Not affiliated with or endorsed by the phpBB Group


Continue the legacy...

Welcome to all phpBB2 Refugees!

This site is intended to continue support for the legacy 2.x line of the phpBB2 bulletin board package. If you are a fan of phpBB2, please, by all means register, post, and help us out by offering your suggestions. We are primarily a community and support network. Our secondary goal is to provide a phpBB2 MOD Author and Styles area.

Server attacks.


 
Jim_UK
Board Member



Joined: 19 Nov 2008

Posts: 538
Location: North West UK


Posted: Tue Aug 21, 2012 4:25 pm
Post subject: Server attacks.

I wonder if anyone else has spotted this.
Whenever there is an attempt at an exploit the system blocks it and sends me an email detailing the attack type, the attack point (ftp/mailer etc), the IP of the miscreant and also the action taken by the system.
What I have noticed is that the attempted exploits come in groups and are usually aimed at the same point and with the same code being used.
By this I mean that I can go for a few days with no attempts and then suddenly there are several all using the same method but from different countries.

Is it maybe that what I am seeing is some script that has been posted somewhere and several folks are trying it out? I find it very strange.

Jim
Holger
Board Member



Joined: 19 Jan 2009

Posts: 509
Location: Hanover


Posted: Wed Nov 07, 2012 1:08 pm
Post subject: Re: Server attacks.

Most attacks are automated and distributed, like DDOS, so the attacks come from several locations at the same time.
Nothing strange with that.

What are you using to detect and send you emails?

_________________
Love your data! Back it up!
Jim_UK
Board Member



Joined: 19 Nov 2008

Posts: 538
Location: North West UK


Posted: Wed Nov 07, 2012 1:21 pm
Post subject: Re: Server attacks.

ConfigServer Security & Firewall - csf v5.70

The server host installed it and it is configured via the WHM Panel. This software must communicate with Mod Sec as well, for as well as the failed attempts to log in anywhere, it also sends emails if Modsec detects any attempt at a server compromise.

Jim

Edit
This is the sort of mail that I get:

Quote:
Time: Tue Nov 6 19:49:41 2012 -0500
IP: 193.171.110.146 (AT/Austria/linux1.borg-feldbach.ac.at)
Failures: 5 (smtpauth)
Interval: 300 seconds
Blocked: Permanent Block

Log entries:

2012-11-06 19:49:33 dovecot_login authenticator failed for linux1.borg-feldbach.ac.at (localhost) [193.171.110.146]:43862: 535 Incorrect authentication data (set_id=admin)
2012-11-06 19:49:34 dovecot_login authenticator failed for linux1.borg-feldbach.ac.at (localhost) [193.171.110.146]:55619: 535 Incorrect authentication data (set_id=admin)
2012-11-06 19:49:37 dovecot_login authenticator failed for linux1.borg-feldbach.ac.at (localhost) [193.171.110.146]:43864: 535 Incorrect authentication data (set_id=admin)
2012-11-06 19:49:38 dovecot_login authenticator failed for linux1.borg-feldbach.ac.at (localhost) [193.171.110.146]:55621: 535 Incorrect authentication data (set_id=admin)
2012-11-06 19:49:39 dovecot_login authenticator failed for linux1.borg-feldbach.ac.at (localhost) [193.171.110.146]:40947: 535 Incorrect authentication data (set_id=admin)
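The alert above reports 5 smtpauth failures within a 300-second interval from one address, and the thread's question is why such attempts arrive in clusters from different countries. The sketch below is an added example (not csf/lfd's own code and not from the posters): it parses Exim lines of the quoted format, flags addresses that cross the 5-in-300-seconds threshold, and groups addresses that tried the same `set_id` within an hour. Function names, the one-hour window, and the 198.51.100.7 / 203.0.113.9 entries are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Exim "authenticator failed" line in the format quoted in the alert e-mail.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \w+ authenticator failed for "
    r".*?\[(?P<ip>[0-9a-fA-F.:]+)\]:\d+: 535 .*\(set_id=(?P<user>[^)]*)\)")

def parse(lines):
    """Return [(timestamp, ip, user)] for failed-auth lines; ignore the rest."""
    hits = (FAIL_RE.match(line.strip()) for line in lines)
    return [(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"])
            for m in hits if m]

def ips_over_threshold(events, failures=5, interval=300):
    """IPs with at least `failures` failed logins inside `interval` seconds."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    limit = timedelta(seconds=interval)
    return {ip for ip, t in by_ip.items()  # compare t[i] with t[i + failures - 1]
            if any(b - a <= limit for a, b in zip(sorted(t), sorted(t)[failures - 1:]))}

def shared_targets(events, window=3600, min_ips=2):
    """Map each username tried from >= `min_ips` IPs within `window` s to those IPs."""
    by_user = defaultdict(list)
    for ts, ip, user in events:
        by_user[user].append((ts, ip))
    span, out = timedelta(seconds=window), {}
    for user, seen in by_user.items():
        for start, _ in seen:
            ips = {ip for ts, ip in seen if timedelta(0) <= ts - start <= span}
            if len(ips) >= min_ips and len(ips) > len(out.get(user, ())):
                out[user] = ips
    return out

LINE = ("{ts} dovecot_login authenticator failed for {host} (localhost) "
        "[{ip}]:43862: 535 Incorrect authentication data (set_id={user})")
# First five entries mirror the quoted alert (source port fixed for brevity);
# the 198.51.100.7 and 203.0.113.9 entries are constructed sample data.
SAMPLE = [LINE.format(ts=f"2012-11-06 19:49:{s}", host="linux1.borg-feldbach.ac.at",
                      ip="193.171.110.146", user="admin") for s in (33, 34, 37, 38, 39)]
SAMPLE += [LINE.format(ts=ts, host="constructed.example", ip=ip, user=user) for ts, ip, user in
           [("2012-11-06 19:52:10", "198.51.100.7", "admin"), ("2012-11-06 19:52:15", "198.51.100.7", "admin"),
            ("2012-11-06 20:05:01", "203.0.113.9", "admin"), ("2012-11-06 20:05:03", "203.0.113.9", "info")]]

if __name__ == "__main__":
    print(ips_over_threshold(parse(SAMPLE)), shared_targets(parse(SAMPLE)))
```

Only the first address crosses the per-IP threshold, while the grouping by `set_id` shows all three sources aiming at the same account, which is the clustering the thread is asking about.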
Holger
Board Member



Joined: 19 Jan 2009

Posts: 509
Location: Hanover


Posted: Wed Nov 07, 2012 1:22 pm
Post subject: Re: Server attacks.

Thanks a lot!
_________________
Love your data! Back it up!
Jim_UK
Board Member



Joined: 19 Nov 2008

Posts: 538
Location: North West UK


Posted: Wed Nov 07, 2012 1:25 pm
Post subject: Re: Server attacks.

Just added a sample of the email.

Jim
Holger
Board Member



Joined: 19 Jan 2009

Posts: 509
Location: Hanover


Posted: Wed Nov 07, 2012 1:29 pm
Post subject: Re: Server attacks.

Cool! Thanks!
_________________
Love your data! Back it up!
JLA
Board Member



Joined: 30 Apr 2009

Posts: 298
Location: U.S.A


Posted: Wed Nov 07, 2012 2:59 pm
Post subject: Re: Server attacks.

Jim_UK wrote:
I wonder if anyone else has spotted this.
Whenever there is an attempt at an exploit the system blocks it and sends me an email detailing the attack type, the attack point (ftp/mailer etc), the IP of the miscreant and also the action taken by the system.
What I have noticed is that the attempted exploits come in groups and are usually aimed at the same point and with the same code being used.
By this I mean that I can go for a few days with no attempts and then suddenly there are several all using the same method but from different countries.

Is it maybe that what I am seeing is some script that has been posted somewhere and several folks are trying it out? I find it very strange.

Jim


We see things like this every day. We experience thousands upon thousands of attack attempts every day. Most are script kiddies and shoot in the dark listening for a scream.

_________________
http://www.jlaforums.com
Jim_UK
Board Member



Joined: 19 Nov 2008

Posts: 538
Location: North West UK


Posted: Wed Nov 07, 2012 4:24 pm
Post subject: Re: Server attacks.

You are missing my point. It is not the attacks or their numbers but the frequency.
I am wondering why I can sometimes go for a day or two without any but then suddenly there are floods of them.

Jim
JLA
Board Member



Joined: 30 Apr 2009

Posts: 298
Location: U.S.A


Posted: Wed Nov 07, 2012 4:51 pm
Post subject: Re: Server attacks.

Jim_UK wrote:
You are missing my point. It is not the attacks or their numbers but the frequency.
I am wondering why I can sometimes go for a day or two without any but then suddenly there are floods of them.

Jim


This is most likely an indication of a single script kiddy probing IP blocks. Depending on the popularity of your site and things that might be in your page source (certain words/phrases/etc are targeted by certain bots - we see a lot like "Powered by PHPBB") you may see these intermittently occurring attacks.

_________________
http://www.jlaforums.com