Recently, a fairly major site I run for a university was attacked in a big way. The attacker spent about 2 hours and sent well over 150 http requests attempting to penetrate the site's security. This particular site has been attacked several times in the past, so I'd installed fairly advanced security systems, and had hardened the site as best I could (run all updates on software, fixed known security vulnerabilities in current software by hand until patches were released, that sort of thing).
The attacker was persistent enough that they were willing to spend 2 hours just trying to find a security vulnerability; with that kind of dedication and the knowledge of PHP they displayed they would certainly be able to write a custom script to embed. It's been done before on this site; for some reason the university site attracts this kind of attack.
So, onto my (very possibly paranoid) questions:
How do you verify that the site is clean?
Another site was involved in the attack; the attacker attempted to transfer a file from their site to ours. I've notified the administrator of the site in question, as the site was legitimate and quite clearly not the instigator of the attack. Is there anything else I should do?
The attacks were run through an anonymizer (several, actually), and the attacker used the anonymizer to change IP addresses every 10 attacks for so. I've blacklisted the IP addresses used, but I get the feeling I'm attempting to behead a Hydra here. I had already blacklisted the entire Amazon AWS after repeated attacks from its hosted services. Is there a similar, more proactive measure I can use to block these anonymizers and proxy services, or is this a bad idea?
Why were we targeted? While the site does get a lot of traffic, it doesn't collect confidential information or payment details--all of that is handled through third-party services; the website doesn't touch that sort of information. The university in question is Christian, which may provide motivation for some, but apparently someone really, really wanted in this time. I'm mostly just curious here: why would someone spend so much effort attacking a harmless site that does not handle confidential information?