Topic: Attempted hack?

Something strange happened on our forums last night: it appears that the view count on any posting with zero replies suddenly shot up to around 13 thousand views. Any ideas? How can I check that the forum is still secure?

I have recently upgraded to 1.2.14.

Thanks

Ste

Re: Attempted hack?

Hack? No :P
The view count tracks the number of times a topic is looked at, that's all. Someone (or something) was obviously refreshing those topics a lot. No hack involved :P

Re: Attempted hack?

Still not convinced. Having checked the log files for Apache, I managed to track down the IP address of the machine that was hitting the forum.

This machine read various pages on the forum 879,292 times; it was only topics that had 0 replies, of which there were 28. On viewing the log files with AWStats, this machine used over 5 GB of bandwidth. There was deffo something going on.

As I say we have narrowed it down to a specific IP address and have informed the relevant ISP.

Ste
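The kind of access-log check described in the post above, as an added example that is not part of the original thread: it totals topic views, distinct topics and bytes per client IP, and flags clients that re-fetch a small set of topics many times. It assumes Apache's combined log format and PunBB-style `viewtopic.php?id=N` URLs; the thresholds, function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Assumption: topics are served as viewtopic.php?id=N.
TOPIC_RE = re.compile(r'/viewtopic\.php\?(?:.*&)?id=(\d+)')

def summarize(lines):
    """Per-IP totals for topic views: hit count, distinct topic ids, bytes sent."""
    stats = defaultdict(lambda: {"hits": 0, "topics": set(), "bytes": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guess at their fields
        t = TOPIC_RE.search(m["path"])
        if not t:
            continue  # not a topic view
        s = stats[m["ip"]]
        s["hits"] += 1
        s["topics"].add(int(t.group(1)))
        if m["bytes"] != "-":
            s["bytes"] += int(m["bytes"])
    return stats

def flag_repeaters(stats, min_hits=100, min_hits_per_topic=20):
    """Clients with many views concentrated on few topics (thresholds are assumptions)."""
    out = []
    for ip, s in stats.items():
        per_topic = s["hits"] / len(s["topics"])
        if s["hits"] >= min_hits and per_topic >= min_hits_per_topic:
            out.append((ip, s["hits"], len(s["topics"]), s["bytes"]))
    return sorted(out, key=lambda r: r[1], reverse=True)

def sample_log():
    """Constructed sample: one client hammering 3 topics, one ordinary reader."""
    fmt = ('{ip} - - [01/Jan/2000:02:{m:02d}:{s:02d} +0000] '
           '"GET /viewtopic.php?id={t} HTTP/1.1" 200 6000 "-" "sample-agent"')
    noisy = [fmt.format(ip="192.0.2.10", m=i // 60, s=i % 60, t=100 + i % 3)
             for i in range(300)]
    normal = [fmt.format(ip="198.51.100.7", m=30, s=i, t=200 + i) for i in range(5)]
    return noisy + normal + ["not a log line"]

if __name__ == "__main__":
    for ip, hits, topics, nbytes in flag_repeaters(summarize(sample_log())):
        print(f"{ip}: {hits} topic views over {topics} topics, {nbytes} bytes")
```

On a real server, pass the open access log file to `summarize()` in place of `sample_log()`.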

Re: Attempted hack?

Obviously, he wasn't using any vulnerabilities to access your board. Probably just the script that fetched empty topics in an attempt to slow/bring down the site, or use some bandwidth :P

Re: Attempted hack?

Jansson wrote:

Obviously, he wasn't using any vulnerabilities to access your board. Probably just the script that fetched empty topics in an attempt to slow/bring down the site, or use some bandwidth :P

That's pretty much what I was thinking happened as well.

Re: Attempted hack?

Maybe someone was eager to know when a reply got posted. ;)

Looking for a certain modification for your forum? Please take a look here before posting.

Re: Attempted hack?

Jansson wrote:

Obviously, he wasn't using any vulnerabilities to access your board. Probably just the script that fetched empty topics in an attempt to slow/bring down the site, or use some bandwidth :P

Yeah, but how useless is that... if you'd write a script to overload/use bandwidth, wouldn't you load topics with posts? :P

Re: Attempted hack?

I noticed a lot of bandwidth usage with various RSS parsers/readers.
They often update to verify if there are changes in the topic/blog/site and are sometimes very badly configured with a wait time of 5 minutes (a case I had with a website using my RSS feed parsed on their site).

Re: Attempted hack?

We had something similar happen here at punbb.org about a year ago. I was able to track down the person behind it. Turns out he had written a script that grabbed a page of PunBB.org, but he had made some mistakes in the code so the script grabbed the page a couple of thousand times. He had also confused the time parameters in the scheduled cron job which meant it was pretty much running constantly. The bandwidth graphs from that month are funny looking :D

"Programming is like sex: one mistake and you have to support it for the rest of your life."