security attack finally was stopped

I kept getting this info a couple of hundred times within an hour. After I checked with whois and blocked the remote IP address, attack attempts stopped.

Also, IP blocking doesn't work in admin; actually it's a calendar issue again and the date can't be set. It shows "error occurred" after trying to save the date.

I had to block it in cPanel.

Better watch out for this IP range, which belongs to a hosting company located in Texas.

The IP in question is also mentioned by http://www.projecthoneypot.org/ip_74.53.3.132, which successfully chases down spammers.

To track harvesters and other malicious robots visiting your own website, sign up with Project Honey Pot today. It's fast, free, easy, and one of the ways you can help make the Internet a better, safer place.

Is there a way we can implement the code from projecthoneypot?

Total impact: 36
Affected tags: xss, csrf, id, rfe, sqli, lfi

Variable: REQUEST.CFGLOBALS | Value: urltoken=CFID#=3548901&CFTOKEN#=c13c2e61784f8de-651F72E6-F2D6-72E4-516A6DFF96A23908&jsessionid#=6e307f32aed41b75522c#lastvisit={ts \'2009-12-06 13:01:46\'}#timecreated={ts \'2009-12-06 12:54:46\'}#hitcount=16#cftoken=c13c2e61784f8de-651F72E6-F2D6-72E4-516A6DFF96A23908#cfid=3548901#
Impact: 18 | Tags: xss, csrf, id, rfe, sqli, lfi
Description: Detects JavaScript location/document property access and window access obfuscation | Tags: xss, csrf | ID: 23
Description: Detects common XSS concatenation patterns 2/2 | Tags: xss, csrf, id, rfe | ID: 31
Description: Detects common comment types | Tags: xss, csrf, id | ID: 35
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43

Variable: COOKIE.CFGLOBALS | Value: urltoken=CFID#=3548901&CFTOKEN#=c13c2e61784f8de-651F72E6-F2D6-72E4-516A6DFF96A23908&jsessionid#=6e307f32aed41b75522c#lastvisit={ts \'2009-12-06 13:01:46\'}#timecreated={ts \'2009-12-06 12:54:46\'}#hitcount=16#cftoken=c13c2e61784f8de-651F72E6-F2D6-72E4-516A6DFF96A23908#cfid=3548901#
Impact: 18 | Tags: xss, csrf, id, rfe, sqli, lfi
Description: Detects JavaScript location/document property access and window access obfuscation | Tags: xss, csrf | ID: 23
Description: Detects common XSS concatenation patterns 2/2 | Tags: xss, csrf, id, rfe | ID: 31
Description: Detects common comment types | Tags: xss, csrf, id | ID: 35
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43
Centrifuge detection data  Threshold: 3.49  Ratio: 3.2307692307692

REMOTE_ADDR: 74.53.3.132
HTTP_X_FORWARDED_FOR:
HTTP_CLIENT_IP:
SCRIPT_FILENAME: /home/xxxxxco/public_html/xxxx.com/index.php
QUERY_STRING: bx_photos_mode=top&tags_mode=bx_store&albumType=bx_photos&page={page}&per_page={per_page}
REQUEST_URI: /index.php?bx_photos_mode=top&tags_mode=bx_store&albumType=bx_photos&page={page}&per_page={per_page}
QUERY_STRING: bx_photos_mode=top&tags_mode=bx_store&albumType=bx_photos&page={page}&per_page={per_page}
SCRIPT_NAME: /index.php
PHP_SELF: /index.php

Quote · 6 Dec 2009
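The report above is the kind of PHPIDS alert mail the poster received a couple of hundred times an hour from one address. The following Python is an added example, not code from the forum, Dolphin or PHPIDS: it parses that report layout into structured fields (total impact, the variables that tripped rules, rule IDs, REMOTE_ADDR) and then counts high-impact alerts per source address in a sliding one-hour window, so a source that floods the IDS is surfaced as a block candidate instead of being found by hand. The sample alert texts are constructed and shortened; the thresholds (100 hits per hour, impact 10) are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alert, mirroring the layout of the PHPIDS report quoted in
# the thread (Value strings shortened; the source address is the one named there).
HIGH_IMPACT_ALERT = """Total impact: 36
Affected tags: xss, csrf, id, rfe, sqli, lfi

Variable: REQUEST.CFGLOBALS | Value: urltoken=CFID#=3548901&CFTOKEN#=...#hitcount=16#
Impact: 18 | Tags: xss, csrf, id, rfe, sqli, lfi
Description: Detects JavaScript location/document property access and window access obfuscation | Tags: xss, csrf | ID: 23
Description: Detects common comment types | Tags: xss, csrf, id | ID: 35

Variable: COOKIE.CFGLOBALS | Value: urltoken=CFID#=3548901&CFTOKEN#=...#hitcount=16#
Impact: 18 | Tags: xss, csrf, id, rfe, sqli, lfi
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43

REMOTE_ADDR: 74.53.3.132
REQUEST_URI: /index.php?bx_photos_mode=top
"""

# Constructed low-impact alert from an unrelated (documentation-range) address.
LOW_IMPACT_ALERT = """Total impact: 3
Affected tags: id

Variable: GET.page | Value: {page}
Impact: 3 | Tags: id
Description: Detects common comment types | Tags: xss, csrf, id | ID: 35

REMOTE_ADDR: 203.0.113.9
REQUEST_URI: /index.php?page={page}
"""

TOTAL_RE = re.compile(r"^Total impact:\s*(\d+)", re.M)
VAR_RE = re.compile(r"^Variable:\s*(\S+)\s*\|\s*Value:", re.M)
RULE_RE = re.compile(r"^Description:\s*(.*?)\s*\|\s*Tags:\s*(.*?)\s*\|\s*ID:\s*(\d+)\s*$", re.M)
ADDR_RE = re.compile(r"^REMOTE_ADDR:\s*(\S+)", re.M)


def parse_alert(text):
    """Turn one PHPIDS-style report into a dict of the fields worth correlating on."""
    total = TOTAL_RE.search(text)
    addr = ADDR_RE.search(text)
    return {
        "total_impact": int(total.group(1)) if total else 0,
        "remote_addr": addr.group(1) if addr else None,
        "variables": [m.group(1) for m in VAR_RE.finditer(text)],
        "rule_ids": sorted({int(m.group(3)) for m in RULE_RE.finditer(text)}),
    }


def peak_hits_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_sources(stream, window=timedelta(hours=1), min_hits=100, min_impact=10):
    """Return {ip: peak hits} for sources whose high-impact alerts exceed the rate threshold.

    `stream` yields (timestamp, raw alert text). Low-impact reports are ignored so
    that a noisy but harmless client does not trip the rule.
    """
    by_ip = defaultdict(list)
    for when, raw in stream:
        alert = parse_alert(raw)
        if alert["remote_addr"] and alert["total_impact"] >= min_impact:
            by_ip[alert["remote_addr"]].append(when)
    flagged = {}
    for ip, times in by_ip.items():
        peak = peak_hits_in_window(times, window)
        if peak >= min_hits:
            flagged[ip] = peak
    return flagged


def build_sample_stream():
    """Constructed traffic: 200 high-impact hits in about 50 minutes from one
    address, plus three spread-out low-impact hits from another."""
    t0 = datetime(2009, 12, 6, 12, 0)
    stream = [(t0 + timedelta(seconds=15 * i), HIGH_IMPACT_ALERT) for i in range(200)]
    stream += [(t0 + timedelta(hours=2 * i), LOW_IMPACT_ALERT) for i in range(3)]
    return stream


if __name__ == "__main__":
    for ip, peak in flag_sources(build_sample_stream()).items():
        print(f"{ip}: {peak} high-impact alerts within one hour, candidate for blocking")
```

Run it as a script to see the flagged source; in practice you would feed it the alert mails (or the PHPIDS log) as they arrive. Filtering on total impact matters because rule 35 ("common comment types") also fires on harmless input, so counting every alert would flag ordinary visitors.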

Since my ISP is also located in Texas, I did an IP lookup, and found it to be a company called "Theplanet".  It seems to be a pretty big shared server company.  If you block them, you might block traffic you want as well.  Maybe it would be worth the time to drop them a quick note to their complaint email: abuse@theplanet.com.  They say they investigate everything.

Rob

Quote · 6 Dec 2009

I dropped them a mail and additionally installed projecthoneypot on my site. I still have to link from various folders/files to the tracker. Let's see how that works out.

Due to the Project Honey Pot report I found out that it must be coming from this site, which is at the IP mentioned above: Linksmanager.com is hosted on a dedicated server.

LOL, not even one hour has passed and Google has indexed this thread already. I found it when I searched for the IP address.

Quote · 6 Dec 2009

@ elc...

It would be a big help if you told us what the user agent from the offending IP was.

My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 6 Dec 2009

Houston..., the user agent shows as unknown. I will get more info in the coming days, hopefully.

Nevertheless, it came from that particular dedicated IP address. It all stopped after I blocked this one.

I suspect a black-hat seo plus some other illegal activities.

I really encourage everybody to join Project Honey Pot. It will help everyone. Their scripts lay out some traps and follow their activities until enough evidence is gathered, then hand it over to law enforcement. Have a look at their services. I'm glad to see a service like this around. I remember I installed their script a year ago on another site and have never had any problems since then.

Read their stats they have gathered.

Quote · 7 Dec 2009

Just when I thought it was stopped!!!

Guess what it has started again. :(

I have the same problem as you, and resorted to blocking the IPs in the CP on the server. It stopped for 1 day. They are now back with a vengeance.

Where the suspected attack was previously from 89.149.242.25, then 113, then 191 repeatedly, this has now changed and the address that shows now is different on every email.

BTW the host company was thought by Honey Pot to be in Germany !? A ticket has been put forward as urgent regarding the inability to block from the tool box in admin, but I for one don't want to be blocking IP addresses every day. I hope that the techies find an answer to this. I am considering having to pull the site until they do.

I don't want the site banned by the hosting company because I am being spammed over 1000 emails a day!!!

Any help would be great.

Regards

Belinda

Quote · 7 Dec 2009

Belinda,

You may block the whole IP range. Report it to the host and try it again after a week or so. Check it with whois.sc and look up the IP range.

In my case the hosting company is investigating the issue; they take it seriously, but they won't let me know any details. That was their reply.

Regards

Arnie

Quote · 15 Dec 2009
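Arnie's advice is to block the whole range, report it to the host, and try again after a week. The Python below is an added example (not the forum's, Dolphin's or cPanel's code) of doing that deliberately: a range block that carries a reason and expires after seven days, so a host-wide block is reviewed rather than forgotten, since a shared hoster's range also carries visitors you want (Rob's point above). The 74.53.0.0/16 network is an assumed example range for the "74.53.xxx" addresses in the thread, not a whois result; the rendering as Apache 2.2 `deny from` directives is the .htaccess form an IP-deny tool typically writes, and is shown for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

BLOCK_TTL = timedelta(days=7)          # "try it again after a week or so"
T0 = datetime(2009, 12, 7)             # constructed reference time for the example


def days_later(n):
    """Helper for the example: T0 plus n days."""
    return T0 + timedelta(days=n)


class TemporaryRangeBlock:
    """Block whole ranges for a limited time so a host-wide block is revisited,
    not left in place forever (a shared hoster's range carries legitimate visitors)."""

    def __init__(self, ttl=BLOCK_TTL):
        self.ttl = ttl
        self.entries = []  # (network, added_at, reason)

    def add(self, cidr, added_at, reason):
        # strict=False accepts a host address inside the range as well as the network address
        self.entries.append((ipaddress.ip_network(cidr, strict=False), added_at, reason))

    def active(self, now):
        """Entries whose TTL has not yet run out."""
        return [e for e in self.entries if now - e[1] < self.ttl]

    def expired(self, now):
        """Entries due for review: remove them or re-add with a fresh reason."""
        return [e for e in self.entries if now - e[1] >= self.ttl]

    def check(self, ip, now):
        """(blocked?, reason) for a client address at time `now`."""
        addr = ipaddress.ip_address(ip)
        for net, _added, reason in self.active(now):
            if addr in net:
                return True, reason
        return False, None

    def htaccess_lines(self, now):
        """Render the active entries as Apache 2.2 mod_access directives
        (assumed .htaccess form; allow everything except the listed ranges)."""
        lines = ["order allow,deny"]
        for net, added, reason in self.active(now):
            lines.append(f"# {reason} (added {added:%Y-%m-%d})")
            lines.append(f"deny from {net.with_prefixlen}")
        lines.append("allow from all")
        return lines


def build_example():
    """Constructed block list: the assumed /16 for the addresses in the thread."""
    block = TemporaryRangeBlock()
    block.add("74.53.0.0/16", T0, "repeated IDS alerts, reported to host abuse desk")
    return block


if __name__ == "__main__":
    block = build_example()
    for day in (1, 8):
        print(f"day {day}: 74.53.3.132 blocked? {block.check('74.53.3.132', days_later(day))}")
    print("\n".join(block.htaccess_lines(days_later(1))))
```

After the TTL, `expired()` lists what should be re-examined; if the host's abuse desk has acted, the entry is simply dropped, otherwise it is re-added with a new date and reason so the history of the decision stays with the rule.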

Hence the first post with the IP, and compare it with the IP starting 74.53.xxx here --- the same host.

KUDOS TO BOONEX AND THE SECURITY SCRIPT DEVELOPERS

On Wednesday, December 9, 2009 at 06:20 (GMT) Project Honey Pot received its billionth email spam message. The message, a picture of which is displayed below, was a United States Internal Revenue Service (IRS) phishing scam. The spam email was sent by a bot running on a compromised machine in India (122.167.68.1). The spamtrap address to which the message was sent was originally harvested on November 4, 2007 by a particularly nasty harvester (74.53.249.34) that is responsible for 53,022,293 other spam messages that have been received by Project Honey Pot.

http://www.projecthoneypot.org/1_billionth_spam_message_stats.php

Quote · 15 Dec 2009