Web Hosting Forum | Lunarpages
Author Topic: Being hit by old SMF exploit  (Read 1028 times)
nutn2lewz
« on: January 31, 2008, 09:53:09 AM »

My subdomain forums.homepokertourney.com on my dedicated server is being hit from IPs around the
world, especially eastern Europe, and this is crashing MySQL and overloading
my server. I have an SMF forum installed and I receive thousands of these
requests in two or three minutes ...

 /index.php?action=quickmod2;topic=6634.0
 Http Code: 200 Date: Jan 30 13:06:29 Http Version: HTTP/1.0 Size in Bytes: 12299
 Referer: -
 Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

I am assured by SMF that this is an old exploit of the forum software and
has been patched. My forum is up to date and I only have problems when I
receive thousands of these hits from rotating IPs throughout the world.

Top Process %CPU 38.0 httpd [forums.homepokertourney.com] [/index.php?actionquickmod2;topic6312.20]
Top Process %CPU 21.0 httpd [forums.homepokertourney.com] [/index.php?actionquickmod2;topic150.0]
Top Process %CPU 16.0 httpd [forums.homepokertourney.com] [/index.php?actionquickmod2;topic4028.80]

Restarting MySQL and/or HTTP (Apache) always resolves the problem until I am
once again hit by numerous requests.

Here is the response from Tech Support ..

---- TECH RESPONSE STARTS HERE ----
Hello,

First of all I advise you to update your SMF scripts. We will also optimize the MySQL database for a $35 one-time fee. In order to do so, we will need to verify account ownership with the last 4 digits of your cc. If you have any questions, please don't hesitate to ask us, we will be happy to answer them. Please feel free to contact us for further help. We are committed to making your hosting experiences pleasant and fulfilling.

Thank you for contacting lunar pages support team.
----

With all due respect to the 30 seconds that Tech Support spent on my problem ... I do not think that optimizing my database will solve the problem. My SMF forum scripts are all up to date. Any help would be appreciated.

Thanks, Barry
Logged
Mitch
Lunarpages Traffic Cop
Senior Moderator
« Reply #1 on: January 31, 2008, 10:06:46 AM »

Well, for direct help on this server side issue, I would still recommend talking with support. Tell them exactly the same thing you told us and I am sure they will review your comments and reconsider the direction if needed. What version of SMF are you running?
Logged

nutn2lewz
« Reply #2 on: February 01, 2008, 09:55:08 AM »

I am running the latest (1.14) version of SMF. All my files are up to date.

I'm not sure what you mean by suggesting that I talk with support - I sent them the message that I posted below and their suggestions were to update my SMF scripts (they are all up to date) and that LP could optimize my database for $35. Should I try emailing again?

Thanks, Barry
Logged
white_hacker
« Reply #3 on: February 03, 2008, 10:33:06 PM »

I did a very fast search through my hacking & security related websites. I came across one entry for cross-site scripting vulnerabilities involving SMF version 1.14, with no listed fixes or solutions yet. The trouble, especially with scripts, is that as soon as they're patched there are always new ones circulating in the hacker community. Your tech reply is typical for updating & support; they give very little help when it comes to scripting. It may be worth replying to ask how they feel optimizing the database will help, and also exactly what they'll do to optimize it. At least initially, if you notice the IP addresses show any type of pattern, you can keep adding them to the ban list. Without further investigation & doing IP tracing, which can be tricky and time consuming to do well, it's tough to give any real solution without knowing more details. Since you're paying for dedicated, I would keep after support for better assistance, especially if it's stuffing up resources enough to cause SQL to hang & crash your server.
Logged
Toon_Dawg
« Reply #4 on: February 07, 2008, 02:26:14 PM »

Ban their IP range if possible to see if that helps.
Logged
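
An added example, not part of any post in this thread: one way to check whether the `action=quickmod2` hits cluster into bannable ranges, as the replies suggest, is to count them per source IP and per /24. It assumes raw Apache combined-format access logs and IPv4 clients; the function names and the sample lines (documentation-range IPs) are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_network

UA = '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"'
REF = '"http://forums.example.test/index.php"'  # constructed referer
# Constructed sample in Apache combined log format (an assumption; the thread
# only shows a control-panel summary). IPs come from documentation ranges.
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [30/Jan/2008:13:06:29 -0800] "GET /index.php?action=quickmod2;topic=6634.0 HTTP/1.0" 200 12299 "-" {UA}',
    f'192.0.2.77 - - [30/Jan/2008:13:06:29 -0800] "GET /index.php?action=quickmod2;topic=6312.20 HTTP/1.0" 200 12299 "-" {UA}',
    f'192.0.2.10 - - [30/Jan/2008:13:06:30 -0800] "GET /index.php?action=quickmod2;topic=150.0 HTTP/1.0" 200 12299 "-" {UA}',
    f'198.51.100.5 - - [30/Jan/2008:13:06:30 -0800] "GET /index.php?action=quickmod2;topic=4028.80 HTTP/1.0" 200 12299 "-" {UA}',
    f'203.0.113.9 - - [30/Jan/2008:13:06:31 -0800] "GET /index.php?topic=150.0 HTTP/1.1" 200 20480 {REF} {UA}',
    f'203.0.113.9 - - [30/Jan/2008:13:06:40 -0800] "POST /index.php?action=quickmod2;topic=150.0 HTTP/1.1" 302 0 {REF} {UA}',
])

# ip, ident, user, [time], "METHOD url proto", status, size, "referer"
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"'
)

def quickmod2_hits(log_text):
    """Yield the source IP of each quickmod2 request sent with no Referer,
    the shape of the requests quoted in the first post."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, url, _status, referer = m.groups()
        if "action=quickmod2" in url and referer == "-":
            yield ip

def summarize(log_text, prefix=24, min_hits=2):
    """Return (hits per IP, hits per /prefix network with >= min_hits)."""
    per_ip = Counter(quickmod2_hits(log_text))
    per_net = Counter()
    for ip, n in per_ip.items():
        per_net[str(ip_network(f"{ip}/{prefix}", strict=False))] += n
    ranges = {net: n for net, n in per_net.items() if n >= min_hits}
    return per_ip, ranges

if __name__ == "__main__":
    per_ip, ranges = summarize(SAMPLE_LOG)
    print("per IP:", per_ip.most_common())
    print("candidate ranges:", ranges)
```

If most hits fall into a handful of networks, a range ban is practical; if every network shows only one or two hits, the sources are too scattered for IP bans to hold.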
