Should I be worried?

#60412 (In Topic #13121)

Community saint

An IP address has been automatically banned

I have gotten this email from my website - should I be worried?
Previously I had noted this IP address spotlighted in an email titled: Suspected hacking attempt

++++++++++++++++++++++++++++++++++++++

An IP address, 188.92.74.40, has been automatically banned for generating 5 hackattack alerts. If you believe these were false alarms, or that the user was manipulated into triggering the alerts, you may wish to unban this IP address. A summary of the alerts follows:


A suspicious GET parameter was given (filter as 1" [/backend.php?type=atom&mode=ocf_forumview&cutoff=1271629397&filter=1%22;]
A suspicious GET parameter was given (filter as 1" [/backend.php?type=atom&mode=ocf_forumview&cutoff=1271629397&filter=1%22;]
A suspicious GET parameter was given (filter as 1" [/backend.php?type=atom&mode=ocf_forumview&cutoff=1271629397&filter=1%22;]
A suspicious GET parameter was given (filter as 1" [/backend.php?type=atom&mode=ocf_forumview&cutoff=1271629397&filter=1%22;]
A suspicious GET parameter was given (filter as 1" [/backend.php?type=atom&mode=ocf_forumview&cutoff=1271629397&filter=1%22;]
A suspicious GET parameter was given (filter as 1" [/backend.php?type=atom&mode=ocf_forumview&cutoff=1271629397&filter=1%22;]


Art and Imagination
of David L Friend

http://davidlfriend.com

  My Art Gallery
powered by ocPortal
 
#60414

Community saint

I have no idea whether you should be worried or not, but your post did bring up a page that I had not seen before. If you go to yoursite.com/backend.php it brings up a list of Atom and RSS feeds. So it looks like someone was trying to access those feeds. As to the alert, my guess was they were trying to access those feeds and maybe use a command to try to force some info that they were not supposed to have access to.

I did a couple of searches on the IP and came up with these links. It appears whoever it is is from Latvia.

Stop Forum Spam - IP Check - 188.92.74.40
Traceroute, Ping, Domain Name Server (DNS) Lookup, WHOIS sbl 188.92.74.40
It does not appear they are blacklisted yet. Maybe you can change that…

Rick Henson

OCP 4.3.2 & 5.0.1
PHP 5.2.5
MySQL 5.0.51a
FireFox 3.6.8
 
#60420

It just looks like a poorly written bot. The bot is finding URLs in your HTML but not parsing it properly; it's leaving a quote mark on the URL, when actually that quote mark is for closing off the URL.

This is fairly common. The bot could be doing lots of things - it could be trying to hack, but it might equally be someone in a computer lab experimenting with writing a toy search engine.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
 
#60554

Community saint

I got another of those hacking incidences. Do the rest of you also get this kind of stuff?

______________________________________
An IP address, 91.201.66.33, has been automatically banned for generating 5 hackattack alerts. If you believe these were false alarms, or that the user was manipulated into triggering the alerts, you may wish to unban this IP address. A summary of the alerts follows:


Gave incorrect login details 30 times over a 15 minute period (brute-force attack) [/index.php?page=login&type=login&redirect=http%3A%2F%2Fprehistoricsillustrated.com%2Fforum%2Findex.php%3Fpage%3Dforumview%26keep_session%3D1486812293&filtered=1]
Gave incorrect login details 30 times over a 15 minute period (brute-force attack) [/index.php?page=login&type=login&redirect=http%3A%2F%2Fprehistoricsillustrated.com%2Fforum%2Findex.php%3Fpage%3Dforumview%26keep_session%3D1486812293&filtered=1]
Gave incorrect login details 30 times over a 15 minute period (brute-force attack) [/index.php?page=login&type=login&redirect=http%3A%2F%2Fprehistoricsillustrated.com%2Fforum%2Findex.php%3Fpage%3Dforumview%26keep_session%3D1486812293&filtered=1]
Gave incorrect login details 30 times over a 15 minute period (brute-force attack) [/index.php?page=login&type=login&redirect=http%3A%2F%2Fprehistoricsillustrated.com%2Fforum%2Findex.php%3Fpage%3Dforumview%26keep_session%3D1486812293&filtered=1]
Gave incorrect login details 30 times over a 15 minute period (brute-force attack) [/index.php?page=login&type=login&redirect=http%3A%2F%2Fprehistoricsillustrated.com%2Fforum%2Findex.php%3Fpage%3Dforumview%26keep_session%3D1486812293&filtered=1]
Gave incorrect login details 30 times over a 15 minute period (brute-force attack) [/index.php?page=login&type=login&redirect=http%3A%2F%2Fprehistoricsillustrated.com%2Fforum%2Findex.php%3Fpage%3Dforumview%26keep_session%3D1486812293&filtered=1]

Manage IP bans from this screen:
http://prehistoricsillustrated.com/adminzone/index.php?page=admin_ipban&type=misc


Art and Imagination
of David L Friend

http://davidlfriend.com

  My Art Gallery
powered by ocPortal
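
A triage sketch for the two alert types quoted in this thread (the suspicious `filter` parameter in the first post and the brute-force login alert above), added here as an example and not ocPortal's own code. The `trailing-quote-only` rule is a heuristic assumed for illustration, following the "bot left the closing quote on the URL" explanation in #60420; the sample lines are copied from the alerts in this thread, and the label names are made up for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Sample input: alert summary lines as quoted in this thread.
SAMPLE = '''\
A suspicious GET parameter was given (filter as 1" [/backend.php?type=atom&mode=ocf_forumview&cutoff=1271629397&filter=1%22;]
A suspicious GET parameter was given (filter as 1" [/backend.php?type=atom&mode=ocf_forumview&cutoff=1271629397&filter=1%22;]
Gave incorrect login details 30 times over a 15 minute period (brute-force attack) [/index.php?page=login&type=login&redirect=http%3A%2F%2Fprehistoricsillustrated.com%2Fforum%2Findex.php%3Fpage%3Dforumview%26keep_session%3D1486812293&filtered=1]
'''

# "<reason text> [<request path and query>]"
ALERT = re.compile(r'^(?P<reason>.*?)\s*\[(?P<url>/[^\]\s]*)\]\s*$')
# Name of the parameter the alert flagged, e.g. "(filter as ..."
PARAM = re.compile(r'suspicious GET parameter was given \((?P<name>\w+) as')
# Heuristic (assumption): a plain token followed only by one stray quote and an
# optional ';' is what a crawler that mis-cuts an href attribute would request.
STRAY_QUOTE = re.compile(r'^[\w.-]*["\'];?$')

def classify(line):
    """Return (label, url) for one alert line, or None if it is not an alert."""
    m = ALERT.match(line.strip())
    if not m:
        return None
    reason, url = m.group('reason'), m.group('url')
    if 'brute-force' in reason:
        return ('brute-force-login', url)
    p = PARAM.search(reason)
    if p:
        # Decode the query string and inspect only the flagged parameter.
        qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
        values = qs.get(p.group('name'), [])
        if values and all(STRAY_QUOTE.match(v) for v in values):
            return ('trailing-quote-only', url)
        return ('needs-review', url)   # anything else deserves a human look
    return ('other', url)

def summarize(text):
    """Count alert labels across a whole ban email."""
    return Counter(c[0] for c in map(classify, text.splitlines()) if c)

if __name__ == '__main__':
    for label, count in summarize(SAMPLE).items():
        print(f'{count:3d}  {label}')
```

A `trailing-quote-only` result only says the request shape matches a mis-parsed link; it does not say who sent it or why, so the ban decision still rests with the site owner.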
 
#60644

Community saint

Aye, I have gotten a few of them as well, and have been grateful that ocPortal caught and banned them.

Legends of Nor'Ova: A site powered by ocPortal; home of the Legends of Nor'Ova tabletop RPG wiki and community.

Like ocPortal? Want to thank Chris and gang somehow? Then help out in the chat room! It really needs your help! Just open it in a tab every time you open your web browser, and when you hear a "ding", check it out!

"Those who want help should first be willing to give help."
 
#60649

Community saint

I get a few now and then, but just ignore it. Nothing is happening to my site to worry about it. {finds wood to knock on}

Eric DeMars . com
My electronic portfolio and personal site. Uses ocPortal!