Over the past two weeks, the Joomla "j4age" statistics extension has been
recording and showing over 40 hosts (95%+ foreign) coming directly to one and
only one article (page) at our web site. This is highly unusual. The article
in question was nothing more than a simple text paragraph with a URL to the
Registrar's class schedule information web page.
I asked Network Security to apprise me of potential security issues as I could
not ascertain whether it was an attempt at OUR web site or an attempt to get
through to the Registrar's web site. I checked the files/directories for our
web site and did not find anything unusual or unexpected. The page being
accessed had not been altered.
As I kept trying to find things and figure out what was going on, I installed
the Joomla "Ban IP Address" extension (mentioned in my previous note) and
started filling in addresses associated with suspicious accesses. N.S.
provided the response below which includes URLs for two web sites that may be
of use to others of y'all in discerning the nature/identity of some suspicious
hosts.
Let me say this - if you don't wear gloves you're gonna get burnt. Make sure
you have adequate web security in place AND that logs and/or statistics get
looked at. They don't (normally) do anything on their own!
P.S. Apache server logs were available when the analysis was initially
performed, but they were not adequately identified at that time.
-------- Original Message --------
Received: from [131.230.6.132] (ws006132.it.siu.edu [131.230.6.132]) by
mx.google.com with ESMTPS id k38sm5165686ick.21.2010.12.21.14.19.32
(version=TLSv1/SSLv3 cipher=RC4-MD5); Tue, 21 Dec 2010 14:19:33 -0800 (PST)
Message-ID: <[log in to unmask]>
Date: Tue, 21 Dec 2010 16:19:31 -0600
From: Curt Wilson <[log in to unmask]>
MIME-Version: 1.0
To: Jim Dutton <[log in to unmask]>
Subject: Fwd: Jim's Equine Site
X-Enigmail-Version: 1.1.1
Content-Type: multipart/mixed;
boundary="------------080201080503020203050206"
Jim,
Based on Dave's analysis, it looks like forum spammers going through
proxies are the bulk of the traffic. Annoying, but nothing to get too
concerned about.
Having an HTTP referer might help pinpoint where and why the link has
made its way around the world, if the referer is easily obtained.
Thanks for your research, Dave.
-------- Original Message --------
Subject: Jim's Equine Site
Date: Tue, 21 Dec 2010 16:15:48 -0600
From: Dave Loftus <[log in to unmask]>
To: [log in to unmask]
The addresses in Jim's list that were accessing his equine site are proxies
used to spam forums/blogs with comments. The majority of them were found
listed on the http://stopforumspam.com or http://projecthoneypot.com
websites.
Proxy countries included:
India, Japan, Russian Federation, Kuwait, Georgia, Ukraine, Brazil,
Czech Republic, United Kingdom, and Denmark.
A breakdown per address is listed in the attached document. I've
imported Jim's Joomla log database. Apache logs would be better, but I
can see if there are any referrers (assuming Joomla logs that
information). With the majority being comment spammers, I'm still not
that concerned about it.
Dave
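Dave's note points at the two things a site owner wants from the Apache logs in a case like this: how many distinct hosts are hitting the single article, which of them are already listed as forum-spam proxies, and what referer brought them there. The script below is an added example and is not code from this thread or from Joomla; it assumes Apache's "combined" log format, and its log lines, IP addresses, referers and the small `KNOWN_PROXIES` set are all constructed for illustration (the set stands in for a lookup against stopforumspam.com or projecthoneypot.com, which the script does not contact).

```python
import re
from collections import Counter

# Apache "combined" format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log (documentation-range IPs, invented referers).
SAMPLE_LOG = """\
203.0.113.10 - - [21/Dec/2010:10:01:02 -0600] "GET /index.php?option=com_content&id=42 HTTP/1.1" 200 5120 "http://forum.example.net/thread/7" "Mozilla/4.0"
198.51.100.7 - - [21/Dec/2010:10:03:44 -0600] "GET /index.php?option=com_content&id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Dec/2010:10:05:10 -0600] "GET /index.php?option=com_content&id=42 HTTP/1.1" 200 5120 "http://forum.example.net/thread/7" "Mozilla/4.0"
192.0.2.55 - - [21/Dec/2010:10:07:00 -0600] "GET /index.php?option=com_content&id=42 HTTP/1.1" 200 5120 "http://blog.example.org/post/3" "Opera/9.80"
192.0.2.99 - - [21/Dec/2010:10:09:31 -0600] "GET /index.php?option=com_content&id=7 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Stand-in for the stopforumspam / projecthoneypot lookups mentioned in the
# thread: a local set of addresses already known as spam proxies (constructed
# values, not real listings).
KNOWN_PROXIES = {"203.0.113.10", "198.51.100.7"}


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text, target_path, blocklist):
    """Summarise every request for target_path: hosts, listed hosts, and referers."""
    hits = [p for p in map(parse_line, log_text.splitlines())
            if p and p["path"] == target_path]
    ips = Counter(h["ip"] for h in hits)
    referers = Counter(h["referer"] for h in hits)   # "-" means no referer sent
    return {
        "requests": len(hits),
        "distinct_ips": len(ips),
        "listed_ips": sorted(ip for ip in ips if ip in blocklist),
        "unlisted_ips": sorted(ip for ip in ips if ip not in blocklist),
        "referers": referers,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, "/index.php?option=com_content&id=42", KNOWN_PROXIES)
    print(f"{report['requests']} requests from {report['distinct_ips']} hosts")
    print("already listed as proxies:", ", ".join(report["listed_ips"]) or "none")
    print("not yet listed (worth a manual lookup):", ", ".join(report["unlisted_ips"]) or "none")
    for ref, n in report["referers"].most_common():
        print(f"{n:3d}  {ref}")
```

Run against a real access log, `summarize` gives the two lists Dave's approach needs: hosts already on a proxy list, which can go straight into a blocking tool such as the "Ban IP Address" extension, and hosts that are not listed yet and deserve a manual check. The referer tally answers Curt's question about where the link is being spread from, provided the clients send one; comment-spam proxies frequently do not, which shows up as the `-` bucket.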