How do you handle them?
Recently, a fairly major site I run for a university was attacked in a big way. The attacker spent about 2 hours and sent well over 150 http requests attempting to penetrate the site's security. This particular site has been attacked several times in the past, so I'd installed fairly advanced security systems, and had hardened the site as best I could (run all updates on software, fixed known security vulnerabilities in current software by hand until patches were released, that sort of thing).
The attacker was persistent enough that they were willing to spend 2 hours just trying to find a security vulnerability; with that kind of dedication and the knowledge of PHP they displayed they would certainly be able to write a custom script to embed. It's been done before on this site; for some reason the university site attracts this kind of attack.
So, onto my (very possibly paranoid) questions:
How do you verify that the site is clean?
Another site was involved in the attack; the attacker attempted to transfer a file from their site to ours. I've notified the administrator of the site in question, as the site was legitimate and quite clearly not the instigator of the attack. Is there anything else I should do?
The attacks were run through an anonymizer (several, actually), and the attacker used the anonymizer to change IP addresses every 10 attacks or so. I've blacklisted the IP addresses used, but I get the feeling I'm attempting to behead a Hydra here. I had already blacklisted the entire Amazon AWS after repeated attacks from its hosted services. Is there a similar, more proactive measure I can use to block these anonymizers and proxy services, or is this a bad idea?
Why were we targeted? While the site does get a lot of traffic, it doesn't collect confidential information or payment details--all of that is handled through third-party services; the website doesn't touch that sort of information. The university in question is Christian, which may provide motivation for some, but apparently someone really, really wanted in this time. I'm mostly just curious here: why would someone spend so much effort attacking a harmless site that does not handle confidential information?
> why would someone spend so much effort attacking a harmless site that does not handle confidential information?
Because if it is a big enough site with a lot of traffic and no-one particularly concerned about "bandwidth use" (a university site would fit that profile; you aren't going to be watching every last gig going out), it can be used for parasitic hosting* for a while without someone necessarily catching on.
In these cases (uni sites) *illegal pron seems to be a favorite "payload"; likewise real estate sites etc. Anything that serves lots of images normally, has high bandwidth available, and has logs that would be unrealistic to search through to see who was doing what and downloading what.
I would start looking at the modified date and time stamp of the files.
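The timestamp check suggested above, combined with the original question of how to verify the site is clean, can be done against a hash baseline taken before the incident. This is an added example, not code from anyone in the thread; the web root, file names and timestamps are constructed for the demo, and the attack-window cutoff is an assumed value.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map each file under root (relative POSIX path) to (sha256, mtime)."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            rel = path.relative_to(root).as_posix()
            manifest[rel] = (digest, path.stat().st_mtime)
    return manifest

def compare(baseline, current, since):
    """Diff current tree against a known-good baseline.

    added/removed/changed come from the hashes, which an intruder cannot
    fake without the baseline. 'recent' lists files whose mtime is at or
    after `since` (start of the attack window); mtimes can be backdated
    with touch, so treat this list as a hint, not as proof of cleanliness.
    """
    report = {"added": [], "removed": [], "changed": [], "recent": []}
    for rel, (digest, mtime) in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel][0] != digest:
            report["changed"].append(rel)
        if mtime >= since:
            report["recent"].append(rel)
    report["removed"] = [rel for rel in baseline if rel not in current]
    return {k: sorted(v) for k, v in report.items()}

def demo():
    """Constructed scenario: baseline a tiny web root, then simulate a
    tampered include and a dropped file, using fixed mtimes (hypothetical)."""
    root = Path(tempfile.mkdtemp())
    (root / "inc").mkdir()
    for rel, body in [("index.php", "<?php echo 'hi'; ?>"),
                      ("inc/config.php", "<?php $db = 'x'; ?>")]:
        (root / rel).write_text(body)
        os.utime(root / rel, (1_000_000_000, 1_000_000_000))  # before attack
    baseline = hash_tree(root)
    attack_start = 1_000_000_050  # assumed start of the attack window
    for rel, body in [("inc/config.php", "<?php $db = 'x'; /* tampered */ ?>"),
                      ("uploads.php", "<?php /* unexpected new file */ ?>")]:
        (root / rel).write_text(body)
        os.utime(root / rel, (1_000_000_100, 1_000_000_100))  # during attack
    return compare(baseline, hash_tree(root), attack_start)

if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest is taken from a clean deployment (or from version control) and stored off the web server, so a compromised host cannot rewrite it.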
You weren't. You get the same thing on, say, teeny little sites on shared hosting.* The site itself isn't the target; the aim is to break in and get upstairs. With luck, this will get you access to everything on the server-- and one of those is bound to have something worth stealing. Obvious analogy: You're not breaking into the janitor's closet to steal a mop. You're hoping to find a set of master keys.
* I've seen a few aggressive robot visits to my art studio's site, which is smaller than mine by orders of magnitude. (As noted elsewhere, this would seem to be mathematically impossible.) Obviously they weren't interested in the site itself. It was just a possible access point.