1 emile Sep 18, 2007 18:35
3 gr8dude Feb 04, 2008 21:57
I am having a similar problem. Is it 'only' a problem of wasted bandwidth? Or should we worry about this? If you look at the tooltip, you will see that the URL contains a suspicious address.
http://img520.imageshack.us/img520/34/b2evohitspamdj1.jpg
So far there seems to be no harm done, except the fact that on a daily basis I spend 4x the bandwidth that would be used on a normal day.
The offending IP addresses are different. If I ban this one today, tomorrow it will happen again, a different IP being involved. Banning an IP post-factum doesn't do much.
Emile, do you happen to have 'Democracy poll' on your site?
4 edb Feb 04, 2008 22:36
It looks like a very rude robot based on the instantaneous hit times. Long ago I had a way to tweak the hitlog into showing me lots of info it had by IP but can't do it anymore.
Do your server logs help you narrow it down to maybe a 'bot you can ban with both robots.txt and .htaccess?
5 john Feb 04, 2008 22:39
I've also just been hit with this....
It does seem to have passed on though and things are back to normal, I hope
6 edb Feb 04, 2008 22:54
The IP that seemed to love me went back to ATT Worldnet - an ISP. Very rude 'bot in that it would hit pages just as fast as it could >:-<
7 gr8dude Feb 04, 2008 23:01
This has been happening for no longer than a month. Each time it's a different IP, so I guess there's no point in banning them; what if the owner of one of these zombie machines actually wants to visit my site? (-:
As John wrote, this did seem to go back to normal, but these hits come again after a while.
Taking into account the fact that the hits are "rude" (in terms used by EdB), I will see if my host offers an anti-DoS feature; it would be great if b2evo had such a function (if this problem becomes common).
The reason I mentioned Democracy poll is that the first time this happened to me was a couple of days after I installed the plugin. One of the polls had the "allow readers to add options" turned on. I changed the poll shortly (disabling the option), but afterwards I kept getting a lot of such hits, trying to open URL's such as ......./democracy_poll.php&add_option="http://blablabla" (you got the idea)
So my guess is that the purpose of these hits is to find open polls and post options that are links to malicious sites. I am not sure there is a connection between Democracy poll and these hits (the new hits don't attempt to use the poll), but this is what I've noticed, perhaps this piece of information will make the picture complete.
8 mn_cedars Feb 09, 2008 01:53
As a follow up to this, in my log files these posters info looks like this:
myBlog/index.php?blog=4&title=science_main_page&more=
http%3A%2F%2Fwww.syntasoft.com%2Fforum%2FThemes%2Frowizah%2Fnisahuc%2F
&c=1&tb=1&pb=1 HTTP/1.1
The above is legitimate up to science_main_page, then its not things from myBlog. There are multiple log entries like this with various .coms .ru .uk as addresses.
And some of the words are things that trigger flags for me such as this one:
rabotnitsa.ru%2Fjoomla%2Fadministrator%2Fincludes%
Can anyone interpret this for me; such as guesses about what is being attempted. So far, no damage, inconvience, etc. I was thinking its someone looking to hijack/hack email for spamming/botting others.
I am not shy about adding IPs to my ban list, but I am not sure how feeds work in the blog world. So is there anyway this could be legitimate?
1st example IP 80.78.81.194 out of Germany
2nd example IP 195.10.226.212 out of UK
9 yabba Feb 09, 2008 11:29
It's a kiddie scripter looking for open exploits
¥
Because the IP is from a distict range, you could best deny this range from your blog. You do so by adding a line in your .htacces. [url=http://forums.b2evolution.net/viewtopic.php?t=12665&start=0&postdays=0&postorder=asc&highlight=htaccess]This post[/url] is the most recent about this topic. It provides you a couple of links that should help you further.
Good luck