#1 2010-03-13 7:22 pm
- MadTaffy
- Member
- Registered: 2010-03-13
- Posts: 3
I.P 127.0.0.1 (Guests & new Sign ups)
Hey there, sorry for the lack of introduction but I wanted to get to the bottom of this before I remove this user that I suspect is a spambot!
Right, I don't quite understand this 127.0.0.1 localhost. It's some kind of loopback IP address. I've noticed a few guests recently, and when checking their I.Ps I keep getting this 127.0.0.1, but I just had a new user register but not complete, MichealTracy, and going by your search this is a spammer and I will remove them accordingly. My only confusion is that previously I've always had their normal I.P to use as a reference as to whether they are a spammer or not, but not this time.
Is there an easy explanation as to why they would have this loopback I.P and not a proper one? I thought initially it might be a proxy but this doesn't seem the case... any help explaining this would be appreciated!
Also, when banning these bots do I just ban the name and email or do I ban the I.P as well? This was another concern as this isn't their genuine I.P, it seems, but some kind of "loopback" (whatever that is), and I don't want to ban an I.P if it causes issues for other members or future sign-ups!
Very much appreciated and many thanks in advance for any advice you could give me,
P.S. I did use the search function but got a bit confused as there wasn't anything that really explained my question in easy terms!
I'm using phpBB 3.0.6 and I'm owner/admin so have access to all CPs and root access to the database etc.
Again, many thanks in advance!
MadTaffy
Offline
#2 2010-03-13 8:28 pm
- Alex Kemp
- Member
- From: Nottingham, England
- Registered: 2009-12-02
- Posts: 529
- Website
Re: I.P 127.0.0.1 (Guests & new Sign ups)
Hi MadTaffy, welcome to SFS.
Whatever you do, do NOT ban 127.0.0.1 (nor `Localhost', which 127.0.0.x--there are 8 possible IPs--is a synonym for). The very bad news is that your server has, possibly, been compromised.
Brief explanation of `127.0.0.1': The idea of an IP address is that you can contact any other computer on a Wide-Area-Network, since every computer on that WAN has an IP address. There will occur situations in which you want to access your own computer (the so-called `loopback' address). Whilst it is possible to use the IP address of that computer--it has an IP, just like every other computer--to save time, and as a shortcut, `127.0.0.1' -> `127.0.0.8' universally means `the computer being used by the TCP process'. At the introduction of hostnames, `localhost' became the usual host-lookup for `127.0.0.1'.
So, if phpBB3 is showing a post IP of `127.0.0.1' that is exceptionally bad news, since it means that the post has come from the server itself.
Offline
#3 2010-03-13 8:54 pm
- MysteryFCM
- Member
- From: Tyneside, UK
- Registered: 2008-01-16
- Posts: 605
- Website
Re: I.P 127.0.0.1 (Guests & new Sign ups)
Just an FYI for clarification, aside from the possibility of being compromised, it is also highly possible that the visitors are simply coming through a gateway (on your server's side), and the gateway software isn't passing the visitor's IP properly (and/or phpBB isn't picking it up from the appropriate header properly).
You can check your server logs to verify which of the two is the case.
Regards
Steven Burn
Ur I.T. Mate Group / hpHosts
it-mate.co.uk / hosts-file.net
Offline
#4 2010-03-13 11:04 pm
- computerforumz
- Member
- From: Texas
- Registered: 2010-01-15
- Posts: 40
- Website
Re: I.P 127.0.0.1 (Guests & new Sign ups)
Interesting. IP address spoofing is also used in Denial of Service attacks.
http://en.wikipedia.org/wiki/IP_address_spoofing
Someone could be targeting your server. Of course your Web site may not be the intended target. If there are other sites that are also served off of that same server, they may be the target.
You might be the victim of someone else's attack. Sort of like the poor unfortunate guy who was walking in front of the wrong house during a drive-by shooting.
Please let us know if the problem continues.
Offline
#5 2010-03-14 2:36 am
- irokin
- Member
- Registered: 2009-12-12
- Posts: 23
Re: I.P 127.0.0.1 (Guests & new Sign ups)
It's also possible they're running a (local?) proxy and when you try to get the HTTP_X_FORWARDED_FOR the proxy is filling that out as localhost. I quite often get one of my moderators' IPs as 192.168.x.x when they're at work. It's also quite easy to spoof the HTTP_X_FORWARDED_FOR variable so it's possible the spambot itself is setting it in an attempt to avoid detection.
One possible solution is to detect when HTTP_X_FORWARDED_FOR is set to 127.0.0.1 or any other non-routable IP and log HTTP_CLIENT_IP or REMOTE_ADDR instead.
Offline
#6 2010-03-14 6:48 pm
- MadTaffy
- Member
- Registered: 2010-03-13
- Posts: 3
Re: I.P 127.0.0.1 (Guests & new Sign ups)
@ Alex Kemp, MysteryFCM, computerforumz, irokin
Many thanks for the replies. Right, I've had the server checked, double checked and checked again and there is no sign of any attack or someone trying to get access. We did some searching through logs etc. with nothing, and the only conclusion we could come up with is that phpBB3 didn't recognize the I.P so for some odd reason used the localhost I.P instead. I've yet to contact phpBB to see what their take on this is and I'm intrigued to see what they come up with!
To be honest I was quite concerned after reading your replies that we were under some kind of attack. The site is still very young (3 months) and we are still trying to build it up and get more users, so the last thing we needed right now was some kind of attack by a complete and utter low life with nothing better to do than try and make people's lives awkward and potentially ruin all their hard work... and for what gain... nothing. I really don't understand why people do these things, it's beyond me! Since I started the site in December 09 I've had roughly 1/week spammers joining up; the first 2 got through but since then I have changed some settings and they don't get past the confirmation process anymore before I spot them and ban them!
I don't pretend to be an expert when it comes to all this, but I'm learning as I go along, and I'm very lucky to have a coder who is top notch, but I could only get hold of him like an hour ago, so thanks again for your help guys,
Thank god, though, he assures me that with all the security measures he has put in place there is a very small chance anyone could get in without a hell of a lot of trouble and a lot of knowledge, which is very reassuring,
So I just wanted to update you on the conclusion we have come to, which is that phpBB has not recognized the "hidden" I.P that MichealTracy (bot/person) has used,
I have a question: how do these spammers get past the reCAPTCHA code at the registration process? They seem to get past that, but when it comes to activating their acc. through the email confirmation to log in they don't get any further,
So one, how do they get the code correct, or is that a human entering the code? Or if it is a bot doing the reCAPTCHA code, I thought it was fairly bot proof; I have the latest reCAPTCHA code system,
Another thing: when I find out it's a spammer (thanks to checking them against this site, thank you very much) do I ban their username/email and the I.P?
I was told or read somewhere that banning the I.P isn't always a good idea, and obviously in this case it would have been a very bad idea, but in general is it worth banning their I.P as well as their username and email??
Sorry for all the questions; for any further advice on the localhost I.P "spammer" and the other questions I've put forward I would be (as I'm very new to owning/running my own forum) VERY grateful
Many many thanks in advance
Jeff!
Offline
#7 2010-03-14 7:51 pm
- Alex Kemp
- Member
- From: Nottingham, England
- Registered: 2009-12-02
- Posts: 529
- Website
Re: I.P 127.0.0.1 (Guests & new Sign ups)
This is the code from phpBB2 that finds the IP; I'm not sure what the code is in phpBB3, but show this to your PHP expert (phpBB2 has it located in `common.php'):
//
// Obtain and encode users IP
//
// I'm removing HTTP_X_FORWARDED_FOR ... this may well cause other problems such as
// private range IP's appearing instead of the guilty routable IP, tough, don't
// even bother complaining ... go scream and shout at the idiots out there who feel
// "clever" is doing harm rather than good ... karma is a great thing ... :)
//
$client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : getenv('REMOTE_ADDR') );
$user_ip = encode_ip($client_ip);
The code above should never show `localhost' (accepting other comments about Gateway gaffes).
reCAPTCHA code is normally broken these days by a human working together with a bot.
Offline
#8 2010-03-15 2:23 pm
- Alessandra
- Member
- From: Chicago, Illinois, USA
- Registered: 2009-11-29
- Posts: 165
- Website
Re: I.P 127.0.0.1 (Guests & new Sign ups)
We've got a welcome mat that says "There's no place like 127.0.0.1" on our front porch. Which I realize is not really relevant, only cute.
Last edited by Alessandra (2010-03-15 2:23 pm)
Offline
#9 2010-03-15 8:28 pm
- zaphod
- Jägermonster
- From: USA
- Registered: 2008-11-22
- Posts: 2,115
- Website
Re: I.P 127.0.0.1 (Guests & new Sign ups)
I prefer the older "There's no place like CHR$(2)"
Zap
P.S. There's no CHR$(27)ing the logic.
Get Protected, Stay Protected...
With ZB Block, GNU/GPL Freeware Anti-Spam/Anti-Hack protection for your php based website.
Offline
#10 2010-03-15 11:21 pm
- Alex Kemp
- Member
- From: Nottingham, England
- Registered: 2009-12-02
- Posts: 529
- Website
Re: I.P 127.0.0.1 (Guests & new Sign ups)
to MadTaffy:
Re-reading the comments in the code from `common.php' that I posted previously, I've just realised that it is saying `there is every possibility of a private IP' (eg `127.0.0.1') being declared as the post-IP.
The problem is that (as irokin pointed out in an earlier post) `HTTP_X_FORWARDED_FOR' is easily spoofed and thus cannot be relied upon. `REMOTE_ADDR' *should* always be the sender-IP... Personally, I've *never* seen a local IP reported (several thousand posts).
Offline
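The checks discussed by irokin and Alex Kemp above (`HTTP_X_FORWARDED_FOR' is spoofable, `REMOTE_ADDR' is the real peer, non-routable values should fall back to `REMOTE_ADDR'), combined with the gateway case MysteryFCM raised, as an added PHP 7+ example that is not phpBB code and not written by any poster in this thread. The function names and the trusted-gateway list are hypothetical, the addresses are constructed samples, and it assumes the gateway appends the peer address it saw to the header.

```php
<?php
// Added example, not phpBB code. Function names and the trusted-gateway
// list are hypothetical; all addresses below are constructed samples.

function is_public_ip(string $ip): bool
{
    // Valid IP that is neither private (10/8, 172.16/12, 192.168/16)
    // nor reserved (127/8 loopback, 0/8, 169.254/16, 240/4).
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

function resolve_client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Peer is not one of our gateways: X-Forwarded-For is whatever the
    // client chose to send, so it is ignored entirely.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    // Peer is our gateway. Each proxy appends the address it saw, so the
    // rightmost entries are the only ones a client cannot forge.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (in_array($hop, $trustedProxies, true)) {
            continue; // another of our own hops, keep walking left
        }
        // First hop we do not operate: use it only if it is routable,
        // otherwise fall back to REMOTE_ADDR.
        return is_public_ip($hop) ? $hop : $remote;
    }
    return $remote;
}

$gateway = ['127.0.0.1']; // assumption: reverse proxy on the same host
$cases = [
    'direct, forged header'     => ['REMOTE_ADDR' => '203.0.113.7',
                                    'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
    'gateway, header passed'    => ['REMOTE_ADDR' => '127.0.0.1',
                                    'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.23'],
    'gateway, header missing'   => ['REMOTE_ADDR' => '127.0.0.1'],
    'gateway, private-only hop' => ['REMOTE_ADDR' => '127.0.0.1',
                                    'HTTP_X_FORWARDED_FOR' => '192.168.1.20'],
];
foreach ($cases as $label => $server) {
    printf("%-26s => %s\n", $label, resolve_client_ip($server, $gateway));
}
```

The third case reproduces the symptom in this thread: a gateway that forwards no header leaves only its own 127.0.0.1 to be logged.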
#11 2010-04-08 1:27 pm
- MadTaffy
- Member
- Registered: 2010-03-13
- Posts: 3
Re: I.P 127.0.0.1 (Guests & new Sign ups)
Sorry for the delay in replying guys!
As I mentioned previously I'm not too clued up with the process and how all this board system works, especially the host side of things, for which thankfully I have a friend who is a coder that does all the stuff I can't. I'm doing my best to learn as I go along and just wish there were more hours in the day to cram it all in,
Speaking to my mate again about this, he did say it was something wrong in the settings on our behalf... now he did explain, but as I have very limited knowledge he might as well have been speaking in "code" as most of it made no sense to me.... so sorry, unless I get him to write down exactly what it was I can't tell you, as I wouldn't want to pass on incorrect info, but be assured it wasn't an attack and it was down to something we had done our end. We had just moved to a new server and there was some kind of conflict in the settings, that's as much as I can say without getting it all wrong
So just wanted to say sorry for the late reply and I appreciate all the help you gave, luckily it was a mistake I made and not a hacker/spammer phew!
Very best regards MT
P.S. I was just about to submit a spammer on here but I notice you need an API key so couldn't do it. When I get more time I'll look into sorting out this API key so I can submit spam data,
Again thanks!
Offline