Web Wiz Support and Community Forums : Advice wanted on suspicious activity

Web Wiz Support and Community Forums : Advice wanted on suspicious activity https://forums.webwiz.net/ Copyright (c) 2006-2013 Web Wiz Forums - All Rights Reserved. Thu, 09 Apr 2026 01:23:25 +0000 Mon, 18 Sep 2006 14:21:42 +0000 http://blogs.law.harvard.edu/tech/rss Web Wiz Forums 12.08 360 https://forums.webwiz.net/RSS_post_feed.asp?TID=21329 <![CDATA[Web Wiz Support and Community Forums]]> https://forums.webwiz.net/forum_images/web_wiz_forums.png https://forums.webwiz.net/ <![CDATA[Advice wanted on suspicious activity : Topic renamed to reflect my intentions...]]> https://forums.webwiz.net/advice-wanted-on-suspicious-activity_topic21329_post114204.html#114204 Author: ToJaRo
Subject: 21329
Posted: 18 September 2006 at 2:21pm

Topic renamed to reflect my intentions with the original post.

Another tidbit of info... I run multiple websites on my servers and this particular site is the only one I have with WWF. I also have host headers enabled on each site and if it was just a bot port scanning just by IP it would have been directed to a honeypot I have set up.

It picked this site and thread for a reason I believe... I wanted to know what others in the community thought about this particular activity.

Edited by ToJaRo - 18 September 2006 at 2:45pm]]> Mon, 18 Sep 2006 14:21:42 +0000 https://forums.webwiz.net/advice-wanted-on-suspicious-activity_topic21329_post114204.html#114204 <![CDATA[Advice wanted on suspicious activity : My apologies borg if that came...]]> https://forums.webwiz.net/advice-wanted-on-suspicious-activity_topic21329_post114202.html#114202 Author: ToJaRo
Subject: 21329
Posted: 18 September 2006 at 1:56pm

My apologies borg if that came across wrong, I should have been more clear. I was in not trying to say your software is insecure. I would not be using it if I believed it was insecure. You have done a great job in keeping the software up to date and that is why I purchased your Forum software. My intent was to see if anyone else was having this issue or seeing something weird like this on their forum from a suspect connection.

I do not have guest posting enabled and this could have potentially be a bot using a thread with a lot of pictures in it to begin a DOS attack or since it knows I have image uploads enabled it was trying to crack into that with multiple IIS exploits scanners.

You're probably correct that it is just a bot trying to post some sort of SPAM... but why it was stuck to one thread with several images was strange to say the least.

]]> Mon, 18 Sep 2006 13:56:47 +0000 https://forums.webwiz.net/advice-wanted-on-suspicious-activity_topic21329_post114202.html#114202 <![CDATA[Advice wanted on suspicious activity : Web Wiz Forums is probably the...]]> https://forums.webwiz.net/advice-wanted-on-suspicious-activity_topic21329_post114194.html#114194 Author: WebWiz-Bruce
Subject: 21329
Posted: 18 September 2006 at 9:54am

Web Wiz Forums is probably the most secure bulletin board system you can get.

Security web sites are constantly monitored for any reported exploits and any found are patched, so far all within 12 hours.

Many 100's of hours have been spent on researching hacking techniques and coding Web Wiz Forums to be as secure as it possibly can, which is why any exploits ever found have always been quite minor and always patched with a new version released within hours of any found.

If you look at your log files long enough you will always find strange things like you mention, this site has 100's everyday.

I would imagine that the problem in your case is that robot has got hold of the URL on your site and is scanning it periodically for things like email addresses to harvest or forms to auto file in to spam your site.

If you have Guest posting enabled I would imagine that the hits are from a bot trying to remote file in the post form to spam your site, however, the CAPTCHA security image that is displayed for Guest Posting will prevent this type of spam.
]]> Mon, 18 Sep 2006 09:54:36 +0000 https://forums.webwiz.net/advice-wanted-on-suspicious-activity_topic21329_post114194.html#114194 <![CDATA[Advice wanted on suspicious activity : I have had some strange behavior...]]> https://forums.webwiz.net/advice-wanted-on-suspicious-activity_topic21329_post114184.html#114184 Author: ToJaRo
Subject: 21329
Posted: 18 September 2006 at 3:39am

I have had some strange behavior occur on my site over the past 24 hours that I have watched closely.

I watch Active Users quite frequently on my site and I started to see multiple browsers with Windows XP all viewing an old topic that has several post with pictures in it. I noticed that a new 'guest' was hitting that particular thread every 1 minute. Very strange, so I watched this over the next 24 hours to see if it was just some friends that had stumbled across the site and were viewing it simultaneously. I constantly watched the netstat log on my computer and my Firewall and noticed that ALL of them were coming from two subnet ranges. 59.x.x.x, 149.135.x.x and 210.x.x.x. Most of which were coming from three particular IP's.

I then did a lookup on these IP's and all of them where from the OrgName: Asia Pacific Network Information Centre.

I then blocked these three subnets from my firewall and but I am wondering if they are looking for something in particular or if they were trying to exploit just my server or if it was a fluke incident, which I doubt. We are pretty much a localized forum and I dont think we have an international following.

As soon as I block one another appears to replace it.

I run an SQL forum on 8.04 and I have upload images enabled on my forum... any body else seeing this sorta thing? I block one IP range and a new one from the APNIC shows up looking at the same topic with multiple 'hits' to the same thread.

Edited by ToJaRo - 18 September 2006 at 2:20pm]]> Mon, 18 Sep 2006 03:39:41 +0000 https://forums.webwiz.net/advice-wanted-on-suspicious-activity_topic21329_post114184.html#114184