
Identifying a hacker?

5:10 pm on Sep 9, 2009 (gmt 0) | New User, 5+ Year Member, joined Sept 9, 2009, posts: 1, votes: 0


My webserver has been the target of SQL injection attacks. Every time they try, it comes from a different IP address that maps back to China - but different parts of China.

I've tried setting a cookie on the first hack attempt with their IP address and the current time, and then retrieving that on subsequent attempts -- and it works, but the next day that they come in it's a new IP address and no cookie.

So, what I'd like to do is determine if it really is the same person over & over, or if it is a number of different people. There are two or three different attack signatures, and they come so quickly together that it appears to be a script, but that's all I can determine.

I am using classic ASP (vbscript) - I am not able to install ASP.net on this server.

Any suggestions?

Thanks!

9:04 pm on Sept 9, 2009 (gmt 0) | Ocean10000, Administrator (WebmasterWorld Administrator, 10+ Year Member, Top Contributors Of The Month), joined Jan 14, 2004, posts: 864, votes: 3


Do you do any business in China whatsoever? If you do not, why not just block all of China? It would at least stop them from coming from that region.

Another question: are the injection attacks doing harm to your website? If they are, block them sooner rather than later to give you more time to fix the problems.

I know websites I manage get hit all the time with any number of injection/php/exploit attempts every day. I have secured my site and codebase so these attempts just result in a 403, and they are added to a blacklist of IPs and ranges. So they only get one try before they get blacklisted from further attempts.

5:11 pm on Sept 10, 2009 (gmt 0) | bwnbwn, Senior Member (WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member, Top Contributors Of The Month), joined Oct 25, 2005, posts: 3591, votes: 48


Ocean1000: "and them added to a black list of ip's and ranges"

I have done this as well, only to get calls from customers asking why they can't get on my site. This to me rings with problems because hackers usually are working from a hacked computer or server.

I agree with the part about if you're not doing business in x country then yes you can block that, but the other I feel needs to be done with extreme caution.

5:27 pm on Sept 10, 2009 (gmt 0) | Demaestro, Senior Member (WebmasterWorld Senior Member, 10+ Year Member), joined Dec 15, 2003, posts: 2638, votes: 5


Honestly, if I were you I wouldn't worry so much about stopping "a hacker", whom I suspect is more of an automated bot than an actual person.

Instead put your efforts into addressing the vulnerabilities themselves and close those holes up.

It might not even be the same person/bot doing this each time.

Ocean mentioned this, but to elaborate some more: what happens is bots will crawl sites and attempt to hit URLs like /VTI BIN or /PHPMYADMIN and other URLs that give info about the services running on your site.

Sites that return a 404/403 or whatever are ignored; sites that resolve the URL will be logged as a site with potential vulnerabilities. Then either the bot will continue to make some automated attempts at compromising your server, OR someone who receives the logs of sites that are potential victims may come and make an attempt themselves.

If they succeed in "hacking" your site then usually what happens next is they automate the hacking so a bot can come back every day/hour/minute and do the dirty work for them.

There are literally 1000s of people trying this on sites daily. Finding 1 IP or a range of IPs and blocking them will not stop the problem. It will continue in perpetuity.

Find the hole and close it. Then you can work on trying to log these instances; once you start logging these things you will see how often attempts are made on your site.

I for one am not a fan of blocking IPs unless it is clear that the IP is highly suspect.

Most of the attempts will come from zombie computers whose users don't even know their computer is performing these operations; if they route through a proxy, then banning IPs is pointless.

[edited by: Demaestro at 5:27 pm (utc) on Sep. 10, 2009]
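Demaestro's suggestion to log the attempts, worked through as an added example that is not from the thread: a Python script over constructed IIS W3C-style log lines that tags each request with the attack signature it matches and reports, per source IP, whether the flagged requests arrived in a tight burst, which is the evidence the original poster wanted for "script or person". The log field layout, the two signature names and the BURST_SECONDS threshold are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed IIS W3C-style log lines (not from the thread); fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2009-09-09 03:12:01 203.0.113.10 GET /product.asp id=12 200
2009-09-09 03:12:02 203.0.113.10 GET /product.asp id=12;DECLARE%20@s%20varchar(4000) 500
2009-09-09 03:12:03 203.0.113.10 GET /item.asp cat=3'%20OR%201=1-- 500
2009-09-09 11:40:15 198.51.100.7 GET /product.asp id=9;DECLARE%20@s%20varchar(4000) 500
2009-09-09 11:52:16 198.51.100.7 GET /news.asp id=2;DECLARE%20@s%20varchar(4000) 500
"""

# Detection rules over the URL-decoded query string; each entry is one "attack signature".
SIGNATURES = {
    "declare-cast": re.compile(r"\bdeclare\s+@|\bcast\s*\(", re.I),
    "tautology": re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I),
}
BURST_SECONDS = 5  # assumed threshold: flagged requests closer than this were not typed by hand

def parse_line(line):
    """Split one log line into a dict; None for blank or '#' header lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != 7:
        return None
    date, time, ip, _method, _stem, query, _status = parts
    return {"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "ip": ip, "query": unquote(query)}

def classify(query):
    """Names of every signature the decoded query matches (empty if clean)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]

def analyse(log_text):
    """Per signature: the IPs that used it; per IP: hits, signatures, scripted flag."""
    sig_ips, by_ip = defaultdict(set), defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if sigs := classify(rec["query"]):
            by_ip[rec["ip"]].append((rec["ts"], sigs))
            for s in sigs:
                sig_ips[s].add(rec["ip"])
    report = {"by_signature": {s: sorted(v) for s, v in sig_ips.items()}, "by_ip": {}}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        report["by_ip"][ip] = {"hits": len(events),
                               "signatures": sorted({s for _, ss in events for s in ss}),
                               "scripted": bool(gaps) and max(gaps) <= BURST_SECONDS}
    return report
```

Running `analyse` over a real IIS log (with the `#Fields:` header lines skipped as above) shows the same signature recurring from many IPs, which is what you would expect from a bot rather than one person.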

5:27 pm on Sept 10, 2009 (gmt 0) | Ocean10000, Administrator (WebmasterWorld Administrator, 10+ Year Member, Top Contributors Of The Month), joined Jan 14, 2004, posts: 864, votes: 3


Injection/exploit attempts I treat as a major threat, and do not give that computer many future attempts to find a hole. Due to the industry I mainly work in, I cannot take that many chances. Most of the clients have IT staff and maintain their computers and networks. If I find out an IP comes from a client's range, it usually means a lot of paperwork on my part documenting it, and notifying everyone that is needed. I usually only have to deal with US based branches, so I can block all foreign countries without any worries for the secured sites.

[edited by: Ocean10000 at 5:34 pm (utc) on Sep. 10, 2009]

5:32 pm on Sept 10, 2009 (gmt 0) | Demaestro, Senior Member (WebmasterWorld Senior Member, 10+ Year Member), joined Dec 15, 2003, posts: 2638, votes: 5


Ocean, that is a good policy when dealing with a specific country.

The nature of the site and the sensitivity of data on the webserver are definitely key factors in deciding how to deal with these things.

The severity of the exploit is also a factor. If all they are trying to do is put some files into the public folder then I usually leave that alone.

If they are trying to make an SSH connection or something like that then it is time to nuke their IP.

Regardless, you can't leave holes open and try to block people who are exploiting them. You HAVE TO close the holes, then decide what to do about people trying to open them back up.
