phpbb3 - nuisance visitor

[blinky]

About three months ago I decided to set up a Ubuntu server complete with mail, web and ftp services. Not for any particular reason other than I just wanted to do it. I managed to get the everything up and running so have been looking at some add-ons, one of which is phpbb3.

It's up and running and I beleived everything was fine until yesterday when suddently there was a flurry of activity on this otherwise quite system. Just total nonsense was posted in the single forum from a variety of users (all of whom registered). I nuked the whole lot, locked down the forums a bit more but now continually get access attempts as follows:

Code:

178.137.165.56 - - [01/Dec/2012:22:21:44 -0500] "GET /phpbb/index.php HTTP/1.0" 200 6464 "http://www.mydomain.com/phpbb/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; AskTbCFTP2V5/5.14.1.20007)"
178.137.165.56 - - [01/Dec/2012:22:21:44 -0500] "GET /phpbb/index.php HTTP/1.0" 200 6464 "http://www.mydomain.com/phpbb/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; AskTbCFTP2V5/5.14.1.20007)"
178.137.165.56 - - [01/Dec/2012:22:21:45 -0500] "GET /phpbb/index.php HTTP/1.0" 200 6464 "http://www.mydomain.com/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; AskTbCFTP2V5/5.14.1.20007)"
178.137.165.56 - - [01/Dec/2012:22:21:45 -0500] "GET /phpbb/index.php HTTP/1.0" 200 6464 "http://www.mydomain.com/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; AskTbCFTP2V5/5.14.1.20007)"
178.137.165.56 - - [01/Dec/2012:22:21:45 -0500] "GET /phpbb/index.php HTTP/1.0" 200 6464 "http://www.mydomain.com/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; AskTbCFTP2V5/5.14.1.20007)"

I've tried adding that IP address to the PHPBB "IP Ban" list. Tried adding it to an .htaccess file both in the root web directory and in the /usr/share/phpbb3/www directory... that didn't work either. I've even entered the IP address in the "advanced settings" of the router's "Inbound Filter" settings to deny access. Not even that worked.

It's like the IP address being reported in the apache2/access.log file isn't accurate.

I'm at a total loss......

Help! Au secour!

[falko]

Quote:

Originally Posted by blinky

Tried adding it to an .htaccess file both in the root web directory and in the /usr/share/phpbb3/www directory...

What exactly did you add to your .htaccess files?

[blinky]

Quote:

Originally Posted by falko

What exactly did you add to your .htaccess files?

I added the IP address of the offending site. (I also copied the .htaccess file from /var/www to /usr/share/phpbb3/www so both locations contain the same file. The .htaccess file is as follows:

Code:

#GLOBAL BAD BOT EXCLUSION
SetEnvIfNoCase User-Agent "^Yandex*" bad_bot
<Limit GET POST>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</Limit>
#END GLOBAL BAD BOT EXCLUSION
#
#SPECIAL PROVISION TO BLOCK BAIBU-BOT
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^Baiduspider [NC]
RewriteRule .* - [F]
#END SPECIAL PROVISION TO BLOCKI BAIDU-BOT
#
#BLOCK SPECIFIC IP ADDRESSES
Order deny,allow
Deny from 5.9.63.172
Deny from 37.140.141.15
Deny from 61.155.106.210
Deny from 65.55.24.87
Deny from 65.55.24.215
Deny from 65.55.24.244
Deny from 65.55.52.87
Deny from 66.249.74.221
Deny from 66.249.75.67
Deny from 78.158.11.226
Deny from 87.244.132.228
Deny from 91.121.169.209
Deny from 91.205.189.15
#Baidu Spider start
Deny from 123.125.71.15
Deny from 123.125.71.18
Deny from 123.125.71.35
Deny from 123.125.71.47
Deny from 123.125.71.53
Deny from 123.125.71.69
#Baudi spider end
Deny from 149.3.152.246
Deny from 157.55.35.35
Deny from 157.56.229.88
Deny from 168.62.176.62
Deny from 178.137.89.184
Deny from 178.137.165.56
Deny from 178.154.164.251
Deny from 180.76.5.98
Deny from 180.76.5.107
Deny from 180.76.5.177
Deny from 190.120.231.35
Deny from 193.43.252.252
Deny from 210.211.125.10
Deny from 220.181.51.81
#

I believe this has worked thus far. What I'm at a real loss to explain is why the router's "inbound filter" and it's "DENY" option isn't working. It's like the requests are coming from a different IP address that what Apache is showing in the access.log file.