Dokuwiki under attack
Albrecht #1
Member since Dec 2012 · 93 posts
Group memberships: Members
Subject: Dokuwiki under attack
Lately I have been seeing hundreds of requests like this in the server logs:

anon-144-76-95-173.your-server.de - - [14/May/2014:05:55:23 +0200] "GET /doku.php?id=startseite&do=login&sectok=c8fb5f3bd3904183385654a4ef4669b3 HTTP/1.0" 200 3292 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)"
anon-144-76-95-173.your-server.de - - [14/May/2014:05:55:27 +0200] "GET /doku.php?id=startseite&do=login&sectok=c9206b6d0f01a01304cc3d7c31965604 HTTP/1.0" 200 3292 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)"
anon-144-76-95-173.your-server.de - - [14/May/2014:05:55:29 +0200] "GET /doku.php?id=startseite&do=login&sectok=c973332d2d2c92b0a4c0357fd31f7f53 HTTP/1.0" 200 3293 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)"

(Last byte of IP address is anonymised for "privacy protection" by the provider. User agent is obviously faked.)
This post was edited on 2014-05-14, 10:36 by Albrecht.
turnermm (Moderator) #2
Member since Oct 2009 · 4675 posts · Location: Canada
Group memberships: Global Moderators, Members, Super Mods
www.majestic12.co.uk is a genuine address, so they are not trying to hide. They are data miners. You can try writing to their abuse address: abuse@datatechuk.com. Almost never helps, although just recently I got a very nice reply from one.
Myron Turner
github: https://github.com/turnermm
plugins, templates: http://www.mturner.org/devel
Albrecht #3
Member since Dec 2012 · 93 posts
Group memberships: Members
I know that www.majestic12.co.uk is a genuine address, but 44.76. is an IP block from Hetzner Stuttgart, Germany - maybe I'm wrong, but this looks more like a hacked server that tries to attack others. User agent headers are faked.
turnermm (Moderator) #4
Member since Oct 2009 · 4675 posts · Location: Canada
Group memberships: Global Moderators, Members, Super Mods
Quote by Albrecht:
I know that www.majestic12.co.uk is a genuine address, but 44.76. is an IP block from Hetzner Stuttgart, Germany - maybe I'm wrong, but this looks more like a hacked server that tries to attack others. User agent headers are faked.
Would it be helpful to be able to block this IP address from having access to your server? If you can't do this at the server level, you could do this with the Quickstats plugin. It has an aborts configuration option which aborts any attempts by the listed IPs to access your Dokuwiki. It's overkill for just that single purpose, but it might be worth trying for a short while.
Myron Turner
github: https://github.com/turnermm
plugins, templates: http://www.mturner.org/devel
Michitux #5
Member since Apr 2008 · 377 posts · Location: Karlsruhe, Germany
Group memberships: Members, Wiki Managers
In reply to post #3
As these are only GET requests without login data, these are not login attempts. So I'm not sure what an attacker would do with that. Maybe just a DoS attack? If it's just one IP address, why don't you just block/drop the requests using iptables?
Did you like my help or work for DokuWiki (plugins)? Consider giving something back.
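Added example, not part of the original thread: a small Python triage of an access log that separates fetches of the login page (GET with do=login, as in post #1) from form submissions (POST), which is the distinction drawn in post #5. The two POST lines, the host client.example.net and the rule that any POST to doku.php counts as a possible credential submission are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache/NCSA combined log format, as in the lines quoted in post #1.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

MJ12 = "Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)"
# Constructed sample: three GET lines modelled on post #1, plus two invented
# POST lines from a made-up client (client.example.net) for contrast.
SAMPLE_LOG = "\n".join([
    f'anon-144-76-95-173.your-server.de - - [14/May/2014:05:55:23 +0200] "GET /doku.php?id=startseite&do=login&sectok=c8fb5f3bd3904183385654a4ef4669b3 HTTP/1.0" 200 3292 "-" "{MJ12}"',
    f'anon-144-76-95-173.your-server.de - - [14/May/2014:05:55:27 +0200] "GET /doku.php?id=startseite&do=login&sectok=c9206b6d0f01a01304cc3d7c31965604 HTTP/1.0" 200 3292 "-" "{MJ12}"',
    f'anon-144-76-95-173.your-server.de - - [14/May/2014:05:55:29 +0200] "GET /doku.php?id=startseite&do=login&sectok=c973332d2d2c92b0a4c0357fd31f7f53 HTTP/1.0" 200 3293 "-" "{MJ12}"',
    'client.example.net - - [14/May/2014:06:01:02 +0200] "POST /doku.php?id=startseite HTTP/1.1" 200 3310 "-" "ExampleClient/1.0"',
    'client.example.net - - [14/May/2014:06:01:03 +0200] "POST /doku.php?id=startseite HTTP/1.1" 200 3310 "-" "ExampleClient/1.0"',
])

def triage(log_text):
    """Count login-page GETs and form POSTs to doku.php per (client, user agent)."""
    stats = defaultdict(lambda: {"login_gets": 0, "sectoks": set(), "posts": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        url = urlsplit(m["target"])
        if not url.path.endswith("/doku.php"):
            continue
        entry = stats[(m["host"], m["ua"])]
        query = parse_qs(url.query)
        if m["method"] == "POST":
            # Assumption: credentials travel in a POST body, which the log never shows.
            entry["posts"] += 1
        elif m["method"] == "GET" and query.get("do") == ["login"]:
            entry["login_gets"] += 1
            entry["sectoks"].update(query.get("sectok", []))
    return dict(stats)

def verdict(entry):
    """Label one client's counters; POSTs outrank GETs because only they can carry data."""
    if entry["posts"]:
        return "form submissions present: review as possible login attempts"
    if entry["login_gets"]:
        return "login page fetched without credentials: crawler-like"
    return "no login activity"
```

On the sample, the MJ12bot client shows three login-page fetches with three distinct sectok values and no POSTs, while the constructed client is flagged for review.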
andi (Administrator) #6
User title: splitbrain
Member since May 2006 · 3450 posts · Location: Berlin Germany
Group memberships: Administrators, Members
Majestic-12 is a distributed search engine. My guess is that someone installed their software on his Hetzner server to help the spidering effort and their spider is a bit stupid. They honor the robots.txt protocol so adding this should help:

User-agent: MJ12bot
Disallow: /

As Michitux explained, this does not look like an attack.
Read this if you don't get any useful answers.
Albrecht #7
Member since Dec 2012 · 93 posts
Group memberships: Members
In reply to post #5
Quote by Michitux:
If it's just one IP address, why don't you just block/drop the requests using iptables?

It's a very simple hosting package - only FTP access, only anonymised IP addresses in server logs. No system access.

Quote by turnermm:
you could do this with the Quickstats plugin

They stopped this stupid game, but I'll keep the Quickstats plugin in mind. But the anonymized IPs in the system log will prevent using the plugin.
This post was edited on 2014-05-14, 16:05 by Albrecht.