
Hacker attacking site, advice please!

Hacker using a script to intensively download graphic files

         

coburn

1:07 am on Jun 25, 2004 (gmt 0)

10+ Year Member



A hacker is attacking my site! At its worst it locks out visitors - logs show much lower numbers and for some hours nobody else can get in.

Have now had the host company ban the relevant IP addresses - would really appreciate advice on what I can and should do to safeguard and combat against this. Hosts have advised that I get site-monitor software to alert them and myself more timeously. Loath to go to any additional expense, unless someone can recommend a free prog.

The following IP addresses have been downloading pics from my site - many jpg and gif files per second:
211.135.160.224 & .127 .152 - so the "ddd" range is changing. Host has now banned 211.135.160 for .001 to 255 (they have told me banning has to be done one by one - a tedious exercise. Their attempt at banning a range didn't work). At times of attack one of the things I've noticed is the site asking me to log in with username and password - have never seen this before.

Am I doing the right thing? The IP address appears to belong to a Japanese host. Should I contact them? If so, how? This has never happened to me before so I'm anxious to take the right action to prevent it in the future. I don't even know anyone in Japan!

Any and all help appreciated. I can happily reciprocate with linking campaign advice if you would like.
Calum

jdMorgan

1:48 am on Jun 25, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You can look up the IP address here: [whois.nic.ad.jp...] and this script [webmasterworld.com] might help you.

Jim

coburn

2:02 am on Jun 25, 2004 (gmt 0)

10+ Year Member



Hi jdMorgan - thanks for the script link. Do you have a version for Windows server?

The whois link didn't work. Have picked up a few whois sites tho - am not sure what I should do with the info. I know that they are in Japan, I have found a general email address and phone number. Do you recommend I call?

Thanks
Calum

jdMorgan

3:57 am on Jun 25, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I don't know of a version for a Windows server, but you could use that script as an example, perhaps for use in conjunction with ISAPI rewrite.

If you remove the spurious comma from the end of the link, it will work. Take the admin info and file a complaint.

Jim

plumsauce

4:48 am on Jun 25, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member




coburn,

windows iis *absolutely* can ban by ip ranges.

have them look in the management console.

it will still show up in the logs, but they get a 403.

if they ban using packet filters then iis never even
sees the connection

++
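The pattern described in this thread (many jpg and gif requests per second from addresses whose last octet keeps changing) shows up when log entries are grouped by /24 and by second. The Python sketch below is an added example, not part of any post; it assumes IIS W3C extended logs with the fields shown, and the sample lines, the documentation-range addresses and the threshold of 5 are constructed.

```python
import ipaddress
from collections import Counter, defaultdict

IMAGE_EXT = (".jpg", ".jpeg", ".gif", ".png")

def build_sample():
    """Constructed IIS W3C log text (not taken from the thread's real logs)."""
    lines = ["#Fields: date time c-ip cs-method cs-uri-stem sc-status"]
    # Burst: three hosts in one /24, four images each, all in the same second.
    for host in (224, 127, 152):
        for n in range(4):
            lines.append(f"2004-06-25 00:10:01 203.0.113.{host} GET /pics/{host}_{n}.jpg 200")
    # An ordinary visitor loading a page and two images.
    lines.append("2004-06-25 00:10:01 198.51.100.7 GET /index.htm 200")
    lines.append("2004-06-25 00:10:01 198.51.100.7 GET /pics/logo.gif 200")
    lines.append("2004-06-25 00:10:02 198.51.100.7 GET /pics/a.jpg 200")
    return "\n".join(lines)

def parse(log_text):
    """Yield one dict per request, using the column order from '#Fields:'."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, parts))

def flag_ranges(log_text, per_second_limit=5, prefix=24):
    """Return {network: peak image requests in one second} above the limit."""
    hits = defaultdict(Counter)  # network -> {(date, time): image request count}
    for rec in parse(log_text):
        if not rec.get("cs-uri-stem", "").lower().endswith(IMAGE_EXT):
            continue
        try:
            net = ipaddress.ip_network(f"{rec.get('c-ip')}/{prefix}", strict=False)
        except ValueError:
            continue  # missing or unparseable client address
        hits[net][(rec.get("date"), rec.get("time"))] += 1
    return {str(net): max(sec.values()) for net, sec in hits.items()
            if max(sec.values()) > per_second_limit}

if __name__ == "__main__":
    for net, peak in flag_ranges(build_sample()).items():
        print(f"{net}: {peak} image requests in one second")
```

With `prefix=32` the same sample flags nothing, because each single address stays under the limit; only the /24 grouping exposes the burst, which is why a range ban rather than one-by-one bans fits this pattern.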

stef25

9:07 am on Jun 25, 2004 (gmt 0)

10+ Year Member



you should be able to find an address to direct abuse to. when i get attacks on my pc, sygate firewall does an automatic backtrace + whois, and that information (coming from RIPE) nearly always lists an abuse address.

i forward the log to the address and they respond. if the ip address and other details are supplied they can determine exactly where it came from.

in your case, which is a more serious hack than a port scan on a personal pc, i'm sure action would be taken if you are able to document the attack

Leosghost

9:14 am on Jun 25, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I would also do the following ..temporarily allow only them access ..no one else but only them ..and "seed" every one of your images with viruses ( different ones ..start with variants of klez and go from there )..do it for a day ...then ban their IP range and put up clean images...