k, my paysite security is breached, need help! $$
k, I have proxypass installed, have SQL Auth/htaccess and for over 6 months I have never had a pass shared, traffic to my member section is always where it should be, no spikes on the leased feeds, over the last couple days traffic has skyrocketed, can't find my site listed on password sharing sites, and even if it was proxypass woulda shut em down.
So I'm thinking I'm dealing with someone who is spoofing something to get in and send all his surfers through, but I'm not technical enough to figure it out, host is clueless and I'm eating 12x the normal bandwidth I should be. Can someone gimme a clue, point me in the right direction, anything? |
Can't you see which IP(s) is(are) causing the spike? Can't you then associate that with a customer's account?
|
Quote:
|
But a jerk with a website could be running a proxy, logging in through the proxy, and umpteen users could be going through his website, through his proxy, and into your members area. It would only show the IP of the proxy. That's why I ask if there's any particular IP producing a lot of the activity. Can you check your logs?
|
Try putting a limit on bandwidth per IP address until you detect the offender. Set it high at first then start ratcheting it down and you should find him.
Other people more technical than I am should have other solutions too (so bump for that). Surprised that your ISP can't help more... Good luck, ADG Webmaster |
hmmm.. I can't tell, I have access to apache server status, it all looks like normal http traffic
|
Quote:
|
Can you see in your stats the referring URL?
|
|
I guess your system admin should look into your log files
|
Quote:
|
I added you to ICQ. I think I know what your problem is. I ran into this same problem about a year ago with a customer of mine.
Get in touch with me ASAP, because it'll get worse if you don't deal with it trust me. Once someone finds out it works, it'll spread like crazy. |
Not sure if you were looking for suggestions for other software but I really like Strongboxxx.
|
if you have a managed server then I would switch, because if a host can't figure something like this out it's kind of fucked up and they are probably just some reseller without expertise in actual server administration
|
Quote:
|
they are friends of mine, so I'm not naming names.
|
how do you know your "security is breached"?
there are other ways to make your bandwidth go up, one is someone could be hotlinking your images, they could be hotlinking a single large file in an attempt to screw with you. lots of reasons for this, check your log analyzer... you do have a log analyzer program, correct? |
Quote:
or the host simply doesn't care or have the time |
Quote:
Also I see the traffic going to my leased plugins, so they are in there surfing, not hotlinking, hotlinks woulda showed up easy |
Most likely getting spoofed, what is the site that is being exploited?
|
you would think this would show up easy as well...
what log analyzer are you using? wusage? Quote:
|
Quote:
www.RevengeTV.com I got bandwidth download limits on (thanks PHP-CODER-FOR-HIRE), doesn't catch it, IP traps, nothing, I'm done for the night, 5am here.. but I need some more help.. this is a good one. |
Quote:
http://www.ya-moon.com/start.asp it's Japanese, but the word "revenge" shows up, but when you click anything you get some sort of message, which I assume is a "you must login" message, so I have no clue. :disgust |
Quote:
|
You may want to remove the empty login & password from your passlist... I can just log right in with nothing -> thus why it's not showing in proxypass I bet.
|
I tried to login with nothing.. can't get in though
|
Quote:
gleem, feel free to hit me up on icq when you get back 157717888 |
bump for help
|
nice site you have there, hope someone can help you out
|
Quote:
|
Quote:
And yes the company I'm flying the sig for, it's one of them being run by hardcore sysadmins which over the years dealt with sites like ogrish, score-cash, webcams, spookycash, ebaumsworld and the list could go on. I'm also sure that companies like national-net, techiemedia, etc... know their shit as well. So your generalization, it's a bit biased. |
Quote:
Anyway, which paysites does the company you're supporting currently host? I'd like to check something for you and educate you. |
what type of firewall are you running? if it's anything decent like pf, then ask your host to look into the packet filter logs to see where the bandwidth is going.
Also get ntop installed asap - that'll tell you where all the traffic is going. If you need further help, hit me up on icq |
Quote:
|
sorry - forgot to include a link: nTOP
|
Quote:
|
Parse the server logs and install additional logging, so you can track down the offending user.
|
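An added example, not part of any post in this thread: a minimal pass over an Apache combined-format access log that totals bytes per client IP, per authenticated user and per referring host, which is the per-IP, per-account and referrer check the replies above ask for. The log lines, user names and hostnames are constructed, and the regex assumes the standard combined LogFormat.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined format: host ident authuser [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample: two ordinary members and one account relayed through a single IP.
SAMPLE_LOG = """\
198.51.100.10 - alice [10/Oct/2005:13:55:36 -0700] "GET /members/clip1.wmv HTTP/1.1" 200 5000 "http://paysite.example/members/" "Mozilla/4.0"
198.51.100.20 - bob [10/Oct/2005:13:56:01 -0700] "GET /members/clip2.wmv HTTP/1.1" 200 7000 "http://paysite.example/members/" "Mozilla/4.0"
203.0.113.5 - carol [10/Oct/2005:13:56:10 -0700] "GET /members/clip1.wmv HTTP/1.1" 200 40000 "http://portal.example/start.asp" "Mozilla/4.0"
203.0.113.5 - carol [10/Oct/2005:13:56:12 -0700] "GET /members/clip3.wmv HTTP/1.1" 200 60000 "http://portal.example/start.asp" "Mozilla/4.0"
203.0.113.5 - carol [10/Oct/2005:13:56:15 -0700] "GET /members/clip4.wmv HTTP/1.1" 200 50000 "http://portal.example/start.asp" "Mozilla/4.0"
this line is malformed and must be skipped
"""

def summarize(lines):
    """Total response bytes per IP, per auth user and per referer host."""
    by_ip, by_user, by_ref = defaultdict(int), defaultdict(int), defaultdict(int)
    user_ips = defaultdict(set)  # which client IPs each account was seen from
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse instead of guessing
        size = 0 if m["size"] == "-" else int(m["size"])
        by_ip[m["ip"]] += size
        by_user[m["user"]] += size
        user_ips[m["user"]].add(m["ip"])
        # A referer of "-" (none sent) has no hostname and is counted under "-".
        by_ref[urlsplit(m["referer"]).hostname or "-"] += size
    return by_ip, by_user, by_ref, user_ips

def top(counter, n=3):
    """Largest consumers first."""
    return sorted(counter.items(), key=lambda kv: kv[1], reverse=True)[:n]

if __name__ == "__main__":
    by_ip, by_user, by_ref, user_ips = summarize(SAMPLE_LOG.splitlines())
    for label, table in (("IP", by_ip), ("user", by_user), ("referer", by_ref)):
        print(label, top(table))
    print({u: sorted(ips) for u, ips in user_ips.items()})
```

On a real server, pass the open access log file to `summarize()` instead of the sample; one account and one IP carrying most of the bytes with an off-site referer matches the proxy scenario described earlier in the thread.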
well it sounds like you're just being spoofed via one of the leased plugins - how any plugin companies are still using referer method is beyond me.
are you seeing a spike in the numbers of your own files in the members area being downloaded? if not then no doubt it's just simple spoofing to get into the plugins. which company leases these feeds http://www.revengetv.com/chop1/index2.php ? |