Welcome to WebmasterWorld Guest from 54.161.201.189

Forum Moderators: Ocean10000 & incrediBILL & phranque

CHINANET Beijing Province Network hammering my site!

They eat 403s but keeping coming like a mad-dog!

   
10:24 pm on Feb 25, 2012 (gmt 0)

10+ Year Member



Hi,
Log files for just 1 day, various times.

Why do they keep coming?
Cyberwar?
Hold the course?
Thanks,
E

1.202.218.8 - - [25/Feb/2012:02:29:22 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:03:16:23 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:04:44:25 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:05:33:05 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:06:30:51 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:08:19:41 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:08:53:46 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:10:11:50 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:12:04:56 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:12:14:55 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
11:36 pm on Feb 27, 2012 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Sure! what's your number? I'm in the mood


"hold the line and I'll get back to you"
OR null


Get the drift mow!
12:09 am on Feb 28, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



erlandc, as a last resort, setup a single html page on your website NOT linked to any other pages and with NO links on it, just an orphan.
Fill the page with any text that you can find on the net putting CN in a bad light.
Redirect all visits of this bot to that page.
They won't like it and most likely go away.
12:11 am on Feb 28, 2012 (gmt 0)

10+ Year Member



mow?
12:35 am on Feb 28, 2012 (gmt 0)

10+ Year Member



Thanks alot Staffa! will do!
1:50 am on Feb 28, 2012 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



Who's Annie?

That would be me.

Didn't know that myself until a few days ago. Always pictured more of an Agatha. Or Clytemnestra, or possibly Xanthippe. What was the character's name in Young Frankenstein who always made the horses whinny in terror?

* * *

Whoops! Didn't see the Next Page link hiding among all those Tweets and Likes and +1 buttons.

For some reason I've never got especially riled about Chinese robots. I just lock them out, end of story. For a while I was absolutely enraged by the Ukrainians, but I guess you develop tolerance. Or maybe they developed inverse tolerance, so they no longer come by in batches of 15. Just 6, and only once or twice a day.

Now, hotlinkers...
2:08 am on Feb 28, 2012 (gmt 0)

10+ Year Member



ah, Ukrainians, blocked them out too. S'pose I'll just let them eat 403s. don't want to waste time like someone said here. will attempt to re-direct them with the stuff you said. maybe I'll test it on myself 1st. ho-hum
5:22 am on Feb 28, 2012 (gmt 0)

10+ Year Member



Whew! Anyone?

does this look right?

Options +FollowSymlinks
RewriteEngine on
RewriteCond %{REMOTE_HOST} 1\.202\.218\.8
RewriteRule \.php$

thanks
6:34 am on Feb 28, 2012 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



So far so good. What happens after they ask for .php files?
12:56 pm on Feb 28, 2012 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



Wait. There's more. [webmasterworld.com...]
7:19 pm on Feb 28, 2012 (gmt 0)

10+ Year Member



I tested this on myself:

RewriteCond %{REMOTE_HOST} 70\.83\.210\.151
RewriteRule \.php$ [siteisentthemto.com...] [R=301,L]

didn't work...

thanks for your time
11:26 pm on Feb 28, 2012 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



You mean you went to your own site in your own name-- er, I mean from your own IP-- asked for something ending in .php and you didn't get redirected?

###. What happened instead?

That's assuming for the sake of discussion that you have a fixed IP. Mine changes at random intervals-- most recently yesterday when the power was out for many hours. (Planned and pre-announced repairs, but try explaining why the fish are in the dark, the rat cage is cold and the cats' fountains don't work :()
11:42 pm on Feb 28, 2012 (gmt 0)

10+ Year Member



yes, I went to my site, grabbed my IP, put it in htaccess, nada, was able to view my site, didn't get re-directed.
numb
1:15 am on Feb 29, 2012 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



And you're in your logs as a perfectly normal 200?

Does other stuff in htaccess work? This is probably not the time to find out that the server has override permissions turned off (AllowOverride None) so you can't do anything with htaccess anyway :( Luckily this is a wildly unlikely explanation because Apache Docs seem to say that if you try to do something you're not allowed to do, you get walloped with a 500-class error. You'd have noticed.

More likely there's something else intercepting your request before you get as far as the attempted lockout. Put it right at the top of your Rewrites. That's where it ought to go anyway: normally you'd list directives in order of seriousness, from [F] to [G] to [R=301] to internal rewrites.

And, ahem, did you clear your browser cache (or preferably use a different browser than usual) and refresh the page? Everyone gets bitten by that one sooner or later.
1:33 am on Feb 29, 2012 (gmt 0)

10+ Year Member



yes, showed 200, and some 304s, and no, I didn't use a different browser, or did a refresh.
as I said in revisited, I'm not an expert at this. I'll try decipher what you wrote.
that IP is all over the web now, smashing. this is why I wanna send off to a site that'll blow their little minds.
can't seem to find this directive anywhere, and what I did find, it didn't work. did you see "revisited'?
thanks
3:45 am on Mar 10, 2012 (gmt 0)

10+ Year Member



I did it! Whew! Did a test on my IP & it worked. Thanks for your time ya'll!

