
Under Attack


wildwalker:
Hello All,

For the last few days I have had someone (something) looking at the same two images over and over. The number of views can be around 100 or so per day, maybe slightly more. The source IP is always the same.

Coppermine Gallery version is 1.6.03 (stable)

So far I have:

Banned the IP several times, it just changes.
Deleted the first two pictures (it's always two pictures that are targeted) to see if a second set of images is targeted, from the same IP, and it is.

This is what I see in Wireshark - 436   100.049282   195.154.187.229   192.168.1.11   HTTP   600   GET /displayimage.php?album=28&pid=4922 HTTP/1.0
 
So I can't block them via IP Address.
I am trying to get the MAC, to see if I can block this in the router (assuming it's not spoofed).

Does anyone have any insight into what these people are trying to do, and how I could stop it?

Thanks All.

ron4mac:
It's coming from poneytelecom.eu
https://www.systemtek.co.uk/2017/08/blocking-poneytelecom-eu/

It may be trying to exploit some old security hole that may have existed in older CPG versions.

ron4mac:
Rather than trying to block IPs, I run a PHP script via cron once every day that emails me about any new or changed files. When I've caused changes to the site I just pull up the script and regenerate the snapshot.
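
A minimal version of the snapshot-and-diff approach described above, written as an added example rather than ron4mac's own script. It assumes the gallery lives in /var/www/gallery, that the snapshot file is kept outside the web root, and that mail() is configured on the host; run it with --rebuild after intentional changes to regenerate the snapshot.

```php
<?php
// Added example (not the poster's script): hash every file under the web root,
// compare with the last snapshot, and mail a list of added/changed/removed files.
// Assumed paths and address; adjust for your host.
$root     = '/var/www/gallery';                 // assumed gallery directory
$snapshot = '/var/lib/cpg-fim/snapshot.json';   // assumed path, outside the web root
$mailTo   = 'admin@example.com';                // placeholder recipient
$rebuild  = in_array('--rebuild', $argv, true); // pass after intentional site changes

// Walk the tree and return path => sha256 for every regular file.
function scanTree(string $dir): array {
    $hashes = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile()) {
            $hashes[$file->getPathname()] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($hashes);
    return $hashes;
}

// Compare two snapshots; a changed hash on an existing path is the interesting case.
function diffSnapshots(array $old, array $new): array {
    $report = ['added' => [], 'changed' => [], 'removed' => []];
    foreach ($new as $path => $hash) {
        if (!isset($old[$path]))          $report['added'][]   = $path;
        elseif ($old[$path] !== $hash)    $report['changed'][] = $path;
    }
    foreach (array_keys($old) as $path) {
        if (!isset($new[$path]))          $report['removed'][] = $path;
    }
    return $report;
}

$current = scanTree($root);
if ($rebuild || !is_file($snapshot)) {
    file_put_contents($snapshot, json_encode($current), LOCK_EX);
    exit("Snapshot written: " . count($current) . " files\n");
}
$previous = json_decode(file_get_contents($snapshot), true) ?: [];
$lines = [];
foreach (diffSnapshots($previous, $current) as $kind => $paths) {
    foreach ($paths as $p) $lines[] = strtoupper($kind) . ": $p";
}
if ($lines) {
    mail($mailTo, 'File changes on ' . gethostname(), implode("\n", $lines));
}
```

Directories that change legitimately (the upload area) will show up on every run, so either exclude them in scanTree or rebuild the snapshot after each batch of uploads.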

wildwalker:

--- Quote from: ron4mac on May 29, 2018, 01:57:17 pm ---It's coming from poneytelecom.eu
https://www.systemtek.co.uk/2017/08/blocking-poneytelecom-eu/

It may be trying to exploit some old security hole that may have existed in older CPG versions.

--- End quote ---

Hello ron4mac. I have checked each IP as they have come in, and some are listed as Russian, some from France. I did think they are trying to find an older security flaw, but wanted to check that there wasn't a newer one I had missed. Hopefully this attack will end soon when they realise they are banging their head against a wall.

I will continue to ban their IPs, I might even plug in a Cisco and use a country-wide ACL list :)

Thanks for the reply.

wildwalker:
Just a quick update.

So first of all I banned all of the following IPs from your link.


I continued to ban each IP address (actually on a subnet level, /16) that was used, and the frequency of attacks slowed, until yesterday when, after adding the last IP range, it stopped :)

Additional bans are:

46.161.0.0/16
195.154.187.0/24
195.154.0.0/16
151.106.0.0/16

Now, they could have just given up, but either way I wanted to share this information: if they are not attacking my site, they have probably moved on to attacking someone else, and if so, hopefully this information will be useful.

Thank you for your help.

Alan.
