Author Topic: Under Attack  (Read 737 times)

wildwalker

Under Attack
« on: May 29, 2018, 11:50:51 am »

Hello All,

For the last few days I have had someone (something) looking at the same two images over and over. The number of views can be around 100 or so per day, maybe slightly more. The source IP is always the same.

Coppermine Gallery version is 1.6.03 (stable)

So far I have:

Banned the IP several times, it just changes.
Deleted the first two pictures (it's always two pictures that are targeted) to see if a second set of images is targeted, from the same IP, and it is.

This is what I see in Wireshark:

436   100.049282   195.154.187.229   192.168.1.11   HTTP   600   GET /displayimage.php?album=28&pid=4922 HTTP/1.0

So I can't block them via IP Address.
I am trying to get the MAC, to see if I can block this in the router (assuming it's not spoofed)

Does anyone have any insight into what these people are trying to do, and how I could stop it?

Thanks All.

ron4mac

  • Dev Team member
Re: Under Attack
« Reply #1 on: May 29, 2018, 01:57:17 pm »

It's coming from poneytelecom.eu
https://www.systemtek.co.uk/2017/08/blocking-poneytelecom-eu/

It may be trying to exploit some old security hole that may have existed in older CPG versions.
« Last Edit: May 29, 2018, 02:03:09 pm by ron4mac »

ron4mac

Re: Under Attack
« Reply #2 on: May 29, 2018, 02:32:12 pm »

Rather than trying to block IPs, I run a PHP script via cron once every day that emails me about any new or changed files. When I've caused changes to the site I just pull up the script and regenerate the snapshot.
Logged
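
An added example, not ron4mac's script and not part of the original post: a minimal version of the snapshot-and-compare check described in Reply #2, written in Python rather than the PHP he mentions. The function names, the command-line arguments and the reliance on cron mailing a job's output are assumptions.

```python
#!/usr/bin/env python3
"""Report new, changed or removed files under a web root since the last snapshot."""
import hashlib
import json
import sys
from pathlib import Path


def snapshot(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def compare(old, new):
    """Return the paths that were added, changed or removed between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "changed": sorted(p for p in new if p in old and new[p] != old[p]),
        "removed": sorted(set(old) - set(new)),
    }


def main(argv):
    # Usage (hypothetical CLI): integrity.py check|update WEB_ROOT SNAPSHOT_FILE
    # Keep SNAPSHOT_FILE outside WEB_ROOT so it is neither served nor hashed.
    mode, root, snap_file = argv[1], argv[2], Path(argv[3])
    current = snapshot(root)
    if mode == "update":  # run by hand after a legitimate change to the site
        snap_file.write_text(json.dumps(current, indent=1))
        return 0
    report = compare(json.loads(snap_file.read_text()), current)
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind}: {p}")  # cron mails any job output to its MAILTO
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with `update` once on a known-good tree, then schedule `check` daily. On a gallery, new image files in the upload directories are expected after every upload, so the entries to look at first are new or changed script files.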

wildwalker

Re: Re: Under Attack
« Reply #3 on: May 29, 2018, 03:47:43 pm »

> It's coming from poneytelecom.eu
> https://www.systemtek.co.uk/2017/08/blocking-poneytelecom-eu/
>
> It may be trying to exploit some old security hole that may have existed in older CPG versions.

Hello ron4mac. I have checked each IP as they have come in, and some are listed as Russian, some from France. I did think they are trying to find an older security flaw, but wanted to check that there wasn't a newer one I had missed. Hopefully this attack will end soon when they realise they are banging their head against a wall.

I will continue to ban their IPs, I might even plug in a Cisco and use a country-wide ACL list :)

Thanks for the reply.

wildwalker

Re: Under Attack
« Reply #4 on: May 31, 2018, 01:29:11 pm »

Just a quick update.

So first of all I banned all of the following IPs from your link.

I continued to ban each IP Address (actually on a subnet level /16) that was used, and the frequency of attacks slowed, until yesterday when, after adding the last IP range, it stopped :)

Additional bans are:

46.161.0.0/16
195.154.187.0/24
195.154.0.0/16
151.106.0.0/16

Now, they could have just given up, but either way I wanted to share this information, as if they are not attacking my site, they probably moved on to attacking someone else; if so, hopefully this information will be useful.

Thank you for your help.

Alan.