Folks - no reason to panic, but with the increasing availability of easy tools for attackers, I thought I'd share some thoughts on the announced #RefRef tool from Anonymous:
(http://www.thehackernews.com/2011/07/refref-denial-of-service-ddos-tool.html)
and on some other forms of attack it could spawn against your servers.
First of all: all these tools make use of basic security flaws. If your server is not set up right, takes unfiltered variables from the public, does not filter SQL out of REQUEST variables, or simply carries outdated WordPress templates in a sub-directory you forgot about (http://markmaunder.com/2011/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/) - it might also be vulnerable to the #RefRef attack.
So, what to do? Don't panic (just yet):
- there are no 100% safe systems, just very well protected ones
- people who want to bring your site down are in destruction mode. If the scripts they use do not work, they move on. It is (in most cases) not personal.
Here is what you need to do (in general):
a) take security seriously if you live off online income
b) have 1 day a month reserved for security checks
c) do not trust any external scripts, software or tools hosted on your site - WordPress, phpBB or cool AJAX tools are nice, but most likely have a security bug!
d) security by obscurity ("nobody will find that security hole I know about, because it is so complicated") will eventually stop working!
If you are pretty sure you have some open holes, or if you have no idea what I am talking about, it is time to act!
I am a big fan of the following approach, which might not cover everything but gives you a basic level of protection:
Reverse proxy with SQUID + SNORT + Guardian - I have talked about this at Pubcon for the last 2 years and it is your cheapest and fastest option to cover a broad range of potential attacks with minimal effort!
- take a dedicated Linux server (preferably with your provider)
- install SQUID on it with a reverse proxy config (I'll mail you one if you need it)
- add SNORT + Guardian on top of it (Snort inspects the traffic; Guardian firewalls the source out when Snort raises an alert)
- move your domain's DNS to the IP address of the Squid box
With a Linux-savvy person, this setup takes about 3-5 hours to get going, and at least you are protected from these basic SQL injection attacks! Reverse proxies also have the advantage that your JavaScript, images and CSS are cached for your visitors!
You may also keep your old server and have it respond to your own IP address only, for detailed admin work that you want to do without any filters in between...
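Since the post leaves the actual proxy config to e-mail, here is an added example of what such a Squid reverse proxy (accelerator) config looks like. It is my own illustration, not the author's config, and it assumes Squid 3.x, the public site www.example.com, the old web server now reachable only at 10.0.0.5:80, and an admin address of 203.0.113.10; adjust to your own names and addresses.

```squid
# Added example: minimal Squid 3.x accelerator (reverse proxy) config.
# Assumed values (not from the post): site www.example.com, origin server
# 10.0.0.5:80, admin IP 203.0.113.10. Replace them with your own.

# Listen on the public address in accelerator mode, answering for the site.
http_port 80 accel defaultsite=www.example.com vhost

# The only backend Squid may forward to; "originserver" marks it as the origin.
cache_peer 10.0.0.5 parent 80 0 no-query originserver name=origin
never_direct allow all

# Only accept requests for our own hostnames, so the box cannot be abused
# as an open proxy to reach third-party sites.
acl our_sites dstdomain www.example.com example.com

# Keep the WordPress admin area off the public path: only the admin's IP
# may reach it through the proxy; everyone else is refused before the
# request ever touches the origin. Order matters: this deny comes first.
acl admin_area urlpath_regex -i ^/wp-admin/ ^/wp-login\.php
acl admin_ip src 203.0.113.10
http_access deny admin_area !admin_ip

http_access allow our_sites
http_access deny all
cache_peer_access origin allow our_sites
cache_peer_access origin deny all

# Cache static assets (JS, images, CSS) so the origin is not hit for them.
# The cache_dir size (1024 MB) is a placeholder; size it for your site.
cache_mem 256 MB
cache_dir ufs /var/spool/squid 1024 16 256
refresh_pattern -i \.(js|css|png|jpe?g|gif|ico)$ 1440 90% 10080
refresh_pattern . 0 20% 4320

# Pass the real client address to the origin so its logs stay useful when
# you review an incident, and hide the proxy software from responses.
forwarded_for on
via off
```

On the origin itself, restrict port 80 with the host firewall to the Squid box's address plus your own admin address, so nobody can bypass the proxy by going straight to the old IP.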
Code away!
P!