On 07/04/2021 17:49, Bob Minchin wrote:
> Bob Minchin wrote:
>> Does anyone know what has happened to this advert site?
>> I know Adam did not have the best of health a while back.
>> TIA
>> Bob
> Just to follow up on this.
> I've heard back from Adam with this message.
> "Hi Bob, your IP address has been blocked by our security and firewall
> system because of suspicious behaviour coming from a device using that
> connection. I have removed the entry we should now allow you back on the
> site but as they have said if something else is using your connection to
> carry out this behaviour it will be blocked again. Below is the
> following entry from the log file;
> csf.deny: 80.7.35.195 # lfd: (mod_security) mod_security (id:949110)
> triggered by 80.7.35.195 (GB/United
> Kingdom/cpc76102-ando7-2-0-cust962.15-1.cable.virginm.net): 5 in the
> last 3600 secs - Mon Apr 5 10:58:17 2021"
> I've no idea what I might have done

Probably nothing yourself...

> to cause this and I don't really understand the log entry.

You would need to see more of the log messages to form a proper opinion.
mod_security (add-on module for the Apache2 web server (and possibly
others)) is designed to pick up on "unusual" patterns of traffic using a
rule set. Those rules will then in some cases block access from a
specific client IP if it is deemed a threat.

> Maybe my son is up to some mischief??

You may be able to trigger something by hitting pages that return enough
"403 forbidden" errors. (i.e. manually editing URLs to try and read
directories that are not intended to be readable by the web server)

Also many of the security rules will be set up to catch people running
vulnerability scanners against the web server (e.g. for research before
attempting to hack a server, a perp may run various scanners to see if
they crash a server or get it to do other unexpected stuff by hitting it
with lots of malformed requests, and attempts at buffer overflows etc.)

So someone playing with hacking tools could do it, or alternatively a
machine on the network that has been compromised and is now carrying out
surrogate attacks for someone else.

If unsure, then running a Malwarebytes scan on all the machines would be
worth doing (assuming all Windows or Macs).
--
Cheers,
John.
/=================================================================\
|           Internode Ltd -  http://www.internode.co.uk           |
|-----------------------------------------------------------------|
|           John Rumm - john(at)internode(dot)co(dot)uk           |
\=================================================================/
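
Added example, not part of the original post: the deny entry quoted above split into its fields, followed by a sliding-window count of the kind its "5 in the last 3600 secs" text describes. The function names, the counting logic and the events in `SAMPLE` (documentation-range addresses) are constructed for this example and are not lfd's own code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The entry quoted in the post, joined onto one line.
ENTRY = ("csf.deny: 80.7.35.195 # lfd: (mod_security) mod_security "
         "(id:949110) triggered by 80.7.35.195 (GB/United Kingdom/"
         "cpc76102-ando7-2-0-cust962.15-1.cable.virginm.net): 5 in the "
         "last 3600 secs - Mon Apr 5 10:58:17 2021")

DENY_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) # lfd: \((?P<trigger>\w+)\) .*?"
    r"\(id:(?P<rule_id>\d+)\) triggered by \S+ "
    r"\((?P<cc>[A-Z]{2})/(?P<country>[^/]+)/(?P<rdns>[^)]+)\): "
    r"(?P<hits>\d+) in the last (?P<window>\d+) secs - (?P<when>.+)$")

def parse_deny(line):
    """Split one lfd mod_security deny entry into named fields."""
    m = DENY_RE.search(line)
    if m is None:
        raise ValueError("not an lfd mod_security deny entry")
    f = m.groupdict()
    f["hits"], f["window"] = int(f["hits"]), int(f["window"])
    stamp = " ".join(f["when"].split())   # collapse padding in the date
    f["when"] = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    return f

def first_block(events, hits, window):
    """Return (ip, time) when an IP first reaches `hits` rule triggers
    within `window` seconds, else None. events: time-ordered (time, ip)."""
    recent = defaultdict(deque)
    for when, ip in events:
        q = recent[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > window:
            q.popleft()          # forget triggers older than the window
        if len(q) >= hits:
            return ip, when
    return None

# Constructed events (RFC 5737 documentation addresses), one per rule trigger.
T0 = datetime(2021, 4, 5, 10, 0, 0)
SAMPLE = sorted(
    [(T0 + timedelta(minutes=m), "192.0.2.10") for m in (0, 20, 40, 50, 58)]
    + [(T0 + timedelta(hours=h), "198.51.100.7") for h in range(5)])

if __name__ == "__main__":
    entry = parse_deny(ENTRY)
    print(entry, first_block(SAMPLE, entry["hits"], entry["window"]))
```

In the OWASP Core Rule Set, 949110 is the blocking rule that fires once a request's accumulated anomaly score passes the threshold, so, assuming the site runs that rule set, the id alone does not say which pattern matched; that detail would be in the mod_security audit log.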