homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Home / Forums Index / WebmasterWorld / Webmaster General
Forum Library, Charter, Moderators: phranque

Webmaster General Forum

Hacking Attempts
How do you handle them?

5+ Year Member

Msg#: 4465928 posted 4:47 pm on Jun 15, 2012 (gmt 0)

Recently, a fairly major site I run for a university was attacked in a big way. The attacker spent about 2 hours and sent well over 150 http requests attempting to penetrate the site's security. This particular site has been attacked several times in the past, so I'd installed fairly advanced security systems, and had hardened the site as best I could (run all updates on software, fixed known security vulnerabilities in current software by hand until patches were released, that sort of thing).

The security system alerted me about the attack and stopped it dead in its tracks, so far as I can tell. However, given the nature and persistence of the attacker, I'm still hesitant to proclaim victory until the security of the site is verified. However, the site has something like 70,000 files on it, at least 30,000 of which are PHP, HTML, and Javascript--far too many to manually scan, and while using grep to check for known attack signatures in files is great, it still doesn't eliminate the possibility that a clever attacker might have hid something they wrote specifically for the occasion somewhere.

The attacker was persistent enough that they were willing to spend 2 hours just trying to find a security vulnerability; with that kind of dedication and the knowledge of PHP they displayed they would certainly be able to write a custom script to embed. It's been done before on this site; for some reason the university site attracts this kind of attack.

So, onto my (very possibly paranoid) questions:
  • How do you verify that the site is clean?
  • Another site was involved in the attack; the attacker attempted to transfer a file from their site to ours. I've notified the administrator of the site in question, as the site was legitimate and quite clearly not the instigator of the attack. Is there anything else I should do?
  • The attacks were run through an anonymizer (several, actually), and the attacker used the anonymizer to change IP addresses every 10 attacks for so. I've blacklisted the IP addresses used, but I get the feeling I'm attempting to behead a Hydra here. I had already blacklisted the entire Amazon AWS after repeated attacks from its hosted services. Is there a similar, more proactive measure I can use to block these anonymizers and proxy services, or is this a bad idea?
  • Why were we targeted? While the site does get a lot of traffic, it doesn't collect confidential information or payment details--all of that is handled through third-party services; the website doesn't touch that sort of information. The university in question is Christian, which may provide motivation for some, but apparently someone really, really wanted in this time. I'm mostly just curious here: why would someone spend so much effort attacking a harmless site that does not handle confidential information?


    WebmasterWorld Senior Member leosghost us a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

    Msg#: 4465928 posted 5:44 pm on Jun 15, 2012 (gmt 0)

    why would someone spend so much effort attacking a harmless site that does not handle confidential information?

    Because if it is a big enough site with a lot of traffic and no-one particularly concerned about "bandwidth use" ( a University site would fit that profile, you aren't going to be watching ever last gig going out ) it can be used for parasitic hosting* for a while without someone necessarily catching on..

    In these cases ( Uni' sites ) *illegal pron seems to be a favorite "payload".. likewise real estate sites etc .anything that serves lots of images normally and has high bandwidth available and logs that would be unrealistic to search through to see who was doing what and downloading what..


    5+ Year Member

    Msg#: 4465928 posted 10:10 pm on Jun 17, 2012 (gmt 0)

    I would start looking at the modified date and time stamp of the files


    WebmasterWorld Senior Member lucy24 us a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month

    Msg#: 4465928 posted 12:07 am on Jun 18, 2012 (gmt 0)

    Why were we targeted?

    You weren't. You get the same thing on, say, teeny little sites on shared hosting.* The site itself isn't the target; the aim is to break in and get upstairs. With luck, this will get you access to everything on the server-- and one of those is bound to have something worth stealing. Obvious analogy: You're not breaking into the janitor's closet to steal a mop. You're hoping to find a set of master keys.

    * I've seen a few aggressive robot visits to my art studio's site, which is smaller than mine by orders of magnitude. (As noted elsewhere, this would seem to be mathematically impossible.) Obviously they weren't interested in the site itself. It was just a possible access point.

    Global Options:
     top home search open messages active posts  

    Home / Forums Index / WebmasterWorld / Webmaster General
    rss feed

    All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
    Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
    WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
    © Webmaster World 1996-2014 all rights reserved