It appears that someone does not like us much.Yesterday morning at about 3:30AM CDT someone with access to what is likely a botnet decided either this forum is unworthy, or they did not like me personally. The logs are huge, and I have not slept in 2 days, mostly up all last night trying to remotely figure out why this was down.
It seems from skimming and some work with awk searching the logs,
The site was hit with a number of attacks not just a DDOS
My overall thoughts on this are it was done by a script kiddy with either friends in low places, or he otherwise has access to a botnet.
I do not think that if this were a very serious hacker he would have been so easily defeated.
This all seems to have began with a single chinese IP -
(listed here)
http://www.projecthoneypot.org/ip_123.156.184.43-crawling the site for poster names.
Then a large number of other IP addresses were attempting the normal stupid passwords people use like password, and then a short lived dictionary attack on a few users ( I was one),
This appears to have failed at getting them any sort of user access, but it did lock out all the users on the system.
While this was going on, a number of other things were happening such as automated registration attempts.
Thanks to some of RossW's keen scripting skills early in the initial deployment of this forum there was a bit of added security that was banning the IPs of pretty much all these bot attempts.
These failed at the gates as well because of those hard things it makes you do and everyone complains about it when registering.
Other things like cross site scripting vulnerabilities were being tested.
Judging by the random nature and timing, these were likely being performed by hand.
Other vulnerabilities in packages that may or may not be installed on here were being searched out by bots as well.
This is common but at this particular time it was not the hit and miss stuff every half hour to couple of hours it was a consistent onslaught buried in the other things going on.
I had a database backup of only an hour before hand, so I took a backup of the live one after this event, and then rolled back to that recent earlier backup in order to unblock all the users, and fix a few other things that were kinda made a mess from all the data generated.
None of these troubles were serious, but all added up to a significant amount of repair/recovery time and would leave annoying relics.
Restoring the backup easily avoided all of this, without any major loses, if any.
I have not gotten all the details worked out but to sum it up.
In under an hour of the initial attack looking for server vulnerabilities the log files racked up a couple hundred meg of data.
It seems that these attack(s) failed to get what they wanted.
Frustrated the attacker decided to DDOS'ed the site to take it offline,, as it remained until just seconds after midnight when the entire attack completely halted.
Now to make matters worse I was on a trip across the state when this all went down.
My first thoughts and concerns were that the RE system failed. ( nope rock solid).
I also had fears the house had caught fire, so I woke up the neighbors at 4 in the morning to go check on my house
(sorry, and thank you)
I have to thank RossW for his help and offers in this matter, I very much appreciate all your help always.
Plus thank and also apologize to my bandwidth provider for helping to get back online once I got home and the help plus coordination letting me know when the attack had seemed to actually stop.
I had to know so I could reverse certain things I did to try to stop some of the data flow that was even hurting their massive pipe..
They REALLY took a major hit over this one.. MASSIVE amounts of data where launched at this site.
Hopefully they don't decide I am somehow liable for any costs they might have incurred. (YIPE)
I sincerely hope whomever did this leaves us alone in the future.
We have nothing here of interest that is worth your time or the resources you expended to do this. Sorry to all of you that had to go the day wondering..
Thanks for sticking it out those of you.
