bots overloading my server everyday.

Discussion in 'robots.txt' started by Quench, Aug 7, 2008.

  1. #1
    ok, i really hope i am making this thread in the right place.

    i have been reading around this forum as a guest for a while,
    i did search on "fighting DDOS attacks and preventing"
    and came across this thread:
    http://forums.digitalpoint.com/showthread.php?t=7918

    ok, what's happening: everyday i go to access my site, some idiot is using a bot program to overload my server and has had my account suspended 3 times.

    what i know about this program he is using is that he is using AltaVista Spider and Inktomi Spider with 100's of different ip's and programming these bots to point at eg: memberlist.php on my vbulletin board, then flooding in as many guests as possible viewing that 1 location. a few days ago i renamed the file to memberlist1.php just to break his program and it worked.
    but then i get complaints from members not being able to see the member list etc.
    well this morning my server was overloaded again, this time he had his program set on the arcade.php file so i disabled that file also to break his program. the idiot even had the cheek to sign up and post on our forum laughing about how it's him that's overloading the server everyday.
    i honestly do not reply in a bad manner, i just say we are not worried blah blah. but as you all know this is very frustrating to all us admins.

    ok i'll get to the point and as again i hope this thread is in the right spot
    and in completely off topic.

    i have tried robot texts and they don't seem to be working against these spiders and i was actually hoping someone could give me a code to add to .htaccess or another spider/bot text to try out.

    i'm really not that good with coding or reading so sorry about that,
    this thread here:
    http://forums.digitalpoint.com/showthread.php?t=7918

    it has a code in the first post, will that help me against DDOS attacks? and where do i put that code please. i'm really unsure if it goes in my index.php file or not.

    i really hope someone can help

    thanks: chris.
     
    Quench, Aug 7, 2008 IP
  2. Dollar

    Dollar Active Member

    Messages:
    2,598
    Likes Received:
    82
    Best Answers:
    0
    Trophy Points:
    90
    #2
    Put here some of the IPs from his bot. They must just be datacenter IP addresses. If they are, you just block the whole datacenter and it won't matter really, as no human browses the internet through a server. Unless they're using their server as a proxy. But in your case the good outweighs the bad.
    #example of ThePlanet.com Datacenter IPs
    deny from 64.246.0.0/18
    deny from 74.52.0.0/15
    deny from 74.54.0.0/16
    deny from 75.125.0.0/16
    deny from 207.44.128.0/17
    deny from 209.62.0.0/17
     
    Dollar, Aug 7, 2008 IP
  3. Quench

    Quench Active Member

    Messages:
    449
    Likes Received:
    4
    Best Answers:
    0
    Trophy Points:
    80
    #3
    i banned all ips below but yet he still keeps coming back.

    i'm also unsure as to where to put eg:
    #The Planet.com
    deny from 69.41.224.0/19

    does this go in .htaccess?
    also what does #The Planet.com do?

    sorry m8 not that good at understanding stuff but i do my best.
    thanks.
     
    Quench, Aug 7, 2008 IP
  4. Dollar

    Dollar Active Member

    #4
    The # symbol is for putting comments in the .htaccess, and yes, to ban an IP in .htaccess you put
    <Limit GET HEAD POST>
    order allow,deny
    deny from IP_ADDRESS/or CIDR notation
    allow from all
    </Limit>
    A CIDR notation is a range like 74.54.0.0/16 which is 74.52.0.0 - 74.55.255.255
    You can get this useful tool to look up IPs
    http://www.mytoolpad.com/open/iplookup/

    Very useful. Okay, well, looking at those IPs, a lot look to be residential IP addresses from people's computers. He is somehow using these as proxies to attack your server. They might be infected computers or proxies from open proxy lists. (Which you can find at some places)

    Are you using a VPS or a shared hosting?
     
    Dollar, Aug 7, 2008 IP
  5. Dollar

    Dollar Active Member

    #5
    Dollar, Aug 7, 2008 IP
  6. Dollar

    Dollar Active Member

    #6
    If you have a VPS or dedicated you could install mod_security for apache. This will detect if someone is trying to flood your site and will block the requests.
     
    Dollar, Aug 7, 2008 IP
  7. Quench

    Quench Active Member

    #7
    thanks for that, i downloaded that ip program and i did a search on his actual IP: 70.253.179.42
    that's the ip he uses to post on my sites and laugh about overloading the server.
    the worst thing about this is i'm on a reseller account.
    i will have a look at those links you have posted, thanks.
    i also reported abuse to after looking up that ip
    on that program you gave me.

    just a thought here, but would this code help me out?
    thread: http://forums.digitalpoint.com/showthread.php?t=7918

    i'm just not sure where the code goes.

    thanks.
     
    Quench, Aug 7, 2008 IP
  8. Quench

    Quench Active Member

    #8
    more ip's
    soon as i enable my arcade.php the bots come back straight away.
     
    Quench, Aug 7, 2008 IP
  9. Dollar

    Dollar Active Member

    #9
    I've seen a similar anti-flood script like that before from here. It's a bit simpler. It detects if they're making requests for the php file too much, then redirects them to html saying to go away (or whatever you want to put in it)
    To use that script you simply open for example arcade.php and put the code right at the top

    like

    <?php
    // anti-flood code goes here
    ?>
    <?php
    // regular code
    ?>

    Could be a cheap fix as it would redirect them away and would stop the rest of the script from being parsed by php and save you a bit of cpu.
    I would try it out and see if it works. Also, if you can, definitely install mod_security; it will detect attacks like this (calling the same script over and over by the same IP) and auto-block them. It's an application level firewall and it's open source.
     
    Dollar, Aug 7, 2008 IP
    JoyGoRound likes this.
  10. Quench

    Quench Active Member

    #10
    so like this?

    also the hacker is targeting different files everyday
     
    Quench, Aug 7, 2008 IP
  11. Dollar

    Dollar Active Member

    #11
    Yes. So if anyone browses that php file faster than 1 time every 2 seconds it will block them.
     
    Dollar, Aug 7, 2008 IP
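
The throttle described in posts #9 and #11, as an added example that is not part of this thread and is not the script from the linked thread: a per-IP check for the top of a PHP file such as arcade.php that redirects any client requesting the page more often than once every 2 seconds. It assumes PHP 7 or later and a writable temp directory; MIN_INTERVAL, BLOCK_PAGE, STATE_DIR and is_flooding() are names made up for this example.

```php
<?php
// Added example: per-IP request throttle, required at the very top of a
// script such as arcade.php before any output is sent. Assumes PHP 7+.
// MIN_INTERVAL, BLOCK_PAGE, STATE_DIR and is_flooding() are made-up names.
const MIN_INTERVAL = 2.0;               // seconds that must pass between requests from one IP
const BLOCK_PAGE   = '/slow-down.html'; // assumed static page; serving it costs no PHP time
define('STATE_DIR', sys_get_temp_dir() . '/antiflood'); // assumed writable location

/**
 * True when $ip's previous request was less than $minInterval seconds ago.
 * The current time is recorded either way, so a client that keeps hammering stays blocked.
 */
function is_flooding(string $ip, float $minInterval, string $stateDir): bool
{
    if (!is_dir($stateDir) && !mkdir($stateDir, 0700, true) && !is_dir($stateDir)) {
        return false; // fail open: a disk problem must not lock every visitor out
    }
    // Hash the address: fixed-length file name with no client-controlled characters.
    $fh = fopen($stateDir . '/' . hash('sha256', $ip), 'c+'); // create if missing, keep contents
    if ($fh === false) {
        return false;
    }
    flock($fh, LOCK_EX);                      // serialise concurrent requests from the same IP
    $last = (float) stream_get_contents($fh); // empty file reads as 0.0 (first visit)
    $now  = microtime(true);
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, sprintf('%.4F', $now));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $last > 0 && ($now - $last) < $minInterval;
}

// REMOTE_ADDR is the TCP peer address. Headers such as X-Forwarded-For are
// client-supplied and are not used as the key here.
$ip = $_SERVER['REMOTE_ADDR'] ?? '';
if ($ip !== '' && is_flooding($ip, MIN_INTERVAL, STATE_DIR)) {
    header('Retry-After: ' . (int) ceil(MIN_INTERVAL));
    header('Location: ' . BLOCK_PAGE, true, 302);
    exit; // stop here so the forum code further down never runs for this request
}
```

Because the key is a single address, this only slows a client that repeats from one IP; it does nothing against requests spread thinly across hundreds of addresses. The state directory gains one small file per address seen and needs periodic pruning.
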
  12. Quench

    Quench Active Member

    #12
    i set it on 10 seconds to see if it works and works like a charm thanks heaps ;)

    should i do this to all the main files? because he overloaded using memberlist.php the other day.
     
    Quench, Aug 7, 2008 IP
  13. Quench

    Quench Active Member

    #13
    sorry for these questions but would that code work for a .html page? as my chats are eg: teenchat.html

    thanks.
     
    Quench, Aug 7, 2008 IP
  14. Dollar

    Dollar Active Member

    #14
    No, php code won't work inside a .html file. You could rename the extension of it to teenchat.php and put the code at the top.
     
    Dollar, Aug 7, 2008 IP
  15. Quench

    Quench Active Member

    #15
    ok thanks will do that then,

    cheers man you saved the day ;) thanks.
     
    Quench, Aug 7, 2008 IP
  16. catanich

    catanich Peon

    Messages:
    1,921
    Likes Received:
    40
    Best Answers:
    0
    Trophy Points:
    0
    #16
    Quench

    Call the planet's security/customer service team. They will not like this.

    If that doesn't work, call their marketing team and tell them that they are getting bad mouthed on DP. That should work.

    And as last resort, write a letter to the planet's president explaining what is going on and post that letter here and inform him you are doing that. That will work.

    And since they are stealing your bandwidth, talk with your city's District Attorney's office about computer theft. It is election time and they might link the case for visibility reasons.

    And when that is done, write an article about this and post/submit it everywhere using everyone's real names. Have fun with this.
     
    catanich, Aug 21, 2008 IP
  17. Quench

    Quench Active Member

    #17
    hi, i have re-installed windows and am looking to download iplookup,
    but that link now leads somewhere else.
    please, is there any other iplookup i can use? thanks.

    hey catanich, thanks for this helpful post, i will do just that if the hacker strikes again and i'm sure he will.
     
    Quench, Oct 6, 2008 IP
  18. macadu

    macadu Member

    Messages:
    76
    Likes Received:
    2
    Best Answers:
    0
    Trophy Points:
    43
    #18
    Report this issue immediately to your hosting company! They have the means to block such IPs and report those IPs further to relevant companies and authorities.
     
    macadu, Oct 6, 2008 IP
  19. Dollar

    Dollar Active Member

    #19
    Yes, it appears the file is no longer available on their website.
    It is quite a useful program and I have made it available here for download.
     
    Dollar, Oct 6, 2008 IP
  20. Quench

    Quench Active Member

    #20
    thank you very much Dollar, very helpful indeed ;)

    cheers.
     
    Quench, Oct 9, 2008 IP