CiviCRM Community Forums (archive)

my site seems to be constantly under attack at the moment. I'm seeing entries like:
May 01 22:02:43  [info] $IDS Detector Details = Array
(
   

• => Array

        (
            [name] => postal_code-1
            [value] => jubdbsfbdi/psh/vl, <a href="http://newschooljournal.com/">Sildenafil pulmonary hypertension</a>, PsKmurL, Buy sildenafil citrate, uGtlwPi, http://newschooljournal.com/ Sildenafil, iYtAkPx, <a href="http://grapweb.com/">Discount vigrx plus</a>, aasvqau, Vigrx plus comparison, LNlJCEQ, http://grapweb.com/ Is vigrx plus safe, ffUMRkC, <a href="http://hewle.com/">Maxoderm videos</a>, TFrdnHV, Maxoderm phone, UDiGxkc, http://hewle.com/ Maxoderm, DuVNHYa, <a href="http://azvetdentists.com/">Cialis hearing loss</a>, wfoKhna, Cialis soft tabs half, jCJjfew, http://azvetdentists.com/ Male enhancements viagra and cialis, ezCCUmY, <a href="http://globalizationstudies.org/">Order vigrx plus</a>, ltWLkfc, VigRX Plus, QbpJTNR, http://globalizationstudies.org/ Vigrx plus amazon, KrfQQJO, <a href="http://fuelish.net/">Wix company info</a>, hXRzOgH, Wix cross reference, wROcnAN, http://fuelish.net/ Wix challenger, YfCiwKF.
            [page] => /index.php?option=com_civicrm&task=civicrm/contribute/transact&Itemid=21
            [userid] =>
            [session] => 0c0d076a88b7e83dfb53843ea896a9c5
            [ip] => 5.152.204.148
            [reaction] => 2
            [impact] => 62
        )
 
    [1] => Array
        (
            [name] => billing_postal_code-5
            [value] => jubdbsfbdi/psh/vl, <a href="http://newschooljournal.com/">Sildenafil pulmonary hypertension</a>, PsKmurL, Buy sildenafil citrate, uGtlwPi, http://newschooljournal.com/ Sildenafil, iYtAkPx, <a href="http://grapweb.com/">Discount vigrx plus</a>, aasvqau, Vigrx plus comparison, LNlJCEQ, http://grapweb.com/ Is vigrx plus safe, ffUMRkC, <a href="http://hewle.com/">Maxoderm videos</a>, TFrdnHV, Maxoderm phone, UDiGxkc, http://hewle.com/ Maxoderm, DuVNHYa, <a href="http://azvetdentists.com/">Cialis hearing loss</a>, wfoKhna, Cialis soft tabs half, jCJjfew, http://azvetdentists.com/ Male enhancements viagra and cialis, ezCCUmY, <a href="http://globalizationstudies.org/">Order vigrx plus</a>, ltWLkfc, VigRX Plus, QbpJTNR, http://globalizationstudies.org/ Vigrx plus amazon, KrfQQJO, <a href="http://fuelish.net/">Wix company info</a>, hXRzOgH, Wix cross reference, wROcnAN, http://fuelish.net/ Wix challenger, YfCiwKF.
            [page] => /index.php?option=com_civicrm&task=civicrm/contribute/transact&Itemid=21
            [userid] =>
            [session] => 0c0d076a88b7e83dfb53843ea896a9c5
            [ip] => 5.152.204.148
            [reaction] => 2
            [impact] => 62
        )
 
    [2] => Array
        (
            [name] => IDS_request_uri
            [value] => /index.php?option=com_civicrm&task=civicrm/contribute/transact&Itemid=21
            [page] => /index.php?option=com_civicrm&task=civicrm/contribute/transact&Itemid=21
            [userid] =>
            [session] => 0c0d076a88b7e83dfb53843ea896a9c5
            [ip] => 5.152.204.148
            [reaction] => 2
            [impact] => 62
        )
 
)

in the /media/civicrm/ConfigAndLog log files. Does this mean that an attack was detected and stopped? Or that this was the attack succeeding?

I've blocked the ip in question for the moment, but I've no doubt that he'll be back later with a new IP to try.

Any help would be appreciated, I'm getting fed up of unhacking the site and am struggling to work out how they are getting in.

Hi
Thanks for the reply, very clear. I might try dropping the threshold to 60 for a bit and see if that slows them down ..