
IMPORTANT! Security risk

PostPosted: Sun Apr 08, 2007 1:50 am
Author: geoff1
Hi all,

I've been having some problems recently with hackers etc. (I'm running IM14 currently, but not for much longer!) and upon close examination of my server's log I've discovered what I call a "hoverbot" which seems to just sit there looking at every single file in the forums, totally ignoring the htaccess, robots.txt and forums bots management panel!

This "hoverbot" acts like a standard user (although doesn't always show up on the forums!) looks at posts, calendar events, PM's etc, and then attempts to access the functions.php file and redirect to another site!

It calls itself:

crawl.66.249.72.243.googlebot.com

and comes from this ip: 216.22.3.9

It's obviously not a googlebot, so I advise you all to block this thing's access on the server cp asap, and I mean both the name and the IP!!!


(These are my findings, you may know differently, and I'm not intending to have a go at google either!)

Re: IMPORTANT! Security risk

PostPosted: Sun Apr 08, 2007 7:10 am
Author: .QUACK.Major.Pain
The ACP will only allow you to ban the IP.
Can't ban the username because it doesn't exist in userlist

PostPosted: Sun Apr 08, 2007 8:05 am
Author: ZacFields
66.249.72.243 is a legitimate googlebot. Anything 66.249.X.X is pretty much a legitimate googlebot. I have found on many different occasions that googlebot has wandered out of its boundaries (such as clicking on the "find all posts by user" link in someone's profile, which would put them on search.php, which is in the disallow list).

Now 216.22.3.9 looks to be a ServInt machine.

Not sure what's going on there. When I put 216.22.3.9 into ip information it doesn't come up with googlebot. Where are you getting that it's calling itself a googlebot?

That being said, IM 1.4.0 is subject to RFI (I think that's what it's called) hacks. I was dealing with this a couple weeks ago. They are usually targeting your includes/functions_portal.php file and the RFI file they are trying to link you to is usually called "borek.txt" on another server.

Your best option is to upgrade to 1.4.1, but the only problem is that even banning their IPs at your Integramod ACP won't stop them from running requests on your server. I actually have all non-US IP ranges banned from using my server at the moment, but even after I did that last week they were still running requests on that same file from foreign IPs.

In my case they were hitting me with hundreds of different server IP's and after they realized I had fixed the problem and they could no longer get through they eventually left.

Zac
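The disagreement above (a log entry that calls itself googlebot versus an IP that is not Google's) is exactly what a forward-confirmed reverse DNS check settles. This is an added example, not code from the thread or from IntegraMod; the DNS answers are constructed placeholders so it runs offline, and the `live_*` helpers show how to swap in real lookups.

```python
import ipaddress
import socket

# Constructed sample DNS answers (not real lookups) so the example runs offline.
SAMPLE_PTR = {
    "66.249.72.243": "crawl-66-249-72-243.googlebot.com",
    "216.22.3.9": "host.example-hosting.invalid",   # placeholder, not the real PTR
}
SAMPLE_A = {
    "crawl-66-249-72-243.googlebot.com": ["66.249.72.243"],
    "host.example-hosting.invalid": ["216.22.3.9"],
}

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip)

def sample_a(host):
    return SAMPLE_A.get(host, [])

def live_ptr(ip):
    """Real reverse lookup; swap in for sample_ptr when online."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def live_a(host):
    """Real forward lookup; swap in for sample_a when online."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(host, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def is_verified_googlebot(ip, ptr=sample_ptr, a=sample_a):
    """Forward-confirmed reverse DNS: ip -> PTR name under googlebot.com/google.com,
    and that name must resolve back to the same ip. A name alone proves nothing."""
    ipaddress.ip_address(ip)              # reject garbage before any lookup
    host = ptr(ip)
    if host is None:
        return False
    host = host.rstrip(".").lower()
    if not (host.endswith(".googlebot.com") or host.endswith(".google.com")):
        return False
    return ip in a(host)

def classify_log_entry(ip, claimed_host, ptr=sample_ptr, a=sample_a):
    """Compare what a log line claims (its hostname field) with what DNS backs up."""
    if is_verified_googlebot(ip, ptr, a):
        return "verified-googlebot"
    if "googlebot" in claimed_host.lower():
        return "spoofed-googlebot"        # claims to be Google, DNS says otherwise
    return "other"
```

Run the classifier over the (IP, hostname) pairs from your access log and only whitelist the "verified-googlebot" ones; everything tagged "spoofed-googlebot" is a candidate for the IP ban.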

PostPosted: Mon Apr 09, 2007 1:40 am
Author: geoff1
I got the name of the "googlebot" from the server control panel itself (not the forums one) in the access logs for the last two days! The actual source came from USLEC Corp USA's server (which has doubtlessly been hacked without them knowing!)

To add to the fun I've also got lots of other insanely annoying attacks from other US servers which eventually (when traced and blocked) come from 216.22.3.6 (I have about 200 traces from that IP so far!)

As to the upgrade to 141, it's now heavily on the cards! I've had enough of these morons wrecking the performance of my forums! :angry: