Hacking Attempts

How do you handle them?

4:47 pm on Jun 15, 2012 (gmt 0)

Full Member

10+ Year Member

joined:July 13, 2007
votes: 0

Recently, a fairly major site I run for a university was attacked in a big way. The attacker spent about 2 hours and sent well over 150 http requests attempting to penetrate the site's security. This particular site has been attacked several times in the past, so I'd installed fairly advanced security systems, and had hardened the site as best I could (run all updates on software, fixed known security vulnerabilities in current software by hand until patches were released, that sort of thing).

The security system alerted me about the attack and stopped it dead in its tracks, so far as I can tell. However, given the nature and persistence of the attacker, I'm still hesitant to proclaim victory until the security of the site is verified. However, the site has something like 70,000 files on it, at least 30,000 of which are PHP, HTML, and JavaScript, far too many to manually scan, and while using grep to check for known attack signatures in files is great, it still doesn't eliminate the possibility that a clever attacker might have hidden something they wrote specifically for the occasion somewhere.

The attacker was persistent enough that they were willing to spend 2 hours just trying to find a security vulnerability; with that kind of dedication and the knowledge of PHP they displayed they would certainly be able to write a custom script to embed. It's been done before on this site; for some reason the university site attracts this kind of attack.

So, onto my (very possibly paranoid) questions:
  • How do you verify that the site is clean?
  • Another site was involved in the attack; the attacker attempted to transfer a file from their site to ours. I've notified the administrator of the site in question, as the site was legitimate and quite clearly not the instigator of the attack. Is there anything else I should do?
  • The attacks were run through an anonymizer (several, actually), and the attacker used the anonymizer to change IP addresses every 10 attacks or so. I've blacklisted the IP addresses used, but I get the feeling I'm attempting to behead a Hydra here. I had already blacklisted the entire Amazon AWS after repeated attacks from its hosted services. Is there a similar, more proactive measure I can use to block these anonymizers and proxy services, or is this a bad idea?
  • Why were we targeted? While the site does get a lot of traffic, it doesn't collect confidential information or payment details--all of that is handled through third-party services; the website doesn't touch that sort of information. The university in question is Christian, which may provide motivation for some, but apparently someone really, really wanted in this time. I'm mostly just curious here: why would someone spend so much effort attacking a harmless site that does not handle confidential information?

5:44 pm on June 15, 2012 (gmt 0)

leosghost, Senior Member from FR

WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member

joined:Feb 15, 2004
votes: 230
why would someone spend so much effort attacking a harmless site that does not handle confidential information?

Because if it is a big enough site with a lot of traffic and no-one particularly concerned about "bandwidth use" (a University site would fit that profile; you aren't going to be watching every last gig going out), it can be used for parasitic hosting* for a while without someone necessarily catching on.

In these cases (Uni' sites) *illegal pron seems to be a favorite "payload"; likewise real estate sites etc., anything that normally serves lots of images, has high bandwidth available, and has logs that would be unrealistic to search through to see who was doing what and downloading what.

10:10 pm on June 17, 2012 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 18, 2007
votes: 0

I would start looking at the modified date and time stamp of the files.
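One way to work the first question ("how do you verify that the site is clean?") together with the modified-date suggestion above, as an added example that is not from this thread or any of its posters: compare the web root against a hash manifest taken from a known-good copy, list files whose mtime falls in the attack window, and run a grep-style signature pass. The signature pattern, directory names and file contents are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Constructed signature (assumption, not from the thread): eval() wrapped around a decoded blob, a common injected-PHP idiom.
SIGNATURE = re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(")
SCAN_EXT = {".php", ".html", ".js"}  # the file types the thread says make up most of the site

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(root: str) -> dict:
    """Baseline from a known-good copy (e.g. the deployment archive): relative path -> sha256."""
    root_p = Path(root)
    return {str(p.relative_to(root_p)): sha256_file(p) for p in root_p.rglob("*") if p.is_file()}

def diff_manifest(root: str, baseline: dict) -> dict:
    """Added, removed and content-changed files; this catches custom payloads that no signature knows."""
    cur = build_manifest(root)
    return {"added": sorted(set(cur) - set(baseline)),
            "removed": sorted(set(baseline) - set(cur)),
            "modified": sorted(p for p in cur if p in baseline and cur[p] != baseline[p])}

def modified_since(root: str, since_epoch: float) -> list:
    """Files whose mtime falls in the attack window. mtime is forgeable (touch -r), so use it for triage only."""
    root_p = Path(root)
    return sorted(str(p.relative_to(root_p)) for p in root_p.rglob("*")
                  if p.is_file() and p.stat().st_mtime >= since_epoch)

def scan_signatures(root: str) -> list:
    """Cheap grep-style pass over web files; returns the paths that match SIGNATURE."""
    root_p = Path(root)
    return sorted(str(p.relative_to(root_p)) for p in root_p.rglob("*")
                  if p.is_file() and p.suffix in SCAN_EXT and SIGNATURE.search(p.read_bytes()))

def demo() -> dict:
    """Constructed web root: clean baseline, then two changes stamped inside a later attack window."""
    root, before, during = tempfile.mkdtemp(), 1_300_000_000, 1_339_778_400
    def put(rel, text, mtime):  # write a file and pin its mtime so the run is deterministic
        p = Path(root, rel); p.parent.mkdir(parents=True, exist_ok=True); p.write_text(text)
        os.utime(p, (mtime, mtime))
    put("index.php", "<?php echo 'hello'; ?>", before); put("js/app.js", "console.log(1);", before)
    baseline = build_manifest(root)
    put("img/cache.php", "<?php eval(base64_decode('ZWNobyAxOw==')); ?>", during)  # constructed; blob is "echo 1;"
    put("index.php", "<?php include 'img/cache.php'; echo 'hello'; ?>", during)     # only the hash diff sees this
    return {"diff": diff_manifest(root, baseline), "recent": modified_since(root, during - 60),
            "hits": scan_signatures(root)}
```

The point of running all three passes is that the signature scan flags only the obvious file, while the hash diff also surfaces the quietly edited index.php; the mtime listing is what an attacker can most easily falsify.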

12:07 am on June 18, 2012 (gmt 0)

lucy24, Senior Member from US

WebmasterWorld Senior Member, Top Contributor of All Time, 5+ Year Member

joined:Apr 9, 2011
votes: 598

Why were we targeted?

You weren't. You get the same thing on, say, teeny little sites on shared hosting.* The site itself isn't the target; the aim is to break in and get upstairs. With luck, this will get you access to everything on the server, and one of those is bound to have something worth stealing. Obvious analogy: you're not breaking into the janitor's closet to steal a mop. You're hoping to find a set of master keys.

* I've seen a few aggressive robot visits to my art studio's site, which is smaller than mine by orders of magnitude. (As noted elsewhere, this would seem to be mathematically impossible.) Obviously they weren't interested in the site itself. It was just a possible access point.