Blocking directory scans on web server - Website Technology Issues forum at WebmasterWorld - WebmasterWorld

Forum Moderators: phranque

Message Too Old, No Replies

Blocking directory scans on web server

stopping hacker scans

vtwins

3:22 pm on Aug 7, 2010 (gmt 0)

10+ Year Member

Hello All,

I'm getting hundreds to thousands of directory scans on my server every day. The country IP changes every time (mostly China, Philippines, Poland and Russia) and when I try to block them by country using .htaccess they just move to another ISP in another country and continue.

They scan for:
/websql/scripts/setup.php
/webdb/scripts/setup.php
/vhcs2/tools/pma/scripts/setup...
/sqlweb/scripts/setup.php
/pma2005/scripts/setup.php
/phpMyAdmin1/scripts/setup.php
/phpMyAdmin-3/scripts/setup.php
/phpMyAdmin-2.8.0/scripts/setup.php

These are a very small random sample of the 1700+ attempts in the last 12 hrs. They hit the server with 1-2 requests per second. I can no longer see the stats for my real visitors without an hour of reading because of this, not to mention the server load and bandwidth.

The .htaccess became useless due to the overhead needed to parse the 2MB file of countries I was blocking, and it wasn't working anyway.

Is there some other way? Like after 3-5 404's in under 1 minute block the requesting IP for 30 minutes, or something similar? I've searched everywhere and can't find a script to do this...

TIA,
Jim

Frank_Rizzo

4:28 pm on Aug 7, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

ip blocking is futile. You need to block the keywords.

If using linux you can install mod security. Out of the box it will block many things. When new exploits appear you just need to add new rules.

e.g. if you don't run phpgroupware and want to block whenever anyone tries to access that file:

SecRule REQUEST_URI "phpgroupware" "log,drop,phase:1"

That will drop the packet but you can also add the ip to iptables and ban the ip for an hour, day, week, alltime.

vtwins

4:38 pm on Aug 7, 2010 (gmt 0)

10+ Year Member

Thanks for the reply Frank- I guess I'm off to learn a bit about mod_security

sundaridevi

7:35 pm on Oct 23, 2010 (gmt 0)

10+ Year Member

I've had some problems like this, there are a couple of other very reliable ways, and low overhead, to stop these guys. Send me a PM if you're still looking

lammert

2:58 pm on Oct 24, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Hi sundaridevi,

Scans for PHPMyAdmin installations are very common on many sites. Instead of sharing your solution by PM with one member, it may therefore be better to discuss it here in the thread. In that case more members will benefit from your knowledge and experience handling these annoying attempts.

sundaridevi

8:21 pm on Oct 24, 2010 (gmt 0)

10+ Year Member

Hi, I wrote to PM because what works would depend on the specific case. Well I'm new here so, here is a short rundown on some things I would try:

- Some general fixes are to install the maxmind.com country geoip database and query it rather than using an htacess solution. The free database is about 95% effective at blocking a given country but you can purchase a much more accurate database. Either one requires install on your server, but if you know php/mysql it's not too hard using their tutorials. If you don't want to install a db then you can install a script to remotely access their paid version which returns the geoloc for a given ip, from country down to metropolitain areas in the USA, it also detects many known proxies.

- To get lots of different IPs hackers must use botnets or proxies. Elite proxies are difficult to detect via environment vars. But many can be easily blocked that way. A simple google search should give you a script to detect basic proxies. So all those should be blocked. Open proxies are also pretty easy to block.

- The last, most difficult, and most important thing to do to foil sophisticated hackers is block botnets. Doing this is similar to the way email spam filters detect spammers. You'll need to query a database of known dirty IPs

If the hackers are just coming from some rogue countries that you don't have any clients from, I would start out by just blocking those countries using maxmind's free solution and then reevaluate. Fighting hackers is a never ending battle.

Good Luck