phpBB hit with lots of cron job

milonic · 2022-11-07 11:52 am

Hi Guys,

I've a question about some very wierd stuff going on, on my phpBB forum that I was hoping somebody here might know the answer to.

The forum is currently being hit with many, many visits to its cron tasks.

Random stuff like this:

20.109.241.96 - - [07/Nov/2022:11:29:18 +0000] "GET /app.php/cron/cron.task.core.tidy_warnings?sid=426204b4dcddd0fe83544e6b4004683c HTTP/1.1" 200 43
40.77.51.85 - - [07/Nov/2022:11:29:20 +0000] "GET /app.php/cron/cron.task.core.prune_notifications?sid=90b590a8ec7bac69f36525f50af65cae HTTP/1.1" 200 43
40.122.230.188 - - [07/Nov/2022:11:29:20 +0000] "GET /app.php/cron/cron.task.core.tidy_cache?sid=4ae658111ba99a063804c119ffef91ba HTTP/1.1" 200 43
20.29.110.170 - - [07/Nov/2022:11:29:23 +0000] "GET /app.php/cron/cron.task.core.tidy_sessions?sid=a9001d9af1281b091982c45e24f476ad HTTP/1.1" 200 43

and so on.........

A quick whois shows that all the IP Addresses belong to Microsoft, which is even weirder,

So, A: Does anybody know what is happening and B: Should these IP Addresses be added to the SFS database?

Cheers,
Andy

Alex Kemp · 2022-11-07 2:54 pm

Has your forum been spammed? You know, links added to a forum post gratuitously promoting weight-gain pills (or some such)?

If yes, it can be added to the SFS dB. If not, fix your lousy site programming which is allowing Bing (or some such) to discover what should be internal links.

Maikuolan · 2022-11-07 2:55 pm

Those IP addresses belong to Azure. Azure is owned by Microsoft, and operates from within Microsoft's ASNs, but that doesn't necessarily mean that requests from Azure *are* Microsoft. Anyone can pay to have their code, their cloud software, etc, hosted on the Azure platform, and so, for the purpose of the question of "should these IP Addresses be added to the SFS database", they shouldn't be regarded any differently than requests originating from a traditional webhosting service. I hope that helps. :-)

That said, regardless of the source, whether from Azure, from a webhosting service, from an ISP, or from wherever else, first and foremost, the most important question to ask will always be: Has this request/entity/IP/whatever actually posted any actual spam at your forum, or not? If the answer is no, then they shouldn't be reported, ever. Otherwise, if actual spam has been posted, and you're able to verify their email address and other details relevant to the report, then yes, they should be reported.

Last edited by Maikuolan (2022-11-07 2:58 pm)

Maikuolan · 2022-11-07 3:06 pm

BTW.. Unfortunately, I *can't* say that requests from Azure are *never* Bing requests, because Bingbot is dumb, and despite their own documentation to the contrary (e.g., the claim that reverse-forward lookups can be used to verify whether Bingbot is actually Bingbot or something else entirely, and Azure ranges *don't* resolve back to *.search.msn.com, the host which all Bingbot requests *should* resolve back to), I *have* encountered Bingbot requests originating from Azure, and have been able to verify that those requests were, in fact, Bingbot. However, that said.. a request from Azure, even if it claims to be Bingbot, isn't necessarily actually Bingbot. I've *also* encountered spambots before at websites I help maintain, which originated from Azure, and claimed to be from Bingbot, but which weren't actually Bingbot at all. So.. yeah.. things aren't always black and white, unfortunately.

milonic · 2022-11-07 3:20 pm

>> If not, fix your lousy site programming

WOW!

This is a bog standard phpBB forum LOL So, there's NONE of my lousy programming in there i'm afraid. These links are publicly exposed cron tasks that are only supposed to be used for site maintenance under certain conditions. I assumed, WRONGLY, that you guys might want to know about this. I won't bother you again.

Oh and Alex, maybe you should fix YOUR lousy programming on your website, the link at https://etmg.altervista.org/ is stuck in a "too many redirect" loops. Oh the irony LMFAO

Alex Kemp · 2022-11-07 4:15 pm

Yeah, perhaps too direct. And, of course, you will be correct about etmg.altervista.org (thanks for the notice - not kept up to date for some time).

If you expose links then other entities will attempt to use them. Too many bots use brain-dead programming. It is therefore for *you* to setup your server to prevent accesses from IPs that you do not want to access specific links, if you cannot help but expose them (better not to do that in the first place). Thus, lousy setup if you do not do that.

As far as the "bog standard phpBB forum" is concerned: thanks again for the notice, but there is zero that we can do about that. We have zilch input into it's programming or setup.

#1 2022-11-07 11:52 am

phpBB hit with lots of cron job

#2 2022-11-07 2:54 pm

Re: phpBB hit with lots of cron job

#3 2022-11-07 2:55 pm

Re: phpBB hit with lots of cron job

#4 2022-11-07 3:06 pm

Re: phpBB hit with lots of cron job

#5 2022-11-07 3:20 pm

Re: phpBB hit with lots of cron job

#6 2022-11-07 4:15 pm

Re: phpBB hit with lots of cron job

Board footer