Hi,

I wonder if someone can advise.

My website has been working great ever since I first launched it.

I made a script months ago to notify me of errors like 404, 500 and so on, and it works perfectly.

Two days ago someone accessed my website and they kept trying to access the same link constantly. This link is to download a file and is available to members only, and if I or anyone else access it we never get errors; I also never get any errors sent to me via email or in my cPanel error log file. The error log in my cPanel and the error I get via email show the same IP, and it only ever happens to this particular IP. This went on for several hours so I banned the IP.

I unbanned the IP that night and it stopped, but today the same IP, apart from the last three digits being different, must be doing something, as I am having the errors again.

I am getting dozens of emails every few minutes.

Another thing: I did a search on my members and noticed two accounts, one of which was registered today; both have the same IP apart from the last 3 digits. The first account I suspended two days ago until they contact me, but the same IP apart from the last 3 digits was logged when someone was registering today. Suspiciously, they have the same first name, and the username is similar to the last account I suspended.

So I am wondering if someone can tell me what you think this person might be trying to do, maybe hack my site or something, although I don't think they are. But the error only happens to this particular IP.

What is confusing me is that I only get this error from those two IP addresses below.

My error log shows as:

mydomain.co.uk [Wed Mar 24 12:23:39 2010] [error] [client 117.98.175.138] Premature end of script headers: download.php, referer: http://www.mydomain.co.uk/download/extension.php

The error I get from the script I made months ago shows:

There was a 500 Not Found error on the www.genieuk.co.cc domain

Details
----------------------------------------------------------------------
When: Wed Mar 24 2010 12:17:59 pm UTC
(Who) IP Address: 117.98.175.138
(What) Tried to Access: http://www.mydomain.co.uk/download/downloads/download.php?filename=iextension.zip
(From where) HTTP Referer: http://www.mydomain.co.uk/download/extension.php

User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

I did some research and both IPs come up on the blacklist.

117.98.175.138
ISP: Bharti Broadband
Organization: BCL West
Country: India
State/Region: Maharashtra
City: Mumbai
Latitude: 18.975
Longitude: 72.8258

117.98.76.147
ISP: Bharti Broadband
Organization: BCL West
Country: India
State/Region: Maharashtra
City: Mumbai
Latitude: 18.975
Longitude: 72.8258

Both IPs are said to be coming from India, Mumbai.

Anyone any suggestions? I am completely baffled.

Thanks
GUK

All 3 Replies

Is the download freely available to registered members, and registration is free - i.e. it's not a file that requires payment?

Assuming it's freely available...

The only hacking effort I can think of is a rather weak DoS attack, asking your server to download a potentially huge file repeatedly. I would only suspect malicious intent if the timestamps on the errors indicate some type of automated process.

Could it be that the user can't complete the download on his end, so is just repeating the process? If I were in your shoes, I might put a trap page for the IP range 117.98, and push them to a temporary page that recommends they send an email if they're having difficulty with the download.
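The timestamp check suggested in the reply above, as an added example that is not part of the original thread: it parses error-log lines in the format quoted in the question, groups clients by their first two octets (as the reply does with 117.98), and reports whether the gaps between errors are regular enough to suggest a script or irregular enough to look like a person retrying. The sample lines, the documentation-range addresses and the `max_cv` / `min_gaps` thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in the thread's log format; addresses are documentation ranges.
SAMPLE_LOG = """\
mydomain.co.uk [Wed Mar 24 12:17:59 2010] [error] [client 198.51.100.138] Premature end of script headers: download.php
mydomain.co.uk [Wed Mar 24 12:18:29 2010] [error] [client 198.51.100.138] Premature end of script headers: download.php
mydomain.co.uk [Wed Mar 24 12:18:59 2010] [error] [client 198.51.100.47] Premature end of script headers: download.php
mydomain.co.uk [Wed Mar 24 12:19:29 2010] [error] [client 198.51.100.47] Premature end of script headers: download.php
mydomain.co.uk [Wed Mar 24 12:00:00 2010] [error] [client 203.0.113.9] Premature end of script headers: download.php
mydomain.co.uk [Wed Mar 24 12:00:47 2010] [error] [client 203.0.113.9] Premature end of script headers: download.php
mydomain.co.uk [Wed Mar 24 12:03:10 2010] [error] [client 203.0.113.9] Premature end of script headers: download.php
mydomain.co.uk [Wed Mar 24 12:09:02 2010] [error] [client 203.0.113.9] Premature end of script headers: download.php
mydomain.co.uk [Wed Mar 24 12:30:00 2010] [error] [client 192.0.2.7] Premature end of script headers: download.php
"""

LINE_RE = re.compile(
    r"\[(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4})\] \[error\] "
    r"\[client (?P<ip>\d+(?:\.\d+){3})\]")

def parse(log_text):
    """Yield (timestamp, client_ip) for every error line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["ip"]

def classify(log_text, octets=2, min_gaps=3, max_cv=0.25):
    """Group errors by address prefix; a low spread of gaps means machine-like timing."""
    groups = defaultdict(list)
    for ts, ip in parse(log_text):
        groups[".".join(ip.split(".")[:octets])].append(ts)
    report = {}
    for prefix, stamps in groups.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < min_gaps:
            verdict, avg, cv = "too few events", None, None
        else:
            avg = mean(gaps)
            cv = pstdev(gaps) / avg if avg else 0.0  # coefficient of variation
            verdict = "regular" if cv <= max_cv else "irregular"
        report[prefix] = {"count": len(stamps), "mean_gap": avg, "cv": cv, "verdict": verdict}
    return report

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

A "regular" verdict only says the timing is machine-like; a download manager or browser add-on retrying on a fixed interval looks the same as a deliberate script.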

Hi,

Thanks for your reply.

Registration is free and so is the download; my entire website is free.

The file is only a few KB in size.

I will take your suggestion about the trap page on board; it sounds like a good idea. I will take a look around to see how I could implement something like this.

Myself and everyone else have no problems accessing the file and page, and I only get errors in the error log and receive emails from those two IPs.

Thanks
GUK

Just an update,

I used some code I found online to set up a redirect in .htaccess.

So what happens now is that a user with that IP will be redirected to a secret/hidden non-indexed page telling them to contact me, as I believe they may be having problems with the site etc. I kept it polite in case they are genuine. I also set up the page they are redirected to so that if the IP does not match the redirected one that is having problems, it redirects to the homepage.

So far so good :)

So thanks for your help.

Thanks
GUK
