Web logs, dealing with bots, and an AutoHotKey tip
I've written about my site’s log files before, noting some strange activity and popular search terms. Every time I check my log I find attempts to break into an admin area on my site or to post something, even though I don’t allow comments on my blog. Sometimes I take time to add offending IP addresses to a blacklist, although that’s like trying to plug a leak in a dike.
One such log entry that caught my eye today was one from someone looking for the page “/blog/tag-Whining Goto: Forum List "Attach a file ..." illumination&ct=clnk.” I do have a Whining blog tag but there’s no place on my website where people can attach files. This entry came from 192.69.90.198, which belongs to volumedrive.com, which seems to host a lot of spambots.
Another log entry was from 192.119.154.162, an Avante Hosting Services address assigned to Ryan Wilson. This entry had POST data for a spammy comment (“Me and my neighbor were just preparing to do a little research about this. We got a grab a book from our area library however I think I found out more clear from this post.”). I won’t include the URL but will mention that it was for a domain that is not even registered. Perhaps this spammer was just testing to see if a comment would go through, although a quick glance at this site would show that there are no comments.
Another set of interesting log entries were from IP addresses 95.160.18.178 and 95.160.105.174, both of which belong to the Polish cable company Vectra. Someone from Poland wanted to log into my website’s WordPress admin page but wasn’t able to. If you’d like to try, visit http://www.davidlauri.com/wp-login.php. Why don’t I care if you try to get into WordPress on my site? Because WordPress isn’t installed on my site. I do have a WordPress login page, but it’s just a dummy page I set up after I realized people were trying to hack into WordPress here. I don’t doubt that there are hackers who could get into WordPress if I had it installed, which is why they look for it, but it’s not really here to be found.
I used to block unwanted IP addresses using my site’s .htaccess with rewrite lines like:
RewriteCond %{REMOTE_ADDR} 192\.119\.154\.162
RewriteRule .* - [F]
but a couple years ago I switched my site’s DNS to CloudFlare, which blocks a lot of abusive bots and crawlers automatically and also makes it much easier to block additional IP addresses, either individually or by entire ranges (e.g., 95.160.18.0/24). CloudFlare offers free and paid accounts, but the free account’s been sufficient for my needs and has drastically reduced the amount of hits on my site from bots, although some, like the ones mentioned above, do still get through.
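An added example (not part of the original post): a small Python script that scans access-log lines for the two patterns described above, requests for the dummy WordPress login page and POSTs to a site that accepts none, then turns the offending addresses into .htaccess rules in the same style as the lines above. The log lines are constructed and use documentation IP ranges; the function names, the decoy paths and the "two offenders share a /24, block the range" threshold are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2014:06:25:11 -0400] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.44 - - [12/Mar/2014:06:25:19 -0400] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2014:07:02:40 -0400] "POST /blog/some-post HTTP/1.1" 404 310 "-" "Mozilla/4.0"
192.0.2.15 - - [12/Mar/2014:07:10:02 -0400] "GET /blog/tag-Whining HTTP/1.1" 200 8121 "-" "Mozilla/5.0"
not a log line
"""
# IPv4 clients only; IPv6 and malformed lines are skipped rather than guessed at.
LINE_RE = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)[^"]*" \d{3} ')
DECOY_PATHS = ("/wp-login.php", "/wp-admin")  # assumption: WordPress is not installed

def find_offenders(log_text):
    """Map client IP -> set of reasons it looks like a bot."""
    offenders = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path = m.groups()
        if path.startswith(DECOY_PATHS):
            offenders[ip].add("decoy-login")
        if method == "POST":  # assumption: the site accepts no form posts at all
            offenders[ip].add("unexpected-post")
    return dict(offenders)

def to_block_patterns(ips, min_per_range=2):
    """Collapse IPs sharing a /24 into one anchored regex; keep the rest as single hosts."""
    by_net = defaultdict(list)
    for ip in ips:
        by_net[ipaddress.ip_network(ip + "/24", strict=False)].append(ip)
    patterns = []
    for net, members in sorted(by_net.items()):
        if len(members) >= min_per_range:
            prefix = str(net.network_address).rsplit(".", 1)[0]
            patterns.append("^" + re.escape(prefix + "."))
        else:
            patterns += ["^" + re.escape(ip) + "$" for ip in sorted(members)]
    return patterns

def htaccess_rules(patterns):
    """RewriteCond lines are ANDed by default, so every line but the last needs [OR]."""
    lines = [f"RewriteCond %{{REMOTE_ADDR}} {p}" + (" [OR]" if i < len(patterns) - 1 else "")
             for i, p in enumerate(patterns)]
    return "\n".join(lines + ["RewriteRule .* - [F]"]) if patterns else ""

if __name__ == "__main__":
    print(htaccess_rules(to_block_patterns(find_offenders(SAMPLE_LOG))))
```

Behind a reverse proxy such as CloudFlare, the origin server's logs and REMOTE_ADDR show the proxy's address unless the server is configured to restore the visitor's IP, so check that before generating rules from the log.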
Images used in AutoHotKey macro
I visit CloudFlare about once a week to block some more IP addresses. That’s often enough that I wrote an AutoHotKey macro so that I can press F1 on CloudFlare’s threat control page to activate the IP address field and then F1 again to click on the block button. If you have AutoHotKey, you can copy the macro below. You’ll also need to copy the two images to the right.
myImageSearch(ByRef X, ByRef Y, X1, Y1, X2, Y2, options, image) {
    ; search for an image and exit gracefully if there's an error in the search
    optionsandimage := options . " " . image
    ImageSearch, X, Y, X1, Y1, X2, Y2, %optionsandimage%
    if (ErrorLevel = 2) {
        ; problem with the search
        MsgBox % "Error conducting image search: " X ", " Y ", " X1 ", " Y1 ", " X2 ", " Y2 ", " optionsandimage
        return -2
    } else if (ErrorLevel = 1) {
        ; just haven't found it yet
        return 0
    } else {
        ; found it
        return 1
    }
} ; end myImageSearch

$F1::
    WinGetTitle, Title, A
    if ((substr(title, 1, 14) = "Threat control") && (substr(title, -6) = "Firefox")) {
        ; make F1 the shortcut for the custom rule IP address field and the custom rule block button (depending on which is available)
        ; get window's width and height for image search
        CoordMode, Pixel, Relative
        CoordMode, Mouse, Relative
        WinGetPos, Xpos, Ypos, Width, Height, A
        ; first look for a blank IP address field (actually we're going to look for a greyed out block button)
        searchresult := myImageSearch(X, Y, 0, 0, Width, Height, "*10", "cloudflare-greyblock.png")
        if (searchresult = -2) {
            ; problem with the search
            CoordMode, Pixel, Screen
            CoordMode, Mouse, Screen
            return
        }
        if (searchresult) {
            ; found it, so click on it (to the left a ways because we actually searched for the block button)
            ; MsgBox, Found it at %X% %Y%
            MouseClick, Left, X - 100, Y + 5, 1, 0
            CoordMode, Pixel, Screen
            CoordMode, Mouse, Screen
            return
        }
        ; next look for red block button
        searchresult := myImageSearch(X, Y, 0, 0, Width, Height, "*10", "cloudflare-redblock-part.png")
        if (searchresult = -2) {
            ; problem with the search
            CoordMode, Pixel, Screen
            CoordMode, Mouse, Screen
            return
        }
        if (searchresult) {
            ; found it, so click on it
            ; MsgBox, Found it at %X% %Y%
            MouseClick, Left, X + 5, Y + 5, 1, 0
            CoordMode, Pixel, Screen
            CoordMode, Mouse, Screen
            return
        }
        MsgBox, Unable to find CloudFlare fields %searchresult% - %width% - %height%
        CoordMode, Pixel, Screen
        CoordMode, Mouse, Screen
    } else {
        Send {F1}
    }
return