a specific IP address accessed my site but the entry was not recorded in my logfile. Because of the way that the captcha is implemented in my scripts, the logfile entry would only be recorded by the successful completion of answering the captcha questions.

echo tng_coreicons();
@include($cms[tngpath] . "TNG_captcha.php");
writelog( "<a href=....

If a user or bot or ?? were linking directly to the suggest.php script for example, the raw access log would record the hit but unless they completed the captcha, an entry into the logfile would not occur. I didn't mean to imply that the captcha would stop the user from executing a specific script.

If anyone has any thoughts on how to better implement the captcha mod, I am open to suggestions/recommendations. Would it be better to write the entry to the logfile first, thereby recording the fact that a specific script was executed regardless of whether the captcha was answered correctly? Would this more closely correlate with the site's raw access log?

arnold

Darlene,

While I have been busy banning the IP addresses, new ones appear daily so I am giving up on banning them as it is wasted energy.

I do not see it as wasted energy. I use IP Deny Manager to keep them away. That (1) keeps them away and (2) unclogs my log.

I implemented Roger's reCAPTCHA on the new user registration, suggest and contact form and it has helped eliminate these scripts from being hammered as the entries from the logfile have all but disappeared.

For some reason, reCAPTCHA does not work on SimplyHosting. It works on 1and1 for another website I have.

I chuckled over how you described your genealogical adventures. Mine are close to it.

wombmate

Darlene,

I do not see it as wasted energy. I use IP Deny Manager to keep them away. That (1) keeps them away and (2) unclogs my log.

For some reason, reCAPTCHA does not work on SimplyHosting. It works on 1and1 for another website I have.

I chuckled over how you described your genealogical adventures. Mine are close to it.

Arnold,

I am hosted on Simply Hosting as well and didn't have any problems with Roger's reCAPTCHA mod. As I said, I implemented it on suggest.php. You may want to give mine a try. It could be something simple that is causing yours to fail. I am also using Brian's mod for blocking IPs and document site access.

I have been using Project Honey Pot, SenderBase, Geotool, and whois trying to figure out where all these IPs are coming from. One common IP address I have identified thus far is 85.17.90.80, located in the Netherlands, no host identified. I can't repeat a search on another IP address that I searched for the other day, but I went through multiple sites and actually ended up with a street address where the computer was located. I typed the address into Google Maps and came up with a street view of the house. Unbelievable that I could see where the computer was located but not stop it from hitting my site. It is definitely frustrating.

Now that I am at Simply Hosting (moved two weeks ago and love it), I am looking at the Raw Access Log to try to identify the IPs that may not get recorded in my logfile or site access. My .htaccess file is beginning to look like a Who's Who (not quite but it could be) and hence the remark about wasted energy as they just come from another direction. Perhaps I should continue to ban them and eventually, whoever/whatever they are will go away.

Thanks for your encouragement and recommendation not to give up.

Darlene
