vBulletin Mods

The Official vBulletin Modifications Site

Weird IP behavior for the last few weeks.
by Scalemotorcars
14 Oct 2020 22:13

So I keep getting DB errors and it looks like someone is trying to hack the site.

Of the last 100 or so most recent registrations, all have IP addresses that look almost exactly the same. They start with 10.30.94. And all the DB errors are coming from 2 IPs. Also, this IP range seems to be private so I can't get a fix on where it's coming from. Maybe everyone is using VPNs???

So, of course, I blocked the IP and did a wildcard on the end but then I myself, the admin, got locked out of the site. Not the backend but I definitely got locked out of the front end. My IP is nothing like this so now I'm curious. Maybe it's some kind of glitch in the system that keeps recording the same or almost the same IP when someone new registers.

Now to be clear a few of these members with the same exact IP actually posted legit messages but I have like 100 members with the same IP. ???

It looks very fishy to me but I figured I would run it by you guys here before I start deleting accounts.

In Omnibus 15 Oct 2020 15:01

Do you use Cloudflare or something similar?

Scalemotorcars 15 Oct 2020 16:18

Hosted on Register.com

I thought it had something to do with the forum spam plugin I'm using. They switched from http to https but I changed the links in the plugin. I then did some digging in the DB and noticed the same User ID keeps popping up in the DB errors. With this the weird thing is it appears to be coming from the integrated Photopost plugins. Also when I blocked the IP above the DB errors increased.

Hostboard 15 Oct 2020 16:59

Have you tried to use .htaccess instead of vBulletin?


Scalemotorcars 15 Oct 2020 20:37

Yes I actually have a bunch of countries blocked by .htaccess along with a blacklist. The weird part is that all new registrations are coming from the same IP range 10.30.94 (100-201). I can't seem to find out why? The IP recorded on the site for new members isn't their actual IP. I had a friend register and his IP came up in the same range listed above where I know it's completely different.

z3r0 16 Oct 2020 05:53

It looks like your host may have put something in front of your site.

You could try adding the following to your config.php file and see if the IPs sort themselves out.


Scalemotorcars 16 Oct 2020 17:27

Thanks for the code, I'll give this a try. Could you tell me a safe area of the config file to put this?

Edit, I added it to the end. Let's see if this fixes it. I'll post back just in case someone else runs into this.

Scalemotorcars 17 Oct 2020 21:22

Well nuts, that didn't work. All that happened is the entire site DNS IP was blocked. It looks like my host is using something like Cloudflare or changed something with the Apache server. I'll give them a call and see if I can get it sorted.

z3r0 18 Oct 2020 06:47

Actually I've just looked at your site and I don't think that would have worked anyway as it looks like you are on 4.2.2 and I don't think the proxy header stuff went in until 4.2.4.

Looking at your page response headers if you say you are on an Apache server then there is definitely something been placed in front of the site.
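The situation the replies above describe, as an added example that is not code from any poster or from vBulletin: when a reverse proxy sits in front of the site, `REMOTE_ADDR` is the proxy's private address, and the visitor's address should be read from a forwarding header only when the connection really came from that proxy. The 10.30.94.0/24 range is taken from the thread; the `X-Forwarded-For` header name, the function names and the sample addresses are assumptions to confirm with the host.

```php
<?php
// Added example, not vBulletin code. Range assumed from the 10.30.94.x
// addresses reported in this thread; confirm the real proxy range with the host.
const TRUSTED_PROXIES = ['10.30.94.0/24'];

// True when IPv4 address $ip lies inside the CIDR block $cidr (64-bit PHP).
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false; // not IPv4, so never treated as a trusted proxy
    }
    $mask = (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function is_trusted_proxy(string $ip): bool
{
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Honour X-Forwarded-For only when the TCP peer is a trusted proxy, then walk
// the chain right to left and return the first hop that is not a proxy.
function client_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !is_trusted_proxy($peer)) {
        return $peer; // direct connection: the header is client-controlled
    }
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: fall back to the peer address
        }
        if (!is_trusted_proxy($hop)) {
            return $hop;
        }
    }
    return $peer;
}

// Constructed requests: via the proxy, via the proxy with a forged left-most
// entry, and a direct hit that supplies its own header.
var_dump(client_ip(['REMOTE_ADDR' => '10.30.94.150', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7']));
var_dump(client_ip(['REMOTE_ADDR' => '10.30.94.150', 'HTTP_X_FORWARDED_FOR' => '192.0.2.99, 203.0.113.7']));
var_dump(client_ip(['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '192.0.2.99']));
```

The first two calls resolve to 203.0.113.7 and the third to 198.51.100.9. IP bans and per-IP registration checks need the resolved address, since a ban on the proxy range matches every visitor at once.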

Hostboard 22 Oct 2020 14:33

I use the pro version of this:

This allows me to easily identify multiple registrations per IP.

I believe if you ask Joe he will send it or make it available as he is no longer selling and has released the Pro versions here in the past.
