How can I stop this hacker?

Hacker changing his IP and trying to hack me.

     
8:07 pm on Apr 18, 2007 (gmt 0)

New User

10+ Year Member

joined:Dec 16, 2005
posts:27
votes: 0


Over the last 24 hours someone has hit the same file on my server "modules.php" 16000 times. I have blocked them with:

deny from <ip address>

Every time I block them, a few mins later they switch IPs and start again.

I'm not sure what they are trying to do but I'm guessing they are trying to get a password or something. Does anyone know what they are doing and how to stop them?

[edited by: trillianjedi at 9:09 pm (utc) on April 18, 2007]
[edit reason] We don't need specifics - thanks ;) [/edit]

8:16 pm on Apr 18, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Feb 12, 2006
posts:2649
votes: 95


are you sure it's the same person? (or same 'thing'?) it can't be from one person, so it's either automated or from lots of different users.
if it's automated and it's switching IPs then i wouldn't bother blocking anymore. you'd be there all day, and you might just end up blocking a load of people that you want to keep.

i would just make sure that the file is secure and not worry about it.

but the name 'modules.php' sounds like something that might get delivered on every visit. what is in it? are you sure that it isn't just getting delivered to everyone who visits your site? or to everyone who visits a particular section of your site?

[edit --] if the page is just being referenced in your php script, then you could simply change the name of the file to something else. that would stop them. or if you're feeling a bit braver, then you could move the page out of your root folder. because they won't be able to access it at all then, even if they know what the filename is.
but if it's an actual link that is in the search engines then obviously you wouldn't want to touch it

8:42 pm on Apr 18, 2007 (gmt 0)

Junior Member

10+ Year Member

joined:May 17, 2006
posts:41
votes: 0


Rename that file to something else, and point all your scripts to it.
Create a new file with the same output as the original file (but all random crap in there) and put it in the place of the old one.

By the time your hacker figures it out, he would have gathered so much crap he won't know what to keep and what to throw away. :p

9:46 pm on Apr 18, 2007 (gmt 0)

New User

10+ Year Member

joined:Dec 16, 2005
posts: 27
votes: 0


I am sure it is the same person because they will hit the file with one IP over and over until I ban it, then 5 to 10 mins later they will start again with a new IP.

The file is a key script on my site but it is never called like they are calling it:

"modules.php"

its normal use is

/modules.php?name=module-name&op=op

I would change the name but most of the scripts in my CMS reference that file so it will be very hard to change them all... also there are links in search engines to it like:

modules.php?name=module-name&op=op

I'm guessing they are trying to log in or something, they are posting using a GET. Is there any way for me to see what they are posting?

10:09 pm on Apr 18, 2007 (gmt 0)

New User

10+ Year Member

joined:Dec 16, 2005
posts:27
votes: 0


Also, how can I tell if the script is fully secure? Can I post the contents here? The file comes from a widely used open source CMS.

10:24 pm on Apr 18, 2007 (gmt 0)

New User

10+ Year Member

joined:Dec 16, 2005
posts:27
votes: 0


I'm going to set up a script to automatically catch each new IP and redirect it. Is there any site set up to redirect hackers to?

11:13 pm on Apr 18, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 16, 2007
posts:914
votes: 0


Instead of doing it by IP you could do a rewrite rule that would act if there's no querystring. Personally I'd just do a 403 but I suppose you could redirect back to the originating IP. Whatever bot it is probably won't follow a redirect though.

1:35 am on Apr 19, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 28, 2004
posts:7999
votes: 0


is there any way for me to see what they are posting?

Add a little programming that logs all input *before* cleansing. Open a plain text file somewhere, append it, monitor it closely, it will reveal what they're up to and how to stop it.

Probably a bot.
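
The logging suggested in the post above, together with the 403-on-missing-query-string idea from earlier in the thread, as an added example that is not part of any post or of the CMS. The log path, the size cap and the function names are assumptions; `name` is the parameter the original poster says normal requests carry.

```php
<?php
// Added example, not from the thread. LOG_FILE is a hypothetical path; keep it
// outside the web root, because raw input can contain passwords and cookies.
const LOG_FILE = '/var/log/site/modules-input.log';
const MAX_BODY = 4096; // assumed cap on stored body size, so a flood fills the disk more slowly

// Build one JSON line per request. json_encode escapes newlines and control
// characters, so a crafted parameter cannot forge extra log entries.
function build_log_line(array $server, array $get, array $post, string $rawBody): string
{
    $entry = [
        'time'   => gmdate('c'),
        'ip'     => $server['REMOTE_ADDR'] ?? '',
        'method' => $server['REQUEST_METHOD'] ?? '',
        'uri'    => $server['REQUEST_URI'] ?? '',
        'agent'  => $server['HTTP_USER_AGENT'] ?? '',
        'get'    => $get,
        'post'   => $post,
        'body'   => substr($rawBody, 0, MAX_BODY),
    ];
    return json_encode($entry, JSON_INVALID_UTF8_SUBSTITUTE | JSON_UNESCAPED_SLASHES) . "\n";
}

// True when the request lacks the "name" parameter that normal use always sends.
function is_bare_request(array $get): bool
{
    return !isset($get['name']) || !is_string($get['name']) || $get['name'] === '';
}

if (PHP_SAPI === 'cli') {
    // Constructed sample: a bare hit on modules.php, as described in the thread.
    $server = ['REMOTE_ADDR' => '192.0.2.10', 'REQUEST_METHOD' => 'GET',
               'REQUEST_URI' => '/modules.php', 'HTTP_USER_AGENT' => "bot\nfake-entry"];
    echo build_log_line($server, [], [], '');
    echo is_bare_request([]) ? "would send 403\n" : "would continue\n";
} else {
    // At the very top of modules.php, before the CMS cleans or uses any input.
    $line = build_log_line($_SERVER, $_GET, $_POST, (string) file_get_contents('php://input'));
    file_put_contents(LOG_FILE, $line, FILE_APPEND | LOCK_EX);
    if (is_bare_request($_GET)) {
        http_response_code(403); // refuse instead of redirecting
        exit;
    }
}
```

Run from the command line it prints the constructed sample as a single log line, with the newline in the user agent escaped; remove the logging once the traffic has been understood, since the file holds unfiltered input.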

5:48 am on Apr 19, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 4, 2004
posts:885
votes: 0


Having gone through a similar experience myself I can tell you why you possibly have multiple IP's trying to access it. I had a modification on my forum that could be easily found through search engines by the filename, this modification had a vulnerability. Once it became known for about 3 weeks I was getting hits on the vulnerable file over and over for about 3 or 4 weeks. I didn't check the IP's but I'll assume they were from multiple sources. Fortunately for me I was aware of the problem and had fixed it a day or two before this began.

6:50 am on Apr 19, 2007 (gmt 0)

Preferred Member

10+ Year Member

joined:Nov 29, 2003
posts:351
votes: 0


This sort of behavior is the one of a sort of virus attacking CMS and replicating itself as a worm does. It must be a web attacker which is updated very quickly (and automatically) as soon as a new CMS vulnerability is discovered and which is coming from all the infected websites.
In my case, the virus doesn't try to post anything but tries to exploit hundreds of known vulnerabilities or find new ones (it also attacks pages indexed as getting variables in the URL) to have perl and php scripts (about twenty different names and scripts) executed - these scripts would copy the virus/webattacker in a (hidden) directory, modify the site, add javascript in pages...
I may be wrong.

8:04 am on Apr 19, 2007 (gmt 0)

New User

10+ Year Member

joined:Dec 16, 2005
posts:27
votes: 0


How can I set it so that if there are no query strings it will redirect to the homepage?

7:46 pm on Apr 19, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Feb 12, 2006
posts:2649
votes: 95


this might not work (i'm a bit rusty) but you could stick this at the top of the modules page

if(!isset($_GET['blahblah'])) {
header('Location: [website.com...]');
}

obviously you would change blahblah to whatever the variable is that you are testing for. if it finds that there is no value for the variable, then it should send you to the new page.

headers have to come at the very top of the script though-- before the page prints anything out-- so make sure it goes above the DOCTYPE, and everything else.

2:08 am on Apr 20, 2007 (gmt 0)

Preferred Member

10+ Year Member

joined:July 16, 2001
posts:545
votes: 0


if(!isset($_GET['blahblah'])) {
header('Location: http://www.website.com/');
exit();
}

Adding an exit will immediately stop execution of the script when the condition is met, take a small amount of load off your server, and keep it from dumping other info back to the bot.