Now that site can go to h e l l !

Options +FollowSymlinks
RewriteEngine on
RewriteBase /
RewriteCond %{REMOTE_HOST} 1.202.218.8
RewriteRule .* [churchofsatan.com...] [R=301,L]
3:50 am on Mar 10, 2012 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



so what happens when they simply change to 1.202.218.9 or one of the their other ranges?

Denying to the precise Class D is a bad practice.
4:06 am on Mar 10, 2012 (gmt 0)

10+ Year Member



not sure what Class D is, as I said, I'm no expert at this. Bad practice? me? who me? they're the bad guys if you think it's me.

I think I messed up. I took off my IP & added theirs, now when I come to my site, I get re-directed to satan's site as well. back to the drawing bored

I'll block the whole range, I hope.
RewriteCond %{REMOTE_HOST} 1.0.0.0/8
Not sure if it'll work, but I'm here to learn
4:22 am on Mar 10, 2012 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



1.202.218.8

Class A 1.
Class B 202.
Class C 218.
Class D 8

Just change this portion
RewriteCond %{REMOTE_HOST} 1.0.0.0/8

to
RewriteCond %{REMOTE_HOST} ^1.
4:32 am on Mar 10, 2012 (gmt 0)

10+ Year Member



thanks alot, done. but now I still go to the re-direct site when I go to my site.

RewriteCond %{REMOTE_HOST} ^1.
RewriteCond %{REQUEST_URI} /www.mysite.com$
RewriteRule .* [churchofsatan.com...] [R=301,L]

has it got something to do with the 301?
4:38 am on Mar 10, 2012 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



wtf is this?
RewriteCond %{REQUEST_URI} /www.mysite.com$

at 10:45 PM EST you submitted the following as functioning:
Options +FollowSymlinks
RewriteEngine on
RewriteBase /
RewriteCond %{REMOTE_HOST} 1.202.218.8
RewriteRule .* [churchofsatan.com...] [R=301,L]


no such line existed in that code?

BTW use of example.com prevents links, however I'm quite sure you've been told that previously.
4:46 am on Mar 10, 2012 (gmt 0)

10+ Year Member



thanks, I took off RewriteCond %{REQUEST_URI} /www.mysite.com$

question is, when I go to my site, I still go the church etc site. what did I do wrong?
4:48 am on Mar 10, 2012 (gmt 0)

10+ Year Member



this is what I have now

Options +FollowSymlinks
RewriteEngine on
RewriteBase /
RewriteCond %{REMOTE_HOST} ^1.
RewriteRule .* [churchofsatan.com...] [R=301,L]

and I'm still going the hell site
4:54 am on Mar 10, 2012 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



I did it! Whew! Did a test on my IP & it worked. Thanks for your time ya'll!

Now that site can go to h e l l !


Apparently not!
4:56 am on Mar 10, 2012 (gmt 0)

10+ Year Member



it worked, then I re-tested and whack!

Apparently not! you are right!

everyone coming to my site now will go to h e l l !

kinda funny 'tho

back to the drawing board

#*$!
5:55 am on Mar 10, 2012 (gmt 0)

10+ Year Member



wilderness, what did I do wrong? thanks
6:10 am on Mar 10, 2012 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



#Turn on Rewrite, unless on previously
RewriteEngine on
RewriteCond %{REMOTE_ADDR} ^1\.
RewriteRule .* - [F]
6:15 am on Mar 10, 2012 (gmt 0)

10+ Year Member



like this? want to send them that h e l l site

Options +FollowSymlinks
RewriteEngine on
RewriteBase /
RewriteCond %{REMOTE_ADDR} ^1.
RewriteRule .* [churchofsatan.com...] [F]

thx
8:54 am on Mar 10, 2012 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



RewriteCond %{REMOTE_ADDR} ^1\.

Well, it's about ### time someone noticed that detail ;)

Erland, you have to escape the period \. otherwise it will mean "any character". So any IP that happens to begin in 1-- whether it's 12. or 198. or 15. or 137. or, et cetera-- will be caught by the rule.
9:11 am on Mar 10, 2012 (gmt 0)

10+ Year Member



Hi Lucy,
oh gee! I'll try decipher what you said. I thought I did it right but it didn't quite work. It re-directed to that site, but from me too, of which I didn't put my IP, so I figured everyone coming to my site would go there as well. So I took it off for & left the deny IP. It's 4:10 AM & I'm going slightly mad about this. Must sleep.
Thanks for popping Lucy.
I'll be back after some tweep.
9:12 pm on Mar 10, 2012 (gmt 0)

10+ Year Member



lucy
does escape the period mean delete?
This 73 message thread spans 3 pages: 73
 

Featured Threads

My Threads

Hot Threads This Week

Hot Threads This Month