Welcome to WebmasterWorld Guest from 22.214.171.124
Forum Moderators: ocean10000
I've tried setting a cookie on the first hack attempt with their IP address and the current time, and then retrieving that on subsequent attempts -- and it works, but the next day that they come in it's a new IP address and no cookie.
So, what I'd like to do is determine if it really is the same person over & over, or if it is a number of different people. There are two or three different attack signatures, and they come so quickly together that it appears to be a script, but that's all I can determine.
I am using classic ASP (vbscript) - I am not able to install ASP.net on this server.
Another question are the Injection attacks doing harm to your website? If they are block them sooner then later to give you more time to fix the problems.
I know websites I manage get hit all the time with any number of injection/php/exploiots attempts every day. I have secured my site and codebase so these attempts just result in 403, and them added to a black list of ip's and ranges. So they only get one try before they get black listed from further attempts.
and them added to a black list of ip's and rangesI have as well done this only to get calls from customers asking why they can get on my site. This to me rings with problems because hackers usually are working from a hacked computer or server.
I agree with the part about if your not doing business in x country then yes you can block that but the other I feel needs to be done with extreme caution.
Instead put your efforts into addressing the vulnerabilities themselves and close those holes up.
It might not even be the same person/bot doing this each time.
Ocean mentioned this but to elaborate some more.... what happens is bots will crawl sites and attempt to hit URLs like /VTI BIN or /PHPMYADMIN and other URLs that give info about the services running on your site.
Sites that return a 404/3 or whatever are ignored, sites that resolve the URL will be logged as a site with potential vulnerabilities, then either the bot will continue to make some automated attempts at compromising your server, OR someone who receives the logs of sites that are potential victims may come and make an attempt themselves.
If they succeed in "hacking" your site then usually what happens next is they automate the hacking so a bot can come back every day/hour/minute and do the dirty work for them.
There are literally 1000s of people trying this on sites daily. Finding 1 IP or a range of IPs and blocking them will not stop the problem. It will continue in perpetuity.
Find the hole and close it. Then you can work on trying to log these instances, once you start logging these things you will see how often attempts are made on your site.
I for one am not a fan of blocking IPs unless it is clear that the IP is highly suspect.
Most of the attempts will come from Zombie computers who's users don't even know their computer is performing these operations if they route through a proxy then banning IPs is pointless.
[edited by: Demaestro at 5:27 pm (utc) on Sep. 10, 2009]
[edited by: Ocean10000 at 5:34 pm (utc) on Sep. 10, 2009]
The nature of the site and the sensitivity of data on the webserver are definitely key factors in deciding how to deal with these things.
The severity of the exploit is also a factor. If all they are trying to do is put some files into the public folder then I usually leave that alone.
If they are trying to make an SSH connection or something like that then it is time to nuke their IP.
Regardless you can't leave holes open and try to block people who are exploiting them. You HAVE TO close the holes, then decide what to do about people trying to open them back up